d1094678869c29df3963bf90c661e4c82b228a2017252f9dec64167232d4967a

Analysis

max time kernel
155s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2024, 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
Size

4.1MB
MD5

50480cb8170b0d97e73ba781aec7cfe9
SHA1

ec38f88ab9a828640c1a8cc982896014287de814
SHA256

d1094678869c29df3963bf90c661e4c82b228a2017252f9dec64167232d4967a
SHA512

075571b1fb6dd2d6fff774d8aaa628afccad9b4c803e05a563eb57af881ef8db25385c894b41228e82e942222f117224601accb2893437a05cab6820bff11b22
SSDEEP

49152:Q5Viqwo4KxghcyJLBaSbvviqMjfBV+TFZ1bBzP7n1Y8/17MVfw1QSXm+RFvTCr9s:QBfr+TFFqRlw6a+dU7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2044	alg.exe
3164	DiagnosticsHub.StandardCollector.Service.exe
5080	fxssvc.exe
264	elevation_service.exe
4944	elevation_service.exe
4600	maintenanceservice.exe
2272	msdtc.exe
4420	OSE.EXE
2112	PerceptionSimulationService.exe
3656	perfhost.exe
2620	locator.exe
4064	SensorDataService.exe
696	snmptrap.exe
3220	spectrum.exe
5100	ssh-agent.exe
5284	TieringEngineService.exe
5444	AgentService.exe
5544	vds.exe
5640	vssvc.exe
5760	wbengine.exe
5888	WmiApSrv.exe
6032	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5c76feb7c92b1ccd.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005aec2dd6704fda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000277e47d9704fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000194110e5704fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008aedc8d8704fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000853581d8704fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d1305d6704fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce440de3704fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000033cc57e5704fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
3524	msedge.exe
3524	msedge.exe
4692	msedge.exe
4692	msedge.exe
2232	identity_helper.exe
2232	identity_helper.exe
4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
5424	msedge.exe
5424	msedge.exe
5424	msedge.exe
5424	msedge.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4080	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
Token: SeAuditPrivilege	5080	fxssvc.exe
Token: SeRestorePrivilege	5284	TieringEngineService.exe
Token: SeManageVolumePrivilege	5284	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5444	AgentService.exe
Token: SeBackupPrivilege	5640	vssvc.exe
Token: SeRestorePrivilege	5640	vssvc.exe
Token: SeAuditPrivilege	5640	vssvc.exe
Token: SeBackupPrivilege	5760	wbengine.exe
Token: SeRestorePrivilege	5760	wbengine.exe
Token: SeSecurityPrivilege	5760	wbengine.exe
Token: 33	6032	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6032	SearchIndexer.exe
Token: SeDebugPrivilege	4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
Token: SeDebugPrivilege	4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
Token: SeDebugPrivilege	4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
Token: SeDebugPrivilege	4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
Token: SeDebugPrivilege	4068	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 4068	4080	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe	85
PID 4080 wrote to memory of 4068	4080	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe	85
PID 4080 wrote to memory of 4692	4080	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe	87
PID 4080 wrote to memory of 4692	4080	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe	87
PID 4692 wrote to memory of 880	4692	msedge.exe	89
PID 4692 wrote to memory of 880	4692	msedge.exe	89
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 1292	4692	msedge.exe	91
PID 4692 wrote to memory of 3524	4692	msedge.exe	92
PID 4692 wrote to memory of 3524	4692	msedge.exe	92
PID 4692 wrote to memory of 4540	4692	msedge.exe	93
PID 4692 wrote to memory of 4540	4692	msedge.exe	93
PID 4692 wrote to memory of 4540	4692	msedge.exe	93
PID 4692 wrote to memory of 4540	4692	msedge.exe	93
PID 4692 wrote to memory of 4540	4692	msedge.exe	93
PID 4692 wrote to memory of 4540	4692	msedge.exe	93
PID 4692 wrote to memory of 4540	4692	msedge.exe	93
PID 4692 wrote to memory of 4540	4692	msedge.exe	93
PID 4692 wrote to memory of 4540	4692	msedge.exe	93
PID 4692 wrote to memory of 4540	4692	msedge.exe	93
PID 4692 wrote to memory of 4540	4692	msedge.exe	93
PID 4692 wrote to memory of 4540	4692	msedge.exe	93
PID 4692 wrote to memory of 4540	4692	msedge.exe	93
PID 4692 wrote to memory of 4540	4692	msedge.exe	93
PID 4692 wrote to memory of 4540	4692	msedge.exe	93
PID 4692 wrote to memory of 4540	4692	msedge.exe	93

