2a85f85de5d941e8ceb067f49c74a27bf789a3db65ca19beb19ccb293dc3b984

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
Size

5.5MB
MD5

384f3fd5abc666b08888bde2f25979fa
SHA1

0cf34bafef681a16f01d62754a34f5514480b47d
SHA256

2a85f85de5d941e8ceb067f49c74a27bf789a3db65ca19beb19ccb293dc3b984
SHA512

5221adef37baa968a270d5ca92efb52fe20a5bc2a856b03ff6df5bafbcac29f0bebe1cfd62b1c882cb6d87a2e53d8bf1c8ced0ead028e640593ae85c9a4161f2
SSDEEP

49152:1EFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfi:pAI5pAdVJn9tbnR1VgBVmPfEkKK90

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
4400	alg.exe
2004	DiagnosticsHub.StandardCollector.Service.exe
2332	elevation_service.exe
2436	elevation_service.exe
4976	maintenanceservice.exe
4184	OSE.EXE
1340	chrmstp.exe
612	chrmstp.exe
4436	chrmstp.exe
4992	chrmstp.exe
4036	fxssvc.exe
2044	msdtc.exe
5836	PerceptionSimulationService.exe
6076	perfhost.exe
1052	locator.exe
5152	SensorDataService.exe
5248	snmptrap.exe
5440	spectrum.exe
5544	ssh-agent.exe
5708	TieringEngineService.exe
5796	AgentService.exe
5748	vds.exe
940	vssvc.exe
4024	wbengine.exe
5232	WmiApSrv.exe
2240	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a968232e102ae222.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79750\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002435c7064293da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000029307e054293da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da7627064293da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000099e08e054293da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a5f2c0054293da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000101d6b054293da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bf2dbc054293da01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133581049903066306"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d22bdb054293da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4456	chrome.exe
4456	chrome.exe
2868	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
2868	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
2868	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
2868	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
2868	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
2868	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
2868	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
2868	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
2868	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
2868	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
2868	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
2868	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
2868	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
2868	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
2868	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
2868	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
2868	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
2868	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
2868	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
2868	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
2868	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
2868	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
2868	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
2868	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
2868	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
2868	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
2868	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
2868	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
2868	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
2868	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
2868	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
2868	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
2868	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
2868	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
2868	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
1064	chrome.exe
1064	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4152	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeDebugPrivilege	4400	alg.exe
Token: SeDebugPrivilege	4400	alg.exe
Token: SeDebugPrivilege	4400	alg.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4436	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4152 wrote to memory of 2868	4152	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe	89
PID 4152 wrote to memory of 2868	4152	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe	89
PID 4152 wrote to memory of 4456	4152	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe	91
PID 4152 wrote to memory of 4456	4152	2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe	91
PID 4456 wrote to memory of 464	4456	chrome.exe	92
PID 4456 wrote to memory of 464	4456	chrome.exe	92
PID 4456 wrote to memory of 4360	4456	chrome.exe	96
PID 4456 wrote to memory of 4360	4456	chrome.exe	96
PID 4456 wrote to memory of 4360	4456	chrome.exe	96
PID 4456 wrote to memory of 4360	4456	chrome.exe	96
PID 4456 wrote to memory of 4360	4456	chrome.exe	96
PID 4456 wrote to memory of 4360	4456	chrome.exe	96
PID 4456 wrote to memory of 4360	4456	chrome.exe	96
PID 4456 wrote to memory of 4360	4456	chrome.exe	96
PID 4456 wrote to memory of 4360	4456	chrome.exe	96
PID 4456 wrote to memory of 4360	4456	chrome.exe	96
PID 4456 wrote to memory of 4360	4456	chrome.exe	96
PID 4456 wrote to memory of 4360	4456	chrome.exe	96
PID 4456 wrote to memory of 4360	4456	chrome.exe	96
PID 4456 wrote to memory of 4360	4456	chrome.exe	96
PID 4456 wrote to memory of 4360	4456	chrome.exe	96
PID 4456 wrote to memory of 4360	4456	chrome.exe	96
PID 4456 wrote to memory of 4360	4456	chrome.exe	96
PID 4456 wrote to memory of 4360	4456	chrome.exe	96
PID 4456 wrote to memory of 4360	4456	chrome.exe	96
PID 4456 wrote to memory of 4360	4456	chrome.exe	96
PID 4456 wrote to memory of 4360	4456	chrome.exe	96
PID 4456 wrote to memory of 4360	4456	chrome.exe	96
PID 4456 wrote to memory of 4360	4456	chrome.exe	96
PID 4456 wrote to memory of 4360	4456	chrome.exe	96
PID 4456 wrote to memory of 4360	4456	chrome.exe	96
PID 4456 wrote to memory of 4360	4456	chrome.exe	96
PID 4456 wrote to memory of 4360	4456	chrome.exe	96
PID 4456 wrote to memory of 4360	4456	chrome.exe	96
PID 4456 wrote to memory of 4360	4456	chrome.exe	96
PID 4456 wrote to memory of 4360	4456	chrome.exe	96
PID 4456 wrote to memory of 4360	4456	chrome.exe	96
PID 4456 wrote to memory of 3732	4456	chrome.exe	97
PID 4456 wrote to memory of 3732	4456	chrome.exe	97
PID 4456 wrote to memory of 1504	4456	chrome.exe	98
PID 4456 wrote to memory of 1504	4456	chrome.exe	98
PID 4456 wrote to memory of 1504	4456	chrome.exe	98
PID 4456 wrote to memory of 1504	4456	chrome.exe	98
PID 4456 wrote to memory of 1504	4456	chrome.exe	98
PID 4456 wrote to memory of 1504	4456	chrome.exe	98
PID 4456 wrote to memory of 1504	4456	chrome.exe	98
PID 4456 wrote to memory of 1504	4456	chrome.exe	98
PID 4456 wrote to memory of 1504	4456	chrome.exe	98
PID 4456 wrote to memory of 1504	4456	chrome.exe	98
PID 4456 wrote to memory of 1504	4456	chrome.exe	98
PID 4456 wrote to memory of 1504	4456	chrome.exe	98
PID 4456 wrote to memory of 1504	4456	chrome.exe	98
PID 4456 wrote to memory of 1504	4456	chrome.exe	98
PID 4456 wrote to memory of 1504	4456	chrome.exe	98
PID 4456 wrote to memory of 1504	4456	chrome.exe	98
PID 4456 wrote to memory of 1504	4456	chrome.exe	98
PID 4456 wrote to memory of 1504	4456	chrome.exe	98
PID 4456 wrote to memory of 1504	4456	chrome.exe	98
PID 4456 wrote to memory of 1504	4456	chrome.exe	98
PID 4456 wrote to memory of 1504	4456	chrome.exe	98
PID 4456 wrote to memory of 1504	4456	chrome.exe	98
PID 4456 wrote to memory of 1504	4456	chrome.exe	98
PID 4456 wrote to memory of 1504	4456	chrome.exe	98
PID 4456 wrote to memory of 1504	4456	chrome.exe	98

