5f78910a8f6b9927d2c175399a034383ea2b4c40d11b4253b7775ca748f1aa46

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2024, 10:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
Size

4.1MB
MD5

cedba9bf25b79119af56f4e2cf71fef8
SHA1

77e76dfd7aaedad2e048000157799dbbe8a541fa
SHA256

5f78910a8f6b9927d2c175399a034383ea2b4c40d11b4253b7775ca748f1aa46
SHA512

be764af6856d13380b244d7537d2257bd5269ce4d0be7147c859187b9af5b00cffac021911d662b68a45dfd9055afd20b4185ccc18f7a0ba3dd5d2f85238ed9b
SSDEEP

49152:r5Viqwo4KxghcyJLBaSbvviqMjfBV+TFZ1bBzP7n1Y8/17MVfw1QSXm+RFvTCr9C:rBfr+TFFqRlw6a+Kl2/V0cETQ/I

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1832	alg.exe
2340	DiagnosticsHub.StandardCollector.Service.exe
5368	fxssvc.exe
1028	elevation_service.exe
4956	elevation_service.exe
5472	maintenanceservice.exe
5312	msdtc.exe
6104	OSE.EXE
1716	PerceptionSimulationService.exe
1680	perfhost.exe
4472	locator.exe
4496	SensorDataService.exe
5184	snmptrap.exe
5820	spectrum.exe
3948	ssh-agent.exe
6040	TieringEngineService.exe
3324	AgentService.exe
5676	vds.exe
1128	vssvc.exe
1560	wbengine.exe
5436	WmiApSrv.exe
3216	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\19444ac84d74bb6b.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{BDAA48F7-DD30-440C-811E-DBC3EB54B114}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85453\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008c6c4397c455da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000676fe696c455da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b813797c455da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd6c2497c455da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad81f996c455da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000421ff796c455da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
4736	msedge.exe
4736	msedge.exe
3168	msedge.exe
3168	msedge.exe
5252	identity_helper.exe
5252	identity_helper.exe
912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4712	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
Token: SeAuditPrivilege	5368	fxssvc.exe
Token: SeRestorePrivilege	6040	TieringEngineService.exe
Token: SeManageVolumePrivilege	6040	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3324	AgentService.exe
Token: SeBackupPrivilege	1128	vssvc.exe
Token: SeRestorePrivilege	1128	vssvc.exe
Token: SeAuditPrivilege	1128	vssvc.exe
Token: SeBackupPrivilege	1560	wbengine.exe
Token: SeRestorePrivilege	1560	wbengine.exe
Token: SeSecurityPrivilege	1560	wbengine.exe
Token: 33	3216	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeDebugPrivilege	912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
Token: SeDebugPrivilege	912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
Token: SeDebugPrivilege	912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
Token: SeDebugPrivilege	912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
Token: SeDebugPrivilege	912	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
Token: SeDebugPrivilege	1832	alg.exe
Token: SeDebugPrivilege	1832	alg.exe
Token: SeDebugPrivilege	1832	alg.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 912	4712	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe	84
PID 4712 wrote to memory of 912	4712	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe	84
PID 4712 wrote to memory of 3168	4712	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe	87
PID 4712 wrote to memory of 3168	4712	2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe	87
PID 3168 wrote to memory of 2584	3168	msedge.exe	85
PID 3168 wrote to memory of 2584	3168	msedge.exe	85
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 5388	3168	msedge.exe	108
PID 3168 wrote to memory of 4736	3168	msedge.exe	90
PID 3168 wrote to memory of 4736	3168	msedge.exe	90
PID 3168 wrote to memory of 5000	3168	msedge.exe	89
PID 3168 wrote to memory of 5000	3168	msedge.exe	89
PID 3168 wrote to memory of 5000	3168	msedge.exe	89
PID 3168 wrote to memory of 5000	3168	msedge.exe	89
PID 3168 wrote to memory of 5000	3168	msedge.exe	89
PID 3168 wrote to memory of 5000	3168	msedge.exe	89
PID 3168 wrote to memory of 5000	3168	msedge.exe	89
PID 3168 wrote to memory of 5000	3168	msedge.exe	89
PID 3168 wrote to memory of 5000	3168	msedge.exe	89
PID 3168 wrote to memory of 5000	3168	msedge.exe	89
PID 3168 wrote to memory of 5000	3168	msedge.exe	89
PID 3168 wrote to memory of 5000	3168	msedge.exe	89
PID 3168 wrote to memory of 5000	3168	msedge.exe	89
PID 3168 wrote to memory of 5000	3168	msedge.exe	89
PID 3168 wrote to memory of 5000	3168	msedge.exe	89
PID 3168 wrote to memory of 5000	3168	msedge.exe	89