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Users\Admin\AppData\Local\Temp\2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 --annotation=exe=C:\Users\Admin\AppData\Local\Temp\2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.73 --initial-client-data=0x1c8,0x1f8,0x1f4,0x1fc,0x1f0,0x140315460,0x140315470,0x140315480
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff956af46f8,0x7ff956af4708,0x7ff956af4718
    3⤵
    PID:880
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,16668556606671986331,3928535896865723685,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
    3⤵
    PID:1292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,16668556606671986331,3928535896865723685,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,16668556606671986331,3928535896865723685,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
    3⤵
    PID:4540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16668556606671986331,3928535896865723685,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
    3⤵
    PID:1588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16668556606671986331,3928535896865723685,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2248 /prefetch:1
    3⤵
    PID:2180
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16668556606671986331,3928535896865723685,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
    3⤵
    PID:3916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16668556606671986331,3928535896865723685,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
    3⤵
    PID:1216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16668556606671986331,3928535896865723685,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
    3⤵
    PID:1588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16668556606671986331,3928535896865723685,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
    3⤵
    PID:4592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16668556606671986331,3928535896865723685,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
    3⤵
    PID:5076
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,16668556606671986331,3928535896865723685,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 /prefetch:8
    3⤵
    PID:696
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    PID:756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff72e645460,0x7ff72e645470,0x7ff72e645480
      4⤵
      PID:4724
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,16668556606671986331,3928535896865723685,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,16668556606671986331,3928535896865723685,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4152 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5424

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2044

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3164

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1568

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:264

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4944

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4600

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2272

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4376

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4420

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2112

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3656

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2620

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4064

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:696

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3220

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5228

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5284

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5444

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5544

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5640

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5760

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5888

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6032
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5668
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
732c132f1618dbd6addc5b5ad08cac68

SHA1
49b1a8264f5b9930ebfa29e327ffe5c63f9eb3f5

SHA256
bd08834a43961392616783b0eaf1a863c097d812eb5f9b54122fa1647b3c08d8

SHA512
b5c09598e3f7e06d974e787b47d777d71400b9a5b955bdd284ac3e6a2f74c37c2e0164fcdb6a943ad792e92c176b249a8e20fab23538cfe6ed1a910ac7aea084

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
7dea99d90f54e3760569eb95ccae9896

SHA1
bca7e43536e816e5d6996d7ed0f08bae11c7fb4c

SHA256
01b20b620b6d765cd1547b5f087a1dd656cca4a7fcceef2e818ca4301fdba5dc

SHA512
230dda4ad33ad280958f61a1939e92ddc489da820251c323bba320a9c0e53dee2445719284a5c10075e62024a8cedd8d99d3024520001f4e86f502299e7290d2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a83aed6e83df9ddc782d0171a1230fd1

SHA1
455e7a10e1555fd4eaa3fd2fd2ee63eb5b5cf368

SHA256
189f9f2460b880e8b8e68c504038980b9c106277cecffbec4f9b4d1eebf266e7

SHA512
96b75b4910fea4400087b7604308471a7ed0485723b0d18ba9b0c2dbe355682ed4f0bad6d911947c95142b97169cbac443ab9507bb8972bc7a3ed071e9638834

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0a9ffcf2a7c9059eade1500415ef1f13

SHA1
87558f4cbdcf40296e8d78fa07a15e14a6aef59f

SHA256
9a471f64a243c614391447d979d48e2d6a69430789863f4db8eb5dfe5a6268aa

SHA512
a93c3c9ed83b984c9b0bf87e923dd55e7c67a17523160413e3f63ff5eb8bc27a79c3046ad4526a059f9f7a6c20079f9ce0296f76193bccdb3a935ac259a62567

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
dc3a5dd9ea7b03e34c1b8b20260261ff