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Users\Admin\AppData\Local\Temp\2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-20_384f3fd5abc666b08888bde2f25979fa_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d0,0x2dc,0x2e4,0x2e0,0x2e8,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd9ca1ab58,0x7ffd9ca1ab68,0x7ffd9ca1ab78
    3⤵
    PID:464
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1924,i,3229345320688007929,1946339712556049655,131072 /prefetch:2
    3⤵
    PID:4360
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1924,i,3229345320688007929,1946339712556049655,131072 /prefetch:8
    3⤵
    PID:3732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2232 --field-trial-handle=1924,i,3229345320688007929,1946339712556049655,131072 /prefetch:8
    3⤵
    PID:1504
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1924,i,3229345320688007929,1946339712556049655,131072 /prefetch:1
    3⤵
    PID:4008
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1924,i,3229345320688007929,1946339712556049655,131072 /prefetch:1
    3⤵
    PID:3476
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4248 --field-trial-handle=1924,i,3229345320688007929,1946339712556049655,131072 /prefetch:1
    3⤵
    PID:4744
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4364 --field-trial-handle=1924,i,3229345320688007929,1946339712556049655,131072 /prefetch:8
    3⤵
    PID:4024
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4536 --field-trial-handle=1924,i,3229345320688007929,1946339712556049655,131072 /prefetch:8
    3⤵
    PID:3104
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4684 --field-trial-handle=1924,i,3229345320688007929,1946339712556049655,131072 /prefetch:8
    3⤵
    PID:4336
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4532 --field-trial-handle=1924,i,3229345320688007929,1946339712556049655,131072 /prefetch:8
    3⤵
    PID:5076
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 --field-trial-handle=1924,i,3229345320688007929,1946339712556049655,131072 /prefetch:8
    3⤵
    PID:3680
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:1340
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x29c,0x298,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:612
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:4436
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x2a0,0x2a4,0x2a8,0x29c,0x2ac,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:4992
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4768 --field-trial-handle=1924,i,3229345320688007929,1946339712556049655,131072 /prefetch:8
    3⤵
    PID:2496
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4444 --field-trial-handle=1924,i,3229345320688007929,1946339712556049655,131072 /prefetch:8
    3⤵
    PID:3056
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 --field-trial-handle=1924,i,3229345320688007929,1946339712556049655,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1064