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Users\Admin\AppData\Local\Temp\2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 --annotation=exe=C:\Users\Admin\AppData\Local\Temp\2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.73 --initial-client-data=0x284,0x288,0x294,0x290,0x298,0x140315460,0x140315470,0x140315480
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3168
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,4823331884572352807,7861710126086203748,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
    3⤵
    PID:5000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,4823331884572352807,7861710126086203748,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4823331884572352807,7861710126086203748,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
    3⤵
    PID:2452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4823331884572352807,7861710126086203748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
    3⤵
    PID:3804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,4823331884572352807,7861710126086203748,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
    3⤵
    PID:5388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4823331884572352807,7861710126086203748,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3020 /prefetch:1
    3⤵
    PID:1336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4823331884572352807,7861710126086203748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
    3⤵
    PID:5004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4823331884572352807,7861710126086203748,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
    3⤵
    PID:5556
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4823331884572352807,7861710126086203748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
    3⤵
    PID:2672
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,4823331884572352807,7861710126086203748,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5252
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    PID:2744
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,4823331884572352807,7861710126086203748,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 /prefetch:8
    3⤵
    PID:5952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4823331884572352807,7861710126086203748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4272 /prefetch:1
    3⤵
    PID:4604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,4823331884572352807,7861710126086203748,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3792 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc458346f8,0x7ffc45834708,0x7ffc45834718
1⤵
PID:2584

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2340

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3556

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2024

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4956

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5472

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5312

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:6104

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1716

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4472

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4496

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1680

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5368

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5184

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:6040

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5676

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5436

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3216
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:64
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:4444

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5492

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3948

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5820

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff79ec55460,0x7ff79ec55470,0x7ff79ec55480
1⤵
PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
130KB

MD5
e2a4d2e1107870c0de145ce2c21cc9e1

SHA1
ccebf08cd2c954d5aa8d3012b3e62496ebd84e4d

SHA256
a9e9c91739a805199f9dd7a747eede750d8ac6a9b32ba514e15c0ebe5ae52ee6

SHA512
e07cd646e3dc361e27460e742f3eda454b15eb07c014ef7b0dcaa2828e3b7969dac1d24911db8a10883e7d64dd89319e9fb822bb8215e7c0568bc0ea1777dbb2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
149KB

MD5
9383be5630164b976de05cd2a9aae34d

SHA1
c14cc3be806a6d39f4956ca6d073345826a62123

SHA256
3be853c2d00da53474a9927f3af101b07d43b60cce561901dbb598d6e47d1537

SHA512
4be9579b28f5152e9c44d7e2648db37a65531a65a4a0a4a2024f5017244b00ddfc698ddf0b68bc26887177b2fe7983fb10c3ef2360f12a0cca1e9b7308ac46fb

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
1f9bd22c15322283d4d0addb1f3b2c6d

SHA1
173a1cf2294ef9d224e68e7ab13b76be8bce020e

SHA256
09108fb4c1b3320af942ce028e843cc810202e11d3a071203353a0beff7152f6

SHA512
f1dc649e945583e0c46e735cfbdf06071ba8365a3bdeb429c6572830f5f58834361d65b854ca165f8b264790255c98026bde5ea32906ea9c72721a7a1c676eac

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
b007d1666c3edda2f166631fa2443291

SHA1
e315b941e6f4803e24e6924cbc734c7d350ba50d

SHA256
aadfc8b9463a7ac0fff75de0abbae6822a03dc64ded677fff358b321be9655e5

SHA512
10e3f93dc9c5cb5ab985875bd42cbccad1c5af79bb579e6444754955d29ba924276d2f0f3f867022ba360a777ff5e6cd52587706c5e042b2380428d9fa94c071

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
189e914af5c383c9a41b597edb696051

SHA1
7aa23477acc0f84840c6970bd6c30fac91d5b4c6

SHA256
41338962b460f57dd1a6f539dae1e57a5554324a14f4a6c7cda6dd5fd8d314ae

SHA512
17e106075e78eb12af47b288ab99ced3dc7c6d98292f369b9517b8c380408bd9ac8d4ba3db2426578f2678b0b36afcc4b56490397bb0b1ac0856f201894eea76

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
720KB

MD5
b3fef821795e73e181fe8942e97d4302

SHA1
1fd5677b555664f4de87fbf9578ed20f8f8fc13e

SHA256
f25398ca3d461b69ac10439e9ad883f0a3b10dd1a18a1245515bb903bb0cfa0c

SHA512
ef47885b27c63b968bd919424690bab2ae007c6b988a31c2cd071bbc5f1b1ff1809b4505a899e23331d69d5b60e48a3c82afa1a120fd8280ff419ecab8e1e72a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.3MB

