1b7bc3e60ca79e7d5ba340ce0c2c1c7aeb3b4f5ef1fb2be6252a95ec41cbc37a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2024, 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
Size

4.1MB
MD5

9cb761fcd27428b6e601887ea42ee621
SHA1

2aed57e91386239202cb93169103b9ca3e2765ea
SHA256

1b7bc3e60ca79e7d5ba340ce0c2c1c7aeb3b4f5ef1fb2be6252a95ec41cbc37a
SHA512

6278a614bb4e932a7a94f547f42c7a6915d41fb473dc9dcea2cc3d35692f032961530ff064a04b85de87d761e775b5e84fd3a3b47db21d3154e27863e35d098a
SSDEEP

49152:S5Viqwo4KxghcyJLBaSbvviqMjfBVdTFZ1bBzP7n1Y8/17MVfw1QSXm+RFvTCr9k:SBfrdTFFqRlw6a+zC17DVqFJU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2668	alg.exe
2720	DiagnosticsHub.StandardCollector.Service.exe
4900	fxssvc.exe
2320	elevation_service.exe
516	elevation_service.exe
5088	maintenanceservice.exe
1360	msdtc.exe
4552	OSE.EXE
2708	PerceptionSimulationService.exe
452	perfhost.exe
4116	locator.exe
2980	SensorDataService.exe
2712	snmptrap.exe
3476	spectrum.exe
4640	ssh-agent.exe
740	TieringEngineService.exe
1212	AgentService.exe
1464	vds.exe
1848	vssvc.exe
5136	wbengine.exe
5248	WmiApSrv.exe
5432	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9d75cb0d66ec4f27.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_76234\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f367d524ff54da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008f14df24ff54da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000927daa24ff54da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f64c724ff54da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a11ba824ff54da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000097f2bf24ff54da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b90bd24ff54da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000050decb24ff54da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a48af424ff54da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
1824	msedge.exe
1824	msedge.exe
5052	msedge.exe
5052	msedge.exe
6080	identity_helper.exe
6080	identity_helper.exe
3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4464	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
Token: SeAuditPrivilege	4900	fxssvc.exe
Token: SeRestorePrivilege	740	TieringEngineService.exe
Token: SeManageVolumePrivilege	740	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1212	AgentService.exe
Token: SeBackupPrivilege	1848	vssvc.exe
Token: SeRestorePrivilege	1848	vssvc.exe
Token: SeAuditPrivilege	1848	vssvc.exe
Token: SeBackupPrivilege	5136	wbengine.exe
Token: SeRestorePrivilege	5136	wbengine.exe
Token: SeSecurityPrivilege	5136	wbengine.exe
Token: 33	5432	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5432	SearchIndexer.exe
Token: SeDebugPrivilege	3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
Token: SeDebugPrivilege	3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
Token: SeDebugPrivilege	3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
Token: SeDebugPrivilege	3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
Token: SeDebugPrivilege	3336	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
Token: SeDebugPrivilege	2668	alg.exe
Token: SeDebugPrivilege	2668	alg.exe
Token: SeDebugPrivilege	2668	alg.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 3336	4464	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe	85
PID 4464 wrote to memory of 3336	4464	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe	85
PID 4464 wrote to memory of 5052	4464	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe	88
PID 4464 wrote to memory of 5052	4464	2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe	88
PID 5052 wrote to memory of 388	5052	msedge.exe	86
PID 5052 wrote to memory of 388	5052	msedge.exe	86
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 3952	5052	msedge.exe	105
PID 5052 wrote to memory of 1824	5052	msedge.exe	98
PID 5052 wrote to memory of 1824	5052	msedge.exe	98
PID 5052 wrote to memory of 3980	5052	msedge.exe	97
PID 5052 wrote to memory of 3980	5052	msedge.exe	97
PID 5052 wrote to memory of 3980	5052	msedge.exe	97
PID 5052 wrote to memory of 3980	5052	msedge.exe	97
PID 5052 wrote to memory of 3980	5052	msedge.exe	97
PID 5052 wrote to memory of 3980	5052	msedge.exe	97
PID 5052 wrote to memory of 3980	5052	msedge.exe	97
PID 5052 wrote to memory of 3980	5052	msedge.exe	97
PID 5052 wrote to memory of 3980	5052	msedge.exe	97
PID 5052 wrote to memory of 3980	5052	msedge.exe	97
PID 5052 wrote to memory of 3980	5052	msedge.exe	97
PID 5052 wrote to memory of 3980	5052	msedge.exe	97
PID 5052 wrote to memory of 3980	5052	msedge.exe	97
PID 5052 wrote to memory of 3980	5052	msedge.exe	97
PID 5052 wrote to memory of 3980	5052	msedge.exe	97
PID 5052 wrote to memory of 3980	5052	msedge.exe	97

