88d86da543a7a34289fa0f9be3442c581bab8017bd61b668d9fbebb0f8a7399f

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 16:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
Size

4.6MB
MD5

c3a07b390ddb2e1efd5f2154a5b27918
SHA1

55810d9c97dbcd4004231d9752e600c4497bdf90
SHA256

88d86da543a7a34289fa0f9be3442c581bab8017bd61b668d9fbebb0f8a7399f
SHA512

77de1c4110474519925e6f1889c45c365861e2119a2775fccae5f2d1d017770462f60e3aed33115665291c2c1c95f7ffc3fc09c896c9bd8df3398b08375cf4f1
SSDEEP

49152:kvuURFfSjB2ZAKQKIFihIwDOhIYz9RtHBDWeTg8iqSkwER4a1HecEPLQJE3jM2ce:WSDiIwyhx4BER3A4E3Xc

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
5008	alg.exe
1492	DiagnosticsHub.StandardCollector.Service.exe
4212	fxssvc.exe
1904	elevation_service.exe
4364	elevation_service.exe
2360	maintenanceservice.exe
2036	msdtc.exe
4228	OSE.EXE
2748	PerceptionSimulationService.exe
1696	perfhost.exe
1240	locator.exe
4496	SensorDataService.exe
2372	snmptrap.exe
228	spectrum.exe
4264	ssh-agent.exe
1388	TieringEngineService.exe
4596	AgentService.exe
2816	vds.exe
4284	vssvc.exe
4932	wbengine.exe
5180	WmiApSrv.exe
5320	SearchIndexer.exe
5204	chrmstp.exe
5460	chrmstp.exe
5564	chrmstp.exe
5684	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\667aa05eb3b9834c.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93546\java.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020ea19fdaec8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e45811feaec8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c88e88feaec8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a0d6bffaec8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d9855ffaec8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002303b1fcaec8da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020ea19fdaec8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1472	chrome.exe
1472	chrome.exe
1548	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
1548	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
1548	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
1548	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
1548	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
1548	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
1548	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
1548	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
1548	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
1548	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
1548	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
1548	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
1548	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
1548	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
1548	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
1548	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
1548	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
1548	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
1548	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
1548	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
1548	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
1548	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
1548	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
1548	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
1548	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
1548	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
1548	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
1548	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
1548	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
1548	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
1548	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
1548	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
1548	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
1548	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
1548	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
6656	chrome.exe
6656	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4744	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
Token: SeAuditPrivilege	4212	fxssvc.exe
Token: SeRestorePrivilege	1388	TieringEngineService.exe
Token: SeManageVolumePrivilege	1388	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4596	AgentService.exe
Token: SeBackupPrivilege	4284	vssvc.exe
Token: SeRestorePrivilege	4284	vssvc.exe
Token: SeAuditPrivilege	4284	vssvc.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeBackupPrivilege	4932	wbengine.exe
Token: SeRestorePrivilege	4932	wbengine.exe
Token: SeSecurityPrivilege	4932	wbengine.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: 33	5320	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5320	SearchIndexer.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
5564	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 1548	4744	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe	83
PID 4744 wrote to memory of 1548	4744	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe	83
PID 4744 wrote to memory of 1472	4744	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe	84
PID 4744 wrote to memory of 1472	4744	2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe	84
PID 1472 wrote to memory of 2644	1472	chrome.exe	85
PID 1472 wrote to memory of 2644	1472	chrome.exe	85
PID 1472 wrote to memory of 3420	1472	chrome.exe	107
PID 1472 wrote to memory of 3420	1472	chrome.exe	107
PID 1472 wrote to memory of 3420	1472	chrome.exe	107