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2004

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2332

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2436

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4976

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4184

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4932

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4036

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2044

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5836

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:6076

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1052

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5152

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5248

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5440

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5452

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:5708

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
PID:5796

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5748

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
PID:940

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:4024

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5232

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2240
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2116
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7395098f787f700d6ccf3b0984bb558c

SHA1
289803b0852aee719d494c8b634e4cec41166568

SHA256
e2534ec7036db30220eb61c8cf7d6c7cf29edcb2106664d1ae8edfca0df5dbae

SHA512
69eeaec4795ff9ef9d41a25c8bcb1b5de0894068dc0372b3036aae16974063722f6d45319aa0c186facbb9ef7f91b68c7208f7bc7bf53820dfff7af6d82cff43

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
6ada1e5edb181be03a8a4899bbe37187

SHA1
84abe7cf45336477e89f9435c602d7829008c6e8

SHA256
3c7711b3dec26e6715481875232286b92d5ab6585184c7919eb3d0c2d5bef3b6

SHA512
4913fae70a8393ca9076363f5672182a903fc06fc9558181a64707d08b955ab8d439326b5dbdeb46559a933716d9c51f47b8e6964f0536979bd343e69ee93e2d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
ad79489ef065cfea6ec2a0606402a0c3

SHA1
dfe7e765251ede49512798825739af7891b6214a

SHA256
421c9ae36dae3cf74cb38b1b19f6401c0f3e1d46e0dc34152dced8a22f58b841

SHA512
a5ac32e8464563cd6862ddff70003271c894c911337ebfb2224cbb3f35ffbdc2c6cbf94b401dbfb697dfce9c557fbffa981c816aa0e6339b9f2dd87384412c0c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
cda208b8f6f0124724192815b0ea3115

SHA1
7513279f274568b4acb4ec33c65166b1cb340b70

SHA256
413a1ddd541ccb32fc76b4311d9fa6fbee7f92567b250e47ae02b30b9d499320

SHA512
bcaf3cf4cf8b03c7bd13b17cd8c353b984b0ddc484b5f20db7dc2422e6ad22be740387b67d4b717c8fe3e7b359e2f943160b00207957a14cbe9e598bca38c44e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a6a99bc849528193eb7d249bf7919b47

SHA1
10fcaa729104610b5af091d83077d8449015b353

SHA256
3ca467d725fa92abc8e763bc7021f1c2c8a3099792f90b4fd7b369033f2c7cc1

SHA512
d3ad32713a90cabad266f00cf9f8d5c3595a5fce2033cfa96a83b37533fa8e23435d7b169c6f2c3130dc94c61de3e8b87501aed070d199a6dd376b21623adaa0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
32cd4eb2f85dd09a0c01a7bd7783045f

SHA1
fd2075914e3e68d09a383e0f2921a839105650f5

SHA256
8775cfe903ce5d2fe199b399e3cf06dbce95385ad45a011c5c8e2cdc1fbdb05e

SHA512
b550227120bf851f0b7ba92f37e8dd49d3025633ca46c7569de719e3e48cfae13bd43fb3cd4e1fc2d46226252175d7bc8455c8b425df7f1f406375090d596782

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
eb1c448632964999d8d003cde079b0ae

SHA1
daaf1cc75bf363315bef636669b75d47b27e3cbe

SHA256
55fd54a218343d77cbc70ab21dd27c4d45d2c8bef44481eb914050159e427d1d

SHA512
349ad3555d26e12603baa875b1ce242aff4becf51e2b8548fa01feaab2363eac88e717b0755e6a1839890d998eb5dd96b97d6beccb038bf91515eb9e16908f62

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
0be94e42480b490c4cd111bc9fda39be