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Users\Admin\AppData\Local\Temp\2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 --annotation=exe=C:\Users\Admin\AppData\Local\Temp\2024-02-01_9cb761fcd27428b6e601887ea42ee621_ryuk.exe --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.73 --initial-client-data=0x2e4,0x2e8,0x2f4,0x2f0,0x2f8,0x140315460,0x140315470,0x140315480
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,12226767180013405119,17132953587072015435,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
    3⤵
    PID:2560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,12226767180013405119,17132953587072015435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
    3⤵
    PID:3872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,12226767180013405119,17132953587072015435,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
    3⤵
    PID:3980
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,12226767180013405119,17132953587072015435,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2700 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,12226767180013405119,17132953587072015435,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
    3⤵
    PID:3952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,12226767180013405119,17132953587072015435,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
    3⤵
    PID:4328
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,12226767180013405119,17132953587072015435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
    3⤵
    PID:2972
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,12226767180013405119,17132953587072015435,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8
    3⤵
    PID:6016
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,12226767180013405119,17132953587072015435,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,12226767180013405119,17132953587072015435,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
    3⤵
    PID:5176
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,12226767180013405119,17132953587072015435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
    3⤵
    PID:5168
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    PID:6064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,12226767180013405119,17132953587072015435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
    3⤵
    PID:5324
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,12226767180013405119,17132953587072015435,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4944 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3880

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9406b46f8,0x7ff9406b4708,0x7ff9406b4718
1⤵
PID:388

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2720

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4932

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:860

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:516

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5088

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1360

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4552

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2708

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4116

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2980

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:452

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2712

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3476

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4472

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5136

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5432
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6068
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5836

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5248

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1464

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x200,0x22c,0x7ff7edb35460,0x7ff7edb35470,0x7ff7edb35480
1⤵
PID:4320

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
193KB

MD5
2d9fae62892af378963aa15dee0dcccb

SHA1
1f2a5113d80955e100b2614f02c72df56f42fd51

SHA256
2e109f078019d7475cca9616c56c754077d559e53f4789d6e64c976803691d42

SHA512
9e73909b35d09daae15f9933f219bcd7045814b05e8097ae9f981eca3f49ddbfb609ab4801792a0d6a7e130037e5dfb6250928a32a74f355e46430c1e216a630

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
175KB

MD5
b07eac654478867891e82dce07f0083e

SHA1
905fb0f5450224ed41c213a7bdc395141bcc1932

SHA256
ca3de9d6624c008c74a4ef6f8fe5406e0d8469df2a88b20e30c61a269617b233

SHA512
e1ecb6d0bfdfaf2546b5621fe6b2e00ff5bb98dd927d9a4406bf38537dee7394daa337081711ee5b0e1744d431620c14bba3680a39754c69dcf11213d50c330e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.1MB

MD5
d12c7eb8e5f65fa07b00efdc01cabd3a

SHA1
8ed1189c7cebcb0eea6e4eb49cb01b974cf309b0

SHA256
788a9da24133ffd326099298941da1599b5c2813898d8440497db8a7c73b827e

SHA512
be618864a2c098d332420fe6bf1827820511cb00d221bc3321d46146fd08bdb6920d5dae4675f74057e366b6151d5b78a2bc0325903453d53d2fb3eeadf985e7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.3MB

MD5
7b77c6d3bc649c4318806fe798108425

SHA1
af51e89f71be1a2aa910663bb0dc7a72be79ff92

SHA256
8e88f185b9fd7fbbd521808cfd8de1b7b2f185357abe9155338291edb53f3311

SHA512
f5a1640b422af4491b2202691465c44a0d321062e1aa282352dfe839d3a2516b9e252f799326bfc4d5feb05eb5c78c2b901b7e034d4155c70ef380b3dd98404f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
822KB

MD5
057d5d590b60a3f9f1edf8b5fbec3c8f

SHA1
7f63516778ea76418a415597718faf1736db5e90

SHA256
69880cc1c9df95bdded88b8bc19b40ce55e5e80a4d0fb688813901e789519a47

SHA512
6d217108236af366d2a03bfeedb38b45dfec45d427f968c55cc0e25163acc52edf3714bd0a81456afebc3bc21a5b6321b8a49fc10809c42684df565b69ef5f5c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.0MB

MD5
d01ce1e60406da1694841f4a97ba3ac5

SHA1
e123b89285e0fb61b8b454f53057c1bcb967467c

SHA256
51b42d0c2aab6e5c71fbc04a677d31da76e1252a33b1598b994bb9cf30c3c41f

SHA512
df1a2b1cfeeecfb511d8b173e5b8bfbcc6ab92594517238773a3a38c0399e4577161376cd7e3c332217d16f996c0016a4c9cd934d37c46ad72ab9d658be4a14d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
843KB

