a98a538f4bbe05f090dd66ae883db662595362036e40418cc21147b713fab913

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 16:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
Size

5.5MB
MD5

0072b90e7a0df9e551575bd913e3ad91
SHA1

19b1ebc3d02c6cdbb115275db30fd4fd6ec84cb7
SHA256

a98a538f4bbe05f090dd66ae883db662595362036e40418cc21147b713fab913
SHA512

4f4be335ffb46d60a2b05bd0c42afe604c7257dd163d3db4129cad6e643f3e979f34568672a0cb3d1fbc27b7bbeb96ff5d92c8654e35834263ced45cbe722db1
SSDEEP

49152:AEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfT:OAI5pAdVJn9tbnR1VgBVmKB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2032	alg.exe
3280	DiagnosticsHub.StandardCollector.Service.exe
1928	fxssvc.exe
3068	elevation_service.exe
4484	elevation_service.exe
1456	maintenanceservice.exe
2564	msdtc.exe
968	OSE.EXE
2060	PerceptionSimulationService.exe
3568	perfhost.exe
2692	locator.exe
4956	SensorDataService.exe
4036	snmptrap.exe
1432	spectrum.exe
1456	ssh-agent.exe
4548	TieringEngineService.exe
3420	AgentService.exe
3284	vds.exe
3304	vssvc.exe
3760	wbengine.exe
2520	WmiApSrv.exe
5148	SearchIndexer.exe
4996	chrmstp.exe
5576	chrmstp.exe
5616	chrmstp.exe
5776	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2fd24e79a33ac798.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_112765\java.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000044dfb56e56d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a067386d56d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d1b3656d56d1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008ac6786d56d1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fb287b6d56d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133649307918546584"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007cf1416d56d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000319bce6d56d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001f447a6e56d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000054182a6d56d1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dcdb4d6d56d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
5012	chrome.exe
5012	chrome.exe
4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
5484	chrome.exe
5484	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	452	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
Token: SeTakeOwnershipPrivilege	4356	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
Token: SeAuditPrivilege	1928	fxssvc.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	3420	AgentService.exe
Token: SeRestorePrivilege	4548	TieringEngineService.exe
Token: SeManageVolumePrivilege	4548	TieringEngineService.exe
Token: SeBackupPrivilege	3304	vssvc.exe
Token: SeRestorePrivilege	3304	vssvc.exe
Token: SeAuditPrivilege	3304	vssvc.exe
Token: SeBackupPrivilege	3760	wbengine.exe
Token: SeRestorePrivilege	3760	wbengine.exe
Token: SeSecurityPrivilege	3760	wbengine.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: 33	5148	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5148	SearchIndexer.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5616	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 4356	452	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe	82
PID 452 wrote to memory of 4356	452	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe	82
PID 452 wrote to memory of 5012	452	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe	83
PID 452 wrote to memory of 5012	452	2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe	83
PID 5012 wrote to memory of 1152	5012	chrome.exe	84
PID 5012 wrote to memory of 1152	5012	chrome.exe	84
PID 5012 wrote to memory of 1976	5012	chrome.exe	90
PID 5012 wrote to memory of 1976	5012	chrome.exe	90
PID 5012 wrote to memory of 1976	5012	chrome.exe	90
PID 5012 wrote to memory of 1976	5012	chrome.exe	90
PID 5012 wrote to memory of 1976	5012	chrome.exe	90
PID 5012 wrote to memory of 1976	5012	chrome.exe	90
PID 5012 wrote to memory of 1976	5012	chrome.exe	90
PID 5012 wrote to memory of 1976	5012	chrome.exe	90
PID 5012 wrote to memory of 1976	5012	chrome.exe	90
PID 5012 wrote to memory of 1976	5012	chrome.exe	90
PID 5012 wrote to memory of 1976	5012	chrome.exe	90
PID 5012 wrote to memory of 1976	5012	chrome.exe	90
PID 5012 wrote to memory of 1976	5012	chrome.exe	90
PID 5012 wrote to memory of 1976	5012	chrome.exe	90
PID 5012 wrote to memory of 1976	5012	chrome.exe	90
PID 5012 wrote to memory of 1976	5012	chrome.exe	90
PID 5012 wrote to memory of 1976	5012	chrome.exe	90
PID 5012 wrote to memory of 1976	5012	chrome.exe	90
PID 5012 wrote to memory of 1976	5012	chrome.exe	90
PID 5012 wrote to memory of 1976	5012	chrome.exe	90
PID 5012 wrote to memory of 1976	5012	chrome.exe	90
PID 5012 wrote to memory of 1976	5012	chrome.exe	90
PID 5012 wrote to memory of 1976	5012	chrome.exe	90
PID 5012 wrote to memory of 1976	5012	chrome.exe	90
PID 5012 wrote to memory of 1976	5012	chrome.exe	90
PID 5012 wrote to memory of 1976	5012	chrome.exe	90
PID 5012 wrote to memory of 1976	5012	chrome.exe	90
PID 5012 wrote to memory of 1976	5012	chrome.exe	90
PID 5012 wrote to memory of 1976	5012	chrome.exe	90
PID 5012 wrote to memory of 1976	5012	chrome.exe	90
PID 5012 wrote to memory of 1976	5012	chrome.exe	90
PID 5012 wrote to memory of 3204	5012	chrome.exe	91
PID 5012 wrote to memory of 3204	5012	chrome.exe	91
PID 5012 wrote to memory of 4460	5012	chrome.exe	92
PID 5012 wrote to memory of 4460	5012	chrome.exe	92
PID 5012 wrote to memory of 4460	5012	chrome.exe	92
PID 5012 wrote to memory of 4460	5012	chrome.exe	92
PID 5012 wrote to memory of 4460	5012	chrome.exe	92
PID 5012 wrote to memory of 4460	5012	chrome.exe	92
PID 5012 wrote to memory of 4460	5012	chrome.exe	92
PID 5012 wrote to memory of 4460	5012	chrome.exe	92
PID 5012 wrote to memory of 4460	5012	chrome.exe	92
PID 5012 wrote to memory of 4460	5012	chrome.exe	92
PID 5012 wrote to memory of 4460	5012	chrome.exe	92
PID 5012 wrote to memory of 4460	5012	chrome.exe	92
PID 5012 wrote to memory of 4460	5012	chrome.exe	92
PID 5012 wrote to memory of 4460	5012	chrome.exe	92
PID 5012 wrote to memory of 4460	5012	chrome.exe	92
PID 5012 wrote to memory of 4460	5012	chrome.exe	92
PID 5012 wrote to memory of 4460	5012	chrome.exe	92
PID 5012 wrote to memory of 4460	5012	chrome.exe	92
PID 5012 wrote to memory of 4460	5012	chrome.exe	92
PID 5012 wrote to memory of 4460	5012	chrome.exe	92
PID 5012 wrote to memory of 4460	5012	chrome.exe	92
PID 5012 wrote to memory of 4460	5012	chrome.exe	92
PID 5012 wrote to memory of 4460	5012	chrome.exe	92
PID 5012 wrote to memory of 4460	5012	chrome.exe	92
PID 5012 wrote to memory of 4460	5012	chrome.exe	92