SHA1
5cf6a4657b38373a31f386901577159b1244b473

SHA256
55fa04dd90cbe6329b3b603d1b5378119b54d8c88f8692c8e8726cb88d5cffc6

SHA512
de78313873b7d69fdf995d453a82e0461643c8ed9acda388c1939d87d46bfef7089a174c9fd9d5d5f08025d97245911ca6eaa94c0c02892b4399c4875760ea23

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
8edd7da7ebaa46bfe717ff71ddd51bff

SHA1
251cc9de9c57fcef49098d131c515507e2d546d8

SHA256
b4a63dbf2e996b8fa3aac1ebb04ace60dca75cf86553948fe1b0c718bdc256a7

SHA512
bb09b23b51c5247d764baa7226308b47df07ab60681a6cebbf811cbd1fbb3d9fe4330a7eb2553c68f48784b3f3b5a0b10a4ce149154e2dc55575f76dc05e319c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
6e8dfbbeb928e7802ce451780e19210a

SHA1
4fc7c38e064679303558f377a739e5aefc798da2

SHA256
d46aa94fbca47179bc03050ef96450cee752912726026db55965f3834adff26e

SHA512
fc44d11f6810fd477cf63cd83dde5435a24834fd2023761388b497dd391dc626cfa0276a7fab0f6d0840af9e352012463f1d6e1cfc5b7dfa083a37c1db49a95c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
e67fc41e586b3fe90b8690dc9f4e43e9

SHA1
f6a79869a6aef144a10ad9fce644919a7dc840b0

SHA256
669da7f73013822ff2841e3947f68ad36c564febc39e5372e15f446ad4972137

SHA512
7a40757e22e78e87bbefda0d57d503a9f37ed0b100413c9ccc91a85d56f909dbb246ac73cab1e9696c0c6ba9253119401d535f257e85a72d4317baa5f5c17656

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0076cbc04ccd8b2ff5dd6c0c353025ff

SHA1
66238c9b973425b6389eecdd2d444383ff922828

SHA256
48e7db1cd4b5caf4799d5f76529c98e2ecadbc03ea29d28bf7cef325ffe175b5

SHA512
f2b0be6e88dd479f82602032696c00bedfb2f136577f6078bdd89a6e762c1469a94f071469df238c65777542a4e619012f1585dbb5c59ad3c6007b95cdd2059d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
06abee07c84675650ad7be0cab4df4cb

SHA1
e5204521b065479c0592397e890a38b7742ef8a6

SHA256
b3247dd16986cd9fd8c8522e5d5f0ebcf0a719e84445c2969de9f7b4a6fd7bf6

SHA512
b40dcd772c966ca7416977000c4632c96c1fd593bc0a3ca3cf49ea61874368be121732be93496d2c7ee44f2a9f9cbcf16e67058603dfe8d0e15e7d4ab41fe5b5

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
bb7cfdef51699719aa726b394584fbb5

SHA1
04976ff1a2903b27723020dd57c40b2a85f49909

SHA256
406c7c63012c3ee6eeee7c5fc6833999852b5532d8bc285eaa49958618c26215

SHA512
f7d308d22b95338048728cc905a3759b35ec92b4d82a8764d7cf74d19b36d36f1a89f8bcb92bd1c02b914ed96d14fb35d2a4ba9597b3cb6168379787a3411017

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
208563ffdfb6538b26d48119fcbdf8e7

SHA1
b65dc5a63b2ac44860af763eb4450ad04a9ceff2

SHA256
96dcd15b3d5818ebaf256ec9ab9862be923e5dce52726bb9849b03c163deb69c

SHA512
3b9723f42a334d1ebe270e386f5481890cb35169865c2de04c4e209d52f0e673bc717646ddb9311ce39ad542bc16cf208147f6b115ef84e2848b26b329a504fa

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
df622d1a23cc99e48bacef7c65a79c43

SHA1
0058e6b6424605c83545af20b14bcfa89fb79306

SHA256
84cfa2d1e388da5c3f07175f4332871841348aa65551ef2ea6423fe08078390f

SHA512
4a4ae77b172721e96c982143a74a258fad91f4d2c5db97c31e259607d94a3dfc7ededc5c1c04f2794f8fef3a311c3f381416390bdd5c58ddaab3d9c5691d63af

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
e32fe7359f00e73dd4aeb44d561c5711