MD5
1ec751e171080adb89eebcb2d61c584c

SHA1
2160ffb57e26e373f6f7bfa457aac760e58e55b1

SHA256
d1d4adfde1051d9565b607f5331f222e6fc4c1a2f25978b0647539f48d06c015

SHA512
a3a2fa4916fd7ed7a9d0c86c9ca3bf2456b7cd3884cc7567d2980d94fcbc4613cf29b10f5c3b6feac2e336ad8a07da16dc42af74aab6ba87dea6fcde685843d0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
714KB

MD5
a44a1fc1cc2314a7f4f3e26f676dc2ca

SHA1
43fc4d86ea989e915305a7e74a8a9f4333930ff5

SHA256
bb7173bd9b74dc00816483d24578452c8941235a19d3c823c70f70f230a6a042

SHA512
1f88bb7c0ae641ea55983883897566363fbffd40ff8fe039dc1482117b9931c78e3922f82a661ad17aa6d1dc7e3c0b67d21ea519c086570197c96698ba3828ce

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
931KB

MD5
eee100f3b86cd095afd4102441423b60

SHA1
f4807eb86b7ca5303765a8ea6aa22087adab89fb

SHA256
0dcbaa84f3b31637694e91b9c743a48ccf6e58aaefd5385c45cd3d2c0795ff49

SHA512
9c502034acbfddbcf672ad8bd8570730b0409830ba6de6aec2a13a63b245f2a96deca1754909954b3b324f9d50f576510ccefbaca691aff3319b7efcf1954812

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
944KB

MD5
ba028496dde05f60c41f7739304919c5

SHA1
461256fb1ea442917712c65657f4c112f2fb73ce

SHA256
303c646ad0e17c204efb64d6e60bd053b5b7701007bc340e22925e7ba1da83cb

SHA512
2c618abd2f23cbb40b873fe81946763d56ec1752addfb93ae4000065428c930938ea039e59465ba8fb89774720ba7c30d83833891411e2999dba0bfa653ac8c8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
836KB

MD5
a3fa90a24ed3ffd246d92ac89cc4f40f

SHA1
518a2c7d5afb19ae319a151b747d2322d28c86ff

SHA256
e4f502f6680b26210ffd74d1935287261b04593435d08c6b999f3f292a5e734f

SHA512
48cf0e863dc5937319f4d1fe22c675920ea1925ee6053d1129515e9e825b14dec9c8055653b53acd74ed607c952ca4d1ee37c154428ec0afc05919b5275e31b9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
889KB

MD5
f0249f9b0e1f0fde6d9c90d7150c4908

SHA1
d4dd861ecece91b7fa17390771c90ea4b657736c

SHA256
4e42f175cb0352372aa25feecedea00643600e344b124837442e08f4f76ec206

SHA512
f6aede0da2805b754b9152895dd29efec43ac09d78d5b97fbaaa40c6730f58270f76edca6225d5c0c70eec48892be2f0996fec74433eb76645f1c72ea9544787

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
685KB

MD5
9eccf91f5cf18044e54af25f1b1c4ed3

SHA1
8e350a61c4c4305a0b9f871b74edb9d0efaea9a1

SHA256
3957a061879c50fe8986a74614866377b6b77b88e8d6d272c8239131b731a202

SHA512
8b52caab9c37c0d8df51bdedaf0597d6103b00cd38f04c76fe9cef9c361c29b87f2116a5491ffa2b22558c11307d3916c27424cfe44cdca31d487b84902d2ea2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
260KB

MD5
b29fcaa1dd5972de83c604ba3426bbeb

SHA1
7bc7fa2cf2af67acb886665526c28b4b4870b304

SHA256
ce8ac1bfc52e91ae9f3b6121a8d231b3e5a72e40f7b90302501bc5f94377c543

SHA512
a7b0afc9011a93d99b124bd66f1fe706c01ed3258fb9eefe095ad85af370edfd0269aa5f27c993d1d2df5beabfec1dd489395647344db096b1d2569ecc93ef0b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
907KB

MD5
b1c3e99ceefa8999e730bcf2b9b0aa41

SHA1
179bd13aa798f0f01785bd34af74cda2d254e978

SHA256
ee92686b34af41539ece798af399e303b0aba91a0843904604684783d1841622

SHA512
e9dacfc8fbfee50973de199402a0e94af805cbe9abe9e24792294776347601086031c84c59f8b5d851748257bf6ed2ff605d55aa9c1709194d944c69d2c62a2d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
706KB