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:452
- C:\Users\Admin\AppData\Local\Temp\2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-07-08_0072b90e7a0df9e551575bd913e3ad91_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d4,0x2e0,0x2e4,0x2d0,0x2e8,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f51fab58,0x7ff9f51fab68,0x7ff9f51fab78
    3⤵
    PID:1152
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1916,i,7321938484434173634,1330302407049545619,131072 /prefetch:2
    3⤵
    PID:1976
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1916,i,7321938484434173634,1330302407049545619,131072 /prefetch:8
    3⤵
    PID:3204
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1916,i,7321938484434173634,1330302407049545619,131072 /prefetch:8
    3⤵
    PID:4460
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1916,i,7321938484434173634,1330302407049545619,131072 /prefetch:1
    3⤵
    PID:4204
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1916,i,7321938484434173634,1330302407049545619,131072 /prefetch:1
    3⤵
    PID:4520
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4364 --field-trial-handle=1916,i,7321938484434173634,1330302407049545619,131072 /prefetch:1
    3⤵
    PID:3660
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4792 --field-trial-handle=1916,i,7321938484434173634,1330302407049545619,131072 /prefetch:8
    3⤵
    PID:5612
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 --field-trial-handle=1916,i,7321938484434173634,1330302407049545619,131072 /prefetch:8
    3⤵
    PID:5212
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:4996
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5576
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5616
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5776
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 --field-trial-handle=1916,i,7321938484434173634,1330302407049545619,131072 /prefetch:8
    3⤵
    PID:5820
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=876 --field-trial-handle=1916,i,7321938484434173634,1330302407049545619,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5484

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2032

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3280

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4736

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3068

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4484

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1456

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2564

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:968

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2060

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3568

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2692

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4956

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4036

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1432

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3876

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3284

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3304

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3760

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2520

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5148
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4032
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5428

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:5612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9ddf9fb5fbb3d7c189a9ac00077a37a6

