c6f300b2d261ee2624fafa685cc867d8d64cfc5013130c939d5ce010c8afddf0

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
Size

5.5MB
MD5

8b6240d65026c98c40d296fd9f463874
SHA1

415f4c6e2d0d0126341458558cbd011a5c557ffe
SHA256

c6f300b2d261ee2624fafa685cc867d8d64cfc5013130c939d5ce010c8afddf0
SHA512

b3bc9ef9818b86d67063a5fd15c865524beb290727699fddc8c0fe2b30e2ad8e2ddce9eaa8475e40ab3d6e1377dcf45914fdde5cf6d1c435aebd60dedb58caca
SSDEEP

49152:BEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfJ:lAI5pAdVJn9tbnR1VgBVm/65tUV

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
1764	alg.exe
1064	DiagnosticsHub.StandardCollector.Service.exe
244	fxssvc.exe
1528	elevation_service.exe
4532	elevation_service.exe
2596	maintenanceservice.exe
4888	msdtc.exe
8	OSE.EXE
4864	PerceptionSimulationService.exe
3308	perfhost.exe
3380	locator.exe
884	SensorDataService.exe
5008	snmptrap.exe
3248	spectrum.exe
3156	ssh-agent.exe
2012	TieringEngineService.exe
3696	AgentService.exe
3184	vds.exe
2364	vssvc.exe
2652	wbengine.exe
2068	WmiApSrv.exe
2308	SearchIndexer.exe
5380	chrmstp.exe
5680	chrmstp.exe
5764	chrmstp.exe
5424	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9d57dbe3bb5459c0.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exeDiagnosticsHub.StandardCollector.Service.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000093b3009b5399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b164119b5399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d6010f9b5399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000068c6139b5399da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003ed8df945399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000079d7459b5399da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000024abba9b5399da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000079d0e09b5399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000010cdc9b5399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a76dd945399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d6010f9b5399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006bad7c9b5399da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

chrome.exe2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exeDiagnosticsHub.StandardCollector.Service.exechrome.exe

pid	process
4456	chrome.exe
4456	chrome.exe
3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
4456	chrome.exe
4456	chrome.exe
1064	DiagnosticsHub.StandardCollector.Service.exe
1064	DiagnosticsHub.StandardCollector.Service.exe
1064	DiagnosticsHub.StandardCollector.Service.exe
1064	DiagnosticsHub.StandardCollector.Service.exe
1064	DiagnosticsHub.StandardCollector.Service.exe
1064	DiagnosticsHub.StandardCollector.Service.exe
1064	DiagnosticsHub.StandardCollector.Service.exe
4420	chrome.exe
4420	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4456 chrome.exe
4456 chrome.exe
4456 chrome.exe

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1608	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
Token: SeTakeOwnershipPrivilege	3652	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
Token: SeAuditPrivilege	244	fxssvc.exe
Token: SeRestorePrivilege	2012	TieringEngineService.exe
Token: SeManageVolumePrivilege	2012	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3696	AgentService.exe
Token: SeBackupPrivilege	2364	vssvc.exe
Token: SeRestorePrivilege	2364	vssvc.exe
Token: SeAuditPrivilege	2364	vssvc.exe
Token: SeBackupPrivilege	2652	wbengine.exe
Token: SeRestorePrivilege	2652	wbengine.exe
Token: SeSecurityPrivilege	2652	wbengine.exe
Token: 33	2308	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

4456 chrome.exe
4456 chrome.exe
4456 chrome.exe
5764 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exechrome.exe

