8c5a88d326bd991c268e3ea8ebc6f697803629747fa71eb613caf62acf341e72

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2024, 10:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
Size

3.2MB
MD5

f8bb0d3a72b6af0d77e7746f266cfe78
SHA1

4e78787b03dbab32b4674baf4964ea036c58f68d
SHA256

8c5a88d326bd991c268e3ea8ebc6f697803629747fa71eb613caf62acf341e72
SHA512

d055f1d52612089e9dc04bc782b20eae4fe67cd83e47af11fe2cdc71054e2f6bf154e44d47b0658a9ac75ad5bba708d122c7c11593264bd8e00e1c2a9e37b790
SSDEEP

49152:25k1YCdptya507NUUWn043oHS3fTGYwVq1/xT3DDbwwTU+ec/snji6attJM:QNhSqYw8OkEnW6at

Score

9^/10

spyware stealer

Malware Config

Signatures

Detects executables containing bas64 encoded gzip files 1 IoCs

resource	yara_rule
behavioral2/memory/3024-89-0x0000000140000000-0x000000014033D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File

Executes dropped EXE 26 IoCs

pid	Process
1224	alg.exe
1840	DiagnosticsHub.StandardCollector.Service.exe
1060	elevation_service.exe
3588	elevation_service.exe
1972	maintenanceservice.exe
5220	OSE.EXE
5608	chrmstp.exe
2824	chrmstp.exe
6048	chrmstp.exe
5892	chrmstp.exe
1384	fxssvc.exe
6068	msdtc.exe
4336	PerceptionSimulationService.exe
2600	perfhost.exe
5152	locator.exe
5868	SensorDataService.exe
3536	snmptrap.exe
1068	spectrum.exe
4572	ssh-agent.exe
5832	TieringEngineService.exe
2120	AgentService.exe
4804	vds.exe
4164	vssvc.exe
732	wbengine.exe
4796	WmiApSrv.exe
6160	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\dfbc9c628642d83.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{63A530B2-4AF6-40C9-B231-B4073A76EB72}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f606665f7770da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eaf9f55e7770da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004cd00d5f7770da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007a1d1c5f7770da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d827435e7770da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000404cb5617770da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
3660	chrome.exe
3660	chrome.exe
3024	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
3024	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
3024	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
3024	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
3024	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
3024	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
3024	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
3024	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
3024	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
3024	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
3024	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
3024	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
3024	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
3024	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
3024	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
3024	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
3024	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
3024	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
3024	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
3024	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
3024	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
3024	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
3024	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
3024	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
3024	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
3024	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
3024	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
3024	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
3024	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
3024	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
3024	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
3024	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
3024	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
3024	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
3024	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
5524	chrome.exe
5524	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1412	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeDebugPrivilege	1224	alg.exe
Token: SeDebugPrivilege	1224	alg.exe
Token: SeDebugPrivilege	1224	alg.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 3024	1412	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe	95
PID 1412 wrote to memory of 3024	1412	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe	95
PID 1412 wrote to memory of 3660	1412	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe	98
PID 1412 wrote to memory of 3660	1412	2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe	98
PID 3660 wrote to memory of 3092	3660	chrome.exe	99
PID 3660 wrote to memory of 3092	3660	chrome.exe	99
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 2236	3660	chrome.exe	103
PID 3660 wrote to memory of 4196	3660	chrome.exe	105
PID 3660 wrote to memory of 4196	3660	chrome.exe	105
PID 3660 wrote to memory of 4348	3660	chrome.exe	106
PID 3660 wrote to memory of 4348	3660	chrome.exe	106
PID 3660 wrote to memory of 4348	3660	chrome.exe	106
PID 3660 wrote to memory of 4348	3660	chrome.exe	106
PID 3660 wrote to memory of 4348	3660	chrome.exe	106
PID 3660 wrote to memory of 4348	3660	chrome.exe	106
PID 3660 wrote to memory of 4348	3660	chrome.exe	106
PID 3660 wrote to memory of 4348	3660	chrome.exe	106
PID 3660 wrote to memory of 4348	3660	chrome.exe	106
PID 3660 wrote to memory of 4348	3660	chrome.exe	106
PID 3660 wrote to memory of 4348	3660	chrome.exe	106
PID 3660 wrote to memory of 4348	3660	chrome.exe	106
PID 3660 wrote to memory of 4348	3660	chrome.exe	106
PID 3660 wrote to memory of 4348	3660	chrome.exe	106
PID 3660 wrote to memory of 4348	3660	chrome.exe	106
PID 3660 wrote to memory of 4348	3660	chrome.exe	106
PID 3660 wrote to memory of 4348	3660	chrome.exe	106
PID 3660 wrote to memory of 4348	3660	chrome.exe	106

