17a6fa3b9e64943d118906d3d5e2c8bdb85467917cab04b061fd68f463e4429c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
Size

5.5MB
MD5

75e9a65d387a5bb9e047a8994a0cbbdd
SHA1

b703b52034f0e313772e3c4ebb1f2c67c6f1992e
SHA256

17a6fa3b9e64943d118906d3d5e2c8bdb85467917cab04b061fd68f463e4429c
SHA512

2106dc67a28a207b1a17f3b6c0dddb8c25bccab9c5f5cf5a3147f8e041035b431cf42bd3ca239c1423b61859a6a2e1f1052342643ea721a3162909807a49c352
SSDEEP

49152:6EFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfe:wAI5pAdVJn9tbnR1VgBVmG3zlQpRQQY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
4896	alg.exe
4004	DiagnosticsHub.StandardCollector.Service.exe
820	fxssvc.exe
3708	elevation_service.exe
4920	elevation_service.exe
2036	maintenanceservice.exe
476	msdtc.exe
3104	OSE.EXE
3188	PerceptionSimulationService.exe
2328	perfhost.exe
2032	locator.exe
4396	SensorDataService.exe
4156	snmptrap.exe
1864	spectrum.exe
1440	ssh-agent.exe
4084	TieringEngineService.exe
3512	AgentService.exe
4772	vds.exe
4080	vssvc.exe
1060	wbengine.exe
848	WmiApSrv.exe
5200	SearchIndexer.exe
5392	chrmstp.exe
5836	chrmstp.exe
5976	chrmstp.exe
6104	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 32 IoCs

Processes:

2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exeDiagnosticsHub.StandardCollector.Service.exe2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\locator.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f04e0b592be0f3e.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exefxssvc.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133608849975639453"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005a5d888c8aacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a809f68c8aacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e601918d8aacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008e218d8c8aacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000636a178d8aacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000085b6448d8aacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000937a688d8aacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

chrome.exe2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exeDiagnosticsHub.StandardCollector.Service.exechrome.exe

pid	process
1508	chrome.exe
1508	chrome.exe
4728	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
4728	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
4728	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
4728	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
4728	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
4728	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
4728	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
4728	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
4728	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
4728	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
4728	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
4728	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
4728	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
4728	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
4728	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
4728	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
4728	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
4728	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
4728	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
4728	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
4728	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
4728	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
4728	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
4728	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
4728	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
4728	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
4728	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
4728	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
4728	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
4728	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
4728	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
4728	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
4728	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
4728	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
4728	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
4004	DiagnosticsHub.StandardCollector.Service.exe
4004	DiagnosticsHub.StandardCollector.Service.exe
4004	DiagnosticsHub.StandardCollector.Service.exe
4004	DiagnosticsHub.StandardCollector.Service.exe
4004	DiagnosticsHub.StandardCollector.Service.exe
4004	DiagnosticsHub.StandardCollector.Service.exe
4004	DiagnosticsHub.StandardCollector.Service.exe
5332	chrome.exe
5332	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

1508 chrome.exe
1508 chrome.exe
1508 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exefxssvc.exechrome.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3740	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
Token: SeAuditPrivilege	820	fxssvc.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeRestorePrivilege	4084	TieringEngineService.exe
Token: SeManageVolumePrivilege	4084	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3512	AgentService.exe
Token: SeBackupPrivilege	4080	vssvc.exe
Token: SeRestorePrivilege	4080	vssvc.exe
Token: SeAuditPrivilege	4080	vssvc.exe
Token: SeBackupPrivilege	1060	wbengine.exe
Token: SeRestorePrivilege	1060	wbengine.exe
Token: SeSecurityPrivilege	1060	wbengine.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: 33	5200	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