description	pid	process	target process
PID 1608 wrote to memory of 3652	1608	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
PID 1608 wrote to memory of 3652	1608	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
PID 1608 wrote to memory of 4456	1608	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe	chrome.exe
PID 1608 wrote to memory of 4456	1608	2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe	chrome.exe
PID 4456 wrote to memory of 4260	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 4260	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 748	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 748	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 748	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 748	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 748	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 748	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 748	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 748	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 748	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 748	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 748	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 748	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 748	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 748	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 748	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 748	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 748	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 748	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 748	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 748	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 748	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 748	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 748	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 748	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 748	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 748	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 748	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 748	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 748	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 748	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 748	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 4712	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 4712	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 4520	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 4520	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 4520	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 4520	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 4520	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 4520	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 4520	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 4520	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 4520	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 4520	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 4520	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 4520	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 4520	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 4520	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 4520	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 4520	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 4520	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 4520	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 4520	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 4520	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 4520	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 4520	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 4520	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 4520	4456	chrome.exe	chrome.exe
PID 4456 wrote to memory of 4520	4456	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Local\Temp\2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_8b6240d65026c98c40d296fd9f463874_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff84231ab58,0x7ff84231ab68,0x7ff84231ab78
3⤵
PID:4260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1928,i,14699118992335990377,3709843038512667100,131072 /prefetch:2
3⤵
PID:748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1928,i,14699118992335990377,3709843038512667100,131072 /prefetch:8
3⤵
PID:4712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2168 --field-trial-handle=1928,i,14699118992335990377,3709843038512667100,131072 /prefetch:8
3⤵
PID:4520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1928,i,14699118992335990377,3709843038512667100,131072 /prefetch:1
3⤵
PID:1720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1928,i,14699118992335990377,3709843038512667100,131072 /prefetch:1
3⤵
PID:4500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4300 --field-trial-handle=1928,i,14699118992335990377,3709843038512667100,131072 /prefetch:1
3⤵
PID:5412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4484 --field-trial-handle=1928,i,14699118992335990377,3709843038512667100,131072 /prefetch:8
3⤵
PID:5556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4628 --field-trial-handle=1928,i,14699118992335990377,3709843038512667100,131072 /prefetch:8
3⤵
PID:5592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4592 --field-trial-handle=1928,i,14699118992335990377,3709843038512667100,131072 /prefetch:8
3⤵
PID:4064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 --field-trial-handle=1928,i,14699118992335990377,3709843038512667100,131072 /prefetch:8
3⤵
PID:5280

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5380

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x294,0x298,0x29c,0x268,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5680

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5764

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:5424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 --field-trial-handle=1928,i,14699118992335990377,3709843038512667100,131072 /prefetch:8
3⤵
PID:5388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 --field-trial-handle=1928,i,14699118992335990377,3709843038512667100,131072 /prefetch:8
3⤵
PID:5696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 --field-trial-handle=1928,i,14699118992335990377,3709843038512667100,131072 /prefetch:8
3⤵
PID:3240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 --field-trial-handle=1928,i,14699118992335990377,3709843038512667100,131072 /prefetch:8
3⤵
PID:2516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1588 --field-trial-handle=1928,i,14699118992335990377,3709843038512667100,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4420

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1764

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2424

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:244

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1528

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4532

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2596

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4888

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:8

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4864

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3308

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3380

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:884

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5008

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3248

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4784

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3184

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2068

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5936

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:6008

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
742edf79b33e16ba69a0cd61dcb59ca4

SHA1
6aa5d670416fa237ee24f50bd27a4e34d06ccf80

SHA256
7f6723f006e420639f2ab5bf4daa8811dd00eb3107df8d2b7d12aeef3e6d7243

SHA512
f9d75567310af2eb767c3c97b52cbdba0e7acfc8ad614c2e45f30bd945ec3a75fdaed0373d95e60dab9ad8620bb2c53f1a0f504f9caa293fcd254589b6c64b64

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
54d7a3522438c6c74460a25fd1ed1a15

SHA1
fa0e9c598fad2aea8a10d7a55af664d3de940447

SHA256
01754cf6ab0f66c832c98b661c5e8b03b798dce943a0e620edd16682fd8fe43f

SHA512
6e9b1a26b67cbb6ce0a44095844af0bee9088fc56e1a8c865b43ad5cc16856416205bbc95217b1cc30b92e9309f63378a2186e43f239d780495d66245ed87d31

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
0a6c62634417286c0941d62832a69c2f

SHA1
e112a66c84447a9d682a46a5e9d46d61a3d7c047

SHA256
370c50a2a2777ee844c942b5149b71c54aac32e3d0877932e8826f5c8f13f2f8

SHA512
838dbf79bfb800babd574f092b7c65e7bbf9365ca8fe2ee6a1d4d8333497ba9ec759cee82a80cf5428e6a6c9baf5c388d564e8245ec745ae87287ffd7ea86a02

