b343ecb91b7e5442f71476849ca1c4a1b74ee3e81257151c454b798c78f6e12c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 19:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
Size

5.5MB
MD5

7e79b0ac6f31bd5e3345ab3d92f89264
SHA1

f1c5152b556560f62c090f22fde95530c51da7d7
SHA256

b343ecb91b7e5442f71476849ca1c4a1b74ee3e81257151c454b798c78f6e12c
SHA512

6ff1ab874da7e42100400f61ea7dbb2837828b8d96a71cdfb8631b93421ba5502635d273e74e5651ab58baa9bce68b60b5eea5a7b42a90ffac3c661bceca5ef5
SSDEEP

49152:/EFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfk:7AI5pAdVJn9tbnR1VgBVmKXvYCp3nyG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
4704	alg.exe
1184	DiagnosticsHub.StandardCollector.Service.exe
2860	fxssvc.exe
2812	elevation_service.exe
4148	elevation_service.exe
3832	maintenanceservice.exe
1292	msdtc.exe
4608	OSE.EXE
3964	PerceptionSimulationService.exe
2020	perfhost.exe
3096	locator.exe
852	SensorDataService.exe
116	snmptrap.exe
4532	spectrum.exe
212	ssh-agent.exe
3272	TieringEngineService.exe
2860	AgentService.exe
3740	vds.exe
4376	vssvc.exe
4512	wbengine.exe
2092	WmiApSrv.exe
1484	SearchIndexer.exe
6128	chrmstp.exe
5856	chrmstp.exe
5224	chrmstp.exe
5848	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c095ed47c3a5208d.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000971297d6db0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000971297d6db0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a9afe67c6db0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133613123047971015"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e34ce47c6db0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
3216	chrome.exe
3216	chrome.exe
1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
1184	DiagnosticsHub.StandardCollector.Service.exe
1184	DiagnosticsHub.StandardCollector.Service.exe
1184	DiagnosticsHub.StandardCollector.Service.exe
1184	DiagnosticsHub.StandardCollector.Service.exe
1184	DiagnosticsHub.StandardCollector.Service.exe
1184	DiagnosticsHub.StandardCollector.Service.exe
1184	DiagnosticsHub.StandardCollector.Service.exe
5264	chrome.exe
5264	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4844	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
Token: SeTakeOwnershipPrivilege	1108	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
Token: SeAuditPrivilege	2860	fxssvc.exe
Token: SeRestorePrivilege	3272	TieringEngineService.exe
Token: SeManageVolumePrivilege	3272	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2860	AgentService.exe
Token: SeBackupPrivilege	4376	vssvc.exe
Token: SeRestorePrivilege	4376	vssvc.exe
Token: SeAuditPrivilege	4376	vssvc.exe
Token: SeBackupPrivilege	4512	wbengine.exe
Token: SeRestorePrivilege	4512	wbengine.exe
Token: SeSecurityPrivilege	4512	wbengine.exe
Token: 33	1484	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
5224	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 1108	4844	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe	93
PID 4844 wrote to memory of 1108	4844	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe	93
PID 4844 wrote to memory of 3216	4844	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe	94
PID 4844 wrote to memory of 3216	4844	2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe	94
PID 3216 wrote to memory of 4732	3216	chrome.exe	95
PID 3216 wrote to memory of 4732	3216	chrome.exe	95
PID 1484 wrote to memory of 112	1484	SearchIndexer.exe	120
PID 1484 wrote to memory of 112	1484	SearchIndexer.exe	120
PID 1484 wrote to memory of 2192	1484	SearchIndexer.exe	121
PID 1484 wrote to memory of 2192	1484	SearchIndexer.exe	121
PID 3216 wrote to memory of 2156	3216	chrome.exe	122
PID 3216 wrote to memory of 2156	3216	chrome.exe	122
PID 3216 wrote to memory of 2156	3216	chrome.exe	122
PID 3216 wrote to memory of 2156	3216	chrome.exe	122
PID 3216 wrote to memory of 2156	3216	chrome.exe	122
PID 3216 wrote to memory of 2156	3216	chrome.exe	122
PID 3216 wrote to memory of 2156	3216	chrome.exe	122
PID 3216 wrote to memory of 2156	3216	chrome.exe	122
PID 3216 wrote to memory of 2156	3216	chrome.exe	122
PID 3216 wrote to memory of 2156	3216	chrome.exe	122
PID 3216 wrote to memory of 2156	3216	chrome.exe	122
PID 3216 wrote to memory of 2156	3216	chrome.exe	122
PID 3216 wrote to memory of 2156	3216	chrome.exe	122
PID 3216 wrote to memory of 2156	3216	chrome.exe	122
PID 3216 wrote to memory of 2156	3216	chrome.exe	122
PID 3216 wrote to memory of 2156	3216	chrome.exe	122
PID 3216 wrote to memory of 2156	3216	chrome.exe	122
PID 3216 wrote to memory of 2156	3216	chrome.exe	122
PID 3216 wrote to memory of 2156	3216	chrome.exe	122
PID 3216 wrote to memory of 2156	3216	chrome.exe	122
PID 3216 wrote to memory of 2156	3216	chrome.exe	122
PID 3216 wrote to memory of 2156	3216	chrome.exe	122
PID 3216 wrote to memory of 2156	3216	chrome.exe	122
PID 3216 wrote to memory of 2156	3216	chrome.exe	122
PID 3216 wrote to memory of 2156	3216	chrome.exe	122
PID 3216 wrote to memory of 2156	3216	chrome.exe	122
PID 3216 wrote to memory of 2156	3216	chrome.exe	122
PID 3216 wrote to memory of 2156	3216	chrome.exe	122
PID 3216 wrote to memory of 2156	3216	chrome.exe	122
PID 3216 wrote to memory of 2156	3216	chrome.exe	122
PID 3216 wrote to memory of 2156	3216	chrome.exe	122
PID 3216 wrote to memory of 5144	3216	chrome.exe	123
PID 3216 wrote to memory of 5144	3216	chrome.exe	123
PID 3216 wrote to memory of 5180	3216	chrome.exe	124
PID 3216 wrote to memory of 5180	3216	chrome.exe	124
PID 3216 wrote to memory of 5180	3216	chrome.exe	124
PID 3216 wrote to memory of 5180	3216	chrome.exe	124
PID 3216 wrote to memory of 5180	3216	chrome.exe	124
PID 3216 wrote to memory of 5180	3216	chrome.exe	124
PID 3216 wrote to memory of 5180	3216	chrome.exe	124
PID 3216 wrote to memory of 5180	3216	chrome.exe	124
PID 3216 wrote to memory of 5180	3216	chrome.exe	124
PID 3216 wrote to memory of 5180	3216	chrome.exe	124
PID 3216 wrote to memory of 5180	3216	chrome.exe	124
PID 3216 wrote to memory of 5180	3216	chrome.exe	124
PID 3216 wrote to memory of 5180	3216	chrome.exe	124
PID 3216 wrote to memory of 5180	3216	chrome.exe	124
PID 3216 wrote to memory of 5180	3216	chrome.exe	124
PID 3216 wrote to memory of 5180	3216	chrome.exe	124
PID 3216 wrote to memory of 5180	3216	chrome.exe	124
PID 3216 wrote to memory of 5180	3216	chrome.exe	124
PID 3216 wrote to memory of 5180	3216	chrome.exe	124
PID 3216 wrote to memory of 5180	3216	chrome.exe	124
PID 3216 wrote to memory of 5180	3216	chrome.exe	124

