41fdcdfc33374b7eb1a0edbe80958c08ff5f6bcff89746ab99d65310ff4de659

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
Size

5.5MB
MD5

cdb12583d3bd1718a406c23fc2d8142d
SHA1

8a5cd343b0e8fe4bac7b51ebfbaaf13226d8e9ed
SHA256

41fdcdfc33374b7eb1a0edbe80958c08ff5f6bcff89746ab99d65310ff4de659
SHA512

5a362c3b809687380aaeacc3032f6f83cf006b6a826f96d93d5778ab97210253cbf3e859a777e21778a7018b56676cc3705c63f196d2e5ea0ce062680bb7ea3c
SSDEEP

49152:jEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfg:/AI5pAdVJn9tbnR1VgBVmy3C6Vp

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
2720	alg.exe
4548	DiagnosticsHub.StandardCollector.Service.exe
2732	fxssvc.exe
3196	elevation_service.exe
4984	elevation_service.exe
1528	maintenanceservice.exe
3180	msdtc.exe
4044	OSE.EXE
1072	PerceptionSimulationService.exe
3096	perfhost.exe
2640	locator.exe
3904	SensorDataService.exe
2248	snmptrap.exe
1528	spectrum.exe
2700	ssh-agent.exe
4840	TieringEngineService.exe
4680	AgentService.exe
1156	vds.exe
3248	vssvc.exe
4040	wbengine.exe
5224	WmiApSrv.exe
5420	SearchIndexer.exe
5808	chrmstp.exe
5928	chrmstp.exe
6016	chrmstp.exe
6104	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 32 IoCs

Processes:

2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exemsdtc.exe2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9a2ce3614a48edc7.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\java.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

fxssvc.exeSearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exechrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b9b95c7017aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610554596057951"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007437d76f17aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000671d26f17aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007612926f17aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000002e0637017aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

chrome.exe2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exeDiagnosticsHub.StandardCollector.Service.exechrome.exe

pid	process
1056	chrome.exe
1056	chrome.exe
3704	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
3704	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
3704	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
3704	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
3704	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
3704	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
3704	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
3704	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
3704	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
3704	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
3704	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
3704	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
3704	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
3704	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
3704	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
3704	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
3704	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
3704	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
3704	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
3704	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
3704	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
3704	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
3704	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
3704	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
3704	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
3704	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
3704	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
3704	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
3704	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
3704	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
3704	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
3704	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
3704	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
3704	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
3704	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
4548	DiagnosticsHub.StandardCollector.Service.exe
4548	DiagnosticsHub.StandardCollector.Service.exe
4548	DiagnosticsHub.StandardCollector.Service.exe
4548	DiagnosticsHub.StandardCollector.Service.exe
4548	DiagnosticsHub.StandardCollector.Service.exe
4548	DiagnosticsHub.StandardCollector.Service.exe
4548	DiagnosticsHub.StandardCollector.Service.exe
5684	chrome.exe
5684	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

1056 chrome.exe
1056 chrome.exe
1056 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exefxssvc.exechrome.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2752	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
Token: SeAuditPrivilege	2732	fxssvc.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeRestorePrivilege	4840	TieringEngineService.exe
Token: SeManageVolumePrivilege	4840	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4680	AgentService.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeBackupPrivilege	3248	vssvc.exe
Token: SeRestorePrivilege	3248	vssvc.exe
Token: SeAuditPrivilege	3248	vssvc.exe
Token: SeBackupPrivilege	4040	wbengine.exe
Token: SeRestorePrivilege	4040	wbengine.exe
Token: SeSecurityPrivilege	4040	wbengine.exe
Token: 33	5420	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5420	SearchIndexer.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