1508 chrome.exe
1508 chrome.exe
1508 chrome.exe
5976 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exechrome.exe

description	pid	process	target process
PID 3740 wrote to memory of 4728	3740	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
PID 3740 wrote to memory of 4728	3740	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
PID 3740 wrote to memory of 1508	3740	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe	chrome.exe
PID 3740 wrote to memory of 1508	3740	2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe	chrome.exe
PID 1508 wrote to memory of 2408	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 2408	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1932	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1932	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1932	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1932	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1932	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1932	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1932	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1932	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1932	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1932	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1932	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1932	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1932	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1932	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1932	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1932	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1932	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1932	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1932	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1932	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1932	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1932	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1932	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1932	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1932	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1932	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1932	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1932	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1932	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1932	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1932	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 4732	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 4732	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 3832	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 3832	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 3832	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 3832	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 3832	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 3832	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 3832	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 3832	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 3832	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 3832	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 3832	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 3832	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 3832	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 3832	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 3832	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 3832	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 3832	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 3832	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 3832	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 3832	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 3832	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 3832	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 3832	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 3832	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 3832	1508	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3740
- C:\Users\Admin\AppData\Local\Temp\2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-05-22_75e9a65d387a5bb9e047a8994a0cbbdd_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d4,0x2d8,0x2e4,0x2e0,0x2e8,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe7e45ab58,0x7ffe7e45ab68,0x7ffe7e45ab78
    3⤵
    PID:2408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1916,i,16572456806759385659,7150944064220503931,131072 /prefetch:2
    3⤵
    PID:1932
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1916,i,16572456806759385659,7150944064220503931,131072 /prefetch:8
    3⤵
    PID:4732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2232 --field-trial-handle=1916,i,16572456806759385659,7150944064220503931,131072 /prefetch:8
    3⤵
    PID:3832
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1916,i,16572456806759385659,7150944064220503931,131072 /prefetch:1
    3⤵
    PID:2500
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1916,i,16572456806759385659,7150944064220503931,131072 /prefetch:1
    3⤵
    PID:2336
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4252 --field-trial-handle=1916,i,16572456806759385659,7150944064220503931,131072 /prefetch:1
    3⤵
    PID:5012
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4484 --field-trial-handle=1916,i,16572456806759385659,7150944064220503931,131072 /prefetch:8
    3⤵
    PID:2160
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4616 --field-trial-handle=1916,i,16572456806759385659,7150944064220503931,131072 /prefetch:8
    3⤵
    PID:2816
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4500 --field-trial-handle=1916,i,16572456806759385659,7150944064220503931,131072 /prefetch:8
    3⤵
    PID:5604
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 --field-trial-handle=1916,i,16572456806759385659,7150944064220503931,131072 /prefetch:8
    3⤵
    PID:6120
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5392
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5836
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5976
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:6104
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 --field-trial-handle=1916,i,16572456806759385659,7150944064220503931,131072 /prefetch:8
    3⤵
    PID:5408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3884 --field-trial-handle=1916,i,16572456806759385659,7150944064220503931,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5332

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4896

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1944

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3708

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4920

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2036

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:476

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3104

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3188

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2328

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2032

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4396

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4156

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1864

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4044

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4772

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:848

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5200
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5924
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 788
  2⤵
  - Modifies data under HKEY_USERS
  PID:5356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f1c185146893705ea3c5ddb0429b4d40

SHA1
1b747688295585cfacfeeba429b3538b6524c095

SHA256
a7a5dbb5a210163cd4b6b9174cc4af2f76c1c5b96b5faf181dddbed9d85e9b77

SHA512
e2444340ff25f3f6718e0d429649e385abb7e71108e9150c9921ba24d1e734f05d495d7272d0b80e718333e57d1c8e39bc479afc6195ff49d44359e8d40d6737

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
76fc9d6ad3eb688323d93ad637efd749

SHA1
7c7581d4090d794de3d87357ae70fc00ec23f85f

SHA256
8e7ce33580a11c33451b17f95a089c5f3c6fe17de9abfa459f16ae90c4e3f4dd

SHA512
ce4866c42b8f591d73458401a588079a4269dca452544c8056abdf483c0944fbdead43328d73996d430e8d03f794e919bc85f3d11cfcf56655ce24e2cf561df0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
eeeca53d2a2fd50c91c096c7c6571ad5

SHA1
b0b1a722fb2cc66ad5bd985bbd0fd45bb47571b2

SHA256
8b5d416fbc6091f6559bdec2330015bf548666ae0c0b6ad7a09842fd2f7c6d52

SHA512
3c01bbb9c2560f732c36dc443969711c2c0b213e9ba495361b572637f0d1d77cbe65fb1d76461c2fabf729ae5e021227717b86d2c65b60e57ff276752dbe3d50