SHA1
33a70535b7d4a15323f03b7673d665b1fc9cdc19

SHA256
7823689f1efac46699398f58eb1303d0cce76b73699150557f65ff68af5278f6

SHA512
da2408a54983ebdf7e117f35e5df665477f4bb1e3a30aebb2d23a60a1046653086f03b1438b7349bfa32d1ad53ed1ea4d7155c377ebdc8c74e3668b219f06a47

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
bcaaed49b60192a0bbac58e5a6bade58

SHA1
ea11bf600b56ca9c894b77b428f930a13e8801bb

SHA256
031c4291564570655038ce74afb6ebe2b849ab6aba5f0c95afa229ac1c9fe4fe

SHA512
4e82f18c5ea8f0095adea18cd4794ed64ce4e1a6dcf6c954e943d7ac7dfce6989a3a7cdad5af4c4880df6adedf9600de403d88771e8a44081749e56987af49ff

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
1f02051f3c9678ab8a457e916437dfce

SHA1
6200b85e6f75ad74cf236f29132099b2887aa4b8

SHA256
a381c13122ae78ef3e11eac0ab817ff02f0335efc1ae8e6ccec512b160be8e98

SHA512
5defa0124837800baa97caa503e567eb4f8304e035440ca8086ed41852c448040bc29bd75b4b786a06a567a3f07e1c7da5e445d73b8e458d214b5d554b3791d4

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
8e5eaa98a3d8dd09ef64f1ad7277bcd6

SHA1
1916dad560eb1c99c512b511fcdf6c041baefd67

SHA256
ea33496a82669d9ae99cd7b6718bc052636a48f5877baeda7dfce08a503b382f

SHA512
255a3cd14240e0d74e02247764dd45231ad930ab0c40dd3c4e33113ecbc663b8259ebed389cdf403addbe4ae54cc8460cef8648f401654ed8c5360c9725eb3be

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
200e91380bb532e89048f26f31b3e07e

SHA1
f137e93ec91181dc791336f5945e4fb553900532

SHA256
6c6ccbc8d5edb7b89f9941811f467c2e1569efab6d19da82a9fd9e043b014043

SHA512
1ab036d95957f3c044a499a211e7a8180f76671893df65871c693afd1b748ce68c746edf467c951f9926207a99875528d762662f7b4034a4926c1cca7e2751c0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
09138e7212ab0180800e6ec0d74ac124

SHA1
a6618ab4ec29b76f22498c8fb282d3aff6503441

SHA256
10c7f01b0a7346a60c585ca2028489baa92eed89aa3058afcd8914ec893cfa6d

SHA512
52a1bc0cdadf356c4127a242bf18aca5fefda008c909b905978ac966b6158ff5c105a78ae7d51f612d66cccaf76c0677155687bd3589fa72837364ae93e135cb

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
5416098bf9e615ecc768e5201c7bcd09

SHA1
96adebd81d95bf5b7dd51999acc7e985aac4d6a9

SHA256
e05186f48437b8a6f363272faf70b34aa91ea1247a9cc245fc2d8c4726b9bd6e

SHA512
b46d43ce4dbc9cf4177f4af905c439e62a84918825a1ec0c7cfa8f14b136775a703beb41d4276a1a573fc9312b75ce757949d23f36c7ae5598bd1df48e9e8659

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b810b01c5f47e2b44bbdd46d6b9571de

SHA1
8e3d866cf56193ca92a9b74d1c0e4520b5a74fdc

SHA256
d1100cf9e4db12cc60cce6e0e2e3d9697e762c219f6068eb55a1390777bf4b45

SHA512
6bbf900b2f7614dd17aa6d5febe3ad1100851e2309ba2cd5219c5aa5af7bf830eec2cc88071d37987aa7e3f527b8df5b2d85e8b21b18fcb071baaab1a2eadae2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
efc9c7501d0a6db520763baad1e05ce8

SHA1
60b5e190124b54ff7234bb2e36071d9c8db8545f

SHA256
7af7b56e2f0a84ae008785726f3404eb9001baa4b5531d0d618c6bdcb05a3a7a

SHA512
bda611ddba56513a30295ea5ca8bc59e552154f860d13fed97201cdb81814dd6d1bca7deca6f8f58c9ae585d91e450f4383a365f80560f4b8e59a4c8b53c327d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4b59c528-be1a-4a7f-953e-108438139812.tmp