MD5
a28f8a6181f06065c2b0a47f1caa614c

SHA1
5213337a153f10dccd7663a9e109b6d109b2c7fb

SHA256
d25998b5bf23af9008221f012260e766f89df421f896eccb5e985c4fea54ed38

SHA512
cc7135846db1820fa9f15fa338468c67bf4a7eae287db495f677caacb55c86d0a23012c7920093ccdec8eea751307a0fbc2118d45904d6a4813af2b82eb886f9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
660KB

MD5
1fb31de488c21dfd3513aad925c48751

SHA1
3da5bfaf9f24207a7f5682d10077eb1406f0aa00

SHA256
8fc0fa55d5600eea4d0142361cf95e076df2ba6ed8ef2b4f6b9bee404eb14aac

SHA512
8f93bad8fbb65c5864dccef581653752241bab515436c09545d63e6f828b356c0fab2e8010ba37ae99c36b9552ed081f685e2736fb7979f45a3d797406e86553

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
570KB

MD5
463588ab723e285d2cab5f1461dfd4dd

SHA1
649438176aeb79627d2ef6d135dedf7a2ea868f3

SHA256
879c3fc19627b52e427af6ed301812bf7842846d1a52f9adecdb1b1e3ae1d837

SHA512
76c81489b8a0a41d74c7c0b00c5c70a5c27bf0059d610ec96081baa09d4e7ef488346c0b68886fa6c53e7ee908d77f3a536872dc1ec1562fc76b7032d489b2c5

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
626KB

MD5
ce99d10c0a3ebc327378fc06b2c9afaa

SHA1
63fd7bbf964751b0826069f9404087b25db00a92

SHA256
6447d19f3e50474f252c77c9a15e211efcc0138f8819c0ca07ed0d2c16fd812e

SHA512
1dfd1e95db15afb79a0fa39e4cb098a6f7a1864d32584087b86e3962c93e87ba446caa03549cee3b767211ee0f5a1dad7a71f1b8f535b5c844b1039315379ea0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
942KB

MD5
9783851051357ac139068158b41bde67

SHA1
87daf74e793dfd5dd37e4ecac362ff61ece9c6ad

SHA256
2b7f65554f8b42bd022802458d6bcce9af17f4b9257f63a7c4130dee8aa79dc9

SHA512
a8c4e3b8727c8c8dda01aa518cb2412030ccb87135d112c1f3bb323d2a2aff9ec875d61ecfd74f9e3b82ac739234e236388033cbb443e942c33fa52fcd755901

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
894KB

MD5
58aef181b85e0aa5ba113a3a94b45d40

SHA1
259822fc131c7732ab740d3558485518854acc00

SHA256
dc101c3c6684efebc76d91e2007ce5659847f5b0cf8c8adc61fe1f2119eceae2

SHA512
f303d051471307a3318c3213c32f54a9bebb4dd23fc3d464ea0bac7cc923bd988f1c814738bfdacc7a4bd40339bf300aba64537a94a67474d43e956e8d457a1c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
751KB

MD5
89df0eb4e68d18194c3da4aa481549a1

SHA1
3914ec69d494e4298c7d1cccd145b273c4361b96

SHA256
c075033537a2ee4836a59db7ca0d4b23fd5f8bb3d4f5f1e8b7660a8babdf2249

SHA512
1fab8c9482fa4785590fe8df642b418896df126257a80ef978378e00561135cc260765f8947a54cd3267383a5ca324827ff921d2571d812bba20def93bc6d903

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.1MB

MD5
8fe8ddf323085925835fbacf91dc5a12

SHA1
c5c4b9e895c78e3368bc7cafa2d402f3db512997

SHA256
afde9eb0d7914d0a303183cc548a7edab3997c0082d200ba87e4f79f2c4c9069

SHA512
89f833741eb8596222439a78ab80ca70c81f515c0e58bd675f04fb035b4f8700574e29ab79ae45b063b1825d7dab745b2d15a5bd1f5259e6790cca1c8e19de78

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
658KB

MD5
498ec6dc8145a4d9bbd6cd207c397c5e

SHA1
4aa5410129f3b5e63c324950308fd286f04262c2

SHA256
f62b161f72e1ab2e325ca1567ca3fbefacb8ab04824e50fdd01cfa2f736e6f2c

SHA512
2635aa6d0ede3f94498ad722b559168b154712082968bdb092be78411c209335c37de67f313d3647af5ef06acd5fa9c82f23497df4a26bbdb67be19148eaa81c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba867085de8c7cd19b321ab0a8349507