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Users\Admin\AppData\Local\Temp\2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2cc,0x2d0,0x2d4,0x2a0,0x2d8,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3216
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a21cab58,0x7ff9a21cab68,0x7ff9a21cab78
    3⤵
    PID:4732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1916,i,5414800312398085855,14051486345969911373,131072 /prefetch:2
    3⤵
    PID:2156
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1916,i,5414800312398085855,14051486345969911373,131072 /prefetch:8
    3⤵
    PID:5144
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2104 --field-trial-handle=1916,i,5414800312398085855,14051486345969911373,131072 /prefetch:8
    3⤵
    PID:5180
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=1916,i,5414800312398085855,14051486345969911373,131072 /prefetch:1
    3⤵
    PID:5248
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1916,i,5414800312398085855,14051486345969911373,131072 /prefetch:1
    3⤵
    PID:5292
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4228 --field-trial-handle=1916,i,5414800312398085855,14051486345969911373,131072 /prefetch:1
    3⤵
    PID:5664
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4420 --field-trial-handle=1916,i,5414800312398085855,14051486345969911373,131072 /prefetch:8
    3⤵
    PID:5780
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4552 --field-trial-handle=1916,i,5414800312398085855,14051486345969911373,131072 /prefetch:8
    3⤵
    PID:5836
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4700 --field-trial-handle=1916,i,5414800312398085855,14051486345969911373,131072 /prefetch:8
    3⤵
    PID:5856
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4856 --field-trial-handle=1916,i,5414800312398085855,14051486345969911373,131072 /prefetch:8
    3⤵
    PID:5968
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 --field-trial-handle=1916,i,5414800312398085855,14051486345969911373,131072 /prefetch:8
    3⤵
    PID:5960
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4632 --field-trial-handle=1916,i,5414800312398085855,14051486345969911373,131072 /prefetch:8
    3⤵
    PID:6064
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:6128
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5856
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5224
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5848
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4512 --field-trial-handle=1916,i,5414800312398085855,14051486345969911373,131072 /prefetch:8
    3⤵
    PID:5788
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=356 --field-trial-handle=1916,i,5414800312398085855,14051486345969911373,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5264