Filesize
24KB

MD5
121510c1483c9de9fdb590c20526ec0a

SHA1
96443a812fe4d3c522cfdbc9c95155e11939f4e2

SHA256
cf5d26bc399d0200a32080741e12f77d784a3117e6d58e07106e913f257aa46c

SHA512
b367741da9ab4e9a621ad663762bd9c459676e0fb1412e60f7068834cbd5c83b050608e33d5320e1b191be1d809fef48831e0f42b3ecabd38b24ec222576fa81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d51fb6237511514854475d1fbbe849cc

SHA1
35f9d05a1df905eeb7e366c8b8ddbcb57f556cdd

SHA256
2b3403089dc54ffff7b56b75ae5e90ecc6e593041e3b9aa75db1afd86fad3819

SHA512
e15200d98fe30acb7ae40f5d334ebba330e84f68bdcff78847aec7452125d8825ab6c8b6430aea62d0aebe80a454f0950f69805709518a7419a0ecf5a27df77d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d9d105baef83be2d89907a6c6d6e0844

SHA1
512c974782862af2362db08341c8f5e13ad60ded

SHA256
17b9a416f23c16f9bf092f79532ce2cd76b418406e0c89eec03c8f36a3908bb2

SHA512
92c36e308723e238053d82935dbddb18e7a872cb1469f73edc9f0f886add0d85545b78fed8d1ac9a1c13712a6b449151e5156c1b0df98884175c2e835f92b879

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
80ef1701fca6e43ed2067349a75344ff

SHA1
9dde1409a2ed9526b9d5477e27ccc31f59d9b303

SHA256
9c3e29fb1a61cf031a30ce2ae7768beaade933923cce8c3b863647204d0e42a4

SHA512
8c9e2b4d3f3d3e52b5ce9deabf832c1ead18d56db24253691b522da372f9eed834a629456765eafbc32b1467ebf727f883ecaf0832b8733e6600a76f2a044e41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6bffb106f07746cf09f23edfa51c4e31

SHA1
57f42db7d90fe465ce69a718ffc6b5ebcb914dec

SHA256
7aa64a662c5a1c2fc38e1f8307fd7682562e081a51b6bd42a374bcbb075bc190

SHA512
168880283fbb7580e096c5724186aca35a9c53dabfc42493a630200ebb93ceacbf0acf4dc5ded29ab6f9726267c00ebfd071bd0f359b6bacb54c9160c8f91f51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
917d67e853eecef2c830b7f7a854e24a

SHA1
19355ec69660810e06622cf16c94a344b42e6655

SHA256
7b6c91c73d7090e13666041145f40d414d935113709b188bde5b49d87527ffae

SHA512
9c6cc362f2ef0d59f4f8058e2c22c71860cba37ee1977839e7778db80f54832d5e27b6c84888c399fb02b675b72e46bbb725f33ef68f79d009d405f2558955ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge_installer.log

Filesize
6KB

MD5
913b851e51c4fb786dc7697f3f7cc9a3

SHA1
4580b356ffd17b1b4c569117d28742d901e06e69

SHA256
233ddeb549312c5a2d968e089a3217927be10e9662875dc5b9aabe23ce72a3fc

SHA512
63e12b7a08524f9e0c3ebdb0c72edd6ccdb9ee1b24d66cc8ef6257ec27ef4673dafe40a457a52dd7573c1ceda97bfd819bbdddb5aa77b17331a626b07e5215f9

Download Submit
C:\Users\Admin\AppData\Roaming\5c76feb7c92b1ccd.bin

Filesize
12KB

MD5
c54408a7bf6ee89b8cca2a7f715e0d3f

SHA1
864c8df5e7bfbf429beada975b319812bea986b6

SHA256
284fda14233aabfe27995b319ded889517513bef633b855a0e8d6f000adce0e0

SHA512
f43c42f5d37facb71edb45c1662d08545fb41de259cade3664586a593027ed0e4355441f0aec183fd4650fdc5dd1c8a0e04ba34b1023a6200c97e0a030c47693

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
4150c1b24a6dec00974526cd4587e08f