MD5
ee571fd2b403c68166dc34f6d301e811

SHA1
96c1d15e4f300c4c9681df642288e6c96ec31311

SHA256
8d2c798d7c1abb7d657c017573354d4540db4686bd9fdf7c9246b12392195592

SHA512
5b449cd38ce086da429e99b9db8d0e3f4df947e2a4bde864141c5836632fec4e319ebdd2e981b0cefcbe054ade665a574a743d9109b356c31e1f96be01341bbe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.6MB

MD5
bfe41df0b156bdb9b8f10dd59a30aee0

SHA1
da1c2820b7b9d6aaf5a022e9b8a3fc236b3266e4

SHA256
e17e9bdabd739bc57d445aa09f0344034aadbb9e2fe54a629c747388cec171d3

SHA512
4d3ebe9958cd824b915ab65eac3befd4fd3003f2cf5b86a44d13c854e43a4a024a7d261faf79cc3db2c36c89e618dc8d1d0fc19340562ec6f4f5269b68dc4f44

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
bce8059ecbc6f309c12d0493169ec2f7

SHA1
f83a81015101cd04d56ffed15e7024a2d544dfdc

SHA256
1fa7d7221e8c3420dd2ad1e7106972c12f3640af115685e20b492f069d529bfe

SHA512
d25159cdc783d2fe85aba322591907f9f207bdd16c490208aeb3d695d853d35770ac26b1f64344e7e6be7a404fcf750ae1e6603e60644cb89cba9fd6d5781f58

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
790KB

MD5
9d00bb1e067e7306b5e749ec4ed708a0

SHA1
84d9d446f57573104331ac3640c0cd3424c715ec

SHA256
86f32205d18a5298457d875bb911c97a9b88a27a96336d4baf8a3b4fc88c5c33

SHA512
5ebe4c5da0584fcd33a4d4f9224c8d11178831056f04d80ffd28b15faac3f325d1f84dc989cdbb6b9faff67ab2630e4dc2b2d9d205753f19ff2a390070304516

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
937KB

MD5
b4edcf98df24a8562c85e75363255776

SHA1
f5cc6c4dfe81dc4e2f0fa3d1b4ae1a979cc879de

SHA256
01b5856d81abe02d10964308abebad256cb96399255900f83ca542b80e4c10d1

SHA512
c7c5be01772eeb8b3438c8a48bbb898488fa006ab56ed391a38fa5d6b6b906df85c748f4a4dca0476e826d9000ea29019a81170ba005ca12af469b0927ced349

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7e9d4c97320adb1c01efacbc1e1a5ec4

SHA1
c1ad81f806778f0dbef42bf72200ec010ffbedb1

SHA256
2416be6bcb6021bda024e9da7006b37a1e0b0255af03fd3875135adca703e7e9

SHA512
e989982aee35037871409f6dc3ec68f2a7329590ad39d7ddc32a374f9a65260cbf469c5964c92c191a62ceb1e0312793f46b85b9c638c11b9c346c39e16a9571

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
5b00d8409ed8200fb546505dc8654bf6

SHA1
2c6a81609b50746f4abc833ade0414e7abcd63d2

SHA256
f8bd0a1b36fae3cbdb4ed0af064dd79537edbb0d8658fbfa6ae46fb03a04420d

SHA512
b9f0d2be2fca030c1c279a0524703e8e8ea4bd828c24a0ec17a90239b75dc72e80ed259c77ce528aa7724ca091c6d49e91b0eaf626de109791020689ded87505

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
107KB

MD5
87ccf99f5fda31623b52351e05f6ef17

SHA1
bdb94a5eadfe1ed65445430ba6ce055c28965210

SHA256
673bd916ca3a1bdbd6ddb50d4dda7bf5e6429d4022aab875fb4db814296d91c5

SHA512
e171ab790bd8b7fd55c358241cde21de40558fe4605c520ae4abaa5ff71af0112100ecbac4f8502b7bca4c4a7da7efdbc7949ce478e3f3373de2d2377a73cc70

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.4MB

MD5
37f2ec399301bb62358fb6e8cf3e67a6

SHA1
105d67015004d8aa9703e76bff19ce86a8c25c3a

SHA256
f03e7868bbac8c5786def68908335c7ea0028487c3d57b8dba3660c2dbb82ef7

SHA512
7b8236b3849163e302ba83ae2c2955aec8a217e98955225b96d09f35a464fe880c1ccf9039d2592777fb84313b2a6df1df8eab91b9521a090f3b2f5a019bdabb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
46395404267b4b804339eba23548521d

SHA1
7122f33ffdfc63de7f57f0c46d6098551744a5df

SHA256
be604205c67068b2d56e8e348ea950ec3b70de80cac1a066a6f43ed64351baf6

SHA512
4b9b0aa86a5bcd0761479a19f16228b9562d31a2367dd1b50f5c9bffba1904709cb50e9106bdb378ff6c050d1a022d0c3f8e1a26e0c197999d86162ea51b5240