PID 1472 wrote to memory of 3420	1472	chrome.exe	107
PID 1472 wrote to memory of 3420	1472	chrome.exe	107
PID 1472 wrote to memory of 3420	1472	chrome.exe	107
PID 1472 wrote to memory of 3420	1472	chrome.exe	107
PID 1472 wrote to memory of 3420	1472	chrome.exe	107
PID 1472 wrote to memory of 3420	1472	chrome.exe	107
PID 1472 wrote to memory of 3420	1472	chrome.exe	107
PID 1472 wrote to memory of 3420	1472	chrome.exe	107
PID 1472 wrote to memory of 3420	1472	chrome.exe	107
PID 1472 wrote to memory of 3420	1472	chrome.exe	107
PID 1472 wrote to memory of 3420	1472	chrome.exe	107
PID 1472 wrote to memory of 3420	1472	chrome.exe	107
PID 1472 wrote to memory of 3420	1472	chrome.exe	107
PID 1472 wrote to memory of 3420	1472	chrome.exe	107
PID 1472 wrote to memory of 3420	1472	chrome.exe	107
PID 1472 wrote to memory of 3420	1472	chrome.exe	107
PID 1472 wrote to memory of 3420	1472	chrome.exe	107
PID 1472 wrote to memory of 3420	1472	chrome.exe	107
PID 1472 wrote to memory of 3420	1472	chrome.exe	107
PID 1472 wrote to memory of 3420	1472	chrome.exe	107
PID 1472 wrote to memory of 3420	1472	chrome.exe	107
PID 1472 wrote to memory of 3420	1472	chrome.exe	107
PID 1472 wrote to memory of 3420	1472	chrome.exe	107
PID 1472 wrote to memory of 3420	1472	chrome.exe	107
PID 1472 wrote to memory of 3420	1472	chrome.exe	107
PID 1472 wrote to memory of 3420	1472	chrome.exe	107
PID 1472 wrote to memory of 3420	1472	chrome.exe	107
PID 1472 wrote to memory of 3420	1472	chrome.exe	107
PID 1472 wrote to memory of 2904	1472	chrome.exe	108
PID 1472 wrote to memory of 2904	1472	chrome.exe	108
PID 1472 wrote to memory of 4184	1472	chrome.exe	109
PID 1472 wrote to memory of 4184	1472	chrome.exe	109
PID 1472 wrote to memory of 4184	1472	chrome.exe	109
PID 1472 wrote to memory of 4184	1472	chrome.exe	109
PID 1472 wrote to memory of 4184	1472	chrome.exe	109
PID 1472 wrote to memory of 4184	1472	chrome.exe	109
PID 1472 wrote to memory of 4184	1472	chrome.exe	109
PID 1472 wrote to memory of 4184	1472	chrome.exe	109
PID 1472 wrote to memory of 4184	1472	chrome.exe	109
PID 1472 wrote to memory of 4184	1472	chrome.exe	109
PID 1472 wrote to memory of 4184	1472	chrome.exe	109
PID 1472 wrote to memory of 4184	1472	chrome.exe	109
PID 1472 wrote to memory of 4184	1472	chrome.exe	109
PID 1472 wrote to memory of 4184	1472	chrome.exe	109
PID 1472 wrote to memory of 4184	1472	chrome.exe	109
PID 1472 wrote to memory of 4184	1472	chrome.exe	109
PID 1472 wrote to memory of 4184	1472	chrome.exe	109
PID 1472 wrote to memory of 4184	1472	chrome.exe	109
PID 1472 wrote to memory of 4184	1472	chrome.exe	109
PID 1472 wrote to memory of 4184	1472	chrome.exe	109
PID 1472 wrote to memory of 4184	1472	chrome.exe	109
PID 1472 wrote to memory of 4184	1472	chrome.exe	109
PID 1472 wrote to memory of 4184	1472	chrome.exe	109
PID 1472 wrote to memory of 4184	1472	chrome.exe	109
PID 1472 wrote to memory of 4184	1472	chrome.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Users\Admin\AppData\Local\Temp\2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-27_c3a07b390ddb2e1efd5f2154a5b27918_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.127 --initial-client-data=0x2d0,0x2d4,0x2e0,0x2dc,0x2e4,0x1403846a8,0x1403846b4,0x1403846c0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb4d54ab58,0x7ffb4d54ab68,0x7ffb4d54ab78
    3⤵
    PID:2644
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1884,i,57057526377785150,3030931593668259186,131072 /prefetch:2
    3⤵
    PID:3420
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1884,i,57057526377785150,3030931593668259186,131072 /prefetch:8
    3⤵
    PID:2904
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1884,i,57057526377785150,3030931593668259186,131072 /prefetch:8
    3⤵
    PID:4184
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3080 --field-trial-handle=1884,i,57057526377785150,3030931593668259186,131072 /prefetch:1
    3⤵
    PID:3940
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3112 --field-trial-handle=1884,i,57057526377785150,3030931593668259186,131072 /prefetch:1
    3⤵
    PID:3084
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4312 --field-trial-handle=1884,i,57057526377785150,3030931593668259186,131072 /prefetch:1
    3⤵
    PID:1584
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3920 --field-trial-handle=1884,i,57057526377785150,3030931593668259186,131072 /prefetch:8
    3⤵
    PID:4072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4636 --field-trial-handle=1884,i,57057526377785150,3030931593668259186,131072 /prefetch:8
    3⤵
    PID:1176
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4588 --field-trial-handle=1884,i,57057526377785150,3030931593668259186,131072 /prefetch:8
    3⤵
    PID:5992
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 --field-trial-handle=1884,i,57057526377785150,3030931593668259186,131072 /prefetch:8
    3⤵
    PID:6112
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5204
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5460
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5564
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5684
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 --field-trial-handle=1884,i,57057526377785150,3030931593668259186,131072 /prefetch:8
    3⤵
    PID:5692
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1884,i,57057526377785150,3030931593668259186,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6656