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Users\Admin\AppData\Local\Temp\2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-03-07_f8bb0d3a72b6af0d77e7746f266cfe78_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=92.0.4515.159 --initial-client-data=0x2c4,0x2c8,0x2d4,0x2d0,0x2d8,0x140221ee0,0x140221ef0,0x140221f00
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3660
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff924139758,0x7ff924139768,0x7ff924139778
    3⤵
    PID:3092
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1892,i,14664856623344109357,9204207162662503199,131072 /prefetch:2
    3⤵
    PID:2236
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1892,i,14664856623344109357,9204207162662503199,131072 /prefetch:8
    3⤵
    PID:4196
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1844 --field-trial-handle=1892,i,14664856623344109357,9204207162662503199,131072 /prefetch:8
    3⤵
    PID:4348
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3208 --field-trial-handle=1892,i,14664856623344109357,9204207162662503199,131072 /prefetch:1
    3⤵
    PID:408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3224 --field-trial-handle=1892,i,14664856623344109357,9204207162662503199,131072 /prefetch:1
    3⤵
    PID:812
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4600 --field-trial-handle=1892,i,14664856623344109357,9204207162662503199,131072 /prefetch:1
    3⤵
    PID:5260
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 --field-trial-handle=1892,i,14664856623344109357,9204207162662503199,131072 /prefetch:8
    3⤵
    PID:1068
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5608
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x298,0x290,0x294,0x28c,0x29c,0x1403b7688,0x1403b7698,0x1403b76a8
      4⤵
      Executes dropped EXE
      PID:2824
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      PID:6048
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x1403b7688,0x1403b7698,0x1403b76a8
        5⤵
        Executes dropped EXE
        
        PID:5892
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4004 --field-trial-handle=1892,i,14664856623344109357,9204207162662503199,131072 /prefetch:8
    3⤵
    PID:5648
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 --field-trial-handle=1892,i,14664856623344109357,9204207162662503199,131072 /prefetch:8
    3⤵
    PID:6096
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4920 --field-trial-handle=1892,i,14664856623344109357,9204207162662503199,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5524

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1840

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1060

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3588

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1972

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2972,i,4036376905309803364,5412922217215781933,262144 --variations-seed-version /prefetch:8
1⤵
PID:5428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2512

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1384

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:6068

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4336

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2600

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5152

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5868

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3536

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1068

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1392

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:5832

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
PID:2120

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4804

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
PID:4164

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:732

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4796

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:6160
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6592
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:6644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
1.7MB

MD5
18b1ae1824cf03967c1b6b70fc1b0d72

SHA1
b0954c6d6a26a7fe921ef64b86aea566f2e5e19c

SHA256
61153630500d4e80d63a88f4542b30eaa4ae076cb2eac22705c2e35ffa998ce3

SHA512
ffc14c94814636ff90a76a2cdc12c37848be4a78aaa586f30734ce4ca4942fe2435765ec90def6c33ed9d9ac47d1d58ed89e729d28832a753ca1489906f13e53

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
c65227ad07a97461e0b0b72c42a3e113

SHA1
33afeaad1f6d78cae5762f7fa69bd932bbabcf95

SHA256
f0377e0de4b672c567a362f3d9783c06451f07727641bfe8b15c496599c298bf

SHA512
9569cf7ce185fcea7af854fd92657f1710e16b3404fb0f0fdfb9ed0e8b95bcc9a99cbf1e548ea65ac4ee9ae0f45667cbc5a8146bdee6dd5ddab63166ab8832f0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
f1722056d2ee5970516ec589882ecab1

SHA1
729f89675417ea641ec19ead99b3ad237bb60b2c

SHA256
df3f29276e6ed9e2d6482ca62ce9a40d808ef911bea8e06d7a6ffa3573ee886a

SHA512
6e7ba85705d22e611a41f56c1e2d1692d78a9422068ae1d9afad5ff3de72d4da1450ae26ca6b1bd7dff14fb68821b492818b23576066fbc75f4ddaca7c3fa41a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.2MB

MD5
e86f431b8c31c77b929972014e570874

SHA1
d2d33f48a18ae8f2058c7adef106bfdbb042b51c

SHA256
6af7c08c27e40a80bd360c41c6490a54539f3def7d685f9a7524f0fc79fd02f1

SHA512
1a222d0c9f14a466a8bb5538a051be3c40cd42772c685b9905fa17f33272bd5089d675130a51cdcf755e964cd9d8d2dcf1b9b7692c8929883307c61b0b99d239

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
afe08d94db591a8c38ca502c6fca3fe6

SHA1
e756e05cf5a6dd5a39acdbeb412aa66c00fa4257

SHA256
d0d0df17242ac1544cab12be726a677ff415f122b73c6f8c6252b926216c9935

SHA512
e4cf7627ac676d42d3115b1344e39c0806063cfae90b3616c37671443cb01bf75c056f1b5f1de2c2550a6e20a0cf9444fe0d969181389d701022d6a0552839a1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
ff34a132b3c7eb83afbec103d83b3f51