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
7238f947a27938e8c70b2b9e8b98de6a

SHA1
40ccef17905cb1b07be8a740c0703717d1357090

SHA256
b3efb192d2062373413852204071f39a202a372cda36f1f5b51d3c525f4fec3c

SHA512
6b1f16b78690609692de2fc86cacc9ccc2c338b90f15cc1ae073a45e65f95ee793b917615a5a4a57ae21d869321fe7daddaa3a948c706c11dc1de40ea54236fd

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
028f6f1f1f884ddef638ecd9a9de1243

SHA1
f7d3e5bea5d4be80ac65f7ecb3ea33388563734f

SHA256
5413d52594e0ea3395fb3c875b29a186f34454274ee0fb70f3204b07c5387984

SHA512
246eff7de187492f08df7cd0dcafa0407dd704500a1e123011daa0d9d0027362386126b6c1ca0a9e7da0c06dee80830df5a9ea88f7d04c5ac43841ea420291d2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
228KB

MD5
15b82c8eb715fd25714012634349d5b2

SHA1
6b3b60303b222da933423c6d7d1d804ded9fdcaa

SHA256
98a12db71420b1a57a797325c535fc28b4ff6504d693e643184d4f5047141fe3

SHA512
b749f0e5525fb23f08feb62bb6d8acac538151356ced2e2da087dcad7dd8204b3409a90a8dd8ed7c3bbca60d662f727827787794ec2bb0e277b695b0ad14943c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.4MB

MD5
cfa0e6060593ad470cc7c6bac3dc3b9c

SHA1
4a33e2e8d9bd79a016a6627f5e8fad415b027e52

SHA256
48e6a4c22516f35da99cbb0da7f14da5f4fff55aa40463a283eecafddd4af4aa

SHA512
2b90231911c7f0fd88d7416e8563b356052cfc4b0cdef10ed390282a6beb94f599d7bb07b3ba0a692b05bc75ccd11be25696f1d65f89c88ba549bd7c53cfd170

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
464bf2b72b7d9f58344fb2a11349db98

SHA1
cdd382b88441fd5e20299f8648a9baf471b7c926

SHA256
c8747f4ec9b154a64b331f1dff98a853b60847afa13687275278ccbc8048b59d

SHA512
590338a7af4b9e90fe7f2d6a952376964b48f5801627beb37f87e197ad6d4afe55a7486195e8efb651552fc3d813d7cf698b5bbe83260d7f861dbe44023d5513

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.3MB

MD5
8a862ff92f643f0220fb830e064c8d16

SHA1
acd03c9a1bb746d861ee9f7ea82fe7428b4857f7

SHA256
489ef8edff39f0361b61bf0fe76419932cc41ff87daab4c515882bb0768255d3

SHA512
532504aac66ee1e0cf87e89c957d38555034cf76b248c5b5fd27077201cd059b53df42ee5e06784f751baa6204d3b3cda7aebd3616cc3d93e30b783418a809ed

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
550KB

MD5
ca005454a7e7ed4db95c97a9ae079309

SHA1
3b0de87c3508a477b1c090c5076158f684f66799

SHA256
ad6a701b7bccba13f6d9812f428264c65556f13f0942abee942eb672a868ee31

SHA512
4e85f050b0673b2daf87d5cd7386983120b6bffe46bf14f78c2a08ed816caaa5cd97f7fd1e1a7509b302d16ac7ab0429e99a3eb38e4278426f42ad421ab86fe1

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
fffa101282993c0d89eb83f176fe5882

SHA1
168eda956a66aae42bc60924e3e156ec73b4f068

SHA256
6380b7aa0331b0361bee7fd0791fce435b01014cff1c878dfce76058c1b91a2b

SHA512
df38a406a0145956a72fd38b348bf797bc6128a0a76bba2be8ce6120f0ae7747751fd16f25dab22ee1f5f4d38c044f1c244bedbaf00467147caed1f06bb8b4ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
12f5ea17522d20f57cfc7ed287507d1c

SHA1
683a34647d67a7f0db4b48c8e5ab2bd96b1ae58b

SHA256
25fe9a74a26f05364d78e4fef7962b5509f562c825da977bf6ee46a31e2392cb

SHA512
6ba3e8a3b7eb2fbd8edf13571a7a430b334dc86527eb4368ba3b8c2e7bcd24073cca99677ddffa633643046536bf7c7516076a9018f7b3c7c63a9f2a26de67c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e71d66ce903fcba6050e4b99b624fa7

SHA1
139d274762405b422eab698da8cc85f405922de5

SHA256
53b34e24e3fbb6a7f473192fc4dec2ae668974494f5636f0359b6ca27d7c65e3

SHA512
17e2f1400000dd6c54c8dc067b31bcb0a3111e44a9d2c5c779f484a51ada92d88f5b6e6847270faae8ff881117b7ceaaf8dfe9df427cbb8d9449ceacd0480388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
00c5725670b5b0910dd999b4fd933191