SHA1
3ab5b43ea8baa06b1c86513ae0bc5522379cd45c

SHA256
3073c714abd9eea4b03b3b523dfe2c5f455854e436350598a012c0c24a124638

SHA512
0eec4a8ad3fff58f7d98fc3a38a5442fbac32988ab83e9bb8ea767c638410468e04fbdf4723c407fcbc34ddc147d8702c6cf98a0438ee30789e14ac8959b1801

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
b3206a73f7707ff0e6d6d56b51de20f7

SHA1
1c8d353e6cba7b34ac558a3b1abb53fb3d4e84ef

SHA256
dd92d73fc28e506aa6aec4fb0b9c486583ee205cf4bd6b89f62a1c8e7cfb2472

SHA512
c923b3955b0768125c50cb59e3b93399d2b58a8a2ab0185bd1e90bfbf6a9beee34a80c3d1ae89ac8e59c827bf991c98916361fd0f7fd51c882e6bc73400e7cf2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
65313ac6d213f982c948f9838fc32e00

SHA1
487e2ea6d36cc69e5846868381cfde02c5cb530b

SHA256
d4f61ec2446380030b179ab7ec7a3e9a6be93b327373ead3ad2e2f960bcbece2

SHA512
f5b76fdd502c056cac305c3a41693432d780f40dfc3705104e7e255e51917125b82277f7eb2ef0c4cb13041a4ec9510fde548165533a1ab23dc2a71510ac5e92

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
5d3e5a4f69eb797e6d1d0b15fa6577ac

SHA1
737d6736e28ebc8784817f5491a132c4ec7df657

SHA256
1632c6af84843a30594d470544cec1836c6980eb2fa93cbab4ac97d75369d441

SHA512
162cba7048847f67843ae6d53f3b64561d4ddba9b41813271955872b17a594d29bab76389779c1cd087752f54fbcb1473d191cd9f6bdfc32de766989589f330f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
da8c1f3ce4897fab41fc79b85b7a281b

SHA1
60657febb29742443f88913a6611fde631e733dc

SHA256
568caff26d6d605e0236a0792f25f8bdd2dc1c037593fd70e0aeff66ae39bcd7

SHA512
8adffb0c0efdd3e9b64640e6aedcc62279a0107b92e57c55b975e9226b888d8558e1bd5bf5e0f65f9f09e613ee3aebb46c203355250881bc9df0ecdb603ba81b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
b9086e072365728a4ce0e19e6ad4b5a5

SHA1
4d6a8f4822ac457f10d7ef793a0d7eead34fb609

SHA256
f61bfe5338b0c45b9fa3f451004b2aaeec7cfed05e97d7e94f2aa346919123d6

SHA512
8e5c6145310c202fc31c38cea9e311c511fa5d882372397da195aaab52255f39d50606da6998c36281ab66ef5f73e90bde8d1ad7b78cb56e890e887f8f7b0d4d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
d96b142bd7edf9b51cfc42b8f3bbfb1c

SHA1
f1c210e5b739293391f92c8ae8da62d21a4ee6ae

SHA256
7e95cb96a1629eddcce833ac40e0942894e48d9da18fab13b0e09b136d6cc97a

SHA512
dcf270c551359ac1fbec24abc58ef6bcdfaed3082ae91614befeca01a77e8576c25cb3acba8a1ebf0baffe7c75e0d19855c3a74ca3b0ef9168bbbc55d5561a6d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
2052e08a958bdb879d4ff37ad6e33420

SHA1
2759d77c2c0b832f0c4791ae7fd00a9af5a5fef7

SHA256
2cd5a15c402c96eaa87e937511ef1992f961ea6469dedd591574facfcab3aab1

SHA512
2fed0b975cf10ccce1da92df4ee4e3a19b7daeadc24c607e19f65bd03dbb636f26348eade619ec9b10b4cc16ee27b12ee661d6ae7331fc2ee0a64dc05c85629c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
dd78c3843f3ea08bc57f61d23c3c7330

SHA1
598f039d0e6b791f2c3056acb7cd5117a9a1e53b

SHA256
7efb10fc0f8010030802d0fa481ae0813896056e558a5185742c5f93ca59dbdb

SHA512
bb13b2ccdeed82b5cff1881e37777479c357e5be29ec50d7306805a7790a5068fd99d8cd604e0b3d1ee273dfad0c149df4e643c7a60cb77f497bf387bd3bce60