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:5008

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1492

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1660

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4212

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1904

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4364

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2360

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2036

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4228

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2748

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1696

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1240

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4496

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2372

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:228

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4520

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4596

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2816

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4284

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5180

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5320
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6064
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe

Filesize
1.5MB

MD5
158a94a3a40bffd85425e35bcf5e4d87

SHA1
6b927fccdc92dbf4e4a16851a56461fd8789bd7a

SHA256
5395ac704a0a869411c780ae8f13f866f259fa6df8b4db802b2252408b9b662c

SHA512
e9f45d3abdfacd46898532645a811d859c0c3e73bc1a5f906a867848ad8b0f1af650eca2090764920f78c489dc7d71ad56a792c7063070bba606f8226ab7a699

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

Filesize
9.9MB

MD5
7259c9a79aeb9ba9ae02abe755fb4c43

SHA1
62f8d73f0652ea3ded173852ced9fcf763d625b6

SHA256
af270755bbf704fb548a550253f5f29b70e5b573bea1b35b7e8db05d32243cf2

SHA512
866cac3732e8070b84038b932194e37adc195ac988a303bb00dbb8495430a0fdb0617b966bb82d6704c6b9283a9f016fc1ec2cfd6908d021e40f95ea3ea8d922

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

Filesize
3.0MB

MD5
acb31d5bfe62198753daa98801a3abe9

SHA1
e15d1ebf19fc7a785e57cbb1cb4828ca4f904264

SHA256
3e2364a2784c30998b2270bcfeb6ccc8dd7f109221319270f18b75a14f0fecc6

SHA512
5066230431b197ab21e007e03d50a071c5cb94a48ee165d5efb7ee0a91fc65e0d9068258d8434db0312d00b928f6254c839ef5a0329730922e78fc58c37ebc6e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe

Filesize
1.4MB

MD5
94b1e044efa5460cd3061856a10aeb7f

SHA1
7175da58e878b5cc8f3210a250143b482c54c92a

SHA256
aca02477ebe9dfc2e97b714c65da6d4c8c0069e7d727edd13c54bf7919335ff0

SHA512
3321713e51f4c6210967fb443c91f5cd0713f32f556b84d23a32cc337fa64af6af7b1e8d3421e884fafa40b6107a0b6ab548cc51749c204c15c078e792c1c131

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe

Filesize
1.4MB

MD5
f6272835cc39151aee9530880b32ffee

SHA1
9a4b380af20b360628d7bb1ee406d0d377a2e2a0

SHA256
1320e6039381b44c80748e3c61011c65cce734a17bd14b21e653d6b3fa5c820f

SHA512
59bd5703a1253bc05074ea08a8ed3b86850a03f02ced50a780f039e722b3c1877faaf2bcc3e0856832f66466ec5af9b2cb67ae955d83431a4e4853fd910d06be

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe

Filesize
6.2MB

MD5
834dee2211d23335545eb33261fb6237

SHA1
29a97202754174fde960dd14d44e1b3f6666bd84

SHA256
59c14ef845d0b6b77ee24eeb204d7ff3db0d8fc067e6d8e15e7008cc346ce6f8

SHA512
13669b47069ff97c27e3626b5b0cafd6861b086c413d4ff5d449c77bc91b60ad9e9fdb6a1ab531eceb30877da0f5964edc5ae7805ee298b94230ae66948e9d14

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe

Filesize
1.5MB

MD5
e0a773361fab3485cb945237322288c4

SHA1
7bd93619b173fb5e59c9b27adcf77da0177ec0e4

SHA256
c83c5b44fe5f63bbef2a3655b0f8bdf2ef92a08ca8608b583e87b95b4315222c

SHA512
b2fdc64e1e5559deafdfcc353a3d61f42c96ca42e9df250f612ec25d4053b78648adb78da884623b77de59bcb450d260774b9b02020b67a9b613f222b834f4c0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe

Filesize
1.4MB

MD5
102c586d7a4039bedf664e23326b9f28

SHA1
11083fdf70c73c9e9385f2e26a7e368bdb32cb3c

SHA256
cfc954812a66790224470f15aeb45cc4b0ac4f65d5dc35c44471d52d590d10b6

SHA512
6c0d0cee962732e7e4db368b0c3c90a506c55bacc8b00ba8bed182136ba13a24b4737af55e348fc6c0e8bf65e61a1cc12a5b08a873535f5446462866b5be78aa