SHA1
92d607f1dff5a50540d5e094ce618c34502bfc72

SHA256
a034f846d5a047305f32dd7648c65889cc77e0cb8bf0055f2867371c1097b856

SHA512
a648e894b72c003691ee0f8ff2eb1beedee4ec361f4b7b6b0f5ad7e09e3d4a3b3a93835772c29c0d4cfd36c8546c88367fb129632d0887ecb2f020b13869c3a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
37527c592bd7df2eda4d1562aa9dc858

SHA1
0ba9dec15c5a4522a268fecab64702ca62eb91d9

SHA256
e2b0f1969d24a2fe798f38d42349fc35b44f0b0d46995402c1e5b0a2dffa377c

SHA512
265b1b157a0e336f16029fec724715c395dfcffc7aa7323abb8345136ed594b9976d9baceedf9be74a6e2b14ea6f3759d3858ec6ab09f6d969b4e350f6f6986d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8e0afb1aade72e24fd5aa7b91fcc4b93

SHA1
c9bbea41f65a321aee6b9856afeb2b1a3b2bc5a5

SHA256
7a2652bc9c3fe72a190a20e92d5c4b23e07b0e43e3083d85e93446f3df558bbd

SHA512
51267742a0e809262aba3594f6ab50c846dcb009be06bd23a9073b8d68957bf2a3f161a3104686894af8785658a4cd9bbe44001863e2abfacec2759add29eeb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
1b1b142e24215f033793d1311e24f6e6

SHA1
74e23cffbf03f3f0c430e6f4481e740c55a48587

SHA256
3dca3ec65d1f4109c6b66a1a47b2477afaf8d15306a523f297283da0eccbe8b1

SHA512
a569385710e3a0dc0d6366476c457927a847a2b2298c839e423c485f7dcce2468a58d20133f6dc81913056fb579957e67f63cf1e20b910d61816210447cd1f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
aea46a346cc36400f381414efae618e5

SHA1
0c641bf339eebf6960db1a6541ae53bfc758187a

SHA256
9f8c0703cc21e4d3c054e10712cf6b67e3c14646724e3a63b87077e3cee81196

SHA512
8a2336016aadae999968c9879e27fd4b5e9a5e355268ffaceeace479523ef25e21778dd271391cc1f82a7df6668454a41dd0095a33b96fbccd3df81fff708cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge_installer.log

Filesize
6KB

MD5
789b63c64e945d45c387a5822ec8347f

SHA1
12b5637241cd0a3410dd8832da1153fd69372e0c

SHA256
0e1f6eff8cff400fd38063076098d7529ceb71aa13534d0fb0848bd8b83d7270

SHA512
4ba25d3f4360eb489a4b8ca5c1f5c7f02ce8381f050d4d92a6bb0129854709511ba23a03eb05800727097d2634642b60a626ceb7c6b2e5e2403eecc7cc03745e

Download Submit
C:\Users\Admin\AppData\Roaming\19444ac84d74bb6b.bin

Filesize
12KB

MD5
581b1c40265ddc237c01a75bf88119d3

SHA1
5c1efe15cfeb1c2a4e2075fd7059959275192f12

SHA256
2740df4f3f9dabd1122313af887a95e1915c79be663cc165d95715378c8a53b8

SHA512
7b78b242800027607a895091df9792366a323e1be28d83c4c654153f1d7e6732f93948822b6ee1d74bef2f0268ec8ffb4b0c1239c0ebfc31bba3d55779dcf167

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
bb63e3e3a897a4ed23896203dcb362d9

SHA1
3bd17c1a3137deb1f48e36b043f6e2ca051da924

SHA256
7e3e2bf73a00059ac18ff38229f4fd60d837e27d43d6c14a477dace05040ef1f

SHA512
30c8960d3a238e32a969bcd5140c6447736573a891e8221d7a25c0ea67ee4bf66aeb55241b268d1e0b31fb9dfdb14309e57a8ac980a67e4a07a78c6b850ca2eb

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
308KB

MD5
46be019cc8c5b59aa4a2857da6d76311

SHA1
91f1f961ed5c2b4aa1cd37648a4ce332bb37dac0

SHA256
e84e3be2299170e99d792ea9f3f6b2823879abb7387cce444ae1484477d70e1c

SHA512
d4cbbbd14d186382f4a45c2c8be71494ddc17928f37ebe9e3c1e52d2c46a68d0189a7f9ff9199d20c0f9b05956a69480d420a5a0c948abe18f109e11e787dfe1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
5KB