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
61b8d8e2956ac1b962465aed0e067165

SHA1
75085d8b5ec53e83587137024038057def38cff7

SHA256
3682a8f5f99ef2face65e973a0add2bb158e7060c5d4946bb7d5722799949654

SHA512
4cc785fb51f3b348a0a1a59a15f86a9080185d5d190bd8fa2e10f2612b7e37d7f52dc8ba08178dd74507fba79295af5c1d80a28dad7c46fa595921150bee9cbc

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
59e5e867ba89c288130a62c0710f8a20

SHA1
3e3e161b255dce66ffce90f216d166625be26ece

SHA256
8e8c0a9ffe23d5961c4d2bed615cd5ac7072146d4aa3dc413f7a3e93198d7b26

SHA512
e639ed3f0eb96dd86e9802ad8c176034a67aed96bf75411dc2f7e2cb81f04148667d987cb3ef4f4d308f4aff457a9814dc150ae640a8003da93b7253b3a43506

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
0c644055e5622c574c133cca20263c53

SHA1
a9eb15b1cf3b74fb81c6099a4a390a5ed16d263e

SHA256
742894d4dd2f4c849b701382c884c8f4beb8cb1b0de6acb68838d5e9ae7be390

SHA512
af9e0a0f48a0d7c102a819c411be7422a89f882558c05c90704e69a8519705f852496b9015618a505de28ecd277f3f6a2c024af21bb8a3bf7139333fcef4bf7f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
cc4424131faa81cd42b3a22ae11b1f52

SHA1
6cf3a231c92ae165cd4b8d1a8bfd88c54643631c

SHA256
73e8fcb60a15fb31d327faca433a9bd09be0f234514c71c21b3d060421d7d2bd

SHA512
d988f63982e7fc93a51c1efa5f18a1d8d1a0e3594e7801c1ce503769a48de1b952bed88b5f97cc0aa60de13c65a0a7db5116925ab24d4db39974585df894b794

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
e6b104ec10727b129f24800dffacb0bf

SHA1
c388f01053aff038528663a8e2011cf7c63bd285

SHA256
e8dc73ca4558f35ac991e604f8c473712d2bf8778c70784a905cca9f749795a1

SHA512
98853dc42272427643b9b424f8d9583501f8abc9c4287ff5b679584eb36496a414bf95f305b558dd24aa48e0e3f8e404d2689cee1bd55b0ef7b78c4b621ed8f3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
c846bbe44c6ed706303b17a7bc419324

SHA1
5786b49f5bb125f9b14312daeb618bd501c6f09e

SHA256
31dd1f5f6f9cb9b943bee361272a56b3c320a6fb6004e4b94d7914c4d87cbf5a

SHA512
cde1b4dd3061d15e463a1b0c5d6c3c3c70e08b2a3753b0580129472a6b7bb56221e04e86248ae41bced25aa06eaabc855f7d920edf882a6609cf175cc0c1319d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
ddb3b153a3cfe91bc313577a7eeaa690

SHA1
fcacc6e143f8e8510725c3cb55912c027d175280

SHA256
06f976df0c1f204a98a0a30e9a25a5df5eff17a89d101774008494c23d2a7537

SHA512
c35395592c4b131a041ee63ad7a05c14af2fad1e09398f0c13b992b26bd937a831bb576f8332dadf27e5e0b8f638224a7bcd79da6747867e2e809e509d3cd4b0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
0b146d96c196243f5038956af1b2f1ec

SHA1
3c97662a19632ff173756a2c1f1f14850603e55f

SHA256
af3eabf21fc06e90b7d939af259df40f503ed7325d3a4ca26fdebb7cf9fce157

SHA512
8f0771e2c91decb47d648b1e7ed728b13d5855147cf6996c6b53d34a88b32bfaef650d49dc8cb871242cbbc75ed047bd9d005bad9ee912938897b1de149c54ac

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
2141c2dc664bf1fd952b691dacdceebc