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4704

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1184

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3184

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2812

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4148

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3832

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1292

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4608

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3964

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2020

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3096

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:852

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:116

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4532

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5088

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3272

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3740

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2092

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:112
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4288,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4276 /prefetch:8
1⤵
PID:5364

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
26675adad11a3e4518d752ad432109ad

SHA1
8c05b6584108179456c3078e21a284c77d75fc18

SHA256
00124734b768d823ba9199c7163b1232d1cfff8f1a5bbfb0142f6a9ab6e7dfd8

SHA512
77f392d583700951cd59f0b5f352eab124ae02e7ea516b4d30d493550c23aac693d6d529d80d7cf5054f07fe53dc54887d7160eeff16e1b6416b3678421a5893

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
3c42615ae8ea635433ff1b5947f4c719

SHA1
f826967c12d1ad3c1dae1aaf011469806edf9030

SHA256
486e1039353f819e073285f3e9917acb91220b4a78254d3df60a190414a0ddfb

SHA512
bab615a6b895a3c739a3fb3cf315ceacb88b4063bbd3c30fa978eabad07ee945f807cc81834d5b3ba18904ad0ff6ac87e7f53a09db2c611fc792f0ce54c5369b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
735142bb8d9b6dc8c8cd987c0e7751d2

SHA1
b40a27f094b20ce65fecaef65e356c2a94277ef2

SHA256
ca054c7471a9a17c29d2ca7ccd2fd057dfd573ee16c34838ea1fabc03a9aceb3

SHA512
0188c7b6827844eb74fe43a7ff4665b9f64ff4b9c67d2c24fbe9a3873ff9b9bfe6263c473217397501178a1ff250439ac760a25700d30d443fe8518d06858b4f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
cae20934191050cf7103657d3ad228d1

SHA1
9ab6f47999d8b755488aa6b1087747ebf6ebc7e4

SHA256
e416978ae03903bf2fdab3af99e3454f29e0585c300953fb233e440d3e06159a

SHA512
088952bb0257d71e7b03534b5ef8c9004eee55228278df0ab3238dffde4f419c923b5770a796e1c9d4c8b2e948835d2e24edef6cf8861505a8430f971b4b8c6c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
23a3742f87d6cd57789d28f155f10a90

SHA1
e380901e394d78937cf65bd3e1a0b957c5161ba6

SHA256
7d941244f86968e5f0b6f3e646a130f1e6616e67efc74e555ee3282c3396529d

SHA512
b3ae5fab2180a89978ea7373cb3d4336bac403dd2845f2ec5980798a3705461dbb2d75fe4f4f7a55d86d730b0108cfd904c8080baf8b8564c35d119ebc4f1873

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
6cfc3bbf6a5049fc9bace217df827fda

SHA1
9dc666445e50c254f265598c8012346b09340644

SHA256
cd9e235e6b7a1e0ce5d7ebc959abe2909d55e390c131186e92b641873a8286a1

SHA512
ec9363fff1c61a4356722a7837d3bf3e280d759e9e7ebff9dca29ba3241325d66c12bdc05b50aac66366c3b3a6411dbd55cc4dd095e5712f822f5e00ca41a365

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
be8442e1ff705a64e3cf9f4be9e186ad

SHA1
87ca59d39451d73387c60b73e1fdc19266d814c2

SHA256
b9f96a0fb392ac7e341856026b29492c935f685f4c946f08e1edee4ed165e207

SHA512
870fb2f289af0594e0f875be1bb4b292ccc54c2252011058686cd557bb8aa85abca8ec4cfb985d544e29d5d48b22005257a057cbc8c32f9b131719dc107e14fd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d67813afe8485b03fe3754e552ff3882