MD5
3627888209ed080ac649471d682b8bba

SHA1
62a2c3c537ed5f72f7e24ed444232c3fc628764b

SHA256
a8cc3cff2c5709da83b6bcac460556358bc5f9fa012bcff488d8bfb41b75391a

SHA512
5ff4126fc5931de63b271c5d06f639de9006da4215ee85bfff20e37e0c18222c55c6d5cb86879aa82a9225054ef17dc26aa8d3d6f20270a3b5b64b9610e2460b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
865KB

MD5
8350370f3a276d66d252f33571ed39ea

SHA1
fe9ba2675ab9a757f5c2c66b6c950197184aa555

SHA256
a2c5ba2dba0eb4eb2acfdd0bc739041d9d287d56a2b2b601f314825ddae3487f

SHA512
cd01a8c5762fa9284fb3c508eb10a6261d3e83d5be87095e55fffd085ed8a328a22710f99f791586dd4f459f3d97d997576c5aef1d8baa1ccd808c2c138ef883

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
418KB

MD5
5fe1bb9113f0573e6539bb323e64e839

SHA1
545e665296edf3d3bc176f669bb4d99251d00dd3

SHA256
74cf2aa543f3c794adde5e4311aa294d3105d24c39b37302cb0a15eb6c3c9ad9

SHA512
ed7c42407b6eb0258b23c9e0d313cac081df86921980d88db66005473a0d12ac2f5bcdb345c729ef434983e3ba2c906c4ee0e1a5aabab12bef0cc44b38ad6926

Download Submit
C:\Windows\System32\Locator.exe

Filesize
257KB

MD5
19b8e2ab6eebf64ae9bb8da53022789d

SHA1
ac1655462753bc6837111ba8eb6dbde0f8aebe53

SHA256
bf2b0f348d29aef0a21286703b4bbe810bf0766ea0716041cae0d28b75b88e00

SHA512
8f83c9e8b54ce066c95a592483d370d01091673b9783c602edbb4440630734ca472921e7ad88251d701cb455993be48a09351d260fc0f1b40e23103bcb9af470

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1KB

MD5
41b0919ec80e408bbfd8f3b6f11904cc

SHA1
e1ca0e811f93f427011b68babe2488eefcdbc2d2

SHA256
1f29813de80a743c022a2bd9e4c0d300e990a94a854b048cee0aa64a86469a33

SHA512
fde9f3532970980a6583a5d319fb335141b87b2faa3fc3203ee2413ca3af6b188a7a68b416c4191522a8a05c2172ce64142b44f5c7993ce662a7fac1e9dbd858

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
194KB

MD5
0c17c47e673dde89649790e0444b7415

SHA1
09246c2d1d15257d483d52bc1e892c5b34888858

SHA256
2a3bbb59eca7e54f6c7a3579d3835d924cd48cb1d0412f6f43da574950182969

SHA512
4519281d5e120256c52986a59d4fa94605a545525f964b2ccab69b1a53a17079fbf00f7ac2e9126fdc63dc6ba7bb3e559bf98711fb45abdac3fc72d3165d1783

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1KB

MD5
5cc772186cbdd234e31edf493060cca0

SHA1
2573bb4ceac8ce7322a767065b5c2f2dfa649243

SHA256
e6b60336cea388477cbda6d72cc984b5010d5b8f88a611c86068a4cba2bbe9db

SHA512
2f4847af6723f1d030d7a5e7cc789743515eaf651770812faf599e92d746393ab390fbb1bf4c749bc6db8519386b77c6d1c94b085412e0f4055e17c3ee52d7a9

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
52KB

MD5
15a3897fe635fe62f80eaef22ab5a397

SHA1
e052fad65dd2be268bd33c53468b4a79a36e4f03

SHA256
c153441ad674757320717c208b9eff3167200ae39f9c6e55be9296d7dceddcef

SHA512
e9e4660dc2919a7838fa6b4713350111cccd8cb8cd7f98f5c642b5a91ce2a1d46ba8df495b76ea68bc6d22efb88df740e4a5bad6c14c46b16fd9849b96cb769f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
274KB

MD5
f2faa25970225d4106d0409f19024dc4

SHA1
e8385b2c4f4c19e204515c404dcdf4a20c698f9c

SHA256
f33efec9b0fe7667fdb8bf0c971ececf31f3210c64536bd47336465079086981

SHA512
475ee48f9466ef39298e53d7cc86f7236ede1d015510ed376e2ab41271ebe2c5e8d28ef3336e3e032db8388d283057e3a25c480ba83dfc481d7f6c4af789ce21

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
773KB

MD5
bc22e8778c551bf3e6a16f2bbb05f931

SHA1
fdff26b4f9110495c32a6bf41fc6b0fb33b9cc50

SHA256
be62a0bc6fd23850dfc2f3ff3b2fa0158c35a563a6860c3d63c8fe226aa34a62

SHA512
434b37d7f24fc435e8a4d40ace400b687ca42ae89f5a7d4d58e00fb2858e3d610db3e9cf3469a92d035733186ca366f9cb4876c0914666fe1ab6b4222bfce1f3