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
de5e0db6ee57a87cbb5f430b9cf92ae9

SHA1
7180dd572dad6dce59278ae9541caf157ee846d4

SHA256
613b833e04b6a3b480d93f70cbbb2d00d0443184c68a859a5cd07a179a9d9fe9

SHA512
2df76f718b6c191be6f041cf3c040fb0bd57f585698b71a0eefdaa0b85b8b6cc312ecc2089747fbb684e50d06b0bc70d9b39258c2e49642e60df94b3b554f46f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
716c866d478e2da3471b4737cb73027f

SHA1
e1f24a304bc776e73640a34f4905439afd2f7361

SHA256
a8b2685cad6db287e4821d05adb606d666cc6a8276611786868f4a2d6d349300

SHA512
a3e0e37bb01d0857744248ad263d02abde29743832af64c36dc3a785aa14866238c7c5d5ae374c27ba440fd8cf40aa0cb15dbd9a10bc0c36c0b3d457b86863c0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
710b0d3f4fd1fcc2ba5a3ec5e859e3fd

SHA1
1176d1d864f5b9139551e4051e9d276e58973f60

SHA256
7cc10a2ff57c8c356c47ef81792153dd800cdabfb9471cd8a3ecb625c5ccab1d

SHA512
75c818db29e22feef3db6fe0c8719b4f88ff77ed0a5c9e93e7f3e4ee6b2b1cf5c00c9727d0d0e046574df71a46d6d5163ceff52a1165e784b996a314e7317e91

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
63c00ece2b5c96b0ec305d623770364f

SHA1
22ebc783ff7e083272ecf77ab8e3c39a97241146

SHA256
7cdf2c44710f8d7af4527c09c5192049a6c2b7ae873aebcf170e679828390ccb

SHA512
a13a3fc5c2d729580f4534d056765253847aa450267653f03dcf901c3f1f792a91d674452c68ab3070471b01372c6824be593b61b818743dbb8fbdd17bc4075f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
eb7c7d66d629429f83a2d78cb9fe6491

SHA1
7af1483db3be93f0b2b1be28d7738ca8924a4181

SHA256
03f3434e39631f1a06b8769b27c9bdbf77e0704dc2023c8f59b04da4fdfb0eae

SHA512
f768271c98dfed41e4fa3f146df0779d504edbb9dd65c8d4f2f189ea975f28f58f79ffe68874a7a0ab011527ae6106381dbd8d8f12c86793573947cdac179cef

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
ce44e450a51ae2f3b5fa43bb143869e4

SHA1
d15418ca717e6dee832ed1c20dc9ddce735cb1e3

SHA256
866999daa49ac92cb3d8e90b383a630c615ab044baa85c54c65aabd78673a0ae

SHA512
1529e75112567281f150c1dacb78926dde9fee358b588ca6f374fa74a0a32237e554dee8824db407a8b53eac99be818017d0e99b2fd24dab2f657f9123cdd88d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ca469a730ba588e5254a7078b4d8ddd8

SHA1
c24e97054a72e00eceb2961177cbfc03f7f8e395

SHA256
8a5160233b38f5cd9aa81241ec7aa8a7a5c3c5f02bb553af0806580b183bcb43

SHA512
c2af791fa6cbe05851c8afb3f568ebe69e520e4404f48f9a5c311cffd75df7f039b32e590533850644cb3081fa4d4eca9125117f99a0e62f7c4ee596d2cbcf8b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
641badf4af48b3b75b706243b17d516a

SHA1
ee095330ec5bdd7a0ecf320a90d431044c33c177

SHA256
f4db93f569fa7a6d3acb1460dd09ea143d724e931001b07b8efa96fac68c63e2

SHA512
55ec54991dcc4d701a3b7650d14225a83d521d7e53420f82466a7f881632a1f9582ddc772904868b67b6aff8f92194e18417a1045a099f68b70defd720ebd062

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ffeb6b412aefcb742f598fbc92e54856