SHA1
937f1bcac3f70bb69f8d69732877cb169c93f746

SHA256
8d7d2a0fb40682c634638a2b6d994cd3dbe2e1e94d38de5d2c1f099705152dc3

SHA512
bdc115cd551d11d6b041173fa5ef95243dca46b6e0e17c0551fe211eecdf67ab95714eb1bf2ebcb650613b46f98ae6accc4f4c93898fba7a709c784cd1b547bc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
b491eca16ec81b51ca7b5a6dfdfb8c2b

SHA1
b353f1b1dcd0b71553c5565606430649fafed8e5

SHA256
e6d569b751d7f6ecf28523cee957d351cc43ffc89d7a37d5d104a0127701db1a

SHA512
4022d04f7751bb3042fc8a2260971e0ed604862bb6cd16a014f5bfaf29031473ae254f22395cfa2c660f5cf46722a18272f673df3c0e18c95d115ccc9b879984

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
1.1MB

MD5
73c096358f99ca68483f98de9cd86e59

SHA1
d57c875fb17e2936d85bf2fd52f23f1262a7ecf0

SHA256
6809921a59e0b8cb7b1adc616a3668003645680e055f6fe140963551dab22f44

SHA512
b7398c9cb07bd47ec6e7e180375604b188a4ac4e368b9d2fb37e2b0981cb229648e430958debd7b0389e21f09c9e4c1918a299a8dda0740e339de591356d3ef8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
a88916d2b577eabff066eb9fd0fc17fb

SHA1
05f6d147da3786150dff7d6a7616aa0a519887fe

SHA256
fd2cbdd094c553c3625083014c9233fae9f6e7582644b1c255885ed9acb2bf9c

SHA512
1ba63255d8b127cc2e52f419f94bea5d35e2d7269f3fa9be35eaf29f2276bba14c75eac515c5608bb4fc83328f65935ed936b4c3c495d6d67348c2fb384fcb8d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
987KB

MD5
92978c73e9f3d4812e08d80e17b5d826

SHA1
ee5a137f4505dca3c3eb935772910b352f8e208e

SHA256
99824cedc30c5f80ec5fbaec2af6fcd135765e0c13d653cbaabbf3bdca502d08

SHA512
e16da6a5d37a63c88050c2ea11cb0277994f978b68ab5b401dc01ffee89fbb80fc5396d9f4bb06c73547ab62bde92d1bf60c23df8821240d2833d80a8810ff77

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
1.1MB

MD5
117f346f43585a282a1adc80d16168e4

SHA1
10fb33e2152470a4889d377323f214f6c43c44f5

SHA256
98334144b683234859a8d37146f5b0dd1c3bd2b3ba0a2908a6f3eefa559adb17

SHA512
cee0b2d0f6f7f814baa3936a5052676aa22ed63e28c0b9c4188abf7f090e59743c7a0e4cae59e0260b76d287c5a597393ea19443f0b6dd5ac3d670414f6c7dd6

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
60693c5dc9a2232dadf4291071e3257b

SHA1
c0c613a063d3718b35db8e970c1cfa4e4692c996

SHA256
ff9d7048369c42d5fc2d6557a954c4bb4562603b6a0339d879bf735c9cf3d23e

SHA512
c46053809a3506aff1c4202d8e94fb034fda42ff8e239115b2cee53eecb6ba80c72f59a59198b5b3db28252ef85db98948932da8fdebb2cf151abe55db3ef2f7

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
cd95bc0416a574828258fdd78bc743b4

SHA1
967dc578d1a1d77ba1f30523f0a9c1cde7972eb7

SHA256
9a31991b9e4fff9a413f37691a260a35bedef4f94f4e0c89575073e0527e5cc7

SHA512
aa3d6908a1f770f18a3fd6f59511f9549b70f815c9da1da34ff875e5900f87570f0c1eb3102ab14873c4275d389b8e2c946acec4be29a831ee245347b5d83e86

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
5b94d2f2e37c005eb42f6c091c48f737

SHA1
9e577caf8d96bcea7850e688bc88f060bb2017a0

SHA256
11b45a811a52fa352ddc60a97bee8074f535f98faeba26aa90d1f480f6e1d3a9

SHA512
d978574db8e5d7ab0f27846f3d6f53edf4a948a5694492f6150f7c8abe4ea6d66b4285b0a5eed37c06753c420d48f810e4f2e9794220625fba481f838acef5ec

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.2MB

MD5
e71abafe0c36cf1dbd556abd50524c14

SHA1
2ff2429eb4da0c7e0e55139389dc2cd6a8170d2b

SHA256
325e5c744e018a01a312ab2706772eea4be61d97a0d61727f9f2c59d73899d61

SHA512
ec07d8c46340e39846b6303404633a8f38d6d0c672ec03b7074fb9cc484745f22cb15034f4e604bad5f990fef5d8e12d2f53c9896fb6c28f766e3c3f47a23e4b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
1.6MB