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
101KB

MD5
e547c8f07c8be99c555b2ee7126e455f

SHA1
b08f23791d19b83393c2646a2b9ddbe214d927a1

SHA256
10fd09e34d2350c064efa2b130c25213ac0417c8892695c7873e672cef1e5b1d

SHA512
7cc34b940c8bed3dba38563dd5c1a6b4a0e60f8a860441a945f0ac40f630faab1f4fc23818d8da600da472b4c04e271afad1a4d868d3b6a1fe1d2cdf95c502df

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
205KB

MD5
f6e414724823fcf8c56930074795d224

SHA1
5ae5fe99bc62fe9e685495c011f271ad60cd15d4

SHA256
23f186e2caf1f7cc3f47055a25e5310ce0e1bfaee3f11d614dbdc144dd357787

SHA512
7f225e25518cce15d6aaf8c534a34a8ab121c092dd2413f4b3260f90d97329bc8e129bf5bc54119a9155fad8ea9dd0ac7d643e8ba2dc66f1c2c25010835b72e4

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
39KB

MD5
802eb094b4299c15dea2c8c0f4f6477f

SHA1
09c6e8c3399b1d5ee4cddb8df5d0348848332d22

SHA256
dc0e4b1e29745c84834098a58fa2cf7b6a54cb9763300447b9f4d09b5d07dc65

SHA512
c5fbd64ec946513df16731ae1f728c2c02783601cf5e49c0a1491752b26f436d413d71318246af991d53b4c6c6848c31163510acff2b6a85609f0196ecfcd17b

Download Submit
C:\Windows\System32\alg.exe

Filesize
310KB

MD5
11f03d468c30884edeff142d3ca3fbad

SHA1
db0082ad5dd717f5522ddd523f3eca63f151eb3f

SHA256
e03fc701d9f1d7c5c7ae2dd00f001b4f321ab003316a1dddd77eb7a47f03807e

SHA512
ac7820c40440a711755e0cf3bce50b46e92b26db6ebad97a44b4a7dd982eaabf919a0405c2d60f30ff4c9fe5454fc67cf85d09c64075311addb09c69cf625c9e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
142KB

MD5
b3a1cecda6c9fa5d1ecc65095949f358

SHA1
68116cdc54cb07ea2694077bc983c893a517bb8f

SHA256
278a7e26beff8d5c26f86fb60c2edad4bd34d2bd68842d53caba60a56bd60cb6

SHA512
f2da080a180ea96f495058478448e4c13e5ec3a0fe435a914a60868f62e1877a5373f027ba55a3b5d3f3c19ff87f9a9245734958dd122e50db75afe7a54d6777

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
33KB

MD5
0877b9f39ea5c60e037ea0bf862f3817

SHA1
515b149fc84ac540e5e34fa7d57a7ff7be834210

SHA256
0dac3c965664e1360d0d97aad3ea20c416b6ae7af7d9710f6e8886401ef12e47

SHA512
23f21f6ed14c689c14e61aafa985cfe34f1ab299e9dedbbbd54d8beb40f3a77a72bee7285c3655dbed117fbfa2cb4895bc61ceaf493167404e36a6c8ebc017dc

Download Submit
C:\Windows\System32\vds.exe

Filesize
115KB

MD5
ff36cf7f2452018e3099c3a276e66cbe

SHA1
e04bb1f4736aaf868fdfcd0a0307e28068a82d3f

SHA256
51030bc812dc514c799bb4258b41994e95e75b001286da068ce5740d9042b681

SHA512
50ea255d9b6e13010729866126d3954e97ce7bc8f0797ad9abbabcc85c72247ffeff999309ea16dd5d24e3751366dff79c62c6d30ff62b1dda9a020635d5314a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
168KB

MD5
097f580a13f4807a05dfac9fbd992328

SHA1
5bfb132f87fcdfb0da30cdfde930edb9ee417d3b

SHA256
df95701ce8b65a2ef1f640fe28bdb9debbbbde41e3db3331297e217150f59b89

SHA512
7736de6f916955819f4fabcc284efe5a74941099015b444cbfb72215056ed5fb27ed834dbfc861e00f268fc44392239343216ae0df4072b4cc9193c782b94445

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
59KB

MD5
6f4ff6ac6a75a60ee029545c91564c5a

SHA1
a6c8bc973db9227c2aaf8562862bb9e70fd7c7bd

SHA256
4e33e3a38a2cbfa612750e3d91a52c049c95b67d787d95288cd2b75473fd68b1

SHA512
a0ad3ce46838b1e81bfa11a7d56cf041d07164651fb89d558d5190e79a1e1bc86bbfebb36bc81ae8b07d3aa154ad1b4053867a5e4da80ea9f0e17ae46793ae24