SHA1
aa0db38d11768d2e97782e659744259c2098c52d

SHA256
26c116b2dae70a63f9986b958de26c8e45669d20f7a15a5c4cacd7bbbbbaa1da

SHA512
fd601c1d2f0f67a8a8f02b4acd58a28fec890eeff6e5f8d9bce727e0c656e59269e3736cddcadf15c7bdda6ce93273a31d1cc2d3d1bbff38a250e2e79568eb0b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
f2c7bb970d0edc3ad3691f99f2a63060

SHA1
0b3b76e58dce78821fc9da7b1d7772143adc92d8

SHA256
b5e661cd74518ed21d91931e44b763161a8f4fff4c073c8f8d05c84dd29e5273

SHA512
55f439bbc9b4eed1c6bbc858388178b155e90004e5a2fbdc87cb41c292553091b7a65bcea425d2ed0c3d90af3acf893091519118f64ded6e9d8a043d21a56bd5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
952b8eb859989d3e70972a9466a183c2

SHA1
1cbc7494c464c5ee7003382fdc1ab1951115e7ce

SHA256
c2f4d8c1e58f63fc6b24fb27e42ecdd862e0eda60d9665e4b966e3dc79b813a2

SHA512
a6a2e9411fc4f6c7f6be6fa3c65b8ad7ac745073514c4fcca6285f4dd31b9832bdc8bb5c7a9e5cfc7029e69ea78106b49fefced082e59ac0aba935033614e4c7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c5c0dcad0973539810a58cdda43c1a6d

SHA1
01799c4aebf33d4bc1d98621f00f1a6a73fe24dc

SHA256
9bee43c1b2f3d1a1772fc390bc288b3b360b273dc7184e9a204688fd50ee7ae8

SHA512
0f03408e3c4155adf0fe65959c5d755610833ec1ffafc45d1c750d2ea51d496f8872ca83bd7b400579683b0781c9855b2bf5438d36ed670a71124278052bb84b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
670c99c0570f3a1822b0a286242d5f5f

SHA1
829b851ab16d364f6f1b77a3d5e7e2ab57b7f108

SHA256
ae5094359f7e8f3b24307a40d4dcfc6acb4f1df6a9c4bc5377d5cd14d4d7cefe

SHA512
8bcc628f7b58b2e178f26d630dcbfaf1b1d4df14efbb921d863b26bf5bb376396239d552f48ade11710e03d21a645d2eb336b6df472d6465e0b86dad94b98a63

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
c41f6fee589c194f64c1fdd61736d367

SHA1
3cb63f6df19b1fa92901b27b5959c0235b8e085c

SHA256
3d4d7501480738522ad9fde676c460757409029c80cc871ae43c59b3292989a1

SHA512
dda61ff8d3d955f63f2423304721e0916a8642b1c0aa43744debe70260f6380eedc730ecfa36243f4e147eb380da32b009e38c8bee79c41f239a12051587d071

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
be56212b4ef92a4ea549c995a6458b22

SHA1
6169a26bb6ab3e26ae87538937689c12e97b2811

SHA256
f72700471a267190d7556c13e8b708cb03335816b16bdd3cfaf15fd1056631a8

SHA512
68c60d4e58944f7b82372c0c0f1ef6241d02d0e59cb9d9f51a99b9644d744cd39d1a6a43595bed44f743afb01184be09413ec6b0092edc6e3713b49105cdf858

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
f22f9cfe01115fc7030d703afbafe9f8

SHA1
8950dcbbde64d60404c459ffafeefd677e22b6f8

SHA256
f0a42633c14cde3d65864704edc4b94d28974e8db4b4138b81c4318171921aca

SHA512
181ed8082a1e974ff0f7664048c6bf48bce07a49bdf8514407e256906698f2c97fd15102addd5683f17d4507ed4c3df29e62c80cc64e808a0f9a05b6df0dbf29

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
daa7c5830a3508179b92876c87c6a175

SHA1
5cefeb4d181c6bb5ed74876f824cc6350f74ff0e

SHA256
507d6b0ef823ba6a09d9a36ff02ce962ec2b086ac055a22e3dcc57f8bf006594

SHA512
b974e9328dfad33cb76e50fff18f716b697446106998fb50362ddc0d670ab4356e07273a45b8ef477efce71bc03bbe6aeef07f9c7b4e975bb560b7fa290514c5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
c0b945d4d230d77252a667cacd5a0a9b