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5bf8761925db70b869b6250debc832ce

SHA1
9a67a6669e9e7efbe19383ebb97e9a5f999b06ff

SHA256
63c5abbdd332f3580165de8fde1dfb4f19270528fbdc784e8742904cc599fcb6

SHA512
7037f0c3b1e1271c72fc9e1d2aa86480feb700244f3bba402e80724578097b7b310c854da2a90784bc856e6dc737d2eadcd898ea1f665fc6318745e24b7c5fd5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e4490ccaf4c1f567fb8d7868f1687aa7

SHA1
a324402c53f749e7f55c69df2150ea2675e81766

SHA256
fc09e343628ba5ec9a8ddae6f6a12b47c56e8d2b062a74f2dae44dfc03a65887

SHA512
49d69a4e7cfbdef377309f2076a0e7b3a311691b0ab0c4c1a7c327984bb89e4b3cdd0f7fbc52b27fbdde60b75d55d7d9a381b7101c6eda83fdccf066e7ce29c5

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
d9d81237928a0e57b145607ccbb630ca

SHA1
6863cd3b486bbac6bacef3472ffbd0030886edb2

SHA256
b38d5a135b1bdab35fee0dc63e04a1aeef44ef19b31061bafc7f59ad830f4ef8

SHA512
69bac7cf89bf78bc958b56f953e8444ab76f3c25169ec3b10b2353a3996d9d25004c121a212e43d03930a53f3372575df1af97ef90894629f6e5074029751936

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
409d978e0047bdb1ccdd03d9f16027e4

SHA1
01f12360253288903fa77f7072e378b7c5d281c1

SHA256
7444d1d47574b46d81cb41096e15611d8114da8f72e942dae3b0d11fc0b60c7f

SHA512
a11d260d2ca788f78cc90d9c2713ffd716f1e6553e2d08d7d7d40b74e75c5534166cb2212f1f872317d311d81551ad45d6374b37ecd6d1f4c0089e0837d87c84

Download Submit
C:\Windows\System32\alg.exe

Filesize
64KB

MD5
778a5ef7ec82423684ea1579e3c4e37f

SHA1
df3ce8620e23c7969fcd9949363d691630665a4c

SHA256
be216d2cec1f8b85f54f9758c03a998007e6537bd9e43fc760bfe0bd2b361839

SHA512
0f229e84bee975e1465bf6f89a8e5f164af5fd1eedd14ad2bb9c709a02131e5ce93920ed05c7ad3c41069ebfd3361c4dc50aa403235cf999e0d23710e6bdc665

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
ddb697043a76e027ae82f7a4c26dafd9

SHA1
fae3f28cdd4bdcdcd0a581a39772202411f3f304

SHA256
cb71b9b8964deff288cfb549f11c6dcca5c0207906343987b84cb8fb0fe6eb8f

SHA512
613f9a26ddb3ee8fd29200d041c9e6dd3e7ede634cd598cd430a217477e0845dbf6b035270a00464dfd7541ff62bd0372f72a83ab4513944c10dab9475e52796

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
2470321b6246b9c142867a66f2776432

SHA1
16740de7fa05e79c851fca646050f3d1681bbf5b

SHA256
366271b2daea6debe6c64353d999d068e21381ce79a021a4d056547b10218350

SHA512
72bd1797f058556723a118854a05ef22c18c2b9b4170edddc5025f33357a1656039cba199fba0f3589188a84b769faae5b719e6e68c44e37d1d0d766519f41f6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
fd58962867bcd9144e649b0c393c80c0

SHA1
15c4a7eecdf947d251b63573b5760f43be3ad0bc

SHA256
1074eb827ad391a6bdfe8a543a2b30a8fdae3a68639d6131ac6f1619267cb73b

SHA512
a19a046a38668bf25b3d8b1f1ccf818dd8af9dbbedf0201c3f1f0fb53e2d921965dc451ba02c6f72ec8b15b1328223f88820caa7aa56738f7aff52943a5649ec

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
aa818fdcbe6652b293be17a4c8791a61