SHA1
c86b96844b89eac949a939b699478f57985f34be

SHA256
90ccb2ffe9603b76894ff70d8f2319e8f3167e9247eb0d32e5dc57d8e3b7bac1

SHA512
a36c33bbe71805df9953514d5643fdef17e9585c70c665fce1f1de195170b74a9b5e5691df4ac65126bc6b7d6154f8df27ca5e6758422f5cb8c11846c1b6b94f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
01cfa5cba21eeaabf2c2c53d69765585

SHA1
bbafac07b3e24cc2488a1d540a2168b8e525e1d7

SHA256
1469cb9524eb627a7ada1dd667bd3a3922ea42dcccd8ea31e7307a0898f0991d

SHA512
4e88ac33c75ff4421c1042ce32a8926d364acd859804b874f8f6e9bfb416270af34e3210977767a157bf58959a9acc860afe5940c9ac17f920491e9d041f9d89

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
64f603b7380fbef206c4e34186990254

SHA1
2690f5c9340ea1c693b65cb828fa0bb9bbfe4738

SHA256
a6cf9da934bcd3b3b8f79b3cfc013c506ca3c86304b6ff0ce11992bfc15aeb0d

SHA512
102a473f33389ba1f69f914ff5d7969709c864732183c67d3c55bdf371c32718ffc9d3a615e4950ce31d2bb4dafde1d5529ecf53f9c057a8ff784bebe8745810

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
13b42c1d92d0bee3193e462c9f487ae4

SHA1
0a91192f36c22b186010fe5a7f151dbe716aa025

SHA256
7e160368652c422a1c4c3d43ed36a3468934c81e2d2f0a87865161b404f41b3b

SHA512
3f1460970db568b139bb46f5ad827f7372f31937131d417cc72051c49399d22ffaa6e8adaae605d6e0f8b2f09e88ffb5ab1918628e0ced847396ff1514d112d3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e6e800b8b8f35de2d1402e9a00f8638b

SHA1
76441ebd77fae5432283f8459ab1ed81c48d90df

SHA256
4311c2dec5074c94eae03925431b956fdd2adf9b00abac91b73efed0189b51e1

SHA512
d3f8cae4806ba6db99a53a6226dbfce7c9b01219f6529dcc49b33457635e254962db1928b4e6c325fdecee892e6d98e3c428b57a96d3c4b84a6028039806a569

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
a1b2c5202586c5eefe375e4d8f8a13a7

SHA1
c5bb3eed283bd32ae9afeda043d5ddfa07d99917

SHA256
4c2dcec6b940fd5d57534df73d2e191c46e68064cf61b3dcd082cb56a36cefa5

SHA512
e36bb7144b9143a780977917d419e6c4e9b95b718cf7d3cb256020b3ed5258b77afc0a621ed2a92beec15a61f5c9b54a4f72dece206334681c03e0f3971ad8e2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
3bfe750cf3c1721f3b9d2a4a6d2ebc9e

SHA1
7103c574740dbda3d9a13138be5dfe27d46919a6

SHA256
fa5143d3adf8343e4dec70d7cc12073ae13b26f963c025bb11095c6a1d425636

SHA512
29f8bf26e5d78ea6eac397e97436f45041ae6932d8abc6fbfaef397883bf92d65eb4a20313d8b44d9901b90f02baa97a5838e8f3cf9a15e8840c3af95ed40328

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
1e2c675dd4dd66f044edd8d66ba3593c

SHA1
ddc78a32b9faada12dfe445a7f0a6eed48613f04

SHA256
b72b94c18198572d352ab28e51273264473a7d208ffcc6678d0f80dd8847d32a

SHA512
19561cc4dc7f149bc6b54f71ad565602d191b44c79c71a40e9993a9a19e55a6e045ced6381d5ebd7352f7833821176680f7378b7b5f83a4cc678a58a6ef20190

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
41aa47a4dbe9965274ea07db6502caa0

SHA1
99ed785e2f81c9051f91ac3313f75668826e2e2b

SHA256
462bef30e509ed74886cdabe4c09c1c63e4792aa80942f61d5ad9828eae924de

SHA512
1aad1a963d992ff8bd36944467857d784f16e57014f7e289349b9db69f7d72d1df0bb0b576d81720e0017efbe7382b1dca63d7f76e86015549c4aa760d749786

