d1d9ed3eb7edb9d6ff94b34beb94a7aa8a93705cbc0a1a52f86bcb545bf06b35

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22-04-2024 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
Size

5.5MB
MD5

604422ae21a15f5848761ad0d2346d40
SHA1

db32722e31898b17352da4df476e5f51aaa33c31
SHA256

d1d9ed3eb7edb9d6ff94b34beb94a7aa8a93705cbc0a1a52f86bcb545bf06b35
SHA512

3b2d5f83ff981b84a90b6458fb9fc15c112307bffa27ef576b320ed984340de93d49cc321587d1529e9621976f9f2a11d5c4a5f28e87eaecad496fbc6f88321f
SSDEEP

49152:LEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfG:XAI5pAdVJn9tbnR1VgBVmeOkf

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

pid	Process
3900	alg.exe
4264	DiagnosticsHub.StandardCollector.Service.exe
2268	fxssvc.exe
3932	elevation_service.exe
972	maintenanceservice.exe
4524	msdtc.exe
4304	OSE.EXE
5044	PerceptionSimulationService.exe
736	perfhost.exe
944	locator.exe
3416	SensorDataService.exe
2884	snmptrap.exe
5200	spectrum.exe
5504	ssh-agent.exe
5664	TieringEngineService.exe
5820	AgentService.exe
6092	vds.exe
5216	vssvc.exe
5812	wbengine.exe
5820	WmiApSrv.exe
6032	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\94fa21e17d34635.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_74000\java.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab6b3b694b94da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001c51c3694b94da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008702b5694b94da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133582190486703907"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002be4f3684b94da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ead2c1684b94da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000037f8e7684b94da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c39df0694b94da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008270bf684b94da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1292	chrome.exe
1292	chrome.exe
1568	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
1568	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
1568	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
1568	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
1568	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
1568	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
1568	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
1568	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
1568	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
1568	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
1568	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
1568	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
1568	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
1568	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
1568	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
1568	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
1568	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
1568	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
1568	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
1568	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
1568	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
1568	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
1568	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
1568	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
1568	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
1568	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
1568	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
1568	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
1568	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
1568	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
1568	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
1568	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
1568	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
1568	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
1568	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
4072	chrome.exe
4072	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1292	chrome.exe
1292	chrome.exe
1292	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1424	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
Token: SeAuditPrivilege	2268	fxssvc.exe
Token: SeShutdownPrivilege	1292	chrome.exe
Token: SeCreatePagefilePrivilege	1292	chrome.exe
Token: SeShutdownPrivilege	1292	chrome.exe
Token: SeCreatePagefilePrivilege	1292	chrome.exe
Token: SeShutdownPrivilege	1292	chrome.exe
Token: SeCreatePagefilePrivilege	1292	chrome.exe
Token: SeShutdownPrivilege	1292	chrome.exe
Token: SeCreatePagefilePrivilege	1292	chrome.exe
Token: SeRestorePrivilege	5664	TieringEngineService.exe
Token: SeManageVolumePrivilege	5664	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5820	AgentService.exe