SHA1
e5a0ddcab782c559c39d58f41bf5ad3db3f01118

SHA256
2adaff5e81f0a4a7420d345b06a304aafa84d1afd6bda7aeb6adb95ee07f4e8c

SHA512
b1c02b6e57341143d22336988a15787b7f7590423913fcbc3085c8ae8eb2f673390b0b8e1163878367c8d8d2ee0e7ca8ed1d5a6573f887986f591fcababc2cfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bcaf436ee5fed204f08c14d7517436eb

SHA1
637817252f1e2ab00275cd5b5a285a22980295ff

SHA256
de776d807ae7f2e809af69746f85ea99e0771bbdaaed78a764a6035dabe7f120

SHA512
7e6cf2fdffdcf444f6ef4a50a6f9ef1dfb853301467e3f4784c9ee905c3bf159dc3ee9145d77dbf72637d5b99242525eb951b91c020e5f4e5cfcfd965443258c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
97ccf64d562e186fd420fcc553f49116

SHA1
874589b38499135d7303d213a7286609a1661b4c

SHA256
b66f714144423f9acf159ec24a3947560ab968647bb9a8b9e9af499cb6f053d7

SHA512
c5e231a3b8dd31e9b2cd2e54f9149fc8a07f1c6d44691980cae9534d85983e2b0b6d32e4568a78612f2dbbd58e544549e2921ee48428cfcd924b441bbbd9b702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6d2066c4f0cf303ad7569f196e67c6bd

SHA1
950276b833cd60d38fec12466af048615dcda634

SHA256
8c20356d380ece0e40a41fccc7aebf036a3bb8c019a91142d4ceb155402dd238

SHA512
313929c65902845b61c794a03869a25d7550a321c291d8bb5a39c981fc77a788397c584fab659d10a3fddd1152ae1b1fd404d4d1c0ea00a8537e3c68ff451ef1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d0da4e4b62db8c90c0f2cf6c5ced8313

SHA1
7b36ac682e9005ba1eb82dc6c6a3adbe1a22662a

SHA256
3103889587196f46bfd01597418be3a4dc5284b05f9cea6eb243e2fff04ddb86

SHA512
44bac832ff2151bb44b04a620c0b9ea53c481636488fedbef884d603e202f4d28167f55a48190c59945fbb9abf6d2187ef75f36f72acaad7532f92859522056e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
11KB

MD5
79d215b8d9c7b716fa98d0642d2e89d2

SHA1
dd6d5d1edd65969917318a41900ca4d338040799

SHA256
8bf24cf54b261a90d4bd69073ffd939bfd2e27536701f91eac1677f89478abcb

SHA512
da87cb9471289ceab697d7632d04fea59d56a88b8b2d6a62879ad91658414320321b2a55bbc9bbaa511d4aed43752421de3211c1c81f67a38be326e739fd746e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
2fb91939b346547745e33369650b7dc4

SHA1
9dfc1ebdd3dd93a2118b523f1da380dafd97353f

SHA256
5e80ec776500f073461a9278a77cfe35f7604e013a377ee9c7b9919314c05ff0

SHA512
2eb05af0e8272a533563e73890dc8587bb1af14734a6b3fb5355af602aa62dd58d57ddd62de072b847b5034c8f748730c0f4912583eb6caf0daacbe99641b950

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge_installer.log

Filesize
6KB

MD5
87eea3f69f1888f26a0e58e217565025

SHA1
1416839334b02362bd6f64a2d8a6f43c1e09bab8

SHA256
014a0a4892436030dbfbeb0a486caa7f5cd5c5a9a9c19f2f44809312e2c2cc95

SHA512
00a291760c3983528839952778ea58f036d79c14bd8ec1c73f3ba1b8c577cdb9adcb8c55094a221ab22cfe4698525389050d23003456489e21d1dd4bf6b33851

Download Submit
C:\Users\Admin\AppData\Roaming\9d75cb0d66ec4f27.bin

Filesize
12KB

MD5
5664d2b3aee169f41d5e0e49d0af2aa5

SHA1
00bfa6cfc8857555156fb3fdd092d81b2e818d50

SHA256
db1a60e2d08a4fe2d18c5c716263d3823f874b5dee7a5670677e3520fec67e49

SHA512
f9ee5e94bfe62e805b0a4e8d194cc751c4786645c88290f8f8322bc7cd141572af9f1955ded776ca4e4f3185391b0954b3c358519142a19fcfd016c155c72a6b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
237KB

MD5
9973a63f835e790e8943fe5c82cd1bb8

SHA1
6602cd4054ea936026c86966f86db78621baecff

SHA256
356cbfef6be1577e8f6df7e08fdb85657f2be0941c4d76359d781adf3f4dac95

SHA512
8b1715965163ba4df1ab92796f864a83cad0ffba6dc07a2ded613a0f1ebb781fdad53e98755661efb307e46fcc4ce68c9d5f7ee5c3e301af175ea5fc02ce57aa