SHA1
963c9806829814396749e7870a431a1795185bd4

SHA256
9d3239cd199e743660c92d6cfb969a228be72afb31f3cec8242b117acdd35cb1

SHA512
75ed1690518f33e6d7c0531d8f929a44b139d4317aab841541df77b6d1b03ea9375bd119ad9edaa5aa19b18b4507fa36681f6c8b0166886fb9676eec1a67a9d6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
2dceb08434626b53cfabeaca8ffee165

SHA1
7d6a026f7119b9b33744d24ce9575b241677d6e7

SHA256
58c8068aa1862ff29c64dfd5cd7c521343056a20b71c48392c8381aa5a9efa3d

SHA512
86df0f3f2dea752087b1cee99a4d7bb69f4484a6af12119e33e5a0334c8b536c6c26f2b024977ccafd5b69db4190b5141ed68ee0dab489839f500315ad19c3cb

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\13c8dc4c-86ab-4d0c-9e66-5d1d0ef1c0df.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
a8d50aee2fe25055ebc40ab57eb329ec

SHA1
d80c4db93586bac71dbac141084e1d081ee0c475

SHA256
3f1cc44a5edeb7c16e2cd6fc18552c8648cdf521e21602401f0b9adbd029010c

SHA512
954918146cc0e80dea40400374f7c5c8187ef51bc723f672b6b731c3245b0c8ec7b958411c89b68724f244ced3ee3ec892c1c123fb995e07494cf9661d05a02c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
772424160a740ab46f10d75ee3f72e87

SHA1
ce1d08ca4145f6a14ce3727642af5a997f73d1e5

SHA256
00ee43ab7fd127a5e0b86cb4db053f67544834eac165db5b54f4b1d406952b84

SHA512
920600c6e67f96b735a40de5e0c4bc1c585f49dc7e92bb07295bc0fed6b1ec3814f5813690d169d574b7184a6cad67cbf97718c224b0cd95cf7df239ab536d88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
02f61fca2de0ffa4dbf3507055a3b43f

SHA1
6ea21315aaf082c94eef8b8c24e7a43ec5003398

SHA256
425ae5aa4b4e4a04a05a5a51f655e40567e68fc85b7644925fd2f836ce823604

SHA512
a888d7550b569ed8e451ce065d5c02f9eaf6f8fad605feee045e911971d2c6a92775fdb680187c89a8876d48020c8c51596d5c86e5057e0400cf6cb0ccf21deb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
62069563d5762636f1c706732a2a1c06

SHA1
f7d9559680f30f24204ac480f045aedf65823eef

SHA256
1fd27cdb547383bfe443fa31cd71b7ee0c4a7fc89b2697885538a4c1351a5d61

SHA512
7327ab41fb792d254fe8d387d929278466ac9fc549c5278b46278e0fd80cb79eb2584c557cd4fa1f5c883f82bbd3acea71b375eb42b2445ba42425d849a2d5df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
705ad72bba4861e2bb7d395d39bad59e

SHA1
1ed2bd5d493cfe04f67d9be6aeff404c0c578ccb

SHA256
ffbe8bca4aadf643b2f65692249ef40bc1689b2dbe04121e3f23c728e8fd969f

SHA512
b4b402f52602dad5bf5911685ea52ef71934bd150326a4bce8a7ac8c153441de8e27ce29d09bca8bd1dfb1c7dad80cdaf2e1115ee94c0bb4c7726a66c9c13a33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe576f92.TMP
Filesize
2KB

MD5
62ef0b2d931dee49ed513961ece66048

SHA1
75ab8dd2d029abdc0701a541bf3076082b6e0c26

SHA256
2363d110b62787968a21ae43497d60d50ad3e2a713303aa36834d810f996344a

SHA512
ab8379f396349faf8b51cd6ef4cb31c2d16da749b9902654227175423872fa6d81447d28926892602644a35b30f8bcb9412ee90b0eea93108cf6eb1b8dfbea94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
b19db96ace3b96d1d2f02402c3545cc6