Token: SeShutdownPrivilege	1292	chrome.exe
Token: SeCreatePagefilePrivilege	1292	chrome.exe
Token: SeBackupPrivilege	5216	vssvc.exe
Token: SeRestorePrivilege	5216	vssvc.exe
Token: SeAuditPrivilege	5216	vssvc.exe
Token: SeBackupPrivilege	5812	wbengine.exe
Token: SeRestorePrivilege	5812	wbengine.exe
Token: SeSecurityPrivilege	5812	wbengine.exe
Token: SeShutdownPrivilege	1292	chrome.exe
Token: SeCreatePagefilePrivilege	1292	chrome.exe
Token: 33	6032	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeShutdownPrivilege	1292	chrome.exe
Token: SeCreatePagefilePrivilege	1292	chrome.exe
Token: SeShutdownPrivilege	1292	chrome.exe
Token: SeCreatePagefilePrivilege	1292	chrome.exe
Token: SeShutdownPrivilege	1292	chrome.exe
Token: SeCreatePagefilePrivilege	1292	chrome.exe
Token: SeShutdownPrivilege	1292	chrome.exe
Token: SeCreatePagefilePrivilege	1292	chrome.exe
Token: SeShutdownPrivilege	1292	chrome.exe
Token: SeCreatePagefilePrivilege	1292	chrome.exe
Token: SeShutdownPrivilege	1292	chrome.exe
Token: SeCreatePagefilePrivilege	1292	chrome.exe
Token: SeShutdownPrivilege	1292	chrome.exe
Token: SeCreatePagefilePrivilege	1292	chrome.exe
Token: SeShutdownPrivilege	1292	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1292	chrome.exe
1292	chrome.exe
1292	chrome.exe
6016	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 1568	1424	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe	85
PID 1424 wrote to memory of 1568	1424	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe	85
PID 1424 wrote to memory of 1292	1424	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe	87
PID 1424 wrote to memory of 1292	1424	2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe	87
PID 1292 wrote to memory of 4968	1292	chrome.exe	88
PID 1292 wrote to memory of 4968	1292	chrome.exe	88
PID 1292 wrote to memory of 2188	1292	chrome.exe	92
PID 1292 wrote to memory of 2188	1292	chrome.exe	92
PID 1292 wrote to memory of 2188	1292	chrome.exe	92
PID 1292 wrote to memory of 2188	1292	chrome.exe	92
PID 1292 wrote to memory of 2188	1292	chrome.exe	92
PID 1292 wrote to memory of 2188	1292	chrome.exe	92
PID 1292 wrote to memory of 2188	1292	chrome.exe	92
PID 1292 wrote to memory of 2188	1292	chrome.exe	92
PID 1292 wrote to memory of 2188	1292	chrome.exe	92
PID 1292 wrote to memory of 2188	1292	chrome.exe	92
PID 1292 wrote to memory of 2188	1292	chrome.exe	92
PID 1292 wrote to memory of 2188	1292	chrome.exe	92
PID 1292 wrote to memory of 2188	1292	chrome.exe	92
PID 1292 wrote to memory of 2188	1292	chrome.exe	92
PID 1292 wrote to memory of 2188	1292	chrome.exe	92
PID 1292 wrote to memory of 2188	1292	chrome.exe	92
PID 1292 wrote to memory of 2188	1292	chrome.exe	92
PID 1292 wrote to memory of 2188	1292	chrome.exe	92
PID 1292 wrote to memory of 2188	1292	chrome.exe	92
PID 1292 wrote to memory of 2188	1292	chrome.exe	92
PID 1292 wrote to memory of 2188	1292	chrome.exe	92
PID 1292 wrote to memory of 2188	1292	chrome.exe	92
PID 1292 wrote to memory of 2188	1292	chrome.exe	92
PID 1292 wrote to memory of 2188	1292	chrome.exe	92
PID 1292 wrote to memory of 2188	1292	chrome.exe	92
PID 1292 wrote to memory of 2188	1292	chrome.exe	92
PID 1292 wrote to memory of 2188	1292	chrome.exe	92
PID 1292 wrote to memory of 2188	1292	chrome.exe	92
PID 1292 wrote to memory of 2188	1292	chrome.exe	92
PID 1292 wrote to memory of 2188	1292	chrome.exe	92
PID 1292 wrote to memory of 2188	1292	chrome.exe	92
PID 1292 wrote to memory of 4976	1292	chrome.exe	93
PID 1292 wrote to memory of 4976	1292	chrome.exe	93
PID 1292 wrote to memory of 552	1292	chrome.exe	94
PID 1292 wrote to memory of 552	1292	chrome.exe	94
PID 1292 wrote to memory of 552	1292	chrome.exe	94
PID 1292 wrote to memory of 552	1292	chrome.exe	94
PID 1292 wrote to memory of 552	1292	chrome.exe	94
PID 1292 wrote to memory of 552	1292	chrome.exe	94
PID 1292 wrote to memory of 552	1292	chrome.exe	94
PID 1292 wrote to memory of 552	1292	chrome.exe	94
PID 1292 wrote to memory of 552	1292	chrome.exe	94
PID 1292 wrote to memory of 552	1292	chrome.exe	94
PID 1292 wrote to memory of 552	1292	chrome.exe	94
PID 1292 wrote to memory of 552	1292	chrome.exe	94
PID 1292 wrote to memory of 552	1292	chrome.exe	94
PID 1292 wrote to memory of 552	1292	chrome.exe	94
PID 1292 wrote to memory of 552	1292	chrome.exe	94
PID 1292 wrote to memory of 552	1292	chrome.exe	94
PID 1292 wrote to memory of 552	1292	chrome.exe	94
PID 1292 wrote to memory of 552	1292	chrome.exe	94
PID 1292 wrote to memory of 552	1292	chrome.exe	94
PID 1292 wrote to memory of 552	1292	chrome.exe	94
PID 1292 wrote to memory of 552	1292	chrome.exe	94
PID 1292 wrote to memory of 552	1292	chrome.exe	94
PID 1292 wrote to memory of 552	1292	chrome.exe	94
PID 1292 wrote to memory of 552	1292	chrome.exe	94
PID 1292 wrote to memory of 552	1292	chrome.exe	94