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
61cc4c684a6829dbe351c61258a959e3

SHA1
b0cb2855b829be0b608aca894c3b6c9c2ed0152d

SHA256
b7e9648665ab390ff11bb52d4a0b654d4a88a49d883c7b5ec3d0565400df045f

SHA512
0e12bfde7f8f8d03d1b382a03e5fd0ec4326b8a69449e559df7044ba7bcf1107b350c1dcd971a845fa42055b60eed3596f3cacdfebcde90942b039f25b898ae7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
e646991f9b7863013f4543e5deea2d49

SHA1
7d3ab1c249b15c5bc5761baef819fa96b043539a

SHA256
0cc277125b5bd55a7c42e32f351b5bce3ca6003f28bc0646db5bc6b9b5135c07

SHA512
8b7b264f086ee2d1c1ec1199307d6511ce964890e84312a1c12c21a0a1fac24d6bf005a2ded820ecae3b51b58229a8ce724e98e40b03e1f93d3914948025a76f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
fbcb068fef2ebacd5bf763521a42564d

SHA1
e6d14c0e572feeda8c52d6c6ec2f4cda59b15701

SHA256
57c362f8a734730477cc142f1ff65c239986a52bb4a32916cabb769af5e5aee3

SHA512
dd58d514e82b865b8e7cf970811b74c41b277d910e98e66920379e1b531584e79b9ea30f489da6eafec0952ac237409b95a70efd0a0fec5fa3a6c386a4d55416

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
3553badbcc45e51942724f6abbfbd463

SHA1
df1e6aa66d04b53b17bb9905a6744434e5ef854a

SHA256
e953881e8e23dbb7150e4cfcfd56fcfd18fc270785a5fa71203a01ad4c020b12

SHA512
1c46a54d4f4d3a70bc00c0677b5dcab784d8887457d24c313c92262787a0534b6a95bd16d90d7835b4a334b5944fd88b03d7620b8895c2b8baf4bf93f4bb1fd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ff15f9e1a21dfe00a47debcc53797e0f

SHA1
f211e9cb2a8440f4e1bb9acee4f1579f64a74f39

SHA256
301d6329154040ace79b50332d63f6cc24f70231a4eeec5dd9d33cc55d5098b6

SHA512
b9fa0c4448b734117fe999d1e9b1ee4565e69e1eee2bc5e14230f0d0b598809d4a9384256bea432890eecac9684be993927fc38175229d66c20835faaf6798fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe58461c.TMP

Filesize
2KB

MD5
c4d12c24a85b7e1aaf85cad983fe7610

SHA1
00bcb6e962cbc5a3d88689ec2f8c15feda6ff7fb

SHA256
6568b506f3cb4367abf414e66e1e93a4d4e40339dd3a2a1d5ded1f1907484337

SHA512
0d45cd5f36424147b7a67d4f154539d9ddde285cb363a139c5922814e6073cf731d61902a7eb84e9ac6547bcd52e65b023a2f97636072db478ccd04495a59aa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
a3e4f4e25c12f9f2931b0d1393214a37

SHA1
a5acbd60e67327a59dabd3b8a2d6d49efba6fb8a

SHA256
b56dd9e33f707ce6eea1ca7f626746a30c840930a2301508ced074bfedfa1812

SHA512
eac4675492b2381ebdf2889a8c05b73cbe5b5427d482ec572d945e6689b72385b21e02d0022cb4133d97892ebc654f97862de097fd44215e19bedef217110598

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
6465ad9e77d63e1a0595ee1fcaf9600e

SHA1
700982cefe6f4b1f4fb88e172d40427d5ee71d04

SHA256
5258e6db2ee1bc3961b4b63c58914ea6385af413df723935ce8114e1b8f2f4d4

SHA512
ea062b3a3cd3513180129e5f2f2271ac3a00b636ef8b0c4261ee2ff05c33dd3112b931e71cfe31ae5ae3e38ca1bf9035c980366423f406d5d619d66d4086d159

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
184564bda13380eb408bace8f7a8abce

SHA1
5ce9e8d6e643123a8f9a1f591d0f3d7ecfe28314

SHA256
a825c20e935f1a2d7979a92e6b74fbc3007623ae40e1abe3766cede8e1331178

SHA512
c008d1cfd330a83231e7c15e19fcf3dc1de29919dcbe5ad9c8c70b46e0a4ed3dfcfbe053a15eacd525dd1d635b394d09249cee80fc9d44bccde605c005d46a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
4453eec7dc92edcf460300ebe614fb73