1056 chrome.exe
1056 chrome.exe
1056 chrome.exe
6016 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exechrome.exe

description	pid	process	target process
PID 2752 wrote to memory of 3704	2752	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
PID 2752 wrote to memory of 3704	2752	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
PID 2752 wrote to memory of 1056	2752	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe	chrome.exe
PID 2752 wrote to memory of 1056	2752	2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe	chrome.exe
PID 1056 wrote to memory of 3788	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3788	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4696	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4696	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4696	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4696	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4696	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4696	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4696	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4696	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4696	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4696	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4696	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4696	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4696	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4696	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4696	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4696	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4696	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4696	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4696	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4696	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4696	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4696	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4696	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4696	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4696	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4696	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4696	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4696	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4696	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4696	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4696	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3400	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3400	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 2180	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 2180	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 2180	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 2180	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 2180	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 2180	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 2180	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 2180	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 2180	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 2180	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 2180	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 2180	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 2180	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 2180	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 2180	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 2180	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 2180	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 2180	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 2180	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 2180	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 2180	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 2180	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 2180	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 2180	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 2180	1056	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2752

C:\Users\Admin\AppData\Local\Temp\2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_cdb12583d3bd1718a406c23fc2d8142d_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d4,0x2d8,0x2e4,0x2e0,0x2e8,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdb639ab58,0x7ffdb639ab68,0x7ffdb639ab78
3⤵
PID:3788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1808 --field-trial-handle=1876,i,7207378132791761050,6937336365144956438,131072 /prefetch:2
3⤵
PID:4696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1876,i,7207378132791761050,6937336365144956438,131072 /prefetch:8
3⤵
PID:3400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2196 --field-trial-handle=1876,i,7207378132791761050,6937336365144956438,131072 /prefetch:8
3⤵
PID:2180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1876,i,7207378132791761050,6937336365144956438,131072 /prefetch:1
3⤵
PID:1268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1876,i,7207378132791761050,6937336365144956438,131072 /prefetch:1
3⤵
PID:1324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4376 --field-trial-handle=1876,i,7207378132791761050,6937336365144956438,131072 /prefetch:1
3⤵
PID:464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4584 --field-trial-handle=1876,i,7207378132791761050,6937336365144956438,131072 /prefetch:8
3⤵
PID:4000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4648 --field-trial-handle=1876,i,7207378132791761050,6937336365144956438,131072 /prefetch:8
3⤵
PID:1048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4692 --field-trial-handle=1876,i,7207378132791761050,6937336365144956438,131072 /prefetch:8
3⤵
PID:6076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4584 --field-trial-handle=1876,i,7207378132791761050,6937336365144956438,131072 /prefetch:8
3⤵
PID:5284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 --field-trial-handle=1876,i,7207378132791761050,6937336365144956438,131072 /prefetch:8
3⤵
PID:5708

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5808

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5928

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:6016

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x268,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:6104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1588 --field-trial-handle=1876,i,7207378132791761050,6937336365144956438,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5684

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2720

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4548

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2664

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3196

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4984

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1528

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3180

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4044

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1072

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3096

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2640

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3904

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2248

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1528

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1436

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4840

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1156

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3248

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5224

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5420

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5196

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
2⤵
- Modifies data under HKEY_USERS
PID:5528

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
5d302144711834554b7dc1cb8d7a9575

SHA1
9a050af8e73d700530ba6cffc69eeba8e05c4b6d

SHA256
2464a8a8283e95b60dd6e855686c7a0ae800df12ee8a588fbe663de25e7b0bb1

SHA512
91d5bcee9c847641d764a782b8d6279e80950d201f9de7aadbd8d459396b1e2a6aef7af27b00434b9039334ec422b3d6a4a456abd68b5f0ecc78ef6e465af927

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
8b014bf3752946ff417db3b5fc5c73a9

SHA1
cbbe62ada67e53a4c69b9869821ed31aa063d68a

SHA256
754f376328953f45487e698a04beffcd7a9fcdbf1295fcbf67d3526c43ba4db6

SHA512
5a998673002751829f3da324d57aac57b1a0de27eaaad7b42fe8f9068dc0078161f6aa0b4811bd33e5f5aa21c7a9fefe6690d2884d01dd99f49e9f35941bf1b2

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
b1505cac79c3cb5e7c66a961bd55c7cb