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
808KB

MD5
19b56a1068ae13e61789ce65103b1964

SHA1
c01552e14a33476ce90780b8746a7885de1a055f

SHA256
13f459da65f1386fd27d3afba63397b036efc8ff50eca763d07dabb46d44b335

SHA512
02d3b6e73aaa5e7bb8fd8bfe8400882853e385ae67bbb3b4581638871d8800a19319efc88515f9a6fd106f87aea09a9587a834be3f51173ae436e45697f5b845

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
da79aa8b74ffa5f173c80f6048f6471c

SHA1
7cb8f1e9d6772c307b5dba1421a539f43602ef73

SHA256
20f3a1a065eae3a1cab50c1854778ccdf903d0c9b07b547cd3fa31e18d127c9e

SHA512
d0697972d3542f333354f7d83dc3ba0f659e6f3e84c37a1f73925aaa65eaf9c18e0f0c703d2a757f32c07c57a3559593ccd527eed9b3ab7e5854a26b6a0d2e5f

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
661KB

MD5
08f80cffae4c5d9eb585e03683c2d220

SHA1
3a701d33f2a9165633bb7035d071c0f38ce82c36

SHA256
abdb7f41b339828199dc5485c47b0c96d504aa8595d0a6517af11c3430d36bfa

SHA512
c51f29ea49f4a4604ba55f33d27a3395f2afd5cfae5c8b3a430587892e6a346379e6b25c4d7fd914b15d28b4d8e7d7a0e8ea1ad612b532e46eb2eb2eb65ef016

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
494KB

MD5
f63ae6fa40ff8d1f1ba5db9cc393a45f

SHA1
cd9bd6719dcd0b15cc0247a287d2e4dd273eb276

SHA256
f3be035b546d2a26770ec6b8174ba5f3b4b016eb3667868dd1d34583705363dc

SHA512
0f3cea4da62e61976f181c968c168843abaa63451fda673261fdd6510fd1ceee85bf5801f9a9f6983a08f191f68eede9af5292e3f81e2bfe991eae8a71eab80f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
995KB

MD5
4ad30272b81d422d0ba14fc213b50c3e

SHA1
e8a187fbf7c903e78e307503fd92e100adcf492f

SHA256
ea01c8ae857aef5a28297875c660ba53459a740e450f160dc7c2098081c61fc7

SHA512
d9e4c4fe0e229f026db23b23fc80924bd2440b0475a85548c1a2a278f5b0958971ceacd9d3179aaa428f74cb1d990e40e270078bcb3500a669bc7b5d9988182d

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
8824195bc015684c2c30f64e9d3c1872

SHA1
06ec0fbbf845fa07a4b43d1a810308c01ee8d89c

SHA256
2ad328a95b511ac1a40304c87765c4148d9b94e2ff9f66cec7cf7f918fd54f42

SHA512
2f0aaaa8f3fa3daa00b273153bf1add84deb5b1dd96099d80b9fbb51ff4c5e3ce758d5ddb8928171f5fae0955fa40177dceb1072c376a8849801db760720f26e

Download Submit
memory/912-19-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/912-12-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/912-116-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/1028-98-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1028-106-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1028-99-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1028-179-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1128-309-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1128-318-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/1560-324-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1560-331-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1680-263-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1680-191-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1716-246-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1716-181-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1716-186-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1832-129-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/1832-30-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1832-25-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/1832-31-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1832-22-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2340-52-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2340-46-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2340-148-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3216-348-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3216-357-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3324-293-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3324-290-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3324-283-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3948-253-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3948-321-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3948-264-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4472-266-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4472-204-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4472-195-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4496-206-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4496-218-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4496-281-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4712-32-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/4712-0-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/4712-7-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/4712-40-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/4712-4-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/4956-190-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4956-118-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4956-124-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4956-115-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5184-222-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/5184-233-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/5184-296-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/5312-149-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5312-214-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5312-157-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/5368-108-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/5368-111-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5368-80-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/5368-67-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/5368-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5436-337-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/5436-343-0x0000000000650000-0x00000000006B0000-memory.dmp

Filesize
384KB

Download
memory/5472-132-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/5472-137-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/5472-146-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/5472-145-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/5472-128-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/5676-305-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/5676-298-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5820-308-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5820-247-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/5820-237-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/6040-335-0x0000000140000000-0x00000001401A2000-memory.dmp

Filesize
1.6MB

Download
memory/6040-268-0x0000000140000000-0x00000001401A2000-memory.dmp

Filesize
1.6MB

Download
memory/6040-275-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/6104-173-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/6104-166-0x0000000140000000-0x000000014018F000-memory.dmp

Filesize
1.6MB

Download
memory/6104-231-0x0000000140000000-0x000000014018F000-memory.dmp

Filesize
1.6MB

Download