MD5
d8f540ff042f0331cfa70684d5908d41

SHA1
cab09de4e5fe19f76eb067a730fa8ed008ecc266

SHA256
28cf0d5822fec6eb613254a4349b7a9b5a72f9780501249d5a6cbcf804a8276d

SHA512
08eb126a00aefa7edc1918cad821aa4dc102bdf383fe6bbd436d17c6ea80141bc5fd1f819e93cf6b854ce85d9a46c960fa6267914076e1b3636d2314ac60911f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
3.7MB

MD5
b5bd23300425cac57311863fca0b76cc

SHA1
5356805f7e81dd1c8526b585f3731c0923f7d66f

SHA256
2fb98fbead3ecdd5491fdfa176cd7bcbf98cd85be76a378ac932aeb3c68b7cfb

SHA512
e1190b30d993d0159ab24430dedb0ee1c8481b50f584ed312061cd585979eb69c8d3c71ced004c41b5fb8a040ea5470be6f19465c8f074f5bf6adf610a1efe31

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
1.4MB

MD5
900b8db6d5f094a779ec1c633b25ffd6

SHA1
6320968fddffde0694bc00087339b75119a8b2f2

SHA256
97d82929b7c5b3a96ecb5acbc7f33c2c694294322080985090f7c75418a64d94

SHA512
eae0cce4b2f385059cce1a35260a78f8c767e1151ce63c8653ba4186a1f68d7ae5aa48430114aa798c7eaff357b27781674b5f3575a6beb42aa3ab712d8691de

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
1.2MB

MD5
d7cf915c85ef33a9e5bf9026b0857233

SHA1
34e73a12737651d24ab884d252129aeda8fb0edc

SHA256
5dd8601587b9c60f3a6792da017e735b1a5f2290d943ad86da604d9326b1bd34

SHA512
38806f3490b92a96dcb6a7ab6f4a2dbacad166a252a328e4e88d2b2c6aa6a3ab546609e5b348232abe055fe04b3122f3df87512a668754aac652be7ff33f31c1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
576KB

MD5
2fa6ac69f85430159bd993b736f24d56

SHA1
5a64fbcdd8855e555be2ebf4f03e8b0ae2b3d89d

SHA256
5233cc5ad6a3813d2c223dfd03eed0f9c19365265f5fd78f71a1435bac04dac7

SHA512
885156dcbfb985c5ccbcf9d6303f14dd7394986ee8a0ec071f529bbd499fb1644aa548b5ff2aac46583382d9ad6fcb838a3045b84e416ad2b9db6322a2ce273b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
640KB

MD5
e94ffd18ff6048a1f46c7d60bc7f59cf

SHA1
a36c57b94cc35ce7a87df6e852b708c17d6c110c

SHA256
c0b92648c801cdde129a31009545370354f63aacb169b5430527c64a5176183a

SHA512
923ae668ad47f35442f159fc6abd1a7081f9521649def7bcaf7775eccf5ccd0212963d7b570721b729daed24167dc9dff8ff7f4e87e97ff9265f9018e6e91d91

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
320KB

MD5
2a31e930c6e134dd180711be1e770607

SHA1
181b04447766281bba5ee5e6d4e10baa1f354821

SHA256
52cb87d00b8c948de7263899bb83331e183c039dfd615b21e56afa0e1710cd2f

SHA512
b5183abe121de7d7a5a2046846b9e085a7751eecfc87aae6e5ae463b3a4dfb5886bbae5a9e8f2248cf420342fd7c22d0bacd44a32d51e4fbc84941e47229a54c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.3MB

MD5
a88004121b2d06e3162779c2782a1fa8

SHA1
0abb4c18453a622288363250de2bc097cd0400b2

SHA256
9af6980aa3b2358a8605d23ba0d4653620e9d6c371a84feb7260d884f7ae4dff

SHA512
117b1234d2b77cb89d3f7beb2d782bd01dc308502d249ae08b0fa546c057f9384a7ce5cbb773f91bb1b66d8a9ea4331dc280b459903f73805e3b3e9fae7477df

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
576KB

MD5
b3d2456e020b3a06f26fb7a5b1e86992

SHA1
311736abdcd6d47d05f091e61537d5f06f1b1e8e

SHA256
0cc7e5fb53b886db6ea456ff9d62d231bc730f10d18d2fbd862129113e0c6d92

SHA512
e1806e95d5fc6e4e23cb801aee09e8327a9ba17d7e624b9246475564bcc969c176627702ba2c37172b6d6135f4b17f19c9398d48e4f76b0ae2ab20cb6c37d479