SHA1
96dfc2e6ef43056d9dd9aeac7debb8880023b5fe

SHA256
e0815acb5da7f416b349c322386909e4f62cc9e7b6690cbaf238e08138333403

SHA512
7af34749486be9407c065b8f3213fa7de47a2e85fd3c11898c78329bbf17d2723c3813ae01ee88d6b7326dd0807b1badb7546bccb0b108c1f1a974ab2f48a22d

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
a86b0a95e0da9e25bc0b59d9e8583079

SHA1
e51de3484175ff66e50f3099c9ed44e4a2ad9b14

SHA256
28d7795141313bc9df367954f5ab686140a96f5ec7e237e5751c8cef1a8b0170

SHA512
c45c1b0c5cf9824793760b6c7a2813e206890507535dbbc0e1032515308fc89612fb5a8aed4a6e00f0549382e9e2a2d8539ebbf7f2b818e401d5479ad23dd6ab

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
936a448240efdb190ae0f9f8b4ff31ef

SHA1
b71a83b911f05aefa83d8b935e3f40047399edbe

SHA256
1892e0aaae23dfff8be41ff53f6b4d8d8dc913b1ee98afb2e7bb5a1f4a3d3a63

SHA512
d62c2fbce64aa9825459181311aa91011efffe1bb65951afe0b7b2a6cc04e0aa9325d4e49cc8cb838fd2bce08e03889d102b246d679f0e551fa412fb11361932

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
e0f0ab6bf455f81098cfff9b45ab6787

SHA1
007b594738d359b7d84c14d227c5b458ba30b9f0

SHA256
cf57d0fa6532e2e6d7627073b666c4985190fd54c2e14b14797b6edd03898eb7

SHA512
65dd3fe33f2cd507bcf326c54e58514ecbf9c9cebd9fe3f869aba9628ca492d20c78854054977a53ace0a46f97213968faaf247809321f79f0b97f096d5adf1d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
a5b487a5f238124712adba9a062a907c

SHA1
d57a6beb1586650f647ef6a543820883e9b3a816

SHA256
3c586b785332ad6fbbb893f5d713de69e171f4a819dd55ccddfd0e6772c361fc

SHA512
ad680991c6beadf9f6e751f8884967799d85527e16989359d69a888b8cb1d9435fa232134c3e50f2cbfbd9edb9604a22ff45419f23e7ec64b3ef860962fb5841

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
8b57b6592d9a3d809e5952189d6c70f0

SHA1
b2745636f71d6b060e826b19eeddf577b94cfca4

SHA256
082ff7fd57a096393daa9d41db63fd78b3fd03a77b3efafdded9c5809c42b16e

SHA512
0338757a6ff88c9a66462f4ba1078f38c3c6d0d74a9cb3b9bd1cc6daae9aeec889cf0d32439f3bf454f76bdf72f4e4782d513a510316bf50d87f986ec70a7b4e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
7a3f4260858fb285fb03d79578f40207

SHA1
1e7d1c529cb5142d20821aac4576943a774346f4

SHA256
df958deb2dbd45a2051f49c028a27e36038fadd0ab7b87907f5537cc3a667ae0

SHA512
7d55517585b9c3c20796718f26d31e39b3d762b742c1a1ec6b92ba59af376a18e8a6d6fe690faeca02ea478ce27431dd6957314db771d0cb3d462acf2ff5d0b6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
4f0d0d5d214d51e0b111b45ebf886b73

SHA1
6344d423602535e497905f324f8f99ebf08b70f3

SHA256
cb8597d1ce663cd5553ee4c898e11ca86adc781297d571072e70143b87483607

SHA512
1d6fe809ca516f5d32e1cdb3bc6e6167c882d5ef4a4890fd06805a9816ca6055ded9d32dc8cd852eeef8509b66aec8845f9a54a50c7429d2c33563c93cc848ee

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
020c36453ebf6c2ecf7dbd57f5a20a1c

SHA1
8688a8245a046fa4e34fc9bbfd117a81e5155a72

SHA256
0d3ee5c8cc2516b774d01d92b4898bd0c7cd91f163608490e6691c0bb525b3c8

SHA512
0e1c9c4318cd0a626993c808125b062f20e682f9b506c49c9839dfdfeb6e355c1f234ecd28ae30dc2af770c2f263637c482ccf11f0b6a34d9cd1782e43e244e2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
0f99af533b62a737a430e29df807e597