SHA1
2cf6e597d2120358276b637c68d1df460af6c60d

SHA256
5d3e47703b66ee4e125e4cb99da48e6e9b60c47ff2d858c4019221f3a7638730

SHA512
9468e83b5ce14ac1e891ffafd369af2f590768e49b293409482a48918b90891fb1ed95562ba394bec255ba2a0f243eed332ed0e79f125d9167e76c419ebb22ba

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
73fff02c2f522cc4ce73a6cbaa2ddfd9

SHA1
5435962807af605426a25757f110160230c8292c

SHA256
a3d0770c905440352009cf56b513b60122719093caa4962abc07715d2820eb4b

SHA512
c032d215881e08c1e7bc411d1bddf59832a545e8245bc8ac4656b4f3630c445730637bd2bf184cf4ab2be780c8da755cc9c85180093ae5ad73c8f15b6bbbe4e3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
1db57d30917c4a4d1575992b3bb4e82d

SHA1
2bd84ee7ebcf6b0e44b6ea880340cdda1ddc98dd

SHA256
b81de0141aee4a03f3d5fc5f87e5ef1fee5c6b1a83df3a09b1c552b5fc89be6c

SHA512
79842cfa05e1ba24cdeab4fe896b359c5c4b34429d1cda30fe5d1a7f109b80ec0a6882756d64ef959e96d3c9b829ebc15bff35641e3b8f115a336caabf26b380

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
ba55e99a626f9b8c8b1c0c887f678061

SHA1
c42cf676262cc61c34600b6701d80cf62e1bda11

SHA256
336737659c303a85e0cec83a6a2848dacfe32ecfe90630facba58468648e57ee

SHA512
a6c9a5356322b2fdb43474e9da5cc861b0007e4ef7e563109a1987a15d1dc34ec504556e6674c4a7ca0945b68f62b8ed79f579d20e013886330b52ebde6d4120

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
ce704c260e1d98ba9c3db1dac51beb42

SHA1
c1ab209905d6b91823401c45784a925b5477194f

SHA256
8dc24087d13f0638c54b7eaaf6655e38b568525358f15be61c4e7de409541b93

SHA512
abb43d262917aed1c0130bfcdc934c374b52bbd7f69774bc7f926e053e50ee3187ec1ba2cab9b9954b54534e39caba0015a9d97a4b31ee0f2845967365679d14

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
d0c3489dbfa7074fbfcb0c8e508c3380

SHA1
7bf6e052d5998303c17637b1c86a65fcff3fbc5a

SHA256
1a9b1b9953bc96c5950a246046fb16e6deef574deed2366770c98525efd57298

SHA512
ce78cdd3a10af3c9b792e5b71d1685730b3318d5210551c2adf054daef470cbf89bf96de10aae84812a823a321b1a82084d53cd2997a6db153cf9eb4734a1a4a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
5bc0ffa4085f0d4fbe7625b28502e81c

SHA1
65b429c897249c7fb22f398aefed00915d6b63f4

SHA256
a0242206214bc39d6a69cd5326d4446d2da3708ed86626f3c1b3d92e1775990f

SHA512
1128bb63b4df9eb9b81a5d43d9fdf4ded40931468d575dc1690e17258738b944544ea6f681324fa66ad493bfcf754c5ed1eb62db7e3943f9abb8058e6f246981

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
931afc81511f2396a810ba29a0e3a74e

SHA1
a2d74679da72c6d7f9e5f8dd4bba5bd259bc0da7

SHA256
db0b0e4d87428b0eb70ea318525fc84605184d46bc5707328c3dcea9aeb104c4

SHA512
02dfee644f8d655951e8d2bc45e6e23dc911f2769ffb42388eaa5639e5b2246b0ff33d89c712e9ac45d9b0f390d0e1fb626363f4708b943e702e0d2459571428

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
6123155f7b8a202460ac1407e231fbf4

SHA1
13121f6000a380f6621bcb8dc7c83f9cd10ab626

SHA256
dc3766fd1d9f14e305d5483a9e886548c3ff3ad2d8497e26a04c6d8c31e7be6c

SHA512
ef2e48a3517f58cf068d2ed9e202ba4d2a54afdccd4937c74b5c84d5c4fd47d9b92ddcf3b842a102b426dccae53ab3bc9e571a5cf27cb315be4dc58bdaad34cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
543d77f21d9bb0c1ac6acfcf6e0a781b