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Users\Admin\AppData\Local\Temp\2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-22_604422ae21a15f5848761ad0d2346d40_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2dc,0x2e8,0x2e4,0x2ec,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd71c8ab58,0x7ffd71c8ab68,0x7ffd71c8ab78
    3⤵
    PID:4968
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1896,i,1544810410554894209,162205419005182712,131072 /prefetch:2
    3⤵
    PID:2188
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1896,i,1544810410554894209,162205419005182712,131072 /prefetch:8
    3⤵
    PID:4976
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1896,i,1544810410554894209,162205419005182712,131072 /prefetch:8
    3⤵
    PID:552
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1896,i,1544810410554894209,162205419005182712,131072 /prefetch:1
    3⤵
    PID:648
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3104 --field-trial-handle=1896,i,1544810410554894209,162205419005182712,131072 /prefetch:1
    3⤵
    PID:4880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3668 --field-trial-handle=1896,i,1544810410554894209,162205419005182712,131072 /prefetch:1
    3⤵
    PID:2024
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3908 --field-trial-handle=1896,i,1544810410554894209,162205419005182712,131072 /prefetch:8
    3⤵
    PID:4468
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4568 --field-trial-handle=1896,i,1544810410554894209,162205419005182712,131072 /prefetch:8
    3⤵
    PID:3572
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4452 --field-trial-handle=1896,i,1544810410554894209,162205419005182712,131072 /prefetch:8
    3⤵
    PID:2248
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4560 --field-trial-handle=1896,i,1544810410554894209,162205419005182712,131072 /prefetch:8
    3⤵
    PID:5208
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5512
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff72e73ae48,0x7ff72e73ae58,0x7ff72e73ae68
      4⤵
      PID:5904
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:6016
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff72e73ae48,0x7ff72e73ae58,0x7ff72e73ae68
        5⤵
        
        PID:6040
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 --field-trial-handle=1896,i,1544810410554894209,162205419005182712,131072 /prefetch:8
    3⤵
    PID:5876
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=940 --field-trial-handle=1896,i,1544810410554894209,162205419005182712,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4072

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3900

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4264

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2936

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4288

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3932

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:972

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4524

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4304

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5044

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:736

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:944

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3416

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2884

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5200

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5524

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5664

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5820

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:6092

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5216

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5812

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5820

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6032
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5996
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:6240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
855208ac2d23edb51dfbc2c2ad5e6574

SHA1
34abbf90589f7f5e3e14afcf8a31fd98b435b1d1

SHA256
cfb81728bde4a60319af46d54fe1377d306097351123618462b6b23b0f5bbbba

SHA512
8e4f39fbc00ca1ab7949d88ed2fc39a8024221016ab46dae11a29166c11a7a82be51a06648441393db8a381bbb6d337078ec6362694ae42aa3c646182d1508c7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
c9a76efa84ffbe5c231ce593493a839b

SHA1
3e8447f9e8854da8215373e82d1f3436f42b59dc

SHA256
73fc4383e96ba6290c5c0d7ea4be951cd76d9d7e63cc638f32c99ec8331a5796

SHA512
9c2090b24cc0ff77985bfbd4f53ccecc44db4c197c704ceb95762ecfae244cb2a61d702fc0442221d440437b0bb3da752ab846d9cb21596526822af8aae7b1c4

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
4ac602acc5d0d1096d7bfe82dd434050

SHA1
06e808f131fb710d8ae037384b901298448ff96c

SHA256
c2056844645851f3e00d5c264103b2e7a5092a260a1e809e9349c0279bee5f34

SHA512
c7ded320bd782c5cc581c8a3b28c5c94b843f2115a4c363eb880a449a54d76d5b859ef6bcd984447550f17a17f90340e55bf0054aadd76d6de23d2820ad82de8

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6cfa33cd4354bc2a554a182f4132bd5b

SHA1
33d998637347f6b6a262055a2b130516a1587191

SHA256
c9f09237ee7c553098961a2d32718561311e6f7e073c002a3d40b38e4b47f3c7

SHA512
0101b2cdb12ef70e8bdb919903168a758c643362a8186e42a22a2da643d963885d7dbea161751ae29d068c33e09a8beaa95193aee6076e4b064f8542384997e3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
27f0b562fca9520135867ac50d2efdc4

SHA1
59df6472f384d0e69a224763fe1e851b18a4bf7e

SHA256
6ecc4e69dd752f2699f11dd30a356ee4a98ca21a892ce82972a55d3f8671ba70

SHA512
675952f8bd0b62c1503fa25cd219caa29f63b789154a3265e6cbd8d68ad7e5b1d32a77c6edced2258c2a2f4cc53ff715bfe2e820588ec07066e8e216fb2e4d10

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
7b623c129cca58818179b09e433a5856

SHA1
07444a04a15d265e4abe519d71a8beb2a4fe27df

SHA256
464e443495de928706f8d92a40d64f199f435be30c4a747d3d92dc40046a4f7f

SHA512
de2627746889dd0d4d52d080511f0219c3590f0af17da14e13cc37fa07ec2eb33073c785114d734507c00f29464228b5ab6dbd4a398c7e2295b6fb7388d9f2eb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
e8712d0eceaf69ec3469a998c543af7a