SHA1
f8885f55e84a7f95ab5d0e52e2290dc9bf02723f

SHA256
25d7bb59e4ebc9b8d16304ee9fd159500711eb7dbfbe53db8b422491abd74339

SHA512
3c15ef8bb4138c6d6c9d233312adb3d95efda1e6ce7c2b4f5fae9a82755868b2196c6fdba34fc8336e711b9c733157e40d929835553b3590439cab4848ca26bd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
1c61ed7ee6f9915a534bad0f35e4bd04

SHA1
b85f53b6f422bc162e4f0d8ae742895f758bbed2

SHA256
48103f8a0694b98ca72d9186610ad47bbd368c8fac2de855de7b5458a00107e5

SHA512
6fc4633eac94d9689e4ff84eea124d8770dddc047a168eeb7559430094bd9ec54aaa9e84bbb0ffc73a939b4a5d40487b03fe3c6848f5e0e21841969aa3f9059d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
c524e9a7bf5f5a36bcec5125584cb0df

SHA1
d1c747559b689dda68ae67e55c36f36064672758

SHA256
e69435984c58648e86d4be86592b1ce0d5a5e8388ed300f50966dac295a2bece

SHA512
8541d21b456708201b8767716e5486fbfa8ee594eeceaf6c4c29e9b7d9b07b0d18815376f746a1fd32a972eaf5c503e39e393ba8fa896cec7f765d6bc02fafff

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\e345e28c-4165-482d-baa5-88f0bbe920d8.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
370dfbbd0b0c954937265c545ede5ad0

SHA1
6e1df4fa1eac70e4aabd5a0a0fdb95d53ac8196f

SHA256
25d1d0843089e111bdd5f6c8def21ef444e6082314290d068a1c31dcbcad4a12

SHA512
9c0a1e96c32dcc21e4cb7a9da5f99d3030dda7f203b54f261f3e2a8bb3de20c9c0cad37c8cfe5bd5dde0b289488d8c9e5f47c8336fa5fd8144c073d0a8f249c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
5b232f2ec5e33f7709f554291a0582c7

SHA1
8e09d16cdefd7434b6626535778c4d6aaa94502a

SHA256
539b48bb8997ee07f386d39e50b64b6a7f14ae24e0fd7c49a5d72e387860d5b5

SHA512
570f3bde7f527c8af2cefc04c0bb7d9024c2836b328a25dd50546cffc192d8256a276c6e8e07c0ca5afe06af86b819569f25ac6213e006588fc7edcc95e24d81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
075695286447d85241cb79386501148e

SHA1
b0b56130fcfbf296e0c98e65f4755550c4b6bf93

SHA256
b930c2479c9895f19f4052e2294f64f6960de575fc18f16f802c5f0e692f28a6

SHA512
2dffe5daa4959522a3839ddcfdd314c9fa9374b26ab5e8b640dfe3cb6960e5f94696e6bd051fc15a52a032044cee4ec1e61b62e631041e992a6a0f341d6b7ce0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
90cd6d86e244606bc0b2e647ca993eff

SHA1
c3f7c75cbe329972299960790725a1e7792e4b0e

SHA256
2104db3eb8c0492b929dd4bcd16a41dcc8c2b44ec8176d6ee2f3e8f3011258d7

SHA512
23c352a33d7195ca42cdd8f3f1f0c99b8b8580923b31e12b6824e8a94796f118cb958df5d0d158a5e26cd01790a5e70e4f8b9ab807cf07be95e4fb4b6aed4ba0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1d410557adbdf900e67e54896d1bd9ff

SHA1
a266484baa9c66eac66930c51ea74b3ef5ea94c7

SHA256
c662ad46bd3b76fde85102eb7cab79939450100f318ca185187dc36ed10cb2b1

SHA512
45eb79609ad1db00c389db1404f4fa5781933f0ed08e368bf4844bd3177e1751df87b0e03e6ed713fd09bc591cb63c4343fbbb77161b70bdb7a060533d88d0af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5862bc.TMP

Filesize
2KB

MD5
4b293ef6e36074d11d943e6699266d96

SHA1
c59e290054f47b0a4afb481a1f974ce5bd4d854a

SHA256
13713350069ea503b433abbd2932f6a25aad6afce17c2e0c3a0f787b58071054

SHA512
3238c301df585a7499d814c241bb461ab4b7a5e53ff040836183d3f8d07a3aece36d6a5f21f55a6bd69dbbcb913911fd1cd439a73de08143f809d4dd77f49009

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
888bec03968a97898f539e5075ca37b4