SHA1
8c4960061fa27a673294b2acc12265a762fc10f5

SHA256
e250c7fc46aab3b712aa17abd81b229f7d412e905017b9c9de7ff41e2f559f39

SHA512
13facac52e78d48bb9f7a9f0bcca54dc4e358f51655b9078c3393844f5ead2aa4978aba6de91adb0da04023d6e3e56280536b70f6426de1d4ee5877059ea95c2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
23e70f297a20d22915c13afccb20a662

SHA1
10a2ef5adf7b8d8b90d4209b0c95aa875be1891a

SHA256
f1e765d8e335a2de877cb0c78aa477f60bdf30cdf66ac43003374c6ee0cc4ca7

SHA512
504dd9cabcc318bad96129846de7fdfb8706e82f8f83cf5266a169f46d4f9d5558d05ef65e9066e6d9a0a8914cb095f251b83d2c769a0683b2f34c486444ffd2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
0924536eb41ab26f8f94a22a2b7ea122

SHA1
795eb6548279c5aeb108e9c24643dc382ef85de6

SHA256
2e566abdc5d096a81e0e9ac01b78c98c42d7180e2d52a8e4b7e59c67792cd59e

SHA512
f737642d2354815718f54d3ed2ab180537eff0c9eaf1b87b8f9d850067b07a71f72fdb6f94191652c97925ea23ceb0afa07173593252d3e61c7c4de23d83dee1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
846d8ad963078f52cb94fd08652cb4d5

SHA1
3199f8d5bfcdff586aafd48e56b5e6b3615f1172

SHA256
c71a700e1120082afdae2106b02ee0dd3264010ccb6ac1bca83fbcf64c74f12f

SHA512
949aa99950a231fbdf8d1ca24a961c5ba307daa719486f492888de877688acbadf47e26087a66d2472541a24d283e1073a6b267b5e2c5f50c251066dd3437a17

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
3b8de1f41297654c5bd3be32abc8fcbd

SHA1
bae086c3541e92dcd4e012f60b42cb9d0cb59a99

SHA256
0829de0bbb98a499c35cfeb06e204b35ac976532c8d8444f4b71b3a9de71b93d

SHA512
8291e7243be2946274b9a777f974059354f788371ceee18d33d51fe8745d2e317865419a502b309e8ffa68fa78452c90e3ef48f882ddf3ac48162ce454be003e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
566b89035f1afaa179cf1248bc3cc017

SHA1
b55140a2e9c5935c932bd0550dd87cf77b4ed256

SHA256
90d23d0c1fd97cc373fed8016a335f21a77decba4b6c2e65a4933f499abea445

SHA512
191f2e810cb85ead663634642c610882683e06d28ee1de2b02fd226e4613de9be8490717f32f12f1af4bbaa51444552cf9c9c5e34d82f1428ab897f187603dea

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
efb239edfaa0935cade5fb458169539e

SHA1
61a0099d478dad9c562565128e812ccecedcdb06

SHA256
08fa47c5f86f64c88a14ad73f35960a9eb3e83786db3d1bc4729450bcc1456cc

SHA512
c280c77360378579fe7c56267a7c3b4a8711853391c69aa87850ed0e8388e6948efd0d490f75ad60e09db77249569b538f07cb523effd8955ade12faf42686e5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
da9548ff076ae4d866045b78e503f9a2

SHA1
f2e4320c330a8b264d4f851e6b6a829c0eb6d82e

SHA256
0c4056b4ad4b09ee87e3449dd3def5ed412e0850f629a53771c8752d3cff84f7

SHA512
a103b95c406fc4660644d1a1971af0cabb2cc2ee12c521881b26e8da3455656d8eb8064105370d0f42e30626fc18d5ba4aafbdfa57fac800b9efc79de2119de9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
1ae233a31af45395ab55d8bdaacff20f

SHA1
6cd0feac9bd9be829f3021147acf29024861d73a

SHA256
744deb1c219012b01287f1f9a1db9e17a771717900df270326fd0f1346db2c6e

SHA512
80109d7822addc93f93347cea2c0a1203c4cf780015110fab1b90ae11ea5ae6180d454de1d1a4ab0ec8104006318d10a9fc007a3760ba48be07f0e7f3ed21c41

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
be9ad1d41549622341cc096c2549746f

SHA1
47586cc4c83872fcec013432fac209f01f170adf

SHA256
75e6f9e51553ce8e64a2b986442153c2507508ebbe6c25c1dc5c9987f9c89050

SHA512
dc61c066c29ac333a6d5c1edf7be401568ebc6233ac1b0e7e411fd0373de99eb8c1491bfb88a54fd255cf87808dbf366b5f62364ef1c8790b3f1f66b34603bf3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6ca1c7ae8010c8998679aff18265a146