SHA1
482450b52a7616e128bc525b6e757385de954cf1

SHA256
d22a0afeab78a037c8b73b99aecfe08dc2220565fefeb409ec06c177289a91ca

SHA512
1bc6f3741d8f6df1d86c550f0069ce58df5349f16c23fdc1c3760b090f406d365480deddaf25c06574fd2e933cf6f9862b83582ba682e8dd5c2c218ad54beb38

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
918044a666e410475edb83c943cf0782

SHA1
6cb7f719c1c90cc174087cb110f454cc35ffa463

SHA256
121be68dee92fea6a08424743a363865e2adfa8e315681b23f02745dfd7b438d

SHA512
222171fc9c1cb12e35fdc2a6c2e56dfb388ec48c91f5850a6902ca6fb0ae17cc05fdf5cad8b5786598ff672cf18dea6c8bd7c93c745bfc0b26e50370ebd77e58

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
34ac13ea565288bd338fde6519fa9374

SHA1
821b7c8a6fa7db0604f3a2387633513df1b641e5

SHA256
91be72f03822d1fdbe9d5103e1df3e3a21354a1b4cd3c2f5cb9d12353fd2fee5

SHA512
a79d4b98339cc9cb2a612f8cc18813e2ac5046dd91c2e20f9d6277dff197205ee019c5b3904a07054d14597cec0f7cb9c0dff578ca13304a52326402da641f31

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
faf85659dd210b86a4dd82fa7a9283c4

SHA1
8abd698e947bbebb5af0317489798a6c2e4883af

SHA256
d812b406ffd32a53f8f52270476e2fe21671593999a80d7e5fdcae68cd3e3301

SHA512
e7ae43d8bdfa420f59c65ce899d596471eaf4876c27bf4dc0135f0ae09f0693ad157e2593a4cc1f313d9b406907b9f84b354a44d84860a3f8a2931ce6fd78082

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
0968eb1b6ad17de5adc9264968088cb4

SHA1
d10c0a0b9055e7b63ce8c5c212185f377658f0f4

SHA256
4e03a2ca1ca45dc2f5c8c24a823da6d2ef55cfdf2e0c3d9a12100dc12994bcd7

SHA512
36dae406cfc7ab0a1f9d2259b0c2689306f9c329c7742c734e6b86bb4e1a56d8626f25622b104474ff6a4e8d8299e1fa413ed8e7dd2072beeb147a7884c37886

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\ed133818-1d2a-474e-ba2d-e1491e46ec83.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
3eb93ebb18271b0d99ed77c2e230aa14

SHA1
58efc04938d55c48a204799e42ca5a0baca1e3bb

SHA256
61eec6d54f58de3d7dde6059b4c56018c719975d5adaad4eb3d4ca1861154da6

SHA512
1fbc54156345d57cda144bf7bf896b8b9157b590054b71c69ce36a4dc67a6de75b7f7f0052a6f98d83a15f5d45fbb7e857f16a0c7ec4a9ae5345f2ce1e4074db

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
a4cd9541d650855cac8ef9769de0ecc8

SHA1
03992c0f49e594315e48780dc9707fb1a8a49e4c

SHA256
96e72ceb947f255cf090844685da357780d20fac80b87371c3864ce1d479396d

SHA512
9a9b49c771cf752e24a44f35e323ba1427ad14b8d7f4f98b88de3e44ac8c9716c0ddec1df20d31ba7947ee1c8af0ab60dd27650a5956a3613fe847a52a99ed86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
ead5c5b65992ef68cf2eb90edd0f8846

SHA1
e23f95767614ce9830147ec6ba7b0b5ca18a8101

SHA256
be7c1faec23a46d25250554bdeb10d8f49b4fc3176004c914f34cd0c8caa990f

SHA512
043645f254ad57e33e6968a60ad645630ca980de7555b410631fbc597bdee7402e1f4b15e7d522537f01304ca08400fd58a69609a125e7440dfa3f1bb33d1077