SHA1
e3a2d8ffef9f7becb297eb788375f86daba3b9f2

SHA256
f734a2bd6579876bd61fb1173d7103d4c6aae28f62890a2fc75ead91c69af836

SHA512
22510d010cd09874b6e6d02ff71ec3edab3ef7d66b99a3c0775e34af5e96efe0d6b3a823324ab4216459597b25a67fd31d0e9bb041bb430ca3fda6c5cd8d6075

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
0794c7fd25654866bf3d8dad0fca8206

SHA1
77bce6e5837e8782fa79baf01e2bfcfc33ee5f28

SHA256
7b3cc0c190562c58256ff42d5a4ba86e2124bd0b042dc652f1a0d5364275cea2

SHA512
c48b74bfae9be68fee5f22b1955635c89cfa9c755bd0aebe3f32453158ddd11000e21b0846492ccd90fd336d8382b3ccceba736f51a1411a3b47a6b6560545d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
6b5f073264ccdfff92083f059b850d0e

SHA1
8d615bffc41068de54016e74aacb2a41fe59a355

SHA256
c0ca9220b113b285ff91dd172ba31c532b4b356482c76d782f568b4cf23b2d5b

SHA512
e84fb982bde16f697dc90b92594d2999a6ac78da91a72fa7f0592a3ad2466cbd46fe10c3b3aff61c26c330c634c39b3fe590fe5359aec9558ec0f320b938cf59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe575bdb.TMP

Filesize
2KB

MD5
80c9ece824708be3255fd46fed4fa84b

SHA1
6ab10396c88f4760224c2820d198207c54f01266

SHA256
1f8af8464e8755fd26db7cc2bf44b59934126100a43b00a66da96ef4bac4e336

SHA512
c8e8c5ce9c0607264264ceb4ccddc869543fc5b9d3929ad42904cefd147938d6523ee61e5ed2f6f46fba1e6c92f8b6dc14300f4c6c7cfb295fe3274677d9ae2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
0f1f35267340f3efe1094b54f6a83780

SHA1
082d2b4c5b24628457082f1b3f8043aad0279d4b

SHA256
feabdc979383a034554086cc378a65cfec2b4cc59145d75180cbe09dbe8fefef

SHA512
2d4bf7b44a8e298454d069fb36d4ad7b7e840d501a8587f4c7b954df7a55edf05f88c511441a0c6a4729a183b3d6b87606ff27b295e6d1f392367c6d67f3c037

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
e7710e30ae7f2fe499ca5ddf70a210b7

SHA1
bd8d0e2d00d292ec9cb770a379fa98ded3f44d21

SHA256
37ee8afced50c32bf4c51988abfe02990b3d28411b608e7a5c76c8feb21c3293

SHA512
f1b99874cfa60eb0d1d43b6bcbc2460b9ecb5dce94220d88a89e50698199e8754844db821545e29e9e3b0c3fcc2d2422b3da1665c51db3a840370d3ad5e64f96

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
c8208b6df20cc186e38d581934e94557

SHA1
c3228af7723a2b14af8e81482f3e77876f712eb2

SHA256
0a2eb502b7bdd16e31ec25c0cc218fabadc32f815c9d56a6aeaea4e6271ada41

SHA512
e802d6b64227796cc142e3e7108b454cf25b4f960508e7cce47b71184a8f360c3d2b3d0d7a70123f1ea57878a048d50980af01764fc6d45761f72148dc828c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
e4b855a479b390ba0d2834e80c4277b5

SHA1
9ff1701f111c05994a5983d0fe5eeca9d1e47216

SHA256
09b8f01b71f8e169ac9dbba90688fa2f97e9d539df9c51830667adf16fabe620

SHA512
137c6fea3b1d4ce880bb76226cd3eb5c54019302788dd235d08cc476b7b2c48d6f6a5b63c80adfad0eb52d8a1c63f8d1c830cad952b8ec96c59df05233cfd89b