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe

Filesize
1.6MB

MD5
f066b945f4b1e8cc8f4ca023fb426e11

SHA1
97434c93cc55710b2f09cc03ad7829177c02d44c

SHA256
4cc639fa2d6ab418f522b19663b0d49ac3dacff4a638ace64e463e33a9e98a9e

SHA512
8da8b8c0cb8e335b668640e9fa279bdb4fddf5a2125443dd3048fb9f03319376546424169748da5e81378533937713ac579bec36f7e647e8a171e58c08194035

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe

Filesize
1.4MB

MD5
2266e9cfb963efb7155c3f65eb01e052

SHA1
97cf81fd78d0239bb928af3290ad368ccb5d55ef

SHA256
95e0a22ac4f5e22b32122e45e02d23c1f279a404098ba6f7e6f64e2cead9d140

SHA512
c6906e069a588e8f6a1b82c16c227062c94dcb2e10cab52921b07f0def41229355e86976648a3d0afa6e837d4daa97c58cd6840227d7125b34a2ef4a0cfb35c9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe

Filesize
1.5MB

MD5
4e09c3b48be1093ad3d57d4524879bc4

SHA1
90310bae4cb4ca364a43539690daf94a7b9070cb

SHA256
eed46ba29fd6951afc520b2481e59458f03db99fd3226c3dc17eddc1c2e2afa9

SHA512
ceaf713493b35b668b5e6c2493c8d96d6cca1da1fc0d8dd1df6062324d8f5c5a1a4fb208ecfbca96bbab434fa18e7b553d64e279061026f264b0b540d0590603

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe

Filesize
1.4MB

MD5
7f314fbbb675e26296770605690a59d0

SHA1
293679ed7fc5d985b9d9a0d5b03afa3f134c5e98

SHA256
9a28c40fe71caf323389541cf83c1ba31b9ec1c07a3430033da32ab8726b7d50

SHA512
0fecae177a417286eab7da4804d614a4ad74e53805e455f017c7aabe509ce5d4badf6d8b2aaf0990a7ff41cab319f76b609175effda34e578cebbae3f4a11183

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7129ccde1184761ffc74e76b64db575e

SHA1
b682161a57371ea80c6f631201bae77ed19f5075

SHA256
6d58d3ae64e33c0a7f5a18afb0702455da90cfa4678e289ecc4c91205989159a

SHA512
1f24e6ee68f6fc6d587495cdfb84aacfda118ede2e6ba65f66c61ad6d9e3576bb24ab765d39d980e11ea7ffc5e9db88a85c4afcdd0a27950fc16e8f4a073b86a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
432d5e2efc901e0f60b0aba060a20601

SHA1
8c2399af86a46981f98501c508112e6cff1d1239

SHA256
e2b6702673a048b78c45951cd9dd4030ddeb957fef066376bc0868f18e0abb69

SHA512
fc200918294fa59d7facd449268b2f34a4b911bdc9e27abf0f5d077da409fff6f96eee75fce441b5cc90802fd598bce323234cba94740da9fbc4d7da0c0f4c60

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
4a4472d73fa311ea6cc0ed9a4d1a3a72

SHA1
e3e50369bfeed348b7d4cab60027e6a1adfb644b

SHA256
bb161e7b8c51a684163443ba1ae2569e143f1b99d99bf601b35d9dca0cf9a860

SHA512
6016a1053e45fa048e77e671bd1aa95618ecd421fcb410f7b4e136a4e428a3a1e69d01db75d47d4fc343db447731a07103e3ade976c06268ec75991e10a50887

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
2bb7b056962f95c56b12bad44ab1fb6b

SHA1
a72d9ea69d8a6decd685d62fa2f1fad35c109e54

SHA256
7fa2ebd8fdb23e06c67f48273977331ed6d46d65c02c11d4cb93e94313131f66

SHA512
86dc96302aa53ace177e8abc6852ef9c7de2483b625ff77e9c619df5d41ee21bd7f679f63e560ebd08ebb49b0e51cf2cfdfc337709065c21464e402561a2e566

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
8775197c76b0e7ff052b38d9d3a1411c

SHA1
0c4fdd1ad3cec2abe4491856f6cfaaa54f94ed86

SHA256
a69ba258f084784a2feb0b6b2b20e4cc9930f605aeff34ce1ef92ef5f737417d

SHA512
da71d2b699c1912d11099f28aff9a27a5ef5b19fec377551fe061c29bc69f0d3230fd788bd4573d2b0d949fffe6209fe0658d57cbec2f90429be80d68fc1a91a