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
5ef745ca1bd05e2bd7d5e3d61a156f58

SHA1
cb435cf2bae49375df70339c42d265612f769360

SHA256
31fac86e6f9f353cb0a429064b111d653dd144bdd9c15029b0e2817dfdf7531a

SHA512
12b7113330e8a54298153586461372d8ebee5f388edda7fe45d91f4882421c37c240da230f08f7e8d71a738384c87960a97cb10dbd0e43dd21278ef557bd0151

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
26ac1c74b958045811180deeaee04a86

SHA1
0df2ef7b8e2643ccfc355ff1e030cae45b940a3c

SHA256
b8f66fb19ee452f392e09d7bc62d73e45c5685bdd140b0938485d65bfba12669

SHA512
7b642cfb9acc44d30a440d913b8faad74726c7a89c366ddf7c8b08ffe82e2614ceb0216fc60db0fd595de8db328abae6b604f0c17129c6cf666689cff882266e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
f1f24137d365958b92e8ad9d27420d78

SHA1
409d83d456b9de9547dfcf08a382423ac9a99640

SHA256
5e17a3f1f0f8946837c10b206a9f21efe52798d8adcfdfe1c934274568c39d85

SHA512
51d78470e06a543874774e79447edabc48005a89e6c0519c5a3b836ab6f78f2c9532b2bfafe1ccc03d2ce6b344bd9d067295efb693899dfa382d6821d52992f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe576c56.TMP
Filesize
2KB

MD5
056cebe70ead07d8acc38f1ddd50556b

SHA1
906167b4de443ef14bb095ae8f196165c25d17e0

SHA256
bb4c89650137cd1ed35cc2299d77c4b282072dd0e43418272d06a04c82c3733b

SHA512
ba3fc43ac1e418b5c33910a18aa115755a4350b946b3a6589b77361b95f5f109973c3a072b4724ae9590f8ef2cdbe52ad0958be62d7d08ac46fd90dc3de00fe6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
6622bfc934ffc7aee57c92f7d45a2931

SHA1
6bf1aed16887081e68408238619a62259f631621

SHA256
b09c66338476e4facb77e265b5a2daca371cce695a1a2535ec191a334de158ee

SHA512
83ce403bf58b1b4b48389e279fd4d3557b5061a4a9727f21170ed83be4089b84af738df9dd2cfc465b900d377cb54caa0bd5d346d39b4420b71188764be3465d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
e44fc3c6c229c23d23ebe5fb80c96588

SHA1
12882e42d35381e155256bc3f97a9c2ba33afcd8

SHA256
6ee817b6731451f60e8ef0f721fc8c3986be1962b91a0af2ad486c7c8b19865a

SHA512
6f12dfddc92568a031d713c3ecf9b0b5a11d97d224f7b881077eb383d88c9ad02c3584df9bb164af5d5c4b7591f2b1eaaf934f803c1b626cea900ffd339e4850

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
20c4868fcb9a67f324c93dd963763e0c

SHA1
c5691535202c8a82b3f4014cc103bc3645d1cb2d

SHA256
a0590d0264e308b5030758a2d094ec97e5626dd137ad485d669334bfebcca62f

SHA512
e72a9045d737de16423ebde8cb66c2610c7940515b027a80229cf442035df7ca831a892786150fc0a3fb4a7eedeefecaa4f2dbb8a0157a406f141b94ab56c257

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
e43e17cb5f703d432663af02de759a22

SHA1
88fd4582b5aafe652bf82cf9b3ed84ce92a8137f

SHA256
8475ddff29790b8d1cd42d7332857d47b3891399c21c8c81cc1977a8f80a2dd3

SHA512
c0a785e2bca60b8835112478d8c092cbca7172996b95ca96c12ddcf29f63dbf110afb154c01637d3ef6d6f1ef4b42bde4ed9341d34a32c6108f0718544f6f26b

Download Submit
C:\Users\Admin\AppData\Roaming\9a2ce3614a48edc7.bin
Filesize
12KB