SHA1
64581fa010541dc747a17434ce9470659937b35a

SHA256
25f293e80a83b5a1693bff1086b4d728c89912edcd597983230bdca2a491e4cf

SHA512
e48116c1bcc23a2d2e10975887ab58b474ed8f4399d3b5ae4193e9275c68aa1f1ffb122eeda1dfdc4f45e769cb79b075678e4d0033f9f299ace7879f9dd668e5

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
84caffd207d37c7e6c334a1dd31ac5cc

SHA1
1e0657795fd5e526f7525dcbc2c18e175c59ddad

SHA256
030f3a947d9e9146bc7041f67d971d58c64c5b10fef68bf253306ed0c9048308

SHA512
6131d83ed3af4faf424a2b21c2e8226adc40c742d80cb34a44d124158c28520633d8fd63495cb579b9532aef4af404cba993471fd1af390961d9de70a699be15

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
9dae0e38723d0f1112ab2d6a9b962606

SHA1
0e9a6decbb2fdc1356e73e118bd09021a07572fd

SHA256
1a4ab273701c8ca7312b6845b363e26c8c2cc9a3f6628e1c02689e94dccc377c

SHA512
13d37287dddc11582818f57362f93dbf7a7d098ff4b0f9d608b1150d69f75eba1e400b35793d8fa94425011d5926a7ddddfca1fad9fa4603b3371132821d6e05

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
f24c46c4e2c655fd7e79c8d864deefe6

SHA1
13ea36039c59ad70637365078c2eee77c665960b

SHA256
13aabac7864ec04c6f48a7bca9d629192ac947600cdc1bd6f38f3f873e34d0d9

SHA512
ae0df39f602881c0fcf6d362fa45e25fd4c7d9bac563278a73aa1f5afe1bd827afe38d857f832807c3dd838a715c0180fe58a69423bdc99a19917af47159db0d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
3d196bb53ccf6e9446048887a3ea4721

SHA1
a38258c57d47536e8be284d3e2bed81d97289d7d

SHA256
59093267e351e16c5b434b4dc88e12a1b8692d01280dc45f74e61f6a35b9e9d7

SHA512
72b6a8b8bae862fe1480133ada6282c772ffab12b324ed3ed73298550ff7bd6acf16206c590873a6f4628a7083e9025b64ecf48e9a0323acdbb9533b2a7d9236

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
c1abff6f29a914c2332db1f3870627f7

SHA1
07a2fb31a66395663fe84fae1d6c56061c8dc5a7

SHA256
9bbe2d27a0e00caa25de29061e4c7a8160fd2a79db19856dd56200e42a405056

SHA512
f69fadfea60c7a570e2adc4fc0bb75373ed1d6bc7daa40cb4aa387ab65f390d1d2575e4aa2345ca47be9a8ea122623bfb3afddcfade3ec45a93079c5ceb52cda

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
5bd7ec24503729c41a85e653c6b41bc7

SHA1
b5be1c30d4d7db2baf0f61ecc928b7bf01d50997

SHA256
5c8534d4d0facad6be8f9f01f9a95f4bfd8c90d7a5bc574cad1d3b7df3c7de7c

SHA512
f79f1c98aed19d964211621cd476f25f1083aba5cd31dcd266783b8f1c8ad91f524adb7ee75b8fdc68b7998749f3675bb8be0b2786e54917283cceb5cea0b1df

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
158e6ded05f5f6ccd39d3830eddb5341

SHA1
c97e0e91c5e75788793743c7f83fb98b84f7e8fa

SHA256
6ded509d4b5375aa550c1c137f3c34980839e501d45d76cb5096009e21b6e698

SHA512
ebfcbade205b4c605c7f72dfd245ca84d6aaaef936513441a68d67353ff4c5013b514668d70bc660bd38f6c3a472b2e3bb1bb503bd0a473de4595305fb078637

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\33c8d11f-8e73-47cb-86ea-a4d86cfa0a2b.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
adc303ef003b66a55b138b50f050d5dd

SHA1
f9617bb5f4ed75669e018fdb2b37ec18abcca3cc

SHA256
55412658eeee863e6facff83edba0fa045d60bace47970080751b229dcab6d16

SHA512
1fc71bfce3892d0a1714b4a9ef28a62c60425503b57a25825201f7540d7fd937a35953a420c1487d64266429899bc32f6e4070df57f869b18a1ce526257002c4