SHA1
59ca467939063f07a2ca923c3435d5e0899d0b42

SHA256
ab5cae3e591d34700ae6012e872ff7ec6a902e468f49c55f399fb8fa21c8e899

SHA512
6ea63d5b8d6f2ce68d734fade768fc25e8050bcc33a291c58789914851ca7030a776f62d74d972cd3d24bdaeda56d54f820bff7a417285a7cd7ad3b62e207ed3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
34f5d2b780475d54bf52599648a0886b

SHA1
1e260cb71453caabbc1e6dfb6096113be48d3c69

SHA256
cd8b307c4faeded29f8388a59b204bc6c1c3ff2c5ce12f9eaecb83d6451afee1

SHA512
c7dd032b3cba9539d483728e10004957a177602f8bc7eff077affdbc33c85de17944b32f3b920d29fd7ff85f0109a19b34508c286b767a57ecb4096b5d95d371

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
e9ef218446b9554dae2c94fd3a0e1bc3

SHA1
ef1337ef043e4377936803033f16d47a7bcb68ba

SHA256
5cb872e8eedf94b13726a556ad6aee888c45454aff2b9e7e1cf84ff568e59027

SHA512
3cd559957bb5373672b9ac5b9af9434c93ab87115f7cb72ec86b1cc2f3f7d4f20b1c1bc09f62c7511c55861d7579e661ab803b54c5492ce05279960127d33d71

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
12ec7e1a380f546ecb246f0634b61447

SHA1
46999444ad3fc369787330565c726b8ebfbea119

SHA256
d0a884d0df36b8cac43f6396d70ccf52a802dcfbce3018eba74b96a30a074ef2

SHA512
3362c8092156b444ca6f57c95e57d070679bb9289871a4d1333d4d5da4a26f2e7e861b18f25e0f49a1bd212ad0eb5068d6bf36ba09b965cd112a400ee0f1a325

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
70553d2e8cb28b4b5f073069305dd6cc

SHA1
a5ae08933bb01147aa61c0f6c6248f35dad5b071

SHA256
dbfdb3d82126e0cc8cfe45d6f3e5508bbd493b101a2219917787d254eaa873ce

SHA512
ba705f07eb14f89e77a9766b240547fd98dd57f5e4b9485e261e74af251354302bab2ca87b44fe0fe19ccb1b67b6495bff3924fa2f82302d407a8f8c9d6bdd6d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e4d6813c34792a94dd09484fb6f616ca

SHA1
f41fa1e4567b628009988eda10c4f56c1412f1ba

SHA256
600301925e556df21c2d689a0303c1a18460e2dd681ba939c655ebb6e229e66e

SHA512
75936fe021745cbb1cf9d88bc0df0c66873a987b23eba15111b13610292a5e7520e469331c7596d2e89c766090b9db699cc7a0b0e70dc6e444c3741ea211c8bf

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
b886802859aeb8bf6665d8bbe89e1c98

SHA1
432c9131ad288423d99ecc936da20d4412b9e006

SHA256
ab48236d5b03a42f9b4d60825407ac8a5705e0ad0be472fcaa4a9dd83c5ea2d2

SHA512
85fe391d1097aa201b31ac35e36de9e354e1e925973c65f12142410ece2fafa2b83e16a51ab01dfc726367fcd27839e4b0fe4523d028e9b31bccfe34648cc1cd

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
d32125eece3694a3deb4d0ce81a187ab

SHA1
3dc462de9adcb5fab719e75384fe14f7b6bc2502

SHA256
6d8fa49e8da094f84c6d419cb561e2bdd74780d3b51024eac34e00ad185d242f

SHA512
6029eb9d791443666afdedef347fc23c308557494e23fe53c9bfc8e3f37476dd309f0e2e11f8ebe64cc9ea3d0823a60099a1db5e068699fe13bfd013c89cb3cc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
4750dad100841f5309e4ba2987e44a6b

SHA1
a90832fa02862db694fe232ac575c7ef1d717228

SHA256
678bf78e4b284005d0d8d52f0f72050266e99755e640334095d061afd9c4ea4e

SHA512
0066210e24bbf55aa8d93b744abb2e966fb295b12094e3872734a8b09f9462b010a25ad5e6fd6a564e0866d98d6613c723ac7959576e0e14736dd95ff61676b4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
e0b17c4d20916f63a4bb10a32fd52a0f

SHA1
96bf3dfb289fdccd7fb8b5107fa875cd40fc7d62

SHA256
5ff19f64ecf6345bcab4b20323548c931e89e2647d9c3fe1ff3737cce9874793

SHA512
ffc40b8198defa84bab0030b8983d6101043bfdc1320158a2a0baefe24be45baddc7bc5b5c36448731df4e926f43dc2163ce66c00c293da4a0e4c07d5e52fdcf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
016f8d4c310efd50ea888585ac3109e3

