9b64b610c493568260b981d8efbca0baadfd0b2dba81c7f9901fade5594f6675

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 10:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
Size

4.1MB
MD5

5e1985d4bb3e321dc10db63bdc2e7f20
SHA1

eb3f8c770d1962aaa9e3a5f4e6b4fefdc04948e4
SHA256

9b64b610c493568260b981d8efbca0baadfd0b2dba81c7f9901fade5594f6675
SHA512

8c14f6db79b69b03a8959cec997d67b07d70d54da5c305a4b0ca95b948e1cca9d65aae4b0eac865879c29f2f3abf874779fb0b675e1cfe94c9c3048a5bd75de2
SSDEEP

49152:F5Viqwo4KxghcyJLBaSbvviqMjfBV+TFZ1bBzP7n1Y8/17MVfw1QSXm+RFvTCr90:FBfr+TFFqRlw6a+ZfEkKK90

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4220	alg.exe
2712	DiagnosticsHub.StandardCollector.Service.exe
3280	fxssvc.exe
4824	elevation_service.exe
4872	elevation_service.exe
3912	maintenanceservice.exe
684	msdtc.exe
3504	OSE.EXE
4700	PerceptionSimulationService.exe
908	perfhost.exe
4800	locator.exe
1392	SensorDataService.exe
3252	snmptrap.exe
2280	spectrum.exe
5260	ssh-agent.exe
5412	TieringEngineService.exe
5680	AgentService.exe
6032	vds.exe
6124	vssvc.exe
5476	wbengine.exe
5768	WmiApSrv.exe
6068	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\16a7c51974f8f84a.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{01C6D80E-08BA-4005-BBC7-FA9D9019DC00}\chrome_installer.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000974f00d31193da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000009dccbd21193da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000084837ad21193da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a3f6aed21193da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003add1ad31193da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cf09c2d21193da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b0477fd21193da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3bc94d21193da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f01f78d21193da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
404	msedge.exe
404	msedge.exe
1912	msedge.exe
1912	msedge.exe
5516	identity_helper.exe
5516	identity_helper.exe
1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3344	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
Token: SeAuditPrivilege	3280	fxssvc.exe
Token: SeRestorePrivilege	5412	TieringEngineService.exe
Token: SeManageVolumePrivilege	5412	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5680	AgentService.exe
Token: SeBackupPrivilege	6124	vssvc.exe
Token: SeRestorePrivilege	6124	vssvc.exe
Token: SeAuditPrivilege	6124	vssvc.exe
Token: SeBackupPrivilege	5476	wbengine.exe
Token: SeRestorePrivilege	5476	wbengine.exe
Token: SeSecurityPrivilege	5476	wbengine.exe
Token: 33	6068	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	6068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6068	SearchIndexer.exe
Token: SeDebugPrivilege	1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
Token: SeDebugPrivilege	1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
Token: SeDebugPrivilege	1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
Token: SeDebugPrivilege	1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
Token: SeDebugPrivilege	1016	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
Token: SeDebugPrivilege	4220	alg.exe
Token: SeDebugPrivilege	4220	alg.exe
Token: SeDebugPrivilege	4220	alg.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe
1912	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3344 wrote to memory of 1016	3344	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe	87
PID 3344 wrote to memory of 1016	3344	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe	87
PID 3344 wrote to memory of 1912	3344	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe	89
PID 3344 wrote to memory of 1912	3344	2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe	89
PID 1912 wrote to memory of 1596	1912	msedge.exe	90
PID 1912 wrote to memory of 1596	1912	msedge.exe	90
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 2668	1912	msedge.exe	94
PID 1912 wrote to memory of 404	1912	msedge.exe	95
PID 1912 wrote to memory of 404	1912	msedge.exe	95
PID 1912 wrote to memory of 2292	1912	msedge.exe	96
PID 1912 wrote to memory of 2292	1912	msedge.exe	96
PID 1912 wrote to memory of 2292	1912	msedge.exe	96
PID 1912 wrote to memory of 2292	1912	msedge.exe	96
PID 1912 wrote to memory of 2292	1912	msedge.exe	96
PID 1912 wrote to memory of 2292	1912	msedge.exe	96
PID 1912 wrote to memory of 2292	1912	msedge.exe	96
PID 1912 wrote to memory of 2292	1912	msedge.exe	96
PID 1912 wrote to memory of 2292	1912	msedge.exe	96
PID 1912 wrote to memory of 2292	1912	msedge.exe	96
PID 1912 wrote to memory of 2292	1912	msedge.exe	96
PID 1912 wrote to memory of 2292	1912	msedge.exe	96
PID 1912 wrote to memory of 2292	1912	msedge.exe	96
PID 1912 wrote to memory of 2292	1912	msedge.exe	96
PID 1912 wrote to memory of 2292	1912	msedge.exe	96
PID 1912 wrote to memory of 2292	1912	msedge.exe	96