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
18794a26423c089724aabe5f4754b9df

SHA1
179234cdfacd474efd6a98a7b039cc91986efed5

SHA256
e2a3d6a0498042247ae0dad06d04d01205cccedc8c54e80e519272450e0a35d3

SHA512
41ab1ed847836859c61c7e8eaabc30846342cc61c97159743b2a350a8d1da0bef285e147a88f503c2b642c4f96415610ac816f9d566dcd7521d993270d6e6644

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
5fbaf5d7e8be176c8afaaf213e32599a

SHA1
4d532c68b02f4fb1f0e6b4a86b00df3e4c79d84e

SHA256
57ae1529f91981bf65d6ee9ae8c1a21c1400e86a30e169a5083262e14f1d6c93

SHA512
8c8906ec32a48d2f1086cee192d6cc5d713ffae8515ea5c9a0ea73ef0751e2093a4f68f068d15f4bf7adffdb56e61aa3ef8a5d5d257bc534d8acd51fecf6fc9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3ca194cb87daf0d6b74064e4b7c3ce91

SHA1
03c8a4de7d44ee54977f495446923215a6dd6044

SHA256
71c73eef134e43262299150f928384d3bc4c111508f856435397cb32627e3efa

SHA512
c344c32db4a154403e8e83920d91805e7b3c982e0502f77235c5de86def45998791166153b210a376ac4243c9b6363a6cc3d0823d264d3b496e4678ac1085b43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
ceb82d1ef25b7c96b8f7f42012157b0e

SHA1
065b7df9392807bb94328992f777373d8e18fe1c

SHA256
0fe891aa8843aaddc5e99e57f069ae51ad584ec98b599debf0f72a546d6ba69e

SHA512
48b71457d01ac04227ca3745ab856af346aaac2ee6a6670ec313de7c1202a3edfe5c2e1eef327adbc4ee518f5357cb96776710f0583b5eb3f6363f950a14bc47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3ed1d4adec48fab8e1f2d52ef58461d6

SHA1
a3d567ae0afb3eb50b6be0d50cf30fcb53f89eaa

SHA256
ff12d37f95bae86d58674cd3838f61a7b0a9d9bc5cdd7110c414ff99b30972c7

SHA512
3bdbbf164b6be8feca2435aba78066f197b9c5c27b0b5b2fd89b7038e81dbab9e768700baf5c8ffc50422c68fdb9e4cb0851f2329ad34965457c5efc254cdf96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
4796cdfefd2c27adb14dfae1b4a99081

SHA1
d01d81973413b4f39a4a873a083bb2b18f5855cf

SHA256
fa0d1173c122a4fe2ebff1bca2ac604987cfad35830a8a2dbaf204e4980b9720

SHA512
4e0c1ee0cd322f3570abfe0692a259840795803b53ac8274b7b74cb2ee7a750791b283090c48605cad267792925612dde8fb50fb846d4c23ed1440268329de67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57e29f.TMP

Filesize
2KB

MD5
4d3b86bde734dd4f78c7570405a9bf01

SHA1
fefdf70cb37b1caa044478c562bb462cdaf1239a

SHA256
a4020f53404ff5123245fe9aa42b6823608572ecd7ec60666a48cfb22c617dc4

SHA512
b9d08f86f9b303fa15ac9865e10d7c118412a696ffce6d7f2096f190f80464368306abacb2fc74f16d38370674f54894b1f87c5db03378ef1a43f5bbdf093d70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
98a2c6903894bb4983a5b9deda987bbf

SHA1
fa67f213a1b20442cbb2e11809bbd8f231324924

SHA256
d7badd9f87e7bbc341a8d73fcfdd055251d8d1c67c65cbcc3e0fb85a30706fea

SHA512
18ec4256bde62260c33b76037562a67d7960832f6f0ab1d9f3e23bc8f0dd435258844cc79ea6e6186005f094a5d224f80cc7d987f8c2120b9d2ac15dfbd7032c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
71ee54d00cc7f1887efa21cbd8fef84b

SHA1
280b08e63c760cf9b413d29419401d3fe4e816b2

SHA256
b5769c82542d16becb09e7502367963cae1dbf1d28f124d867cd024c3bde6de2

SHA512
010a80294e0cb914ef6474c1494dbdd8b9247f2cea8a993362ede79530fd6c17109d82e25336cdc6152b04da64a06efb1b31936c199d83e94ef4703b854e7ddb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
285KB