SHA1
55857d5d05a1c259fdb0e2dbc1640a866e40e50d

SHA256
2c9cf969e1dc853154f827ccb89b2e79a6b4fb22ef682c74a194c13d1edda9fb

SHA512
ab3f26d434bfa7561e2782824e37ceb9ac9ee55028eef353afacf5a711a1d9f3c2bd6c6e88e66da143b3893f426078a5f207e032f564a3b9ab22ce0aed7e97b6

Download Submit
C:\Users\Admin\AppData\Roaming\c095ed47c3a5208d.bin

Filesize
12KB

MD5
ff90f8b563733f14f996aa96d82157c4

SHA1
c4572a087936dd03ae4ebbc39357292363b663eb

SHA256
528670900abf1f3c617e4ef51a6582b19d42e8b492ed00cc73a02cd5efcf5405

SHA512
73088e463531cf216dfe7d85884679815d1e5ad33836795c2eb6fb0aa8ff2062760dcfb747e09eee3481f6f023c66d2917b1df103359f5c44955fe3cda03bff3

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
84e1d3b0d33c999eaeda06095352c8a1

SHA1
7cdb6bd23cb2c7ca5a3486e54ebaf50c344cf11e

SHA256
e5ed1b2d129c2f5fdbc4b57cdcfcde90d759340c16f767b628ac7b5a10b03b88

SHA512
70b81367b866c74934ce01f326cb43d0346438f28277f7099830463c0cb80560145b5a8abefe839c5253647cc044946c88303c8c200839864fd6d5d1a414d0f9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
cea21132b4562934559bf9a4ea709536

SHA1
8727e6ba02ebc7e8698dd704a1134cb071f10e40

SHA256
699650af827f6e47eed7b59560572d1668c6b6401688f62af385f9ca1856fd40

SHA512
2a68db8b92f52780d6c236386a8aac7b21ab25b370c1c2a1d7d106f13a9f236ea15444d13244224254a7d3d79bb30107978babaa0c5838da5a400c43d812dd52

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
1c0902a4d7c70df9e99a2e70680c0891

SHA1
9c47521e4142b7fb322169c5fc1c5c4c915d120d

SHA256
80579be169dddcd812553e60e529c4aaa4aa20c6fc04d9a44d0def4c8e70180b

SHA512
77156a1a7e48c7d18d047a0d03a0973efcd043dec44c583b44c7d54ddc14abac4edcec89077c395bd35130267f3a3d2c50d1d91c1d579c1051820308459aebd7

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
efde2bd816b68857b2f9d0c0951bca98

SHA1
41c0d0b8dabf1b660afdb1e477c49550b219750f

SHA256
87d7193b7f1a1593dac06dec158dcf931cc05cfa6d9c49126b0105184e8c8a6a

SHA512
1cd3fc84c7e8111d911d6410e301c005f9c0585aaa3ac521e7bb8aa50e868db11714ed85289ff4b259a37011dac8819b9a082437600c5611ee3cced57f43a754

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
d3b5cb0f37689128f755d9b52dc6558b

SHA1
107115c8bb127283f0ae4f758d90deeef00b9399

SHA256
99efe08009368f906abf5fe7a25e6660002424c0362123e335e5802845441e8a

SHA512
cfd9d17be7d5d83848a5f214237fba1bed1ba0efed78c1209c8ba9e257a3de065a6bbed778f3f6e344a5db3bbec1fbd9c577a8b9d569b0eef54379fa0a9ac515

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
db7df2fca68a636aba3684443f568e1c

SHA1
11a8d3da94f15db94704d4ef016421ea8be27191

SHA256
aa24bd45c55956390fb7f7952c7ae848a47cb1825153748ba45a195af5f0f474

SHA512
b3a8b2183f9f2cdd58fe9937d52466282e4aaba9ff3931580dba6f677aaf3ad19b1d40c1b3af32e3196dc8b732caaedf21e57712d3c192c41deb81db42e87001

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
a106a0cceab8311717fcca580036865b