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\3d5fba6e-3f99-404c-9d9f-542211d0c74e.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Mozilla Firefox\updater.exe

Filesize
1.7MB

MD5
6d69cea4c1c3281b5aa90b0bae696783

SHA1
1c95024abae690778cc773249b1e96604eae35b2

SHA256
b0791c572de2d47b49054fab51c30fb15e0c57e2c9be7243ad01bfec3bd87fa8

SHA512
10d5a83079740d378bdddaedcbed2a351c3a9695d307def86e280d5c8ce3c2d2184455b09d2267b15a9c99f14bf944aa2587454ff84711ab7cd60326008d041d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
adf991e83ab9b8e9389c0d14e188c81d

SHA1
1114c4c4c145e7001019403793e1296d268c6101

SHA256
85582bac935ff2328645b9211c8e4baa5fdf58788bf08b623e77d18a2425f4ce

SHA512
64a99757e156c3d58a98a048add819770f1e234dacab398590914c7c2e674c1bdfcbb4f60e359630638110670dfe522f87558f8840497c6bb9c45efc33fa3f09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
3ea070e60e7d429e1e61c8db38c29e6c

SHA1
5e299ee911c837db884fb5fef2f5abfe4e9e8863

SHA256
b2a5745d6bc2caf9e182d87fe017e223f6237fdd3768705f02a67a10b4cc2d66

SHA512
bd55194313210c91259cdfbe4e6cbef7eb74adf00b7bb292cf8bdeb109eab962f8253ed0277461b94fe7eacc644648318baed002cca9af07b27b00e584fb7cbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1f229f054c0900415dbcb3f2feeaa2f6

SHA1
0078a6b11705d206eebc13f4f929bb8cb4a18cc9

SHA256
ab2fdd39791d3c765039563979be0c30b988b17150b9fe6df761863bbd291266

SHA512
0faed2819c67da8312f1d27dcba0db1abc653f3799a030e71deedd38c22067a004237af0d714329cdcd9cddf68b7ba6c7bdc4f3339682811ab6abd3a21cfd98f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
6c89f12f2f5dc985f969ab81243a8085

SHA1
41780545427d63408bd376c01a619a7e02848eb1

SHA256
95fc353f42e304231d8c51ad1b6079ad7b528d694eeb47f7cb597770c311cdec

SHA512
4932444960fcbaabcd95d7129ea9eed2162e550e2d4e1111605e62d7f3fbdaabad12587163db4ef9aaadcb2cf0efd305d177c6dac739a04aec20af6936a5028f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8d83d18c4660102acd0222cb9083b3db

SHA1
bb538e3b5df15ae54562ed906c99a9fa872dcd4d

SHA256
d1d9cf572a4316f8ce32749e57d5bef4ad5e081b531f6cc87e8b8c644d49f9af

SHA512
2ea27ef0ab9707b54f228f0957141f6cb143dc87f4369ac618d6210a6cd874e1079fb622e8e2bf4984266e7044bcba948a1d2222f76bbf83bf472d9f891747e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe576fa2.TMP

Filesize
2KB

MD5
d815a154d920aff927b3986ef84917db

SHA1
c1c2bd7df2e21219963cc39d302b18173713afc9

SHA256
0603be058d7ba2a08d3233e42e5575b76578513ddc7e3cb58fa53fcbc5e26028

SHA512
7f7fbc48d9be3c0a935906b277e766261ca8fc1b9eb05542d528bca09d1bd817e6bdce0fd87fe3f56e7597f09595b5b610eb103903a66c2bd79de04cb4f250c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
1bfc64f3819c1075f4b4c1703336dba9

SHA1
f8a922f080bd5a6b1d95fcf7de8ae15540ec9a39

SHA256
b3ac4081bf067fbe2eda61142b22042994a9381367b46575a28f19a64164b726

SHA512
d77bd379826957efe0fb09459cac47756346785e995ae09604c574e649fa34974a482281203fdeeadabd23b9c009a499225eb624386d03f43272474ba0c3c67d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
281KB

MD5
da299ac8179e0854a35c770f10345541

SHA1
85c7f644247999782a71aa2ae222bb1b0ba5424f

SHA256
8b25b46eaa393a886d6716cc2cd03b2df65ebb90f0f70a228a337e72e7786220

SHA512
cd5da6e10436028a1275ae8948bc047a5bc77f4de9f5906a2d0914aeddcd32d067800fb9e61808c67d7782d2d2773953c2d9fa58f2dc2986aaca74856c9f8115

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
9bfcd88452b7156c95933bb8c2cb55b1