Download Submit
C:\Users\Admin\AppData\Roaming\f04e0b592be0f3e.bin

Filesize
12KB

MD5
e8c1f9625bd94a0f0d18727d1c1221e3

SHA1
c29dc7c66707d2dc2f92a52f5388e5fd585d0df8

SHA256
54f5a57c3309cabfcfeeafeee571e154f5fa755fa03d1d31afa5791c1c40b870

SHA512
4a02fe3b2426e0e07e010f00d958ea4b23ade7607fb728c1f4c837c07cff1d5a0c1fc948b42bf58a26f1b2f1505b687428d9aaa7f152ff866d89afec606c548a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
ddaa3ef621c2ab8c9299e86c637b3dd7

SHA1
824048c492a6140a0c9155cc43865f17891726f7

SHA256
2bf3e527dd87438adb2d3b91db54737d20ac38dc44128832d95a4101917383cc

SHA512
dcd510404d5e7a602dfc8a3f82b5190c76ff8c8e4051aa3e620e75032e262b18ec0499bde13ae8ae6c495d2dea05c247fc7a9c7046c461371706bbdf99dba9d2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
fabdbc0e720e32617d143326d3afc520

SHA1
e626d88397f57bd66d34836ef5a46bef0b07d864

SHA256
b802b004c6c7c2bfa651c1151415a0bb9a7496db07adf44920d6aa4352d6576b

SHA512
e0144e02eaac4b0b0b3eac3d305fb4cf1cea7991f93e4fe748b3f14eda7af8475137f3d150ab462e2633415d6227a444286394bfb48070696887f6e7fd38aa00

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
f935dcb09d5c4403be744faee7150490

SHA1
ac3a83ca5289b0e7fd14e9827a832bf69b58552b

SHA256
5418d786ebc3404f9b22e550a5fb1b2c93154e37113987841e495c066d9c332f

SHA512
129f186e7c2a69360e6e0cf068daa53f45aac24c24feafcaa702d25fe1a43f4e6156944ce7aaa531dfc5d08ce77dfee1a1a16c97b43789b1df50cfe3ba0da412

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
638a2e471d23dd3528935fbeecf95ce2

SHA1
8dc2762aba0dfac21a68f9cef9ad3698efc74066

SHA256
3c52b2e36d5f51c495bc4cf9ccf3bdf546eb211978b77011cfabfcbb62fdf38c

SHA512
1e0d5b622ef6ceb3fae4ce20d8b6e8d58b9f5e6f2d0fe3757618e8979a8874b233533a41e7a3090761c409d69e01b10d87755ed9e51697cc4ed68925c510a93a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
1f2c9a6e197bae704703999785b6f463

SHA1
ed77f726519297cb601d1946b666151b209e62bf

SHA256
18c0c5d2aa7fc6a3f2d2d671da0c81c47a127238bb1e363f4c95ffe6a5c47b0e

SHA512
a85ab96f16e026172b853c563e877aa9ae3b6bbdda8172e4ae72334b0762fa942432f9566ff4ef8a1e9f326c963d452bfaff97d5a48f0192f4e7bd238b9dd1b8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
87f81c7b94b505aebe34e476027c8e6a

SHA1
6e1bc13b63f1793af0f8322e3f510498dfc6496a

SHA256
0e4659c4fd82e705ccf938e6aaddeb26edadf58340d5c97e6803a1a0464c38c1

SHA512
bbe42c2fa639b7f32b7959fa08fff3c4d4e616344e1b4fda8d29c4aba924411f57c7e7c5bec20f19db4a69d0cd1dafd489fadaf200899a0d1dfd9ccdeb57477b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
1efa445483f35de9bd3b734e55abefa6

SHA1
c3d1094b3bfda88d1223250ee011e7fce08bffe4

SHA256
0bb92fce5653822e9e0840a20c4660546eeb4fc78998b9cca4d4b6c9b916ed20

SHA512
5260707b3bf92abcbf97c833a50b1b43f265b11d75bf014a9db2bb6f981b02dfabc96a03061ef9a56afbdcb44433a999054815aed88a785cfd7b3bd238025c57

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0538f89cd4adb1dc4b35955d6ba684dc