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
553KB

MD5
bf520ab5f1c2123a1d0ce6fe90c901cb

SHA1
88c8fcb57c767f065449161d93405fe3e9fb3472

SHA256
126544b709531274274693d80058f751450f67a432d25a17c273992542dbce50

SHA512
84e820060d5a3fc7521d5695328152b1e3704cf9a6f8e8fb50579aadcb7d52436b2b3dff262041e0a7b4423de5ce769f3583630a9918936e164ab4915444178e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
512KB

MD5
aa5800d8729433e52cb96331d2662c08

SHA1
8253a5aacf359a3d33bf8f86e2b8d98c9f28440e

SHA256
9e89fe48a0daae89ec5001b95bdab7c865f4e523e6bd8a0be3bd0feee011cc1d

SHA512
f82237ea187d65f778592239239fb9654c0dcb58b393f5403a8c89074030b152f6c76f276254963073a1f3dc76fc0125eff96266399fa576beaa6b28c4291491

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
385KB

MD5
7e888668f93876583e8a185c1f0013a4

SHA1
08156fca60dacee063e8d636a7d8602954efa33e

SHA256
b2b661398cbf5b6516d4435cc37dddf55773aa233a43e504a757d411c626579f

SHA512
4518c349178c94c4519d96e60f35ab92293478b943aef4ac34ed4b391a8ed0d8fe90bc70ed289f271e1879ab9c62a2df35fc7d35363b4ede4701b9b029977b7d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
640KB

MD5
36780e59acf307f02b2a5905b6c9feae

SHA1
c4f7dc2b1331ef9c2a37147dcbae90d7a7a4a33e

SHA256
98d9f3d68797c3dbe14b638e89406dddbdd09950130909943346b687b4c89ede

SHA512
b235c63911c80155fda060e1e524985ad64291ae739ae1328213958548acb3a4b51735a11bb76044f64e63802053c40319e074f7e7e8aa6eaa7f448c082bcde3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
a6af806de53cade9b0e7a6f2446f1ba6

SHA1
d5078ec988045014437eef70437e1243d3c4fdac

SHA256
e1a9dc7f8e1fff71c8ebc2da931c3c254b5a62908a6d22efbe27085db8a9b36a

SHA512
2ff96045a3b5e1adbaba43ba3267c6d03f113bb545af563a3711a998dd5c4426ce4f56f6cb501d2fb670b8b8f5fa71a696797648b428c86ddda7de4c82d227f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9219e6ce7c00b814f0fc0ea195657b20

SHA1
5aafc776d9fadea7fcb73458abdbcab01ed9cc59

SHA256
1a4ab7c903b3328cc87d2a7d3af64396de58355d54a3b3bced820bca8ae543d6

SHA512
4b425345500d9145349c1b17b2568ba05a769fce8b73d29547046b32af73de97b5f1fad8fef75a62409928a928c50f2bd1bb84e61b141ee183e99634b2e8dc8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
4ab558ea8d9bb7ed119aa61d007dc929

SHA1
aa8ef76858b8fe7f6330174caa1e72574e671a85

SHA256
21274d267e7e4c08c9fcab6e42ff9f9472051d35e06b6dec7a6f3299a7cba34c

SHA512
27d5adba7e6b1224b0b27fca5be67fe7fa4a41b8f192754b15ddf8c6f2e419867abcfb036c65d66fb5de18240e40f846101706b048e2a66ea68c68005d0b6a05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
4ca16bc368de535e3ddda4bd1918dc72

SHA1
63575df6ea33755bfb9a1be1c3b853f75c4b1e6c

SHA256
5668d324b36224804b2491b09c3fc9c438d541ebc86933b1d82aa0e4baf1dd28

SHA512
0c709ff4c90457f91b3d0f653ed387232df2b923ece09ef77547e8a588ae0c5ee80abb8dff75d33ce7cdaee47b9e61a1e87e0190c8055f97c28dcf9c9b56cb55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
6b07e8292d5f8104d9eae962bd8d261d

SHA1
dbec92df1c1ec338aed97c82ce23923603552bb4

SHA256
e239f5f4bb2662a3d46696356120da540193744047276e26679883ec0659a7e3

SHA512
daccf00a406a9185cbed5733c8a7b0f8db0c940ae6500235e3c078dc6e2f0ac200e59d35eea6872ab5f25ef755085b49debcef1dc67dbb71d126a56716dc5c05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
69f6b0ad6da52112dfe1895fcaa5bc05

SHA1
d418e36c809e599a10c004260cc7ed552b38d8f9

SHA256
dbecb77f683ad4faa57e89b2ee0dd544ac0df054e73d5fd91a13c00a6d98a7cf

SHA512
6c1b176ac70c7398c4c0772d406c1ec597e8bf84a7f1065bc420e7ff2d6f79225bfed01f432cceb65331f10b6de529392048bc56df2637697cdf2fa57f0dd468