SHA1
8019798078ef8dd855b18d93e903d5e773a70c76

SHA256
9c68f60d3bbbd2321bdc88092f916a87a6b1ad68a93ba1fc0c57f40fb52ba686

SHA512
3ecda50210cd3cf6820d6e0680df08b2932ef4fdc4b7e6ed40b50ff40ecc1a379f2e4aef61e05f582cb660085721aa2fbf2c3edcd706a88d31765b141dcd7b9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
15167056389605f57012e46e007f3896

SHA1
a1a5068e70ff5b06d146645a68a4ab07617f1d80

SHA256
85b4a8468260f7803d99fabcce58016177f4de64a9370aaaef62cd627799d482

SHA512
f9d9cd01c895a3e94464f2a915683d6e1f008a388eb74bc448baf20cc1c2c5ccdf36ddd6617886587087ebc3876907cc6860d2767e4834cdfc38c1afefd74741

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
147f450ba6aca1ae2571fd6c9b0e0581

SHA1
d465dcf718a4dc73437b18b59dc8a5c7b00ae6e6

SHA256
1632d3123d8e65103823b6cd9cf418e75c8026762df7f011a4041371a7437f8b

SHA512
f0bc3d597661f66b19a38d2e994006822d4b230d6425b5b91155752019370c8b69d905b2cd0c9afa8b8af26a5a7b69995af72d75d36ddede60c1f98931bd2c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
c48c748a95a1b4a908d46174f8a455df

SHA1
e03a04dd3874f76760b58d54a99ec0ac5f1b5cfd

SHA256
b114b22d5494043db13fde6921d8d36e66979b3da25a38e7d62fc6765f2da4fb

SHA512
b0a5169c4c54ed793392067f0c1a75859e8c5c9de029654619a62884e10d8e689015375454bbc33be8c7ead87d745bd2aa1d58f785013b1ee13992a368e8c33d

Download Submit
C:\Users\Admin\AppData\Roaming\a968232e102ae222.bin

Filesize
12KB

MD5
f748be602f1a7323055261729d76feac

SHA1
dff653a073719e760f217e0e1a1fc1e9df636a09

SHA256
a0f4975238f6f41ac49963409b452299a5b183c0221aae2b820fa39ec26a20b9

SHA512
b5ebc7be9e198d01e1ab0ad6670f527234797884c5415dc96482883ee5dbd591ca9518fcad2baadf076a2e5e729eae93250b2dd552bd1e486e86476a757ec89a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
5aef88e964d083d0dc77db8ad772153d

SHA1
ae2093c3b4748ac3af7f0a652c2fd109ec15677f

SHA256
80ac4178515f5c43b3016a13b9094a869cc1c9a1bc260d624bb6ac29eb5b974e

SHA512
62d8cf216862e4ae3945aaf0dbf6913db91872b72fcc6a172084b12825041e402f54123775dfdd2ad40dbb9ca848441d66f03b6e6bc22f1c13eb4532e423f7d2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e789de7600c306db946db0060a7894fa

SHA1
248e2ac2c1053dc7f8a6c91414b84ec37568e6fc

SHA256
de7a07ef44e2276e0cb3f40fc64b59fb2723a9408d69cfab011b43ff06570a6e

SHA512
9def7eddc75ece69619d069e02e82327c6e91b9e399cbf5ebb819436bcb3573c59289c92069c4cb643ea75fd40cda2f702b727b2bf0c68d4dc78f90c08a437ca

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
5a51848ce713285d0851f0096574cf5c

SHA1
4dd04ab3c668ae3372df4fb013f83b6803fb6547

SHA256
bf0c3beb0739738d17b3b182a0ee274077ec520fc92ebdbae35b0843436a9524

SHA512
bc586c3196e0d5463932dbe18825afd257b2268862a33f72dcafedb8b2f60808675090e0c4ce145e60398472562c258d7c31023ce93209c6e8115260b0a164b4

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e701b5d6c7756bf9a03ad1f5064276f9

SHA1
7ccbfd14ee99f34d02b8e61e33429be0e9c52b42

SHA256
dcb6675c3fa757ef7badd9c6cdf0426990d4178015fb7b71c5cce67a68802550

SHA512
5a14f5d2b3b6709d8cdabc49232c95a19a9e261a7d1cbb1b7a1539beb651b9e2882eedc86dcba3fa5ef2f610b535efcbfe513e2fc093e61757fd603d160c9429

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
bd3b6550a46398a0e32391d4e6dcacad