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3344
- C:\Users\Admin\AppData\Local\Temp\2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 --annotation=exe=C:\Users\Admin\AppData\Local\Temp\2024-04-20_5e1985d4bb3e321dc10db63bdc2e7f20_ryuk.exe --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.73 --initial-client-data=0x284,0x288,0x294,0x290,0x298,0x140315460,0x140315470,0x140315480
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe901646f8,0x7ffe90164708,0x7ffe90164718
    3⤵
    PID:1596
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,4559467377727565803,13853664922038252156,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
    3⤵
    PID:2668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,4559467377727565803,13853664922038252156,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,4559467377727565803,13853664922038252156,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
    3⤵
    PID:2292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,4559467377727565803,13853664922038252156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
    3⤵
    PID:2092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,4559467377727565803,13853664922038252156,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
    3⤵
    PID:1200
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,4559467377727565803,13853664922038252156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
    3⤵
    PID:212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,4559467377727565803,13853664922038252156,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
    3⤵
    PID:544
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,4559467377727565803,13853664922038252156,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3588 /prefetch:8
    3⤵
    PID:5500
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,4559467377727565803,13853664922038252156,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3588 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5516
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    PID:5640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff75ea35460,0x7ff75ea35470,0x7ff75ea35480
      4⤵
      PID:5696
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,4559467377727565803,13853664922038252156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
    3⤵
    PID:5784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,4559467377727565803,13853664922038252156,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
    3⤵
    PID:5792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,4559467377727565803,13853664922038252156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
    3⤵
    PID:5600
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,4559467377727565803,13853664922038252156,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1688 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4284

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2040

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3380

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:212

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4872

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3912

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:684

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3504

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4700

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:908

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4800

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1392

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3252

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2280

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5288

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5412

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5680

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:6032

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6124

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5476

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5768

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6068
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5252
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d49c7269d60960254349c972cd72e87e

SHA1
0f42fba380c44fa2c1ca9ee8204536e6a3708a46

SHA256
8adac9edb5d93c4c2361c1031a58091192351e46d04312606f978739ad08b320

SHA512
555cf4537fcb1153295eacf9dfd820c06497ff834ecee2b2f3914bedac2ce76a52fd5bb8e77b1383d1f1450548ba33d192d51fa41b338748ea3242a8584d8a92

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
af932c2598612fba7e48eb383fa9c5d5

SHA1
db768d1befdecb26ce9a6e9ca5ad53dbcdff270c

SHA256
be47ce0b64cf3a2fe7014f286b3389c2e753a1bb561b3df92a9159fded4d15aa

SHA512
2d7e3592e1ea0462ebb73758a24fe43b0c1681dc780b9e77c281c40d2b831555cb9b9de79b2fdc74f73a51ad1fbc5ec275234828e515c5a47b77261664fceff8

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
51e7f2104ec3fe0c9a03e971a22925b2

SHA1
e7bc1f13e1b09a7e5ed5d3e8739fa5a51b6e66c9

SHA256
96b5a4ee7081a9bd3615663773d334bae22c4610366145909ec84f411cbd7a6f

SHA512
0b12e1d9743dbbc0770227c60a66db873dbf4c43149c9721e89ea2c72eeb964126496b9fc984aeb10153e1d7df4d7c65022f72c2804a3343d9ea9b0438b8bfc5