MD5
ab5a951a7a54dc14d553199e147a5007

SHA1
62620a77eaf538aa0bbfbeb8264ab9d3219cda55

SHA256
408c5028ceea31d9e925aa07a14e21aabc278a9c757069393ac20958bb0cf78f

SHA512
7f2de895161234138accaab52dda30050d2094567f23d4f062a71e22e3e0cf799fb83005f817fafbfa06e94465ae4cc29d88184eb681b9ca1f44cd97820c757a

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
25e9589d64bc5d875f28f8f40caf2fd6

SHA1
6e895d0c11c819ec9ba92b7ae100ce762afbc0bb

SHA256
6b7348ca40f2af097c455f2ba41ec561d2d816c90764b7d8dea50ea6062aef5a

SHA512
cad85dc56628da1d4b5724223e34a25f3a76ec575eb41a760781236616d974d97f85faffda06d1c39bdf8710b74305fb3235ef88dcf6b56d0af4107fb71864b6

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
394efeed1171be12f22ff3bc070b8952

SHA1
51a3c68121f2d578398a0e639306aecfbe583f18

SHA256
6bbf270922ad9df9c7dfc0ce17113d169e2737843c0d20fbf20fb9da311a5729

SHA512
00e40613442722f471e28fd8c00b4cd6b5716d1a0f94f3522fc375fb995a3d903b2744dbbde77f28909644d92a38c302bc4ae81e7c5a052cb41380b79af6a343

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
4697268967a51bbffd2f5357c254165f

SHA1
401852af5c6219aeaad909b487b261ef17a04f14

SHA256
b6b745bf2612a791a37d856064a66a318b5cbbe196553341fc63fb7d152c2c1e

SHA512
2c9777fc95ceaa530ddcd238df3fd99d7fb9d1bbf5549f3d15fadca386af5a9eec2853210d01ea0870aa1bc9cfe831c51fe6a76c31ebc3c4220baaa30e994458

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
a47b1a0832f9132e9f9c102c107031e7

SHA1
d359e2c3edda501f45419c6bdaa6bbd83aa19b40

SHA256
5ebc2201f386ae9586553e81e08db1a82ce11f6877effa081aebbfa1fe2353d3

SHA512
7adae07be5d50b4f0f698652d5a9c862d6750a54ffd076d11b48a04adad024ebf32e1a244015013a1d66f20172654b95887c63e006d56fda622ba9f87aa47fdc

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
de61d34c065884b70b48ed7b8b1a9ee5

SHA1
ffc4f653d532eaef499c33c75a059ab5c08aa762

SHA256
6e9b45bfcf188647d4fe38b70e1b626dd9f082b210cf04cbf51aa3185a292aee

SHA512
b261b10f23141e3249f3b6607f708fd3765f5aac98b2411433df006912e6dc717885ef4beb7d4099adc996da1b083ffa16167e61d4ea906afa3752177116a2e9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
960602186ccdf0eb49818773a37ffacf

SHA1
784f3788a179eee2a400527ae323354a6ac0e9ac

SHA256
4463ec95f5233275f85f702ab69a171c20995b9e7379c602e9592086c80b466a

SHA512
21028e58002acd49ca07342ae8ef006dc535c30ea6af72c473a9d07faac2c30ee8e74be1d4d4be6478849c7f783303857e43560ef72b6224f9658cedec3bd574

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
d5ef9657fc2ed332cd75ebd90092bc6e

SHA1
174be7a54df37ec67a342027354f9a3e2261a8b0

SHA256
35d574e96621e3c5bfae61caba4a86a0183ca2977ff0b73957caca4cca75dc4b

SHA512
d2753ee9ffa34e3c72d015c3de0790c76509e79f47fbd79c2f317b952579e12766de4d18d7c4449f80182eef839292f26c8b23288fb69b98e74a511d22e4b1bb

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
2730bd24a0d06e5595084f9a62d0f023

SHA1
bd59360e76c60d4b336e2f31191d9b4636d72122

SHA256
af96fde960ec81a5a0a8f7655998a0a1665f06e37f2c31e2d873451cae78e650

SHA512
bad1e0c5f51b6e5dc0f18833f75d3c2d4ab0aa0b4366d2c5e2b02f4211d262b0877f67979f600e54f2f8a1fcb05bd210015a8e8b35d49b1120a7cbcbf4d91afa