SHA1
e6616399921cf956a907489a4f9a025d5558039a

SHA256
d37da8679ba97cb45fb404679ff628fde65f4e6e63c85783415d6be800d71c96

SHA512
50bc4b0315b760ebcee9791b90c6e6c97c0c812fb4fe582708abab2f186dbe1b5ccfd67117f89e58eff71ffe3dadfbbf764e35120c2a64c2a623d68d51823f5b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
51fa8538905c89b1dfb9f53105dd1ce5

SHA1
3ce51de3849d012fafb7268dafd9d4d992e79a6a

SHA256
479cc4310af0d2bcf84c683c95164c85769f1e412d7498698fa26854ef8cb56a

SHA512
c0e0e1d4b5136e82a0a0101852f9880e0636407727e921668622050e02a727503c785292c9196fd0d7340e18748738995198a96f12a738941dea71cb9798f8c6

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
c37f4e88c3c50cfc8dd0d030c28aec88

SHA1
a15d5457200eb38ec8ede51ddd482461e1df9467

SHA256
9774f5826c031ac2a54c6e4c48256deccd879d2d3c79e363b6b41db7eed4ff05

SHA512
4784e3d0b6abf828f2d8e4687821c6909da3be97b85bfa2a6dc26c4a541cfc78ba61a0547a810e5ce49637a6febd680e381e725291e67a8976f3a93dd3e6e4b5

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
a34a4b2349a23a3af51c002e32193f1c

SHA1
3a4adf9a9f14119f8db361e5d68f12496b47145e

SHA256
73e964887c84c0cb1078d3473c5f1d0ecae71e694790955250d03c1aa20c795e

SHA512
0a0b4dfcf99719666fc4f91dba7e22905ea6f7daeca27b230369682bc87d81e4089023567512f491bc2f67a7caf2b93eaa1abfac1c598bf8fe89fccdc0e6b724

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
b3d648f79949ee85972cb1f70995899f

SHA1
45a17e27f0c6802822712343ba2b8194a72a859f

SHA256
45335e944c8aa9ba92625f893cb7a5e2e9473195e13a62b460e12928ac8fd33d

SHA512
61b63e376d823c52c47ed7a82a9f10824b55407d87bcaf6dc7aa78c4c0cb86d9bc6233f4ce36e8b2d3eb756c5b229323e95b235a74ce4bd3826a929cda0ab969

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
2c306ed55233086e6e16f49b57c9b5e6

SHA1
e48e26afbe1c9df10ebfc7a48f091f5f795d180d

SHA256
d94e69cf0e3daea27bb55351f35e8d6611d24b21552e3d15377702a2cfa3ca01

SHA512
716eceeef6daf178026bf5418064845a01ac078911b6d2f419f771cd511c4ecf3d1f9b67d66ae41d165e899b33ba4c3e54c88275d0a6cdeca5659fbca71b23fb

Download Submit
memory/264-116-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/264-109-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/264-178-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/264-110-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/696-370-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/696-300-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/696-291-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2044-31-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/2044-130-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2044-41-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/2044-26-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2044-40-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/2112-206-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2112-216-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2112-299-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2272-262-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2272-151-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2272-160-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2620-331-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2620-271-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2620-264-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3164-51-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3164-141-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3164-50-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3164-57-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3220-383-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3220-314-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3220-304-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3656-313-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3656-228-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3656-326-0x00000000007B0000-0x0000000000817000-memory.dmp

Filesize
412KB

Download
memory/3656-257-0x00000000007B0000-0x0000000000817000-memory.dmp

Filesize
412KB

Download
memory/4064-287-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4064-275-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4064-353-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4068-118-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/4068-19-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4068-12-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4068-13-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/4080-1-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/4080-8-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/4080-22-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/4080-0-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/4080-27-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/4420-169-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4420-179-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4420-285-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4600-143-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/4600-148-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4600-149-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/4600-134-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/4600-133-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4944-121-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4944-214-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4944-122-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4944-128-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5080-91-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5080-94-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/5080-100-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/5080-104-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/5080-106-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5100-318-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5100-396-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5100-327-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/5284-340-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/5284-333-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5284-409-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5444-366-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5444-362-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/5444-355-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5444-367-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/5544-379-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/5544-371-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5640-384-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5640-392-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/5760-398-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5760-405-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/5888-419-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/5888-411-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/6032-424-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download