MD5
2f9235bf495b354e6d067dd262ac94ea

SHA1
9c5dcf24c96a580e7190e5974d8ee63e9c4992c0

SHA256
1fcb43b9e81a016102080b4e118c5dc6e2a418df29f36d38f51682a4ff54f933

SHA512
659b47920e337fa84f378e5d4463411bd27e37a6969da4bb2f5532ff41fd930b17681b563dfc94711eae83eca5a6d289049686ebf0361b79bae86b2e03f12026

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
0ef8261a7b4da07464ce8a76bf98ca62

SHA1
1f0f23ed9e7da9bb85500f0e9b700fd1a872e0ec

SHA256
1ee6a50ce3ae38c33826ce60e0226799c7841a7cbb9c2031e02531a308da3a9a

SHA512
34683bc538dbebd3757a9a1dd3b4253e318d48cc426da52ecf4e9eaf57ee36495368481cc7aeb37f44e89da31d445c9d3f221bafbf0946ef03cc528d41306dc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
85fd9f4e387e904d493078189ccf71eb

SHA1
87233547e6514c83c7e672f970fcb836768f9d8a

SHA256
274027385e0c4f119608978e48531399f70df16251bf05691611ae27444a3baa

SHA512
aa86f9d5c5aebcd2ce2751539b56284874b91c9bcb454ce58c42f2224b30a919af510a6487e19858e8cc58c7372e6873302500c62f0e66acbc9a24db760eacbd

Download Submit
C:\Users\Admin\AppData\Roaming\2fd24e79a33ac798.bin

Filesize
12KB

MD5
4284793d400192aae0301e97b9ff27e2

SHA1
6ed5285a8b90e2bdd7719a64616d6ff4a25b8629

SHA256
874ed15fa0ba7a971b8531c2a32abe7235703164e60640a319574d8c10aecb55

SHA512
75dbc348e4742438e1766111e537f2ae1acd65ad2be08c23e700d7ae1966558113c6ca4b334a774351db810923487860323cbd154113d486fe3a765d6d6375b4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
bffdc2112eb12b5635cb1c7b662c5f49

SHA1
470bf4a561ace5726cfa4bd01840310ae725eaa3

SHA256
4d9f936c8c05e8f8629658a1c84308ca681235af3d3612e8d516b2722433c759

SHA512
748811dea183eaa6111fa967b40f5f7149be32475200c255806bc1455e908aa3f240dc61860c03a3acc885a74182f1541786429bee7beba08a99fa482cd56d76

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7544796ec85ee837eb132e226ba6dd8b

SHA1
6a5b404f016fea8f749cecb8e5a0a8bcc91d6c29

SHA256
79e124ef924f99f35b228c081e347e07d7826bac58db02a831b014a3e1c643de

SHA512
a427ea126119aa01529de5b2421f5389259714f1fa0728849fe8f163175e759cd11eadb0e0849a9a4c31d394d190ba6254850c01c4bf11b46870b11245a9da2f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
3487e45080c43de05f01a61d32f7e30a

SHA1
0d5cecf911104e72e6450a133e0f392d3d94b90a

SHA256
f0a71861840dbb31e2dc84e439ca0e146661ab62da1ecabc6c7f2773b2180854

SHA512
f637a176c4e53352b717a70078198c9785119de147988da1944b89b779e01257ca1b20a5b6272bb353c518f60fc2fb69165812078a99315aefe9e004a8b935ac

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8172c3cda5a1c760cd9d057bbbafb8e9

SHA1
05ac621c92577cf267ae8a07e91203b9f232ffad

SHA256
407f7c7873add5927c0f83107cac580a37b2adb9fe515e4de3434989f72a7199

SHA512
4b67feee8d299b3f25f34e36661f93d13434f95e4f6c571fabba04596b3c418f69dfce2b13ac17d2d5dbb525315955b68556b2cebb37fca5afc629e1f3b8091f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
9884bb217e6e027f773e7b7df0cec672

SHA1
bb02d4a0cb75fdcaeb7f53aa2e0f87cd18c69a6d

SHA256
3a833544e8022aa47ac9b352053998ff24324eb2280ef21fea3efa21a5740683

SHA512
44497270b5301da97ee9e2c6d3d1b72f39018388fc96fa06c440418b3488b029029e892ea97e307f5272144b6f3dafbe6688fe2473e35ac56873a161cd75bcd0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
af2c573ea08becdb2362f5ff3c203347