SHA1
d941684c0dc3f38c5a95ceef378d86336cdc1d81

SHA256
43b8ebcc52ec1f7d0f4694b9dd4822d1cacb85ef0241fce38bca3329134b9509

SHA512
42601e7cb366fe7e844aa4dadc0b30c461106595ba992a9865b971c05f95357e06ecd82706e92bc3bce7b43ef8b10ffb2636b19abe13338b2c00c2fee83b040d

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
115487109ad5e0daa13a7b09ebd6326c

SHA1
711cba7e2c4865ded8d2fa3e87e05a2304cd5e10

SHA256
c6469b8dce561e6756f94dba1c35e2aae84c19261c833b4166168d98f1d9b4c3

SHA512
7b6e4bbf7826c63b3ce446311cfd6438f2d1e54601ae7b6306a7290ee1947c94d845357fc691613fb3b81cc8a8b6dd6350a4f40ba152580dc95d31d0e24dc74f

Download Submit
C:\Users\Admin\AppData\Roaming\667aa05eb3b9834c.bin

Filesize
12KB

MD5
921b10a277acb8b427d5ff100b7fa0ef

SHA1
df09d23fb52a68253c55b25216c12db7b904c763

SHA256
35a68121d741e06d87c8f828528e5633779d53573fed50b9f50afffeba7a217d

SHA512
c2bb0962edf8d58f7d783b0a2d2ca756da2373de97ead7db7f679da54c96392be95b23eee63f36376236d28f59b7755cb471b04a977da6e56513a76c7e3794c6

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
cd7b04cce00660d1c2afd0fc3950411d

SHA1
367185e6dce13d2155a85f233d3930b786bf0f39

SHA256
8a515cfa72bbd065c9366d2c661c2c72979c0b596d2e04bfc8a832e243819957

SHA512
e3e1e88075ed45a30c19f60c88276481621c128e36fc5eb9f19c4c0a97ceaa55696687d4458100d42f9592cff6240a73a9d21a46a4076ab9217dd685b78e65bf

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
df938a4c715a78a9beb6b4dafbb05fb5

SHA1
492b8493626989658e9f9485ddf498398fda02a7

SHA256
44a4a5291b54325b5ea699388b6f8fd4c318340db92657e0b27f9a51e4a52709

SHA512
c3a4d603282dc1d5f85f824ab26fdc46917fa913e386e272a15297d7942950ef1d2ae8605884490c5a2f0e0aad741580f2cb6d24c8874592b3c051a211f77196

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
b6fd7777274e2b90fbee314d05535644

SHA1
97e3824b5ce241ead511207661fca3fcda57a978

SHA256
1e9c8bb59cf01a50b81a792b1809442205be93417853b67e729b864cd655c5f6

SHA512
acf917cfac4cdacfe14e124c6b06ac3de61daa8f7a2c25a9dd64b5ad59fcf99699c2fdf2aac4fd4b4ba3a4e0df847418e26c6b8e7ffc03e6b7abf6a344996a72

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
100b18d0ffd82f1a9f19419f7e7f8866

SHA1
b9b6b3dd3fc178c5813a085316607d868cf14e41

SHA256
103ad74afb0d48206ef29bc492e78927b4928d1d3aa38c45e4224c42fe8ff049

SHA512
2e2f03f7b20c0256471726ce41d0b3381fced40a2341c0095c52e649b13c03b28099553be8b1a9aa0b5fdb8b328a657367d3dfe68cce4803010cf2a73f514379

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
bfd32e0fdd7d77a1bc1c25674244b738

SHA1
3191aa85c2b7c263b29f9a07c41fdfe759d19aa0

SHA256
21b32d3f1bc26f289fc7995d8b2c80060d1c6f1365a4d72765a378310c419c93

SHA512
7219b727f6a2382e64cec795dc253410b7a8824bda8fea3ab75ce03c13b9a91199d0f514819683cc734d2e18d8478b59e7faa08655183d42f8374510855dbfa6

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.7MB

MD5
e9a5a6a62b7548cdbb472c9f69a9ac40

SHA1
399f4e4c601d81f2444fce1d710ad858108715fe

SHA256
4c05158b435f9e490d807362d570fa71a7d4df9784515a46f4fedcc8788ded38

SHA512
aebb8955d94e2908f3fe43993467b36bd5cfeec6e3c72771a0b362a66ac3b3bbe5197d85f62282c4212f716ac535c034072778da8a541c07c4c0e56c3850d4d0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
7fe2c596208534c2914520c5480aa645