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe579d0b.TMP

Filesize
2KB

MD5
3c284274fcfaed236362cd810b542cc2

SHA1
578a3c86ae7cafac8ea2fd1aa785913f2dce853b

SHA256
697eae9f64542c73ab26efd93f8fc32a77e9c15cc99fb60dd3f3866ca8df21cd

SHA512
fc6099cf5604e931f5da5376effd1c720eead4f9398298c70c7746bb25ea66692a2acbc4020cf75754aa62d90183cf032463aea80a90afc688f5687d2aac2042

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
1aec5069b3ecd5146779661246c25dce

SHA1
cfdf960b7c045ccc83511b97ac0fa12dd1c95b56

SHA256
4bdaeab27566cf6c37c54fb90564970c0ea966a778b7fd1d62b96aad4d1db0e6

SHA512
492f031febf10e48fb550e34ead2112159665ab478ff0772f20d22e64e1d80a3cab5ddf9b3cd9c5d5921db9413e1ab34e82bc9b8a9cd7fe6b389b18bd2d214f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
c44adda7225d1fdfb38ab4f664e5d076

SHA1
97151ae3017836dd8234e366c382f46c1bf23043

SHA256
5148630e1691fc1dc80ec9e4d1ce2486fd922ec2886a3aa96d8522da0dec7d55

SHA512
876ac5eaa41f3cc86455dd5efccec619f476f8cf16fd29837349ffbbdb247c8e7d80d6192cf7bc785d9a03ef9762d846d40caad71a09c2e4155502e82eb3397e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
c21fd3122e2797085c175e920f118635

SHA1
f6dd35b5d578ae299da194dd73686321c7c73719

SHA256
dad8fffb105004c978ab73a3c5d0bc93bdef05e6e2ef7826140b5c61f0cdf76f

SHA512
a57834463aa29df956c2bc27cbeb4ccc2be146dc2896ed22fbc317f6c88c87183f87e5b0b98811263086c17c03058735f8ef78719e28dad14dc50d98e248e84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
60ead9d5623d941332fce0ccea0d50d0

SHA1
735643ef9b894eea4eb8e89191d372a555b00340

SHA256
706df2fca347ca569f5153826c966f861ae56332d9668ddab216488a1f71ec7c

SHA512
6405c56e25118c8882ef3ac2cf10e4d00c742c66860a01eebcf1200b839290b618c1dee7cacb52c78dc3404167805a69a521405418eed520943e0d7106438fb4

Download Submit
C:\Users\Admin\AppData\Roaming\dfbc9c628642d83.bin

Filesize
12KB

MD5
c84df4c5e29944b94b0486c48e69a3e6

SHA1
78bcd41960c0a3937336a5b4da02a82dd428b078

SHA256
86230709a9a2fe40e0c8468245f7b06ad591a4b8102190e8566f8a992c4fabca

SHA512
a44f7bf3a40a2b61f6fe8a663fdf3a1967ffe1cea130017b75166c4846ed3b4421fcd80902c86e66703332b390152671be0e15f1f2583590c563185aa51f3afa

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
128KB

MD5
4b8b0430d48260457e0bd55062e3ce50

SHA1
3444fa4600a61047eaa1e266fde5013be95b99d6

SHA256
5fc1c34e56f1382b98fc0d285aa42b73b3718d58cd1778225193e67c03e9de70

SHA512
122274f40e844829c1f173abc952d59e6e3f3b80d73b2008a8eb8234cbcc751456eda13956f71c79b9eb3fc5973507a7836340ea7a1c58f0b193d6a7ee6aa9cb

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5015a9f3b1bf58311793298d22b2d22d

SHA1
05f9b5919e2bc615fc16f327948c2c57145aee54

SHA256
cc5023ca16828fc21e579d51b76f9c7b060f8e63b9083a9823ca92fb192856a1

SHA512
ac110bab7b0321c676b2a75337c15e21ec5030c1f9b58dd2b7c429eaf4d6c8690c6fabcd5ebe7b8e7aa36add77ad237617a69fd735225bc58aecdd48dd5ee7aa

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
7eb518c1a7d9f2ca0c2b7d4a5f218a30

SHA1
b87624d70e265155cc689f5ea342f4d5cfebe418

SHA256
ecdad4286b6b9370f7d274ddd120a2e63e4bb814dc40b3c776078d8615fff0be

SHA512
8001a3fd049e925f8bdfcade2276e26711ac55d11a6f4c11a0335676a95906ba4ed5fcc00d4cf9a80613f6d3812be29d8d196692fe9d22a4bfe7e3ecbb606a44

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f932cc55946dd627893106cf1384b701

SHA1
2111c4a5e5c82822944ac29f6b2a73fc9b31cc8e

SHA256
103869c0c57033f8445f292789ed6a737bef6da66aa1bd69076fd783baf803ba

SHA512
d2cd490d0928ee1b91c677a3767527e106b6b82dfb2e9e84c8b1b972fa5bdfd1969abfc656704defe5b9e0bf4a28b38b9b6bf160353d72e11008174cf7533c7d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
2ce09c95435b60895dabe5e87ef60c6a