SHA1
2260513b4166775cb3e4ac65946a8c4e17133161

SHA256
a3cc7bfa7e1e38726863abaabb5d67d777c4f191c11eb1a9bd1443780ed5b252

SHA512
25a0342213afc2761c237a39f7cdd4d18148499d0b01d9ab45a6e02c1f20414f57f91a16797b4434475cc8ef4d06967f378cc8f9455526ed99b24cc376b00859

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
54e5b555e25f4c40d7c1f3dcbf028634

SHA1
6bb64fc6e29c7b6f645a8802e7bb58016475f76f

SHA256
2b1ca8221384bb8099082be7d2b56e144332f531b4cc445d22458b78783a2424

SHA512
b9c6074bd261301a6a96eabc6486acc5ab1f356df81a4fd020dae569660a89d2b8289c94184dafa1774f38da66908401f8e04a0667a5393b8c59c249b640c8dc

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\eb90f384-5a8c-49f5-8574-59ba08ec5572.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
7ac49938b101dd616c344584f27c3307

SHA1
16a50d3174a04bbe37ba33f8013bb5b67d85016f

SHA256
2de4a8f1434720248199ac79a87696db0b88f94c51dc80d1fb22ba77d094830a

SHA512
61350469cc111615e59d68d33c29f76dc210e44121b6774e0f23bad73117843a28f6f9702d530c2ad5b1c3f4aa9af181ae3e2c2ca930906b6685403c708d5080

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
92c21a7b7bdfd9d406520698266f79a2

SHA1
52d96f4db100cf569ccecaa4e700d61b0543ae51

SHA256
01b045025259a819eb1fc13ad948e0de49c74cb4a44ced1890d7ba905dd54a99

SHA512
3afad4b3f3b26dcf2b96cfccde215439611456bf72744b69b38ef5e5c4577ae2491b04edeedf3fab836277c3798738260501762492272f3db4b16ead4ee3edf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
a251e7d8920ad0ae50087d3903f218d1

SHA1
89a40725b1fec22d61561b2286720638ac0f6625

SHA256
6045f9f01ec3f769a595569f236cec5f057170f13aa5c7f8f01df1cd687725d5

SHA512
0b3c16211e1da01608cab5853c907f5c061d22aad2f83aa990fd5e27b08cca8147c0b0f02af9c91e10b7dd8f9d658360a0d73900b0c101fd2a6758386007bc7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\69834bc5-bdd5-4527-b7f7-8cf149fd5722.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
0e7a61b6ae44f8b3a87cee4763391314

SHA1
971a74044f675e2761d8892427b3abfb80926c20

SHA256
40d351e279b7c7671721737e92c7df0658b655f15fcc81492ac1d7cb4492201f

SHA512
4c0acad025c4efa236984195391ebcf5e4991719bd48c912f719a7bc32b68f7722140ff5ae2dcbb7d3a45e075f8be9a138e992f6cf09bdba7a97bc2566f84be6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
584d24729d1fbf022b8f7d557a282387

SHA1
91663db5a977aca4cf950b6f5a1c15b27c481008

SHA256
738ccd2d35940a4fb78ed38d2673fe5e3ffc6e27c6dc20b3f4df49fc94028404

SHA512
79cc6bb89951b29afa380ca5e86ddc35fd34539d6a59d14aeef7db1a4113460d4286bee598477098c6df2717dd1358ab28794a1bd5f0b010ab7c16f06c7c63c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
06a1ea8871d135b13755fc849af22daa

SHA1
39aecdd830e49127f4b67817a485b19be30f8acc

SHA256
3b875c1fe083fe178ed8491f0bf47373290366bb9b1e7c55c3a74f042ca433e9

SHA512
991b39325f7cfab2b31657d252a51c11d6c6e1ab2f02be66c6022f1b46cd63c02f7899586d90092494cdd49e63a6fc7896cd29ad742424a0ae4537b5d43f4028

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57631f.TMP

Filesize
2KB

MD5
c541d6caf1eba2f47a57217be76c5517

SHA1
6fbea28eb3c243a578e6d904eddf794b51c5869b

SHA256
1e5a9517f8e3940d71f3321f9075ca8bca5bb1e82eed3bf223d0bf265b960b6e

SHA512
bc9e7551a58873b1df732905c27e112c830a71bb725170c4e45e3c21a2f71822cc3ce48f9041fbc21d2fdbea8f5c8537e5d027fcffc6d2c67dfae7449e25e739

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
217a61aff4b64035b24e67405f598792