SHA1
04db8b389b239fdde185e995c15a52dd80e0f6cc

SHA256
34174279589a2fc4824bcd61532f8ab61e78f4ed7ad5e68c2d09181d38d511e2

SHA512
fc2668b33b47bda2a766a21e3152cddbcb3325ecb758593bd994bb19452035bca104a0e7d5ced7e1e69c683d642f713abed312340fd8d86fef4bc224061ce906

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
258KB

MD5
140e7f54642ebbaa0ed35a25550e583c

SHA1
a2a2f581a4f7d2681078ce294eee17fd36467a3a

SHA256
5ccf186a3b6efc538220a44dc8f53f6392322dbbc5d7b9b3b11991b680711eec

SHA512
157c5ec6d970bfc9471b2898a9825c173f952713314d16bac1dad523b22c041d07210b5c357e24612c5712e0ac00e385d2c9303fd99ae291f2f2cf959fac2e33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
131KB

MD5
bea57217bb03fc7d00efa59e22da78dc

SHA1
2a5389dd4fd4a27bdf2c85fdbbf4ed6d81e3947d

SHA256
e2ad545def02968376389a2bdcd02eb5f48ca2c442b4e2f3356a68ad2adbec34

SHA512
c4da38d175c01487ca3dadac9c6425f14db9a844af5384aa5bb4647c5ddfe6a7f103d3649b90f0d312d70af28bc0a6403ef8b27c0bc36016c7a9f5d22e65c833

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
279KB

MD5
f00fb7a983e6b22ecc42d30edd31c643

SHA1
193ddfbba6c6ad7f69d71450f0631ee075d2403b

SHA256
4901dd98bd85f1f09a296674773d07747db935ef809e6d372e7a69b17b6e0617

SHA512
f46ea24858aca3386f9e181b11ad994f80150a69d02c3b12f51ee87fb59eb99651c59fb97bf8443f13ad9a66960d466b472756bf89f68eb7ed5a60ead5e51a74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
258KB

MD5
026164329fe82e869ccddb3a038d9256

SHA1
e9a753162892e4318a5c3a930442558d2e4f85d2

SHA256
851d6f34fee9f039d65ed65736f523d862aeeb434ada163ddbf9949d3bafca3f

SHA512
46699c2f879d925a001eefd2edeb4bfe75f9582fb51d45fa6049dc8d265d6faf1f9d518073eaa6034878b02f76bed5635c6b0e4e8f3cd63d8345a4b087095aeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
91KB

MD5
1c3d782851f13ee48f942442b1bde686

SHA1
32d13afb86dd418ba77f932470529f2dfd6f0829

SHA256
3eec98338d0e9d7b6376515936abffe204b058e722840acf06840aafcbd3ee14

SHA512
4af4e55d2a62ca139dd80b950f742a591ef492ca4cdc39aaa4c1ab973046074dbc86d4b47237cc6e415564dc2e1c4d5829b91be002be13099882648811455f19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57e4f1.TMP
Filesize
88KB

MD5
1025243539e72afad1e05da096265d88

SHA1
c9d74d9677d75074cdb25fd555d82fa12e2a01f1

SHA256
c0f6f5d54eafda324ba8b753dfba4b1b4b42d46a547fb4f4d9fb5bbfe124d71c

SHA512
2a9b2a24899bb534516bc3e465f1cf7f8e15a713e31ccb639e0ce15e0f654588013f44cd4eebc2f567be6716e4d2f3a88270dd4b3c290e08cb3a3acdece4649a

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
e286c906e65521aa2e1363179dc63c32

SHA1
91f5caf0c4bc63f094dcc2230aaf63694d523763

SHA256
3caab10d264b4788ee42a31f89c6e447ec70eaed28e34806c35d47229fbe580e

SHA512
1c2964bb3d6f0a8a193745b98742d93333d7e2ea67535bd8a4349a0a024d59489a491e33814a3e343249e2ae1b6fa3351a32992b25f7cc175e3783e155fb5f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
b18e33959de44404e0e0ea99c8c70562

SHA1
f591cc61814ebe7f4224092cc1d79652c23e9a7e

SHA256
53bbff951d928cccaa806200e3fc04471492c3c81a675f985d03e28b5462d674

SHA512
2db4c000140a6ca099f6c00c81e03c30c0dfcd7fad2cd7393d71163bf5b5065ce7b579c1f34d538887d28f64c03bd03fd2010c2417155dce8195831c00f8c038