SHA1
96fafacee052e504a239ab7a22a7475811120c29

SHA256
832866be27ba7a5ec79df3e1b15718d08d2f50c3ec9e234e0fdd36e91ccb30c4

SHA512
7c8210b505d8c881bf8378a288b62cbb2c923ff14bffc199d9520eb34fc903ee507c14ad6e721428f68da24a2a6462c4cb377c15a3a354f1527fd8808331efa7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
754e6d3ef685e8b16205cd750a0c2cd7

SHA1
5d03579a0e17a991d98ab8b6e9c14a5b6bfddad0

SHA256
8df4b33d6fac6ad036c8c55634c85a08fd43fed87858012d33616924eb39daf2

SHA512
7f3e393b627c961d6d1dfd4830f980d041cbc7981d9c882f4dace8e95276acecca503d35f1e5603c49e41c1712fb854035e1736c58291bcebf544c1356cc1aa2

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ac8fc1939aba55b8649699ed34c6baed

SHA1
f335017d8cedbaa722cbb9c5ac6a890a96d0bb00

SHA256
decd195f7efa11a2972d4bd5ccc22c8004b3b9e5942b4abb307476175e7a996c

SHA512
9dcbbadaf0f19ff0de781b2879573959d8c93142f0b88fa46fd9fe43fdaeb9b19a79110fdbc31748774cfe4588474f7019d7ee18de3191a721919db0363f04ed

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5193f5a2a761eb2081766c49a67f00f6

SHA1
be6f1ad2205b1d80fde5390b5893a3584a8771d7

SHA256
337eb1fd47794acdfdaba2c87c2a7e2e9e8f350ef116ea1ffe4391099c1aa46d

SHA512
00031aa5784ba153af43683b326980ee3e65238661b098939c511843d7ab05dcb03b268968a737e71d427b34500d6a902c5d077a98dd5d6e3d0ed0eded60ad02

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
06cb8a5f0ca192d3dc32d134cfc0e59e

SHA1
9d4dc0b90215c800b0c217c3cd99eb22c7ffbf39

SHA256
67c84817245ae039860172f79d3f27ae00d8f34858cf878b6887792927d35521

SHA512
5d0ae18b07a380ad60fa486789b32aa7e3d2f28485427d4d5491a2e411b9b36409e5949470f2674f0f800ca41e16d3e2d534fa5f994bc7520bbfe0b8ca4082fc

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
da05385bd6c96adff4efa95d7c2780ee

SHA1
b59c144987de9b13654b12b507489be8d14ed730

SHA256
4f83e83be85bd12c0d881d875c0855ef86cef611ae85a2b735476bc14b425665

SHA512
64dfaa63c6ac908e3c88a92e5358c37a7ba3edda72cf91038c92cccd28af63d7f550b7389686a85f12fd041827fc3b290c6c7484ff92b281ea3baee9e1b413f8

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
65fdca48937d1557f252d7e955c5ee8e

SHA1
00576456dae4bf017ae76ccb023d77cc189aaa9a

SHA256
f5a6e609cec6a1099c965e05d512f609a4378e8c4e2326c181cd1b9a749ebc8f

SHA512
f5e97e42b0e31f70a1f284fe0a06e9cf1230d21cb25ee550bc770a29b64e157dd933a80ae79e359647d59e1f7fe35aa30908b747aaf76d847474aab30da6565e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
52db04815a8d7c57f79e8c746143c018

SHA1
9e76c8f8e54c27fa29981267ca3ad9b81fe351b0

SHA256
f6a1094e62ae5bd826613610ea3bfbd553a8e4bc5772bb9410c906c9da478ded

SHA512
5739fed79ec0cd9f0c036642ee1ac13d8bac97cae7b8ff63e6dca9c1aad04f13b6e56f7554ccb3fb251270bee7dca3e5d85bada237cc8d4c13b7ea0f76eadcd0

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
c59295bed2dc78cd58366a75777ea498

SHA1
09004c554e026649acc811ec2a73495c2d4353bc

SHA256
eb36eb8cc90a838db55583e2bfaad018f4381d12c435dae8b333647e538cbd8e

SHA512
2ac6b9a33712af7f6ecdc6f75076cba35e646ef94facdeafc6356d597bd291229fe495ac330717b29b59c2fc80e74af110b4294529a35fa92d95804d191c13c2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
5d1151d4d2e196da9c13b6738a9f456d

SHA1
90bd01aca2d5fcb154de5d124aff6c9d942d191e

SHA256
fc61746528a0ff61286dc93559a564d060707eab8e83761c3c5728f263754a9d

SHA512
6b4021ceb11eaf4bd1b10c17eb8b1d87851741b09e8bb5a22320f38bb81c116d6ef903a0e80298b4eb0aa2c163e25a2bcec27ec118a6c83e3047510f10fc9a65