SHA1
ef0476811bd33d252df32a801133fa560e09c4e8

SHA256
86a08c4321fd9832f68ea979d2a477bc0cd645ab7a8cd9cb53b27b90fe3e62ef

SHA512
5bed66a4f4c14763c6166037a2a62f6e81bb054f44c3ab6870c8e8cd51f17fcdde82b1ab86cb2a57a8ec55419714ba02caac90e93c996af7cee93b7f04b05f0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
1236cba83ec599c879b4ab5b368cf3d2

SHA1
41bd549beddc0ee893174716e4acf192c053b65d

SHA256
c5f11b947f8704f2540f865b12525df33de0fcadacc51e39c13539b36d06ef9a

SHA512
1b48c760a9d252432213ce3e01f1205d16272f5b920a112a86f0084b2a03bdea04cfbcc52c673c86fdbc42913846e327c597682cff491dd0f28daf6f97c35f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
f67b340fb10e5c21fe78d319d84c049b

SHA1
7e5831b62e8d42372070575909077e9fee5883de

SHA256
7e8f9e2641735cfe464aab3e5b600fc33ccea43e95b61583fd3ad647185afb30

SHA512
1e0d212ad0b69e05600397f44a437231bacb98c19f5a6e5188ba377125b36fce32ceb5b93f66e18708284e9ab9d0c95edb03f941ed9179bab6b4ed1559d056f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
cc5f8806e19d31f0cf4a1c486d8caab2

SHA1
ab83f2bca7d1a6b5239609e4dbcf3a75c36003a4

SHA256
fa2a95889d6a4bb62e478533649e4c19cd49dacbba85ce322d7c94b37255c433

SHA512
079292e31a7271a2827cea3ff61f39496cedea9a2024f747dee5da3196a21d0278fb79bd323b596513a34da1ce1faf32d2a7b9f1e9d6a3224767e62a01e71cea

Download Submit
C:\Users\Admin\AppData\Roaming\94fa21e17d34635.bin

Filesize
12KB

MD5
16b5f8fd244caf79ce92cfd6d4283806

SHA1
20be8ad45a3db96d1b547516dea7b0794ecbab9f

SHA256
73ae0d22e89e98b62f3078634586f2d4f8e002cbdf20345b625c4b70f5976c01

SHA512
b8baa39a0407978df9e4cd68880eb1c64d5beb18181d455f4764dd0f2186252d99700c1fc53b96ec2134db8790564b1d26e12eb9b9fb732c7cba2e1298a9e0e4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
a619204e0f3e22407fa9efbddb8406bd

SHA1
6c919d2e1c366154cff4786226e25bd39e51ad93

SHA256
4fe3d03ed92c43512e490aab7296fd5bcc771719b8f1390eceaf75551b103b19

SHA512
dba1fd4588247768e100ee3cd827a530471408c06cc3943041f5def2c2d4853a2392e1910a702a6dafc6ea568c5453c296295fb9ad4e5b42bdf698b1d7d67c48

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ded261e5a819104da5171e7e3aa758cc

SHA1
9fb46d7a287f5c36d65f1baabab4a9e6c0f8b641

SHA256
2be868cb8e7a011b845f00f97e585020664008d8923b456656423152e784f472

SHA512
94b424db13c741996d8f85ca67b5200b613086ede0551abb53630cad88644c6a779ef5f117faf3c3ec1f31c071dcad433d856ba1a87955879b6ca3f6f8c518b4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
6f5a5da27836d576fc5294c5de392558

SHA1
d5b1202f16a0b32ce4130cd3ac4272c954851cad

SHA256
74e3c6a4c7cd949cfa87ac1ed56b20d911afa048bd58b5a9d167b0c1b01f6063

SHA512
c0a2bd0032a2747bdd087ff10dd8e6ca9150cfa53a97cd5d97829ae6b75347722916f15472b9a568beeb77b3f04b7ceb7a8f4346a81f5f8d74b7ecf90a1a1efc

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a188777b97b1719fee6f0bb6b3df28e1

SHA1
19e49e58887c5bdd8c0dc937e310d19f7d26922e

SHA256
130ca67a1d9391f57e3d6dd2d1636fd6b91aa3db54cc9bc28ef3ad63319fcf5b

SHA512
b1fb940dd411ebb5d47c1ff016e3590cb83b052db98342124b9a0b370b938f71e4e89e45b9fbdb744aa9cd17e73279658bb29bae66c22c2d3c895b865255835c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
a2d917cd55eb990ef39b257b0c2bcb08

SHA1
d9bf58ed7a983dd17c863c2ef03fd7e11ed1e6e5

SHA256
87c317b6b926ab2bcc2dd0c30a369cf33b1e602912c232e33fefc449d4e358cc

SHA512
80064ef36e749ace93ba055945f451e480a336532c0e01ace12ba42f613d1f3bf3cb2e7adaa1676653378dbdd7a7aa46400905502815e830e27d081984906dea

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
34ade6dbb864d56e18bf9238209fdea7