SHA1
0f95daf498b10364d7a753d25e06ea701f2cbfef

SHA256
e09151d78e6033bcfa5ee7d992dceb450cf7d9381c3bd7138cb8a34525185477

SHA512
a2e0b25e3015a511587b51592e4b067e570caf663947c0a57cdc2483ea7ba0d2e94aa64278623d22e6268ec2cd0693433ff7d257f61f9d34ea8a924c38c8784f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8ee171bc1ca29041c3817aa6185d4501

SHA1
54b0d44449d12ae5c8b4736638ef59cba001072f

SHA256
e43158b43efba142fa3c6238607945c879a6db3f9c444b6ba5dc64390f69c2b2

SHA512
c68a40dabe43835c9c8205c4f9101f01d7d1b9aefcf4e07dd8344b1ff6416c57dc327289ccbda162b02166a0a62b72fd7043e32940427c504aa0adb846e6f05f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c6ad5938bcf1159de0ffa28fe47b42df

SHA1
5a93b90d58ae4d0f577df6553ad3dc6fc0867e60

SHA256
98aa238836af922f8eae3ed6c1fe310c2c3edb73488c1e0ca4538fec8c14e777

SHA512
58652d5b04174837390427bcdaa4994581eb4ee19d7d0075435d9ede98294520d06706938bad21cbb3a18417739acbf521adc1581360c6b4edcfb089c9f9148b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2208ebcc2b1006932f85a331f30c8c19

SHA1
386c1328d4a4435e04324d0bcaf5cfb437014a1c

SHA256
3b84089637630f06a99515ad27a59749aea00aac9a0b99ddad7195c35d369150

SHA512
b441a5cbdf12ab9def06bea97b84e1131dd46d4f24c9ef2b787747a05b51b065b33eec5005a8e7e2d0412de4db662355eb1e75fc3d146bb7730c258f8bd48d9f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
bd2a5079ad423ea984892c46a0ca2a2e

SHA1
110d67981a39e911b4533f9a90c055d7f2f65c6d

SHA256
76bf35ab3fda396f2dfb83e650f0c7a59a53d30731815e7a4b641e68f1b3c597

SHA512
bccdf91f4ca018233047868652715d4fba23acd03f8a93e0aabf5d6a69f1e0c8f7fb54f8621dc44249dbf2ebc468cb66035cb52847a7dced570fd9cba7767669

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9228bc7bdf3ecb690991019688dd99fb

SHA1
32807082d5ca942799d9167e93f3434617c2f9c2

SHA256
1e794bc04392f87dbfbf93fd2037fdcfd79077dbb2c8aea5e0988bca4fb7ce80

SHA512
a26f781f3ae49d7064005daab530d9a4f91a3412943a71a7002808042e57eb1064e40a0c0646576a71423b1318beff409307c86e0be9a928bf2d5830ac7d6aa1

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
f4fe0c57b058f6052e820e83deecbd4e

SHA1
862d94207cfd33cc767e635d072054fd1e970f6f

SHA256
60727af71255a1997b72ac5db2a1ea3b0d79e76f17dc38416571d79513d41537

SHA512
6f721e2afc63e1e18bf83daa2a92c3383c69899d98ff7d4022e829453ab4a4ab6fab37e4096ccbb43755a5623ce67c08752a8a46f803738ce58ee667b6870cb3

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
ff5f3bdcc4c665e7d2174d17431cbe91

SHA1
bc7c9519555871bc2d491cc28263c7a560a72e4d

SHA256
286c281674c392eeed046f964d97d8742b25ad9a515ba1d5d099e1615f6e6323

SHA512
22d5714ee30d636d5100262de4a1dea62ccdb9caed3c3ccd9258ee2f007c3845a71389fe4eb54a2eedb3a3878cb4b2aae532c768f132e8a713feb42dcd5202ba

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
c65b879694226bec1ecb69073c76412c

SHA1
8e85e02bd97cfbc5c5d045a7103cad02e7c9703b

SHA256
ea103ade4637100541f0f10986fae72e78306ae89e665ef6d5070a3a473bea50

SHA512
64a83159123998240e409c7c2ae3a45fe38e6ea9a0717f0a9f733c3f04f1fd59068e8ca18cf5bac4e8c2173e29f9b0e5f73df12c4216c7fb5e946f8bbefd44b9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a4086204ba1356b1e63a8cae4c623226