Download Submit
C:\Users\Admin\AppData\Roaming\9d57dbe3bb5459c0.bin
Filesize
12KB

MD5
0591b7e9277ff9d25c8a3b43f90d8595

SHA1
c5a868a5c7224f2c4992c36d1694a752d6b092b5

SHA256
dc221e3101a14042153e833d5c4c112b6832a3341f7e2ac7edd025abb7f08cc2

SHA512
4ac889e31adc6850b8d45597e1f0652eeadb5f54bcac7bd534cde8a7808dbd60eac52f37ed70a4cb538de5167c3e5a0d19eafd0da3c9ac09057b8d9b815b95ba

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
25e346599d1bd95c3abde96b2d88818a

SHA1
269fbd0358a65586b45d44f7f943adf81ecdd4fb

SHA256
8a2f5d827d291f0a6993a96935eda047f9ef80fc5c23ef9a8c9671cfdcf5313b

SHA512
acffd9c583eb688f2b2701d0129c031fee5fe62ecf42387a3785a22b6ec462d3701988a512f9d6a286560af282ac5a5f34d9f46125a9193129bfb34d88e1f6c1

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
cc2f13f466d12b4636f93d7bbf19cbb8

SHA1
8fda0b55911feaf7731e6e8143256813ae40693c

SHA256
18d821e0e5e8322ce202040c3081048290e56a935fb5a9ae0a06de75b48437fd

SHA512
bb84aa3282c83e7c58da239030d81dd87dcb014acb21986bf26c6d63181fd7b130af4bc3a3993d83c0aaab3bf5adbc8b6ed428ea0e39a8def75a953fe7ea3922

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
004fa90afedd5894decf86e538cc69ca

SHA1
ef3e605b5a6c3f77c4584a03908196e6ef5835a1

SHA256
de6e115889373115bbcf1a452db1752750256e68518eb606d75de867480bc929

SHA512
643a0799defde932b6629c0fc9219d759a18f5efd9b8c113b083effe188e4515e7001fd6621d0e3246e2ea8edaf04087aa02f3af32a07a72d85aa50e102e8889

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
baf9c9bb75863d713d76211597cf84d1

SHA1
06973bc2bd5199107e3c4a4b5c6cd5e367de81a8

SHA256
676c61a3271e80ae0467c204c209098ad76d67d58658256d84818fdc2941cb24

SHA512
691fd8f0eb3073bdfa017992e3366fa9659fa78aa166592a0fa5548e23d3038b29545eee753d2b8cb08a86ba6ac532a25d484b260715a1859f88be24a234af3e

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
74b75b7f99155625c12959b6367677e0

SHA1
493bab42713c972bf5f94f9027e71426d3f375a3

SHA256
afda008f27bc38617b4f7f7140d959a0350b763bb32b5fea7c5c0e8e2d1e19a6

SHA512
1527648dcd717d947097476b99f7b533f380257dc1850328c55904dd7a79872799d6782d63b141869594df941af2ba958b7f58564886eb96491e3efb47013af3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
387e725336ff0863707486d96f4cf17a

SHA1
b32dcd4b60b87c292b6eb31c45699aefdd31ee26

SHA256
d0a7fd2a57614d8d6f1a4adefa7380d0c539ed44f7c24a0d60dab2ba895cc2f1

SHA512
4d75c014bc6e028ee12071da4590aa74ecd6be0b3b354bc7d40c059063fea3b0559327d89dc9352b2325ccfb4933d56d0c6abe017eabdeb11c66ce1c504ef167

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
d95931223f90c483f69575614c5129c0

SHA1
bd9975fe101552bc44c0228b607563034c7b2c2f

SHA256
49ac90646949209cb4c47cd5508f9bf841b52ab1c469a03b108b4685847be3c1

SHA512
10c7f69514d21506f34039d649c5fd132d0b7eb3f211555b41c003db2a47f8d6d5b9860f061e0913d9b7c03be0f8006252c2741c7fe60fef053d67a685fa5b43