SHA1
bab16b8aed9b39d3de303ea9ae4cc165b74a198f

SHA256
cf067f23ca1dddc16d554838134e8bb59f6fe1e24fdaf82540d0828bce570f68

SHA512
0032a49fd21050f61105e6d868465013a468732e8add1e436b30c4db52c6cf2253a6487a7bc5df80fdd9b542d5394171b456584b50d58730537a1d9464f2b40c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
10076f6cfa7fb7301463f0a921a53bda

SHA1
7c8247d2f4e3f3598b843731dba46c374165fb5e

SHA256
91a1732d6da90abdd8a7e74d17358d9b8ee3f66abe3aefd8a8d65f248822a684

SHA512
58917a043323c07a121155da55425722102bd1f432c28a8ac941e7fba76bd7f154011d0ec50b9e10de176bb0928b47ac5347e0799a72186d9dc86dce7efccb54

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c4a5b53cb87a092751f2ba2c1f634d86

SHA1
16c6bfa791529e0c3cf91012cfd9dc378353669a

SHA256
361cf8bd14e5579f6215e7c1aede73a2a375436d06c9f50f1974b459e42bb018

SHA512
79cc2e321279d02d5801944ab04cb8ca1d35bda792b179421d81df23e5374c8a66de16d4a97f5d8b26d4065a50c6eccc767b6b1ca66335f4d1c9b7c744698188

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a3f314cf5f17ff88fac89ca11023c05f

SHA1
7a9b2f7d4fa6159d17e95d5903032c1f0268705f

SHA256
1450a510fdd011244db43b89f4740dc4bb54d6efe3c91e3625314770708f14b0

SHA512
bda3626b68fd0c1d7edc2f7fb049d74eaf8179e5fae48e2631d9a4ea48488a60e982cf8b2912164d2ef979b5fac1482a184f4777472608c2030cddd233fde420

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f1795c1931be1e06b33673c343a9205f

SHA1
fff054ab78b86746db5139788f6724eefccf7d75

SHA256
4a21f5bf8164c4887c11b3c20bc38195d47b54d03a5bcbc10b1601236c38acb4

SHA512
9baa10bc4cf83c69860d0259d7c015d03521f4e9501218f76c5e804fa522619bc5b7c66f9d65bd769cca9bcff6e61f7432b46fdc062e0414ef2cef610796f08f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
0a239140bdd3d0a812059b79f333a7f3

SHA1
008507d7833738dbbc886eaf11fd2c328f1f34d7

SHA256
ec451ae877d377ea70f066ef07b7d5fc3d31bc8b67af90032df8782337e46f43

SHA512
a4247998b5434993da34f56306ad39a814a78b22652624b86fd8589158cc7ac55559a2bd41516ed656e2640aea51255a3ca280c40646e92140e8c32b34403b1b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2aa8f276443cf3d5b290a77d1fb07421

SHA1
cf3d1bc8b81b94ceb336a55efa57babf5f9958bd

SHA256
d521f2e8bccc3a172fb425bf7fffbc5b453ee381cee9622bbd10f943507ba7b9

SHA512
04dfb05be83b8ee77b508a4a5e875014a4348aa301896185f6a36c013d6dd3a741933e22d5ea3561d40cfe46baa85030d803293c346c71a828c2a5ffd42fc190

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
bf382c3333960b35ae6ccc7e488b8a82

SHA1
03dbf37713cff4960d929cee21b720e1ca67c5cf

SHA256
57414cd4e0000826be25b8621c0342c8100470c4a26ad19a465a45d953208d4a

SHA512
f79619fa1d765e4d079b580e0f8ed735ad00de4fbd4d9068119fa9968c318a45ad5b34b4fc82e997ad00f7339db16e24c12736b3f73eb859a75c3039a5aa7967

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
fa11541b18691a91c3a931b53d5920e9

SHA1
19ead71f346b0ff6b3763dcd0ffbb4178450d1b5

SHA256
c809adb5483af1cc40210c77b906465fa449ae6dc4810dbbcb48461dffc62c3a

SHA512
8afafe55320fc4c3abedb7d6ce92332e8a33b74953d6dd5dd6d31644b720968512846507cbb49bf4d753ceef0c817ae0299e85b9aff5d384bc008678f9350d6c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
8208f19e2597006992c6675cedf84bf4

SHA1
3b68226c4a971ba4461e0031162196aa15af4103

SHA256
95ea9fe7c824f8b82b0a2109440e9de373cc58ab200fa8b805a73bf2ca7a169b

SHA512
fbd4d4a555cd9dc1c1191b9e2e04bdec6cdd0e192988c4ec73fc88cda5a23024626a272f4d0cb159a4da4b21525045d759912e2026f845c09fe41412d5c77923

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0511e294c9c25eebaf1203cdc8c8b6b2