SHA1
1da9bc1c78683685f1711b6f7bf85c48b2ee093d

SHA256
b15110b78f3eaae97b7a5822d2292bde115ab2c7fb2103a0db803cb48607fb52

SHA512
5d25c70d42f78d7e73791524cb96937d40a975445c1c181c3596c376b9be247f4d70fe3cef78e51ce4d75a9e3d8aa208e9779d38296ee8e036221cd930ebf87c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
787cdc6cbd2e56880d0c0e6357bf8cfb

SHA1
b491c6ebaf5435fec278a13644dc108222ea1868

SHA256
9634f1739980cd7350437c420df950931cccf4ce536bd48952684d7e45746c57

SHA512
e7a17a790d67f12af79400e82e04a92f00b0dad40c33858558a4669ac32c4929ed24ef92e4c11d237b58fa1db332fce81ad9a73948c1ae584de88d17850699f8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
3ef610fcf29d7eae59b5b59f09a0d3eb

SHA1
4c0fa14a0b3a96b1b2ef25fe20970443453833f5

SHA256
498205c6d3e83ddca51a020d819a9f085471b333873a6ab7479f45e5650454b8

SHA512
5a128271860e621610a712324da9a19b7ddd93e226e6690d27238f35fc83e69e8d2dfc32579acc978010563a09a4aabeba5c06aa892d5d60e14e550696262d7b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
30ff78365f546b999a3a8a62dd4d2799

SHA1
85b46276d2357b12d1ad231588e017b736dab5f4

SHA256
6ccb71ce05c010b689953b4d74cb9c9adae20e3e811a297f833657ff7133c1c5

SHA512
eb2ca49bb44f510ca8e5663855dc60ee108b60e9d3bd899b26cb29fa9c076430b68f9709bdf481dde4de02e74fc4f903401e52960711fe4e78cc67352c8c947f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
742283fa6d67c9ee6999af30ab800b55

SHA1
79194cd89d0fd9960b10390db8e40d5c53d8e248

SHA256
70c1be0d9ab9ef39b2eb9ea1d147789da5ac399a8f3573a903ba32f141db0cd8

SHA512
538a63400ecf7dde7b2ac8d46f19534f2e46b9c7ea42b3b199738185637a740a7718c9eee7360ffef493209e94a291422ac8864826e3c0582f88f4b96cdc9ebc

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a46763531fed42c8682a294ade463208

SHA1
eff4326a0ce42db01831e0953f97cc305d640889

SHA256
ec05f5c9d3b591c0be1996e91e17c2d26b642780606f86e3190cc120ce737f55

SHA512
8e511cbc526d5bc346949488f1a61044632aa03a155a9e1d5c2ff66f3c35312a6d38fe985cc8caa6ebb9cbfee7d683976d0386bda976c7d931ad6e236b2e2643

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
7a5ead8646939171efd7247937573118

SHA1
f7897e33ea904ff26fd13f5896113e4eb1fa3746

SHA256
dc7d1eb2dc245bbf64f85ee836d3bec7d17af701c48c895771f1e5ebe390cd9e

SHA512
1fadc1a9f374b33b82415e42d8557ee5e548134c3be6bbf230d5f97bdee59acd22d6f6664be90b606073ce9f9afab78d86d8e4672c3a4bac12cc8b82231408e6

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2fa07d368af232452d9d7596787c562a

SHA1
5834240a84cfd7472e80e6b23807702b5a9b002b

SHA256
48b1a82ef6fa44a278f3041980f35cf37d7c91e1940a0b7360ceb1735b24fef5

SHA512
1e95ef059793a9f48cc58069e5a632ef7ff8ab77b0041178040041c1e528c0fe0c85d817d78da4815b07c4242b1f1aabb74a9347e2bb8e07ded2dc61c26212a2

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
98b25fb003cbd0086e7bab56606cbc1c

SHA1
3d8dc56eb9f70b1cab2bf6fb33eca976393cfdc4

SHA256
4a090e11f5f6182fb588ce09d89509c24e5e29819ae8dae63c4898c417ce8f7b

SHA512
8b28076cc28230be89fa18e8835a3f34f287cd2b385d94825c199e0d1dc0a3e8f012a0728d7c6d3a7fcaf7d3a863a42da7f7b6b3983e5848dcefe9ca93a071f0

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
e225fe5fef543d8fa95a90a72510ba55

SHA1
ef6b1014b1dbcd0e3a8dc68c24a21cb7d71bde58

SHA256
669199fe5428171c585adf04245fbb186783bd785e0d911b6387c7f469145310

SHA512
b24131b30af0a30d359146c76a6dda6b668c4f209009e4ad8dbe95fde96362ed68e18169ad87a4860b1543d04a3ed1d2fe76664e2cdc5592a72caa5035c843ad