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
1b2d21811be7f55b874855d311f83cf5

SHA1
0801f312078463e41fa3a360e9297c5cfb0771e0

SHA256
ffd7310b56e451fa1e5f347d54e431c8bb2cdfdb395ef84d1099c9594d48c130

SHA512
e7efa4637300ab430ce6bdeaf0a811bab292b61286844e60bca11c04569346944d685103fdd5016b386eaa7933143d0db11b0767b76a39569f3fa9a2dce2248f

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
58a004d935a344766160f385e25136a5

SHA1
da1712921597f5dd174e0ee24d35977689756b30

SHA256
8614862fb1d39887e4951ee9d64b646120c51610dfc97530c8681d9e9cac4c59

SHA512
4c90e33983b55f44a6efbf34ec2baa6093952b892763f0a45a9ba98a39f2c834374678a40fe857209a21fce0b4498d6ddf4e75ba5d115f64d9a8b11eed7a5be0

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
04852e31de283ed5c19a6275f75b847a

SHA1
bc8d169ead97e62a6fe4b76c2f83d08f925099da

SHA256
cce74b7aef5215101fc2457d5825b55ba1891691e75722080cafc6d971d1a3bc

SHA512
3cc08e99cb59059eb1bd90d13060d369a2f513648ac3a22177f7e622ea7eb0fa07208bffad54b83c0234d326c47677a24e8dc8f23b3de1c3a7ec64d4f8171d63

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
a2139028cc5080659f99188cff149182

SHA1
86ce4e191c2799f23af6f17cc44688c7c725881f

SHA256
8674e4a124f74cbd317094100fcbd7dae0d10844ec65a5f807677b2b0acca369

SHA512
722ed2325b09a736beace190d39b1e70de4acb39a98ab6303dab5df3d244b6b0eaf44f6b1356ca111327d4ce2fb0a6fddddba2c71edfc883198c94be8c69685c

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
915b876e00f245f85393ac516e71fa8e

SHA1
82b0aafa4ff231fc51b6cc7c5f9ffd5f4318e462

SHA256
b06d098cb4708324f0108bc7ba607ea08fcbc7f75e4864309ca91fcc3ab1e8d8

SHA512
d3abd9b59d637dc3015261f4100750b1fb5243dc9347dc3eb91f6083bac1a6d8f115f80db40d0947a86276f834d6801f1a2e16173f92158b345e485e7e6976fe

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
f72d07f72fb923a58b578e62ad45fe43

SHA1
db3a11e9864a3ee6a8fa785831b7dcc63adcf26a

SHA256
9bee99dd6a4cc6bd108922d41636ea45b258bc64c122ada92452c71a4f21efa3

SHA512
ca0cadb40a2168c464a2e45d214533251ed486937383112c95ba777527bcd48c915448375b3e422bec18252940ad67973d1072ba97eec1e49a8c1961d956347a

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
e716ff5545174dd350c604d8fd74c7f6

SHA1
a3c527fd1f92453d4536ab0fdae1bc72d1d432ea

SHA256
d743df7bc361cfc86248d0fe45ec5ca019eca87ca6160d3adfb7fa27a499befc

SHA512
cd41d35df23814904b2cdc16d9ce21af7384f792ffe8443dc30d90dd9b4fe8a9152089c3326306f78a98633bb7b032abe5bd82a99786d61f633eadd03e21b49b

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
e7be99b4a88f4e247981c6f3c5b3b257

SHA1
d147354769080519d11bb6ee2a51898ce224e01a

SHA256
4e7b37fe580f520b560160eca384eb885ab8d72ef64c324bf56e30bf580e55d4

SHA512
ab2c87dea20e040f33afcfdc7f57225f78f0b913cace78756de3903c541e76ebdfcb5bfc9d4f3516fa31b67f67d5cfb38fda173eee9154748af283b610d69f35

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
0b0b28bc2341605a3e09681cc4df20ef

SHA1
e4ccfa42599aeb4007b8dc1db868bef0dc02bc56

SHA256
38627af16abee0ae3b1f82d153e518bd5019109382f5168685252b59caf71de3

SHA512
aea0c2542d160072c364fd45ed82bf31bf6e1d0c4327b31ba0a3cfab886baa4640cf370172e7c136cee4efdba2ec40f4f93f30a4adfafef6826220de8da26a94