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1KB

MD5
761b70aa7091080fabce53bac63480c3

SHA1
1e08f3a392cfc66559df0c75bbdfd270e2c65ebc

SHA256
8ed806c8cb3ddc46a55872ed38966689252325e75ba1061288d1c4ac1bb219e7

SHA512
524f750e4333ce518d56531e42816b0917a3f434ac7e3ee1d535b0c2902a66c5a6fbcf7267ee7ecddcac9eef9a60f31d8aadd6b6a8e26ddd79bf1b8346952abe

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
950KB

MD5
11b06c75838ad507a57d8dabca95d738

SHA1
74a002522050efc88fd5206370073c078e99fbd6

SHA256
e55cb3794e1e6b0831a740cd666f1a119ad9a386f537559d300571701765a1ce

SHA512
c964f85ed5f911d9088001a2ba58e88a5929127aea58f79c324d5e335e95a8a76d35dbd6f164159e0b4e37d4cb91ee5589c2636510c81837e0944c1587f9eb25

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
801KB

MD5
dc904d0c0bbf5d453c5cf878a5eb3a9d

SHA1
e3a39a28f42a83808135257d8f8bc3b330f34731

SHA256
66ad4d7444d801d3004864fe3b2796dc3598d9addb92497e5403262447f12028

SHA512
e8f6fc7cdf555bf79e902df35a7075c6f414a42d2f15686eadbdc807a5b0c8cc8fddae5a0a3b5be67fc2e178904e4a8466780b8ebeab3374b685cb7138dd5675

Download Submit
C:\Windows\System32\Locator.exe

Filesize
149KB

MD5
6eaa8e12c276f99664ab6abf6b1a14ec

SHA1
bd39981beb99cf04e9087fe8d880cd117cb19b57

SHA256
23af66c4781dcf4e6b159361c577aa90086efb8ce803ae55ef05407d39d71786

SHA512
c010f22f2cd4f233f2857794b47a2bc30060997e9e1139b5a676b1c8cf4427fefffd62b7eacdd261e677991a2d39a656cbe4b159c3f742868f19e204f9aadae2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
111KB

MD5
6272010debb0ae7d24ab8eababd6a029

SHA1
2547dcaddd4f163a2624ddf3906298e7a05fa1db

SHA256
66543d39a2d9aa897ad29373cbad4cff819a801073507082bfe9d51f8ed532a6

SHA512
808a4f715cf0b40376d536f4ef278738ef785cf95be17e496117fa66908166b01796653654dd7d4ef5a21f42ce8e8a744e4c9835753ce6b35e12b0d8db285eb4

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
136KB

MD5
899d50b97fdf0ce1f06c0c90699db645

SHA1
579a2ab0267275688a700a1c4170e737b824a032

SHA256
8835aebc6bfa588f265690f2f33088f0b0847a149947acaac81ea54039a8a4c6

SHA512
27bf9dc9e2c6bbbb126152544dc9b68509b92306a27b6a68218e80abe7de688d5b23ceb96cd5629ab624613757fb679a8551b0a8dd48b746076c809e1494405b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
135KB

MD5
9c1323feb2670be324f388d93dd9566c

SHA1
9d5dbb26097c2ceb47bba70186d5e41aa009d5de

SHA256
ca6baa6f0436dda86049838cf3156247067e6488595b2d2ee433cde52aa655e2

SHA512
1d1a96f09b00c40b9eff5c888be56f4a3f918914f5984611ad2d4cac506ace5bfdbb2c8a37171733f53901d6a1c9100f36d4dfbd8674aa36912cfe6e42e54f5b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
89KB

MD5
1414f573f56f006a7f1ad628fc448c02

SHA1
3e46bf87e5b8a7966833a28e5a5b80cba99ddb20

SHA256
a22f1380440c6a337fd605ff338ca67a38e85c1008d491f93496b14a465ee14b

SHA512
cc636927efb6130b6f63fef2b5a516798a0940cf0e50dff158b7e8fea78efa637b3d44abd658939b30a5f048381aacb02e604c293f8c2f4d8f2ff97c2b1e2f0f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
69KB

MD5
d219b386256b0da6efe4b4259b8151e0

SHA1
f8d896d712a7b3f73292db2f004bcc41754f0bd9

SHA256
60ffd0f7b136b0f6a6f47352c973dab9363b89f98594aa7de2e3422a7bf9f25b

SHA512
f378446dea2579ae6e69d1e27fbfb5cf3e583c6264e4d774912b5bb48aeaf38d431952b0d07da3e46f86c8f6d32561427bcaf4e157da7b3e70db1bad4670262a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
898KB