SHA1
f121988a07307dc8ca32188e0ea2b7a74ee729ea

SHA256
6e8451c8f504ff807ad2f897b2f30ff47b737a4ba22736f31847ab5cd95f6b2a

SHA512
2b931bcb9a6b505d69d65337ffc5ac8258a67f3e78ceaf09b8349a2ae7aab8e0c3aa8c18d118b0e33f2ea04ddb4cb4ff60a10bae439043ee35bd3a5045b93ab0

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
401db6519d0e22087cbe575c1200a53c

SHA1
ddd3d3792f4ca2fcff538c62bc2d8332693436de

SHA256
5cdccafac3c5ad2434a09a5bf4911cf1aa097aae63e5e1bc4f40b6b6adca942b

SHA512
09a0f052ab81c78d167123206095753ea37440b2f598922a811a019b580bc0193b31de69f24353dc2f5f2d2fa20a651b92acb3e2e13f9c3807061d2f35fba9ef

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e6947a1a247352c25bd669c73b9fdc94

SHA1
7dde09dabfe11359827f8d5bc1df467d84f671e2

SHA256
33e975f5c436bc6abc7a884c9c8cb088b86ece163243e1b63aaf4d78745546fa

SHA512
2110e4f6c764fb388728c217a5623af485bac5b713cd7f0b57e3bc076ee2385eed68c6dafc28496b0c5baa2e9fc776de52ac4d9a94599db800475409c36cf097

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
059148f71e9dfe05d81c6beff66c9c71

SHA1
734a9b46276519b1f4233645a33bee1b523d1d4d

SHA256
43c834dec84a3920d0df02fa0687eb5955c94bd9d972d7fa341fcf4fe1b48266

SHA512
49dcaad40c4c933aa12bc0fee3532b7e4b4be42685cab3403415376567b0642c9763356ddab224f8310f44298692ef49668a3c72355c8f23eb09a03491ef785d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3d466037b15d4a974670275e28b82029

SHA1
67e60173917dbea8051b23a719108404e07d01c4

SHA256
526baf41ef863b4afb435abaa6629b8f608de08ec205a2248505fead6c460aa9

SHA512
17d3a43c93ed64025ae670a2105adb937daef91bf5f465d9c5c63f2a41ea8402eeb3f8113f9009b6429d0dbc682fa9b06bca2c39741db0c73fa1b36f356403c3

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
c55a26c65f53f4ef857b0b7e8b989e72

SHA1
5b9e16f86d86d30886eed23e1d82a861dd6e6580

SHA256
7870c4a5f5a66c3e1a603845244314436a645783855299993b4e68b4063f2ecd

SHA512
3b254178cfa1bc8722e2cb56320fb783ade58420df9f622319c246c6642d2effc90c011bd3143c511e6cb76625c4f2837e6bdc356f71aa79c88420b1f18138f4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
8a0859c8879fdaffdce6cdb740c0c63c

SHA1
c1403263288aa55fc1028f1654f31b90097913ef

SHA256
2e0187299576a2ae89941476850f58857f25965c7a0bc4d6a6ebeed672231ef2

SHA512
0a8c0e5d2655cd6d7b9106061e47de9c3f44ee5515e625296dffd7be451f6ebe673b1c7a67ddebb47b6628bb2d8fcb06d9f51a306e57751297f5328f0753b8fb

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
1e108e40834c417f16c35d62b354fe9f

SHA1
3dfed13562385d81936863cd9bcb05ac3252aecb

SHA256
315b1a61a1a0b1c9d75ccc462b66abed93371e56b8a0d3207511645169ca7f99

SHA512
62a01ebdc06f43c27a8aed393e33432bfd0a7060267c399eb5217770961dccc42cf21285971e8b4fd6cbae1dd46b5c17864a03a626946a020d1ed1548ad5ffba

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
438a9abef3978fd47e91f5697f97ef87

SHA1
d543aef99f44ba6a4fac18242f25efb77c604212

SHA256
48faba9801d91787c435c7cd3a4b285c15499de09ab699331c6c8779fc7c4be9

SHA512
9756cae9dab1baee2c91a97286a40dfcf870032efd0c5b2ab7a4433e79db5366ad1c409dc8e0ea965711ff399248a878dc319501db0af93d5dbe2421412dd767