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
7c80d26700a78f10de4022ff38c9a956

SHA1
21fb774fe6d6c3b5cd0ea7e2bdc1344d8721cb00

SHA256
4fb595365c9d3681e99cf6abaa3c95a79e672b67c0d7487d778be7b3db2b055e

SHA512
6b3c66cd33b180444a966de089c848af8d6672e7a5d23c51bcad52ff13315bde3a062afac563f101042f748b33ada0e3e0edf83953817b56a496ef89f69849cb

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
73b546aed3dd96131b72ed017227f06a

SHA1
0c7b97c6ec5c747e4dc03bc1bcf31f9c732c2574

SHA256
58e787dadb68e03e1d1a202f9c75d4f5ad59f0ceea484b1f76ca1160332d13f7

SHA512
752784f4a02beeffead2f7cbb494e059fd260ca43568035ddbcdc37bf65681c6dd9b7f85ef920e1e6ec06ceabfea190cf4b4f63040bba3bc75c3b11b43ce14a3

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
60c6096fb1a0d0c9d6e0fb8e83267c17

SHA1
77c4ba659927b9b047700c8be3ceec1763b82b15

SHA256
bce83e8c47c06621f2e7ca7f962ce7e8f04428ff19e4f247c37c0cda1e533ce6

SHA512
a9ac6861b7733026cb3b268f4caadce60e4784222d87b9accc257fd6ec192706e988ab4b61c0c900c797b97576a0dd326c4a183995d77f3a4fb284bc3fff627a

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
c1cd565a6a433aea388ef791ec395802

SHA1
3e208fe5e09f0143b9db55e0bf4739acbbde5d76

SHA256
0b6402fd598a9c5a715729320143db4d8baa7c72b74fcb4c95672eaab5cc0c91

SHA512
502a7b41a07070c1adc3515afebded23158c89434a3af272abb592ccdd80091a089b53663b0a453659906ed6bfc5e6a9ab0e6419455359fa405d2dd73865c1eb

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
676d5d85b3295721df860a6ac18b67f9

SHA1
1aa29accb25045d558fd2496cc5598c69486687b

SHA256
13ee7aa677c9f459843ca4dc41f598341e21200821cd55c11a47863f2ebc32f9

SHA512
34c7977e6d29055f994ae374e8da63d0eba33290ed0c5bc425186f280f9d0b5318179aef76fb80545ccf4085546be4631a2967ca85bef33d0fae9e1bee93386f

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
1f7163f5bcae40abb6801d58f3298dab

SHA1
9b75bd609196a8919d1a8d824a600adb5c34e7d8

SHA256
a535368c21ff9f6420ef6dbb22fad22e1906c2982a25f1ff513841379497c1e2

SHA512
bb4ba1d0ae598e4da7558d984a13b0eea85e1ecc440caec254ed99f9b66f88fa36f4b613e5c33fe461c0f9c3352cb9fb8e9511fbb2fb07a503feb430d1b1c4f0

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
f5d5d531bc96e63a4cf6c7ecda0175c7

SHA1
61a9a0038b93450309d0d3e16e41b6fb04086cee

SHA256
3717b2694d3cfb3e18c6d9c5e75e02711d4670c7dc9bcea4a873d99ae9cda368

SHA512
fa8e5cbc0ffa52db249f50c83abc31ec75ea88c6ef792f8908c57593f9f4429d27a2c67b22d9c3c9565f558caf7a0b0a43445591daf769f60d93b50d311b70e9

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
320e78b7ab2ea0fa3a9774cfc58ccef0

SHA1
ff63cc1c88c5cf3d0fe35a342758933a4f444c51

SHA256
b3fc08b21aa7944e91ac579ae420c35589c48c5f72c85f75078fb1d851ad85ea

SHA512
064e6dec2a3f128bd78265bcb2667cdcdb8a2d1255198af40ec8ab5208d386ea6190523a71cff7c84c608a24ddc2d1191ad9535997e509add264eb1f23a4691e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
99688d9b5bb208c31e5da0cc11a151c2