SHA1
ea603540ea9a704db133b852166069e12c712d9d

SHA256
ae0c48c17dc6ed5b39fd7bb76a22a27d5220bddf279dcf84f240dec9cbd849b7

SHA512
a7a5176a5cd9baf0f72cbbe83939656b7f0cb71cb83138cdced741c2bde7d84bb488930d26ad3c4f0a7c01522d99bbda599391f9c8919d2ad796e07b91ec1476

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
ebe737ccb37c4129b5fd6b41d795e6c0

SHA1
36aa4c16a3cc3f96f9ad862036786854c0be7ffe

SHA256
12681c2446f3d9c5655b4e71c131d808b55fdb441a94226ee8cf977f903342d7

SHA512
a7d9ad5306316277f70aa6047c9005b266a7f30855ca024771127225faf1dd439d75b8fc96763d570bfcce7ff81cbe28fcd6017effdbdd74050ccbd9861a499d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5c20540a66e64b2f4540b9c8b7a56deb

SHA1
6b2b65c1f457d2f22611743244c5fdf9d2600cee

SHA256
1684dadc8f183641e51bd8dadbf60626f773bd6405ac903ee8e1806fec4d3293

SHA512
32ec591f5a76e30d57759678e939c2a45f2ffc80707b362a910e6d8d238cf2abfaaaa5cdb103c10008e8b19bf63ed6eda5f1ba82e464c76c5ca1b8ba1b215f16

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
de12892063f81f60b11c0497ec332fa7

SHA1
ccfa0530f55d277c3fe6d75260088ae08d5b7616

SHA256
afd8ccad757251c38eecbb67fc9f41af5aecfec62b521b229c5b17e17ba05eae

SHA512
441e809f431b7d1715efa1a6eeda910ba6945b9529a6330cf964a1d8f7233e97893e6eac6758abbeca4c61d315829371fa2e2fa02a5b838d1fb79e7a43b6d7ca

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
1b4f368e2b244f511676310a64500097

SHA1
152d835684d927ef119a31678e6e52858745ba8d

SHA256
e392819831ddca048e034686993376e91a9b27455e605e09e6562b639283d5a9

SHA512
e15a7f78a2ffaf47c65666b2910de988867046b3324f094600e1bc488339097c2be0543d4c4fc96e790fffbd426f134509ee3f59be13f199db98935c532c1f26

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
7baba8d9b1caabe0078b327fccfb5934

SHA1
0980bca7acfb80e7d91390850688e6d41812fe4e

SHA256
ce2dabb60b4e6a726e8d51a618c848e7f70dee94bdd72299f40a90fac3c5d657

SHA512
3b033f2ac37c099aa2a359c15597edb48e5bae49c65b67187ef3becd8963ebcf7b9218fbdf9161502395c61a59816b257c2266d6d933b6bc30bf7e829fb26af2

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
6700f4341b1f832d45e72a6f8753e0d5

SHA1
80c97242589126400ea2b08a5bca52edd7912ce4

SHA256
9f371cef3c96b48e751eb2267c066e92099d847433374e57a8883d8d16aeb1d6

SHA512
063bae921b85ffdd5cbc61a4199070fc36435c7a4d9888bc03a02c0694899f0e34b56a90c4d94b52cfed1411fbd234fead5d720ad5f79920914be6000b08d129

Download Submit
memory/116-307-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/212-310-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/852-306-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/852-498-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1108-21-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1108-453-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1108-18-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1108-12-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1184-41-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1184-35-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1184-43-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1184-42-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1184-526-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1292-300-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1484-327-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1484-532-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2020-303-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2092-326-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2812-60-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2812-50-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2812-56-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2812-368-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2860-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2860-153-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2860-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3096-305-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3272-314-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3740-315-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3832-83-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3832-73-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3832-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3832-79-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3964-302-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3964-103-0x0000000000B90000-0x0000000000BF0000-memory.dmp

Filesize
384KB

Download
memory/4148-63-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4148-69-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4148-299-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/4148-531-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/4376-317-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4512-325-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4532-309-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4608-301-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4608-96-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4608-90-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4704-518-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4704-31-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4844-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4844-22-0x0000000002010000-0x0000000002070000-memory.dmp

Filesize
384KB

Download
memory/4844-9-0x0000000002010000-0x0000000002070000-memory.dmp

Filesize
384KB

Download
memory/4844-0-0x0000000002010000-0x0000000002070000-memory.dmp

Filesize
384KB

Download
memory/4844-29-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5224-486-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5224-464-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5848-474-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5848-632-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5856-615-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5856-450-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6128-495-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6128-435-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download