SHA1
f7f279147c6b6d55f9b1f31fec059f357ef180ca

SHA256
56d0ab6e9dbd517fcd8270902cafa593a1620d910e9a11b2213d0762d8ecff7f

SHA512
b2ab4e681e51818d7eb0c7fee06c7c6f54b1ea4d08ac247b308be9f905559e31db7876e2f5d7f95ace0e0b7761d393bf82f379f815dbbd2e23c11e88e0af36a8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
fc3219d08d07e4f9b32b0d788b0ab27e

SHA1
0e2a8b2f2481ea924d794beeca4946569dde5007

SHA256
5ef3dd06bdf3bbbd6174b5dbc9e1c67fc05bec8e8850c2b7b0a5835738b2b74f

SHA512
b084e6c8eaef4c348f24be86c6937aa6b8e114f7e270b5966ba06b60f372854f61a1b7eacde647c18105afa43cbeba4615fd6c792067cc9e669b7bbc5b36b5aa

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
a353ec645ce93ef7bbc6d7fe0bf184a3

SHA1
e8f645d0554c1f6c897d87bc8db190959936f390

SHA256
329802d76f257d77f5144b0304843b0507f0de266e097009468ac7a868a7f1d5

SHA512
cb7f7ffca20854d81142bc04f1a6337463af0b4fe86b20c5804d8d0ef361123d01d3272572b664a6fbd2f22dd1d6d547d4e3bd9384aa15456fd6ee16060ea68e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
87f7f63acc9098cd03d002387d0a85f3

SHA1
48d400a8aab384ce35e8dd8b50660063721d8214

SHA256
549cd58b65349c163b82f560362464ca52f2b60b5018f4a7be51929940987b5c

SHA512
5b4b9f61983efcca42bee0777a84a32111e32dc184093b849971df6ab352d5402ae71113008a68ca77c1fff7afe27a07ce1f91e35d5680786143d6cce3a1eaca

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
50c8b9c1a5a9f2d493f4b6164d686735

SHA1
ef12b10b876470680b5153824918ff053a062fd1

SHA256
cebfaee3c841ec1edf8908c19467f73c4dda4ae7c0a70c044d5cb58403f9f44f

SHA512
723e77379f56a6680d5cf4d79fd2bc03888f4ae96f202bf28cb4fb39832d501cb8683a9b40ffe30621bbfcd9808b9e88ae195d975dcb9dd13d784c737a18d697

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
032941a53adff4052708341ec7f132f4

SHA1
2538db47c6634866b3819123ce902b1d1e6ee50d

SHA256
e12167c7548dd9504be67b25b45c958740750b39ba6240c78e332b76d512c2fc

SHA512
3652673f1a2edbf7cad46e83ea46213ec39eb9a1f6324d0d9e56c376433060c9a89b7b72447de830f4fa4b5b67c4bae16565bfc4ec781a93f116d91e2e46a09c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
aa956fe4fbd35e26e0b8e46e26b6617b

SHA1
b4369bec47dbba4066cd1ee740c349bad664b29c

SHA256
7aa3904ac748aa3013679dfc2cb584334ecffe5b910bbc1c571b7fb63768e6a0

SHA512
b0c5a3d768ac734816eeb87614ad8743ff8bd3454d0079a01a9b434818eb85186e955c2af5faa5a879b3fe491741ce95caca4591c096a987f74194452eb49a92

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
216afaa9f5ba74ff90ffe62ef3951259

SHA1
e49c5ec52ce3485e86b293efa49b9f7699327631

SHA256
60b9c1f8f7c90655f20ef13ecb4b8700826c201f3f852575c8e72c99abed1dd0

SHA512
178847b5ba2393f6ff780c7c63e1b0e9e90fb420687bf5fa641478d5f341f6af07df6a50aacce059185a1885eda15064b02b0fac762d6fe289d78a85c6a7d234

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
52518d6126f8430a9b33a5137ff91d60

SHA1
27063baa9086753733bb3b773e7194d746b45cd5

SHA256
bf9986b9d2b7ddc4e4954629ed3812365d6d22bd1e193c524aab3bbf1295d971

SHA512
bcdd527950246381939cdcd9152a54bdb79bf70af80dfabd7de680a1d9a0f7bd1d5ecec749b7be99fb502aa78f5d15449df6eae7e00cfbe450fcf12688b37b2f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
7285cef8dd62b16fae3dd68ce36822a2