SHA1
bf676a6f5ef63cbe39e17987b2b93aaf3ed85965

SHA256
7181afc8465735eaff033cd249a447efe684bc778389fccbd84ae6b70969ef71

SHA512
fc5df82d29cbc9e8b1f7eed7d21b59cff0cb3a421f41c5ce8a1eb4052fe865cbc54a6e646e5258b072b65b7eb6172e3b8716b78b0eefd2c4891501c89e70695b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
af49cd7b11758379f48f26ac8971dee1

SHA1
80bf49541ebdbe85eda4585f7ed015bc50105f86

SHA256
683946f5a22aa2f48df865d2602380ad7985df526878dacbdcea69e2ec6df043

SHA512
81ba635a70a774eb1258aaecfba77069de2fb390a0b38021bf9524ec6e6ea35f1859deabbeb19e49735c3afdb8c467f5958b823265fd8c508624c9a0d47ae6d7

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5609c712220b53ca320b344395f55a0b

SHA1
a3fcbe3b7fbff443425ffdc7e74a19a420a9c1ac

SHA256
52a920da8ae569e8c651cc7b3f4f4d7bf55ef70ca968852438846d6c972aec26

SHA512
09f3d33af1ed4fa1bdb09393aa9ffbb1008b04f025d7998fc1b78266e6681d02e92edcdbbbb5b114bb767f6d37e924e142c5437d8b4746fdf5552f62f158c8e6

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
522df09671ae433429bbcaf7252be0b6

SHA1
61ca04f9f4e85e8568ad48873b678d1e513cf1e6

SHA256
280a84c5c19d1271eeed9e7b9b3673a1981aaa57f14c4fd4b13ba86d8673869d

SHA512
f62deed71d60fc03149e67987af7a52bf70ede79171316883d37f3f01ea2b6c4973a677798812609030400f9d4acc0e3f3a52284e3ccfe5212e90cc019107319

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
ec0f45290ac3f6afbc664de81192ee42

SHA1
6cf65ae1b880b6959443c50fec158685d6bd1739

SHA256
ed3be686842ef41331e0828b7757dd55134150f42615d9a11d5f71c5bc07bd88

SHA512
e35c9644522f90c20320f76f8fce17f673ae4890f15fa14285db79639dc1c898a5c14c2f7663de549ae3acacbd939372aca63c0cb6d803e0c8105ec2c490d7d8

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
5a30710aca0a96c0ec5498ac01963329

SHA1
d60935d0f254958e9d4e0a79a225cb4b02a411cd

SHA256
44e76fe166cbba582f3d9253802bb05d32c46b9bd8e90ef95b4ca24f4e0dabd9

SHA512
30cc07083acd9166a2291f9fc5d8830cf9c09351182a094b4ab61a8ac06dc645a8d15287071e836a54f5524651a723d85f9dd64577a7b792a070833985267e72

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
0b4e4269c1522cb9f8c2f32cb21447be

SHA1
df75eeeb950b499ecc5aee64757fed3212f0964d

SHA256
ee1851612c5daa673ca78ff303ee203b8484b80e727814214d6a8bf900d084b8

SHA512
182bb72d8253f66562d33e6f60eb3aa1f3d8989422aec62e91bdc9d2d1f37125043cdc1e6b6285a257d73952cfd20ae75bd7c4c3b23527a3c46b89c35d1b7f38

Download Submit
memory/736-247-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/736-181-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/736-256-0x0000000000580000-0x00000000005E7000-memory.dmp

Filesize
412KB

Download
memory/736-187-0x0000000000580000-0x00000000005E7000-memory.dmp

Filesize
412KB

Download
memory/944-194-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/944-201-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/944-262-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/972-104-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/972-116-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/972-109-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/972-101-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/972-114-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1424-1-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1424-7-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/1424-0-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/1424-32-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/1424-38-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1568-102-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1568-24-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/1568-11-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/1568-12-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2268-97-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2268-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2268-66-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2268-80-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2268-100-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2884-229-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2884-220-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2884-299-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3416-276-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3416-214-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3416-207-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3900-29-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3900-30-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3900-16-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3900-110-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3900-17-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3932-85-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3932-180-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3932-84-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3932-92-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4264-45-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4264-44-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4264-53-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4264-136-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4304-228-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4304-137-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4304-218-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4304-148-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4524-128-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4524-121-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4524-204-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4524-120-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5044-159-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5044-178-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/5044-233-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5200-243-0x00000000005F0000-0x0000000000650000-memory.dmp

Filesize
384KB

Download
memory/5200-325-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5200-234-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5216-337-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/5216-328-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5504-258-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/5504-340-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5504-249-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5664-265-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5664-271-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/5664-353-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5812-343-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5812-349-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/5820-293-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/5820-355-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5820-278-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5820-286-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/5820-363-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/5820-292-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/6032-368-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/6032-376-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/6092-312-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/6092-302-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download