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
d6ebe9c7a01cc7833aaba9be57aa3aef

SHA1
2c8404c34acb22fc4ccf8268aa12d548f78f0f95

SHA256
6463430fa81979e34b2b2159d5edf574aaad5792067c9ec5828afed1333e1ccc

SHA512
1a582a831439ae62ee5d91879fbe3fdf27ac66e7968a320c05e2ff0107752db3df32556c43515a1c10425dee5462838865653cc460f7eb3dccf65d32edf4e400

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4bf844ced3d7684a58b7fbf4961dd423

SHA1
f95cb1f958bb50677ebf11838ab3add00911393d

SHA256
0dd12600b8dc1ada08029223b38151e0f6267bac1961b04946f748d8269650be

SHA512
7c8def16121a45d81b9157631b83c6327fb3450dfc13c6a226de26d8fed815e6338d85e63147d390bd54647dfcb47e219829ffed140a24199de68e41e1860e0f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
485decb98763f4553075007ca56008d6

SHA1
d44ec2ce91e9b19c5c94f74913a3cb42d2fd2a18

SHA256
be0d40917c34d6795041806aba1ee7c52ad8f40f752ccaa879eec93662e6c3f8

SHA512
6c8dd1a8a832b5acae3c7a46675367adfae262150f1784eacb39c4cbd4a862a52eee4b905017141225bfd8b088e6e2bba7dcd324b6e9bbc4d8a8d5bb464f1bdb

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
828f6c0cd2e7fe3871c0e0175b979b83

SHA1
feb8dac49c8db0d5785a3b8ca7dde42458a3f467

SHA256
19cfc578e01d7cd1b7b0025d4d4a149793ce0ae0a503c847a9b444c662697fc2

SHA512
6666db8b3981693b5654dbee49fd1c15be82312ea861b0de53a77f24721acf2a0d6160d3a4dddb403446efb6a9926ddde34c7041373dcd9b20d444e287ff13d6

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
65977525032194782302fb74372e0bce

SHA1
be4d33e1020f51613dd58dde0564aa088ba09a22

SHA256
f11a15dff21527e4dbaf80b3d6a496aab2c8cb48190112215a14bfa486b549ac

SHA512
6d408f43879dc8e16be87198beab6ace35f124f8bf875d4c89448aa418e64a283e333dcb739b209a4d0444cd027be39b7efae618a306cf8020711b13103e960a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
5cb01597dcbd2db9997f9dfb8335e4e2

SHA1
9150f100b491deb6bce943e219db4266ce66d847

SHA256
3c7c7e25cf63140e6e17c7f0d5ef12cf1401b77f205ac6d428cc9c4e5bf5878d

SHA512
eb481d856e8be75f3a682488f59588854041635f2e874771bd5b0a830f97828476fa63906c149aab836b14b2c5e9261f50d16f3668edbf497c3b793db4998e0d

Download Submit
C:\odt\office2016setup.exe

Filesize
1.8MB

MD5
0e8234a786ee1aa21e8274b650414d2a

SHA1
fff5a1727b6d340fe9c27bc88962ea033d481642

SHA256
84928e890c2cbe3c66ad727e44a865a2002636edb111db59c345858cee694ad4

SHA512
03c338d1743cd88ef256cd23027509a7dc15de0740806627700885028bb57a30545021175e8081d1eff04bface7b5c7cbed112d6d225de872ab8cdb42c6139dc

Download Submit
memory/1060-63-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/1060-114-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1060-54-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1060-53-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/1060-108-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/1068-514-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1068-523-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/1224-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1224-14-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/1224-27-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/1224-119-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1384-428-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1384-437-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/1384-443-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1384-444-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/1412-8-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/1412-1-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/1412-42-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/1412-36-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/1412-0-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/1840-58-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1840-246-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1840-39-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1840-40-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1972-105-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/1972-92-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1972-90-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/1972-113-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1972-110-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/2120-556-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2120-569-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2120-564-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2600-473-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2600-537-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2824-295-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2824-397-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/2824-287-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/3024-28-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/3024-13-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/3024-15-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/3024-89-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/3536-501-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3536-511-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/3588-70-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/3588-69-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/3588-293-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/3588-76-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/3588-77-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/4336-522-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4336-470-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4336-460-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4572-527-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4572-538-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/5152-541-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5152-484-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/5152-476-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5220-117-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5220-116-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/5220-126-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/5220-326-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5608-280-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/5608-267-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/5608-374-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/5608-373-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/5832-544-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5832-551-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/5868-554-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5868-489-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5868-495-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/5868-563-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/5892-400-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/5892-327-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/5892-315-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/6048-366-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/6048-307-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/6048-365-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/6048-301-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/6068-509-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/6068-445-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/6068-453-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download