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
b5f08e64717bd41c6e95eacdc88d9194

SHA1
91513d2c782876adf4809560dddb29b33f75242d

SHA256
2fef349b923201a463f4ad4b94f92a4d8fe02976e5b4386a71b348e763d76d03

SHA512
fb6de3e69b5163d432fffc49e77cbe0fd997d282f6420f886e029f58bdc1645a4ed2ee462204085f87ed1cbcd11d98c8ed2ba5fe2a604daca1676421cf71ad43

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7b6fe0a546261058cf2fe3e99e4e132f

SHA1
492e81c3eb87a6c84dab6627ac3b13525c6f218a

SHA256
c3c870901f3e6be19c19bb54470408ec0a2d841e99f80c150a68946ceab0ff54

SHA512
163c5e0b499a96a9faa0eae08666952e3a391092ebebfe74e666fcd1e465921ffb6f75d57b9dd33a023998f0fd78efcc46c9b3adcedf355b52b9858435f1699e

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
f8da1e3912337378c0f722f616cf6aaf

SHA1
22482c3e69a3b76d24d4e88d30e345654afd0338

SHA256
342768ee193e599905624366abf160660028ba384d57ae4da8734bc9473b010b

SHA512
b72adac4dc3ef8cd0c1275eaf376da652f8aa271a162aac1a54571f6f93c0e5fe9fec69a9cf380f84fa3ce438f06e3c9c2493a1d422f5d1bf4c46d6962ca9f47

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a11ad656ec4f3f33d26fc273249f5e60

SHA1
957351b370adfc519657314fe10cc0c3f467224e

SHA256
8eb4bf7d5e15afec56a82233b8e6abfa909fd40f381c12fc8cd2bd0fd39c2913

SHA512
a09c8d6442f93ddb4158c5a14a001b4eaae7c0fd482180a23f3c86d663ec948b6c4285b076c0ccbe89c496850445a4d55e6f0352e23a77539901dada9b190707

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
356a74e585a59cdd36ba46489e6902a4

SHA1
f2dc23a19ac0b985c8a296c8249da6398762d7e8

SHA256
86cfbfa31d6bb6835cd2e8fe72fab8c9eca09721432d7eef2e4d08bac0d9cfc6

SHA512
1135f77e2d26b57e86c22d108d6c963b2853cec46de2fad28ece47a1d7d26dc7eb4f16c28fa0bba62f05375c429a77ea94a7ea0bb2edd57f1aa9e5f4b9ac68ab

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
db031b8fa0c56945f83c1635fe9e9bab

SHA1
747a3327dbce8d59f9ef9db09cb8aa0b95d42a0f

SHA256
52b14a4e4d85b7b3fc7aa75bcbbb416cf6386db5e81e463238d26d2f1984e410

SHA512
bbb0af915449fac1fbfd80103c3cad520170bbed5485d75a67c893c25a1fabc9d1af0554004b627a61868d9062434635f2d1446623d5d823b219cae010f5ad4e

Download Submit
\??\pipe\crashpad_1508_VOGDZYKUQMUWPIJN

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/476-190-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/476-89-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/820-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/820-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/848-634-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/848-227-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1060-223-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1060-631-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1440-174-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1440-449-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1864-167-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1864-438-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2032-226-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2032-146-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2036-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2036-74-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/2036-80-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/2036-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2036-85-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/2328-222-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2328-127-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3104-93-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3104-99-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3104-103-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3104-195-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3188-110-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/3188-203-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3188-109-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3512-193-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3512-192-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3708-56-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3708-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3708-50-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3708-150-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3740-31-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3740-6-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/3740-23-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/3740-0-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/3740-9-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4004-39-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4004-33-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4004-41-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4080-204-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4080-623-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4084-454-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4084-188-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4156-156-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4156-426-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4396-152-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4396-601-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4396-231-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4728-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4728-20-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4728-101-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4728-11-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4772-506-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4772-196-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4896-145-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4896-28-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4920-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4920-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4920-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4920-173-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5200-232-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5200-635-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5392-500-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5392-440-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5836-450-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5836-640-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5976-455-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5976-492-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6104-477-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6104-641-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download