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0889cec705c153e33c6898fcf2e62506

SHA1
86342a22ca5eb2a345d8b5eb42cb07f5527fe659

SHA256
a8d1eb01b25b8829ed061b004b19ab903d3c78cb9ee052b1e5b5dd01efc89cfb

SHA512
52a59a0af4e7b1246327cd0cd4f12b0ba1b0894e01b6a1b9ac04f26e5cd13d394f843ae506e542fd25e1edf53fd486bc1cb1da6d9bfcd85d4ab9369ebdac5d2e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
7443ac74009cc610eb2c17468aa227fc

SHA1
99d1f79bbc70b314067ad6cd1592e6fbcde8aa4e

SHA256
83269be910136b8121714f1c44b70c52abc7b339150b06c8433ce0b512ea4ba5

SHA512
d2d4ff1525d88ea3ec371969ffb369f7e1ff125af7249b701dda72112e20600f00e7135d5ebfdc4fbf44df0cc854b6f93151321946bf9e06e9653d6f771b996d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0af442762b8c132a3742c9221fdf8601

SHA1
e04ce248c4dd1ed006f593972850fa582d65665c

SHA256
7a019242c4e8a40e9c80f738fcd7311f8ceb1f19da414b7896ff342df1d99a4a

SHA512
a8eecbd1d5981aee5e2d597c839507fe0e48dfb389b90da18f2831cbeadbcd794eda021d1af093ecbd9d1f301ef4303aa102f0333b2b75417cda4e24fa033302

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
f0223400e73908f6aa5fdb284cbfab2d

SHA1
257536928c8821d6d1e0bcd686b6123695c746a7

SHA256
9a2b8e721e3d715735cf5c1df5a158d39745e2f8f1e59d3d48fd050433e23d38

SHA512
964cb9394c9ed7a26e1ef20c559c4a5152974fabb79c378ee9f441b841ff1ab5669bccb6888fb64d7de4d6f52677e068a663452ce7572ffe0a2d9fdadf237a5c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6545bf752659c6ab724d9c723dc836f1

SHA1
565fe45c2198095ad038581718acd84b9db03b68

SHA256
68cdc51da4e1b9147f5772c814883838ef7d4b9503b9dd28cb62340f4afc9478

SHA512
c7557cc0007a288976179ce7713d662fccc04213940ae6ca6566e32d186cbb9009cf3f4b84450e5b1eebeeae62a9e3b5725bc8d151e8e03d93dabe43b3d04c5d

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
be78aee4cb0928edafe2e929216d71d1

SHA1
95275b920ef73c9e5d7c897fbaec04db1ed53065

SHA256
d7ddc75b520270e203b0a45387c7b253ca0ea619b40ddb90c6e96c5853e2466b

SHA512
78c5323b575b7a01ee3f308986c7fa3faa400f698bb711f462ef26b0fac7afa307b92462e097ddecc8b51c9ae4c21b4f98f718f5fee8236bdbab334178d0602a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
e05bf416b5828bceb011c56eb8c3b5e5

SHA1
dff31aa1894d8af18ba8ac53adccd9d2e39afc96

SHA256
3f4a5cbe894b2e3b72de167f7ab67e143a249b99b9ed83d80aa59046375a3885

SHA512
4525da118b23c7ac7263898a399453b240077823e995e8f0d4c78130a9ccd7f1a75b86949b8c3c68528be2553f5bd0624daaad96b3278f0eaca8b5e641002ddf

Download Submit
memory/452-21-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/452-24-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/452-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/452-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/452-6-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/968-147-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/968-618-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1432-648-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1432-244-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1456-125-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1456-268-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/1456-109-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1456-110-0x00000000016E0000-0x0000000001740000-memory.dmp

Filesize
384KB

Download
memory/1928-97-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1928-95-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1928-64-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1928-67-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1928-58-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2032-33-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2032-32-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2032-41-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2032-232-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2060-161-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2060-624-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2520-700-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/2520-357-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/2564-146-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2692-233-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3068-124-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3068-77-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3068-75-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3280-52-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3280-53-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3280-44-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3284-270-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3284-649-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3304-352-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3420-257-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3568-645-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/3568-165-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/3760-356-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4036-243-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/4356-164-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4356-10-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4356-16-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4356-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4484-94-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4484-104-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4484-98-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4484-545-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4548-269-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/4956-242-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4956-608-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4996-519-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4996-599-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5148-701-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5148-358-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5576-535-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5576-720-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5616-547-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5616-588-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5776-721-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5776-579-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download