SHA1
39aad80ec1748b36a9ae7d7ea1e07b994a9ae1e2

SHA256
0f715959aa79425d1d354621ee61d116356e370a2475e6ef7c303ac61b0a700b

SHA512
f435283f792789582ca3dc62048ec944c94ba34d720ec12a85e01f87e11b91450c7b70879369a6743f61c99604683db78f4744255ab71cec8dc6ddb08da6c06c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6a531d6cdfd9fd87e5fdaa4ae118d4f9

SHA1
6750cbf690b401c546d20e773f29020eba0604e1

SHA256
b77c91d956143344ce1060cd8de1f30685e086e50b21f41d9a71e14281acfefd

SHA512
190db03e79df5b926d87d462f8197575797bd548510cf699cc572497d7537ef89df961b37eb73ff5c4eb501e2aa7df093644afb41d2e33c9f20fdc5b272df80f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
01a1bad8dea2825bcf4dadc3757c2921

SHA1
6bb707f1af8d58664a16c47272ebeaa85bce7761

SHA256
f49dabdc68ac44a1a190ff628735ee284f33dce3e7bc05a3a152910b8e231928

SHA512
80af1b20e9c75c48a36631dcc8fabc47cf9a4ff1dbcf13d4ad27d4d279a053aad4833a631ffc52653ecfe2db3a7a54b4bf3cdf490b057011361909e04dd0335e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
01f326d22d92cd0c5777ad464813ba4f

SHA1
7c98688d72fb0380d82d962f9a03cba72d089763

SHA256
8e2aa87bac4b2fdb4a1f2a8008130048ed1f5f7b6f7a5369a781d284023bdf4d

SHA512
be511653b0a2bb47b9f5930e55da3a3318ccb370af8106b4f9ac9ef23a68ae5629c1e5142ded2013039f9105f94e24c79e8be10bfee9e329f52b514dc28e8d05

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
58419930274b3eb088963578735c074a

SHA1
cfaa4b1a22f5b9b5cc96845d512b849332b7eb75

SHA256
8df7e482453f21ae0fb60c4e328accb59b257708ba7bb2da5d0f323ff7367e14

SHA512
9860f78d5bb6d6e6037c49cdd496aeda672bb70abcda6febd331d31a3dc5e28c6928e89833ee941accf35a13ad8c05ba1ad780856334d80f45a6c4e778ee1197

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
12ed477d14acbe49040a1b4c65e679b8

SHA1
130eb8a4a6baf463b4568239153250a9c74789e1

SHA256
5b045c67a4781a6d7b3dbccdb1783ffb3762d533f4b396e1d25e9dd20ac05d8d

SHA512
a8ec8a96c32b231a1e85c73d7f1cd81cdcb4d8d6ee56ce7f185be7ee1c3b3882bd5884645d4dacc2274a231c688714632e4f9f5360811cf85b457fc1cc365c73

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
f401fd3f550e9250109122d53113c0da

SHA1
9bdec8790f4c1564534cdfe955e10147190bd5aa

SHA256
fbb5fcf6bed22e0a290b469827ecab26394df984499b8bb3f4fc52bfe5597e86

SHA512
d29ce6abf15fb26d5dcc0855d7b0e830e216d1924c97776b7df701556de20ac79d2545a769932b35c58ccae33fb1eb4ea2642a0c66de34b02ea07a094021e116

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
5288d198f5ebb05252b077f134745da3

SHA1
3f6c95d29735cc4137bc0ca1c9112aeb0f573269

SHA256
7626c6e94b83726b7931164726834771be3c3f6abf57ab48a935077e1b73f816

SHA512
cb69fdf4baefe22170959853064ead746b6ec04c81e15dbe3790ec1369ccf8fe5f6611f0089585af937dec12b7ca4f531470668ce894e344d6ddb01a07b66f7f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
9161fd02864338559bc6f3a3a31f91b4

SHA1
784be1b004d8b3a3a0c1e808e5559d423af09e51

SHA256
60ed638d9a03c5ecd06416ee8769fc1d137eee2b650ddbcbfecb9feb24d080e7

SHA512
2c678b25a9a78dcecca741da511004a17275151a44d406b89345cf76385c144d4f9f58fa697cf5ba499145bf137cc638468be263a7f6624c7f6aecbd6df958ff

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4b3c5f27a792b89b565b0cfb760ccc57

SHA1
dcdfaec866e339b1f1beee186d4a6016023a3392

SHA256
45ba375f186e08540267e49ef917924ae5160b9a0c8dfb05e0df22ea232e8953

SHA512
14a4176af2116cdc8b976a8119f35f49e3e17684926ddab981c7ee2957072e735496c58bfdaaafe97ecceb44ea459911812f8287ea39ff61911e7a1f0810029c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
9ad068d82019a9587182965070f7a7a5