MD5
85c1d3cf857990217360a135a3d51c22

SHA1
804a5abe22cff54711d7a990b572a4d1af0058a4

SHA256
84ad5da976a89b4e971e284c850f6e70d4dbbfa7cb9fcecb075fade0a6944417

SHA512
de80054e68544da67dd5a5cb7b73a8eb19f4eb6e176e89b321964b16f847876f664b4d0c58388981b9dfa943cf262f0525423090b240954be59c31e60769eda5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
134KB

MD5
37fcc29162ed8ea45b8d643ca57391eb

SHA1
684065d67ed39f798264ba3b8d738fd9d1771638

SHA256
af2b722283435c24feb08991a16d254176bfaf40308f87ea661c4bbb4325b6ab

SHA512
2eebe028b2fe6bbb41832e71c062f40f29489d7de2bd6f0defcde6621d522df74fd5a888ea28e30baf0269deed10e46510419ca0044994e6e08be0bebc12ead0

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
185KB

MD5
e7aa9bdaae31f1c2f234268dbdf8f1a9

SHA1
dcc69b1773e9866fe4c6a538d400bdd32cc44257

SHA256
7fa2126e9363501aede797171e0c3fa3b8dcdc8a9244ef1898caed3bb632f5c1

SHA512
75cea067d4e723960f47302a57a69acd470a6b6b65e2d421e8817838ec5ebdcbe62cd7d0554c3a08036a8db7b2f7ce2a30febdd42b0f9f1ff8e7a64870026cbb

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
91KB

MD5
fce784470701a93131d5d891eed3174e

SHA1
de2e9371a09eb5224e5e563dc29177e347d44c48

SHA256
6429bfbf72fe88b213bbdab6d5895b157f6425d57b898f44651af3c925cc345e

SHA512
d5bd95de05241011e29831c5786e75504613d5b55080d62880d48e1ff0299da59e08ff6c2a508863edeff9c9df6340d092f5cb107a6948e945437a17954e17db

Download Submit
C:\Windows\System32\alg.exe

Filesize
401KB

MD5
b435b398ea8018768ca0a91d2449d398

SHA1
2574f3647cfaa40e31e08aa14ee9835062e8a6a9

SHA256
5eabbca28fec262fa8b69777031132e866b4663704230f8ed61cd399c338f9c1

SHA512
80ce1c8e1657828f1a674d4302c0a05740e31e4ddc29dfcd5349a22829283255663d29623a199756227308824d547ad4d413453f275e224b081dafcf04770185

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
274KB

MD5
956d1f4f3ab304b5ab44f3a6bec167ae

SHA1
a550b88ac011dd8507ee53838bef925fed43e2ee

SHA256
bff8e03f682ff18e1be4de866e31c98b5bba85bc61e5310edb5ce70d8686cbed

SHA512
aa36cdd6120f857d235c4e251dbece8c02c518932a34b87e8777e083c53bfb1c8bd877f9b091dcb329f5c1a80ac47f51c07e38bdd6cf68aefd01a8f388633e52

Download Submit
C:\Windows\System32\vds.exe

Filesize
156KB

MD5
bd5cbd2a7b238f99722e258c14c2b2a9

SHA1
39f9a7e5f6422fa0f6f9282037ab4dd74cedbb93

SHA256
2701b4592d41c583b1349ee850fc433b3702b08fbdca224812837d77aea477bf

SHA512
69622ddb0965438dc7d18d70fa6c1544d303770c43642b03ccac1e18d03e3a76b3c415a9ff47003974b79a5b5e844ef5fcbefbb36f439f92415c4d06e713f54c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
73KB

MD5
e077e67404d650d6fe7c87da073ae812

SHA1
8a297586f144b1bf5b2f028ee56856a9dcd1b588

SHA256
a1a854ca37d352980d5a54e62d4b259241103f4761516875adf6e86cb40732db

SHA512
dcb10b6e7d875db91c9f2d2e39fb8a51e156b0c65c57dd44139ed46e3660bb4ac9d374f5b759b63101ff439318deb992f7df923a334814a2aae3923252737b19

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
51KB

MD5
0ed6012cfff6a1b88d7b28fdc57e1e2c

SHA1
1450be8a6ea23e66fe091dfae972116aec821e82

SHA256
2dbd87d46189251cccd73ecc95ba3c84e491926fbe6c0336d73d5dac20875130

SHA512
cec2982895b875b2cbddbb836ec28d8baa7ddd8714699a0be449ef6f32b40d1482279bef624cc2bd530db7a8795090353a96d4bbfb77ff6dde552e96b8b8d729