SHA1
830dd5213ea00990f5647059b6d1956c1df0b7dc

SHA256
a1a574ddc7d6f45a9e85eab6bcead0bbf07e7f641cd358138d9853fe4188f4af

SHA512
7663bfe5182e19cad878cb34fe9b83eff9eea7a807cd06224db22ecc263e7aa640cb611245c39bcd91dfbcc6b7aeee2162006252c6baec523e43f60b3e8d97de

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
5c2c9872dc25a5b341adde2783de9830

SHA1
333423513137341fc17563258c664c6702a22da5

SHA256
80acd5ffa25f0e01eecbdf1e2ca0d1f581046a968acc3be24d48110e78d8673f

SHA512
8d5a5fe45a649fc565bf2724775d5c8c6636f49d0d708d7e18674f55d13953b0bc91ade45987cf5af325469b73b27236bf36013e308a30f2ec82f46df2ca3a8e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
2bb5bda417a961a73003417c7fb6eafd

SHA1
18a7d426f23101defb8a390043b66740597b0fc1

SHA256
85d43e8365d259ec475686c94c23b642237955d82a03caee0c88d20adc6596b9

SHA512
418438cb85f62a7f67df45c907432aa451202c7c3469656f4faa194007eeff8810c022235406360ef838cbef6c0cc82fa8814404f5ffa963b5b98e2f2ca73d60

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
4caa603e8abb168eef4ed0d0eb450945

SHA1
f1683166c49ac7758704b0aba407eb9a88e5ebce

SHA256
d2e55aee0aac2987babc3dd63af6238b28ac4c1fa8483f2510da1d9a094054f9

SHA512
aede1c9562f89a2a279b42aefaa8ae0270f3ab9279a4e1c31f2b9400cd552d238fa6a7692fe19a94c2265414f6e402d41cb536021168279304e3793bd5ef9419

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
321627571ef4f9d5422c96cdc7727dfc

SHA1
de06d683ff3cb1024f25b3e48ae52b8a859188f0

SHA256
9ed3e6595f155d0c93ab37fdbc41252e99382705edc47228356d0217b9e2652e

SHA512
488e7827ff1efda118ea98eb4b1dc30098b588279c7f4bace1824d12998387f5b394023e84894ebbea2ebb49c276c78dbfa1b99c7f93e792966584076fb0915e

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
46d8cc58fb75731c9c27c4055e530c55

SHA1
18b641a0a11806aebe197434dcd1f9fc4ea5e8ff

SHA256
496b542f566823fe4d1751c9c2cdd1cc897a1551cf82bb555cb761453c8b1a1e

SHA512
9f63ba75dc3cdd655eef4dd803c8769c8d4e2cace36f4c4779656493a55981c81b68fab3e100dc2746708d9b738ed4138d8eabf2655adbc5ce3bfa9f2d493afb

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
80eaf10cb48033a2a237a0022a2e5498

SHA1
559054fb3133ff6f2d0c31777d14995be7c91f60

SHA256
0efa33fee06a7af6ab9729617073b71c77c00353dbc99436c7a4e4192371db87

SHA512
445a6dc38bb10597860b2d160a78fd3fac82764f45312c66299ced741675bf8d87360558322b0521081a292b380daa6489aaee4a12b353353e9c6988359c17a3

Download Submit
memory/612-337-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/612-331-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/612-436-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/612-433-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1052-579-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1052-514-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1052-521-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1340-397-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/1340-396-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1340-305-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1340-321-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/2004-299-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2004-38-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2004-61-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2004-36-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2044-490-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/2044-482-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2044-548-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2332-48-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/2332-66-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/2332-125-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/2332-123-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2332-50-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2436-78-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2436-348-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2436-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2436-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2868-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2868-112-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2868-30-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/2868-13-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/4036-481-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4036-480-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4036-465-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4036-474-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4152-8-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/4152-39-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/4152-0-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/4152-1-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4152-46-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4184-404-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4184-111-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4184-114-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4184-128-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4400-27-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4400-83-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4400-12-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4400-16-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4436-350-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4436-356-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4436-385-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4436-384-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4976-116-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4976-84-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4976-105-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4976-119-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4976-86-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4992-437-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4992-371-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4992-361-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5152-592-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5152-525-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5152-533-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/5248-539-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5248-550-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/5440-553-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5440-560-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/5544-576-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/5544-567-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/5708-581-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/5708-589-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/5836-555-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/5836-505-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/5836-499-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/5836-565-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/6076-575-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/6076-510-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download