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
e422070c54fd45b90ff80a538948fd06

SHA1
dcc9f584e24c729966953dc41a0ec60257abd1fe

SHA256
c4c46641b0d85f099e6c5e9a6e6e2c57deb057749bad9cfb9d809f0a234e7f2d

SHA512
0360132dc7ac6d1bfce56c27ba59fc19bcb1c1754d16cbf369398ff06c8a3f86adaf1855b88684bc8577de3f61e48ddb9b6439b84c71ed1493fd85e6f39cde25

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
c43ad6bc44effb29bca1d8965244df5c

SHA1
c98f64ca867e3f7bf3826b5f94bd2381a97d04a8

SHA256
fc6385d86873df6446ba2d72bff9130a4cd099bbf4b2220a274903264e3c0b29

SHA512
3fe48b0b1b7ee9158bd0955a7e1b43e92eb41b56d3610bea5a329850e4e6b94ef22a5993f236dbd4cc99c6a726ec3112a4c3ffb02cdfb83aee8ff31165a0d13d

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
257036a0fb3d2768f2801e5d32b9ce30

SHA1
0634d123cc54fe889f179f59136e47357ff7f7d3

SHA256
fe6257986f35787b1ef9628e36a811d3484fff46899b61381086da82e363c462

SHA512
381a451ab3b3c97eb3546554811f0784e5341a7f668b9ceb41dc077d34ebd26fbb29b2e0ab21b2a52b8637b3998943c14ce60380b8525378d37ccdceb0f0e5a1

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
8583ac3e76ed2155e8fef321907878b7

SHA1
780b9413d8d31ab2ee634f65c0084807e698ca5b

SHA256
4a6c6f20fb4d97f7839218c977b0ddb61e7b50da117a333408b1c4d61e8861a2

SHA512
9d47a5b343b6eb47068cdb4874f78098e35d43d1033d6877b4cbb41b9a67060aed18838040e8ad36708d5b25cefaec6d284081c3c824e5bac6898356c358a476

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
849a023bfa949272a42718a659d6eb9d

SHA1
70fb2ece987bb6247d83a0097bec214c9d10f1e9

SHA256
811daccdb89b424bab742be9633d9eefb7c76c9c8dac06d52494e311a4cca92a

SHA512
f1b868f05a74e2c4ad11e78abdf53eebe4eccd55afb08a2a0c1f6fbb1decc798bc87b0b85288c533e91c314458d29d2d5df01c3c5fe8cd367ec608df5584f88e

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
706195a17f9fc59f2557c71ef7015fd2

SHA1
36831ef8dc6fdc119cccbb7d21f77be5294622dd

SHA256
cbaaa5b7d594d8591b3087805a32ade5a1af39cb51c841321b2d695d4452b2fa

SHA512
94be6f4a1876a4af2644d666c9c88fd6b884ca8b3dc76dc2d3afb695fee06ad324995fb2b22a40e3e4ee978210db589c3568f50fec1bc886b8fe307e95a2ab14

Download Submit
\??\pipe\crashpad_4456_THZDRKSEAKHGFTTV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/8-205-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/8-90-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/8-96-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/244-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/244-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/884-209-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/884-499-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1064-42-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1064-41-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1064-518-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1064-34-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1064-40-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1528-55-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1528-294-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1528-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1608-0-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1608-24-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1608-6-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1608-21-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1608-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1764-498-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1764-28-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2012-213-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2068-565-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2068-217-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2308-218-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2308-566-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2364-215-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2596-79-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2596-73-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2596-83-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2596-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2652-216-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3156-212-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3184-214-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3248-211-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3308-207-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3380-208-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3652-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3652-11-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/3652-17-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/3652-438-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3696-153-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4532-533-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4532-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4532-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4532-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4864-103-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/4864-206-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4888-204-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5008-210-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5380-436-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5380-495-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5424-471-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5424-611-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5680-610-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5680-447-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5764-484-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5764-461-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download