SHA1
c4f579acc89865483b99d0150d43a3053d6a337d

SHA256
ed7f4a087d793a49a66010ea8ce616bf6c64dcf9a758319c9ba9bfe5a4d04578

SHA512
a7bc69d750287ba8eb532fc1dbec17837c61d8c61e3f6d9c14f5828eb35b09660f2fe263e950727a0745d0d0133745018ab0e0b856fcf6581315fc1499b7cee4

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
1004b76843866c88c418bad531248276

SHA1
010bbe365bdffc5eea438ecb4319e284b2791662

SHA256
339b44365b17501289a7a26a98be97d5906e400fe91ba3be804fa6c1cd58af6c

SHA512
67ef464bdd75aa9b851e7f8dabd19b0c861185278740ce3e54c13a9cbf3666b7cdefd5c2e763e48095786f4f2578155ab163434e83fd8eedddc624d2ce5b6393

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
295c35172675c56d85b3271fc5adbaf7

SHA1
fc8f7052aa2fdfb84e7cb6bf027db403bcb8cdf0

SHA256
f022aa4752d0400339634741871e82f3bb6e1dc719e1ffe9b3987e457c01bdc0

SHA512
15813f64afc1d8f3fb24db561e3b68c8efcdfe45dd0768d53f85b32e72352c0f22240b9f4156dfa8feb88fde664025c75d3fe6594c957aa961fc010496f8548a

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
7b18bf43ea2f34c57fd7c2e974ab027b

SHA1
e1999aa545b0e66fc186415bf058016d3764116b

SHA256
468bf54006dba9ab5a78aace8daffb2022bf5e3f12b153e19355fff5e2114558

SHA512
d00eab73b18b085fab74da9f0af45ef0edf87eeadf796d21c60c8becaef4a412db1897a39efe82fa13e9649ab8d372191fb04cd70313bc7b905a042a29b2f286

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
82c2f18f4f3806c740d796dea071fc34

SHA1
3fd1c197ef6f2609878d8a627a8557cb55b7408a

SHA256
eade19ed2dea6df042116e81c2c6606fa99495da99425e7eb0e0c1b319c22c5f

SHA512
28e581866b05dc581865fb980be792598cce44c066be0e0f7493fc7d8cf1bda06097d588bdf2f929e5c428806c1d6cf5094ee626c31f75291f7a0a85fbab4489

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
b6e92db73b264fb70a1e64fb9e273b81

SHA1
9cd9e476546b93b14800af21c3a4e8cafaccbe21

SHA256
9a445827d451b0a725e20369dde843cd6dcba2cd9e62abc9a1fc0ba2c6bbe31e

SHA512
c88587c093c99ce9eaae79f83be672a16e82001e7c568d3bddfa84b3d9f4c5160c2b51dbab796a721f4878782f2e695bbb0c3b9542b12fd54b7c14574009d2db

Download Submit
\??\pipe\crashpad_1056_YIXHJGNEFSKRAKDF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1072-199-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1072-107-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/1072-117-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1156-197-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1156-540-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1528-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1528-85-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1528-79-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1528-428-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1528-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1528-73-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1528-167-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2248-153-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2248-405-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2640-212-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2640-139-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2700-184-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2700-444-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2720-138-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2720-22-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2732-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2732-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2752-24-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2752-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2752-9-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2752-31-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2752-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3096-128-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3180-190-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3180-89-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3196-156-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3196-49-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3196-55-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3196-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3248-610-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3248-200-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3704-127-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3704-19-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/3704-21-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3704-12-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/3904-539-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3904-228-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3904-148-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4040-203-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4040-621-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4044-93-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4044-196-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4044-103-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4044-97-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4548-33-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4548-42-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4548-39-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4680-192-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4680-191-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4840-458-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4840-187-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4984-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4984-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4984-175-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4984-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5224-213-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5224-622-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5420-625-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5420-229-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5808-416-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5808-498-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5928-442-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5928-627-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6016-485-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6016-457-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6104-628-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6104-474-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download