SHA1
fb84344470607005e1fe2866bddbfe71dc2f58cb

SHA256
be808f0f420ee636641809ea11f0214879760ecb3a6ca50d2fd568cc934b6fc2

SHA512
1b7a2f0dc02043bd43a22b24f6aa0cd606d3e613c3014d17216253decf4098d1b702584db59609c4cb329b4fa66e7377b16ab040a9de864d7632234b60dc5c62

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
40b30ab1936a344b7f2b2d6adc11ab83

SHA1
7680834cc11342b65ab6d4b78e18a2d747a950a9

SHA256
e8c0f8e5ab1fd67fdc2afca7278d2c4cbef3cc2f1f486a3d87d593d801741e6f

SHA512
a8b0893a6ab5f74ea16ff51ef6897fd3c1864f38696282ea465e96859f2e888e727754c0331e56510b9b6266af7d29f8481bb5e9c94094ab195569e473e13ada

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
36ce2b6cad119c81a528c439949cd5c2

SHA1
f635102f17707ca52a99ae7082a91df76d1c4d6f

SHA256
0c090de79661e741558d04a5e53e617bf3a81c1bf4fca885509d6297f59ede52

SHA512
848fe3baf38ddf286b42c0c9a4c443d3851fb681a095e1311d0a312cb84a6e99aeee42f165d51174de98fa6ce862d6851d5ed3c9eff6aae5d323237f48c9e878

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
532c153e93a9750cdd66c13a80d67858

SHA1
be773b64f0d54a084877a22b8d15b6b8d2f3202c

SHA256
b36dfa454fe6e85ad983d10040eb7c1eed889b7d52be4e8b9f77f2e883884695

SHA512
b5d402bfc11594774b3933f8102247357a0b68bc571d9ab5d80fd53840221dbd1ab203d003e9ec6b030f57271ba3273dac3a49747ff3b9eb2fbc7834be89f544

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
1ce0c8e2d349f61961057b5b93721ac5

SHA1
cd2dc9e73be413aeff7f36a33c6ac202c0db857e

SHA256
126fa7291469ecea9d986b3aa77862c6b08343a754b5b4462a4f7d6b4672e4bf

SHA512
5f0c1d85489b3c8a077b528e50bb6840390db3be7dd632612123e025a234d8c3553f3233d32ee3b9604acb6cd06e39003436086c3976500ca71f1d6085ca79dc

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.4MB

MD5
279279c8af6bf61d4bc805310298acf1

SHA1
d79d80680505ed0c9a569766642b66ca4d271dd4

SHA256
bcc538e18c4bc5c68ae931f494cb3ab09a1f31dc86c89fe485df883ecef30404

SHA512
78cf086fc90ab20317c1b06c7b526119e677f2897fb96e178d216ead3f3a4724d4b7e36f42dc892a115bcb3190e93f689c66b6df79a86956c0f16b52f1f14b30

Download Submit
memory/228-206-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/228-434-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1240-202-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1388-208-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/1388-435-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/1492-53-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1492-46-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1492-299-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/1492-52-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/1492-54-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1548-274-0x0000000140000000-0x00000001404AE000-memory.dmp

Filesize
4.7MB

Download
memory/1548-20-0x0000000140000000-0x00000001404AE000-memory.dmp

Filesize
4.7MB

Download
memory/1548-21-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/1548-12-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/1696-201-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/1904-69-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1904-251-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1904-75-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1904-77-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2036-198-0x0000000140000000-0x0000000140258000-memory.dmp

Filesize
2.3MB

Download
memory/2360-92-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/2360-107-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/2372-204-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/2748-200-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/2816-232-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2816-551-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4212-67-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4212-64-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4212-106-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4212-58-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4228-199-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/4264-207-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/4284-557-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4284-261-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4364-90-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4364-87-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4364-412-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4364-81-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4496-203-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4496-483-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4596-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4744-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4744-28-0x0000000140000000-0x00000001404AE000-memory.dmp

Filesize
4.7MB

Download
memory/4744-9-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4744-8-0x0000000140000000-0x00000001404AE000-memory.dmp

Filesize
4.7MB

Download
memory/4932-562-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4932-275-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5008-32-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/5008-40-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/5008-42-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/5008-286-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/5180-565-0x0000000140000000-0x0000000140265000-memory.dmp

Filesize
2.4MB

Download
memory/5180-287-0x0000000140000000-0x0000000140265000-memory.dmp

Filesize
2.4MB

Download
memory/5204-398-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5204-462-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5320-300-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5320-566-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5460-409-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5460-567-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5564-423-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5564-451-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5684-570-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5684-436-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download