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.0MB

MD5
460de67bb3c77883cad5735903f46fd5

SHA1
907bbb5fa49e7785ff3eb837aa10bc35baea3d26

SHA256
42064171c83279efdebdafa0f5520d28309cc89fc31b540a4aefe0a711390394

SHA512
f4592d4388dd0db1af65efac95f4fb2f104329b105cb24f1739221e9bd6314b3e8afb0a606a86771d2eacb2b94905cf5a0faa579d6bd318e39fdd100a61d8bd1

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
935KB

MD5
caf97a24184564230707be5db1acc1d6

SHA1
9e669784390636614d78b9dc572737db740dc3a8

SHA256
187f1bdee6931b9998a1a8bf66c01aa7631ee63bfd89554630148eb0d091d381

SHA512
e291072dda3be13a5d3eff3118988160bb6d2eb6ede3b8e2a7e4cca105e61befcb1480628868c201f86cc114649c246fe77fae8d9a0a661ee87e8ee5634c33a0

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1000KB

MD5
02139b20a8ba9b96bf2736bca22ac15a

SHA1
ef861d37ad6a2a5632bbc8c68083c1d496718b52

SHA256
72048f5a98189d92524a4995eda1f67832f2a6eb94f781df16b00cd6ba8023a3

SHA512
26db745f48ff534944428bc1d406df73e21b87380b6b9757cc60d046d9869b4202857117fa76a1d94f4dc65d10051eb5a214bed3c120618420cc3b878fb70ca8

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
02d3390310556fba6ac641dc60ca0da4

SHA1
e824fc806084f10202ae47ffe0d9717328789c10

SHA256
08e1aef2b462161d1f0377e6a67b1fe841150a366785db43ef5c1b272b116b72

SHA512
dcc9e967076794fa4aa7063ece10fefc99b85a6574dae820ab2449f79e6091b9670a41d66c1acc2854a57cebb6d0e4c04ebabe2f31010867c15efccd06c940ea

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.1MB

MD5
f70c826655964e7e429368b482d9ead8

SHA1
48f747ac64b83ec8e5601b90fa863a093a98f892

SHA256
d8b8e8a45690bb71debb0b6acc250bd33792ab7c8456bc446eafd7b35936f9e4

SHA512
f2003d16b549505c834731123d1ee95dfa6ca81cede496c10b08e4a47e3bf3b6115ab10d31276b82ff1b773013d941b0f4f9ee41e191f68fcaa8806156258e28

Download Submit
C:\odt\office2016setup.exe

Filesize
1.2MB

MD5
dc1c0e0751d0ebec98d8161600e75cfa

SHA1
b37c5751aff9a3bfbeb74aa1749427765694a3b4

SHA256
2bdd951bd642fc2b6605cde90a7f1126d94553e1ea6b43be0df45f45a0b07a51

SHA512
62b5f941a6d27556d905c01d6ba773117141a5bb55e5109739aa733228725715c816c0c8e0abadd65a4a7d980173893e8979b0b16ae83bba313bb545c83e7ebb

Download Submit
memory/452-190-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/452-264-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/516-114-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/516-124-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/516-189-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/516-119-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/740-336-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/740-270-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/740-277-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/1212-290-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/1212-282-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1212-296-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/1212-294-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1360-214-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/1360-156-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1360-149-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/1360-220-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1464-307-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1464-299-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1848-312-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1848-320-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2320-176-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2320-73-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2320-110-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2320-79-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2668-19-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/2668-125-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/2668-18-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2668-29-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2668-28-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2708-185-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2708-249-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/2708-179-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/2712-297-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/2712-232-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2712-224-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/2720-146-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/2720-52-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2720-46-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/2980-280-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2980-205-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2980-215-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/3336-24-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/3336-11-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/3336-115-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/3336-12-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/3476-310-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3476-238-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3476-250-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4116-201-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4116-194-0x0000000140000000-0x0000000140254000-memory.dmp

Filesize
2.3MB

Download
memory/4116-267-0x0000000140000000-0x0000000140254000-memory.dmp

Filesize
2.3MB

Download
memory/4464-39-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/4464-33-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4464-7-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4464-0-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4464-3-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/4552-165-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/4552-174-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/4552-231-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/4640-265-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4640-254-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/4640-324-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/4900-108-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4900-69-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4900-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4900-62-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4900-91-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/5088-141-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5088-147-0x0000000140000000-0x0000000140289000-memory.dmp

Filesize
2.5MB

Download
memory/5088-130-0x0000000140000000-0x0000000140289000-memory.dmp

Filesize
2.5MB

Download
memory/5088-129-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5136-332-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/5136-326-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5248-346-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/5248-337-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/5432-350-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download