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
3792045b70ba13f8d882cdd3d83182ec

SHA1
bde81d11b9bc45075137333286fbc0e9aadba3b8

SHA256
1300265b0ccd9af7201e87f4a5777087be54cddbd1abcad2636dc8d5bfa082c4

SHA512
9a7b1e2b7b58a92b3f0b57a95649414e9d739f3b9167e33b1f202f8258921d1d6132d2bfbad36fa1f1183f17b3ea725c0358cdc395dbe62b53543989d2158dd7

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
fdb5d5cfc796ee3c380ca90b61d3c86f

SHA1
ed48234228dfbe8e81325f7cbef85b44642ce6cd

SHA256
90a6658b902536eb1e8f1ce620bc073a4d8131707ec892e75d052083f7946d3e

SHA512
ddfa96db7519943806e4fdacf6a8960fbf2436cc0190ac0f52722a67df518bb47289fb739a455c670c2801d4f8b32b262f83f5f4d38f4f2f28174e473f85ec6e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
c81f491c4f67fff88e2dde54012b1a14

SHA1
a0a213eecc11e3a3abc1241cd1495acb189c0e16

SHA256
0657694029eb5ee9b71e460cd5601d5175bc8c8cd24e0d5dff747eb596b77504

SHA512
ed63a6c9c0a45af4a15c2ca3e0ea4861d137983b565150a93a4053c949ee38496d6042733708185d0726adc3fad52f44db342f5569d8b86eac3e728cd8fba9ce

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
44723cbe0d8adde2f32a3d1cceb3ee74

SHA1
52707eba65c5d688f395b88aa29ecaf897bd37ce

SHA256
815a1e17977f24da45e8235c5964c9fc229c680bb44f4ce156ebca92d0e2c5ed

SHA512
7c99a2f16a63b2a5e9823a29d855a5ed41855cda2bbf25a822f42b1858bcf1719d1e1675e9b0680bcc5af22ef236e75a0f5d24e8977c974a89524d3617bc3326

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
0779c05c7383bdec9c6af6d21b655871

SHA1
fb10134dba1fa5b57f3678290f3ceb636f0942b7

SHA256
d4d3f8c0a7d5fa987b551c4930dcdaa7ee988972a48c1d67aa15ab7ece747190

SHA512
6f3a366e849164d7bc346ddf11a5f5c25eab18be23ef542f741b2e815f08ceb138c06073ecb086c64728db4e14bb43247e20bd84c41680d5ef9c13b90f1dd12f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
70992e51f4d211080d97deab7e651039

SHA1
565f2970356ae1ab6cc2078b2b4fff82f6ddc9fc

SHA256
97964657e11f2b947b1cde9caaed05ec2b0156734fe1a043e8479f120d11a879

SHA512
00f4ed2faa21658ff70f5ef838165994b41e5d6bce0f2bbadc84a6466e100001b3955c9fd177103bf968825c14c935be2959138883e1bb2d08625b85caed8bb7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
435afc3bbed75b7eb5ce38fe98b40f79

SHA1
d43eb47b9cae85a5c4ade3513361d30d24550509

SHA256
e2df9d80640b5ffef88511783620a47b811aeab94067ddaf9b99c635ee33cda6

SHA512
de6d91b31af17b17ff174b3ea835e391a464f3d45769be9b7e52b7d699e8f0a915783b2acfeca9b5bb39f080d6b4ae517401514960c5d106c33dc95a4b7bb3dd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
34944200cac3de85896cb3a113e21af9

SHA1
776764c0f72380574ffa593c87d7089a60d299d6

SHA256
4402e7863df3811879bedab6464c1768c7bd90f608f97e4dc8636a2e2e8cde4e

SHA512
ce702626aed1b9c871d9242447b797b1a87e71c9268acb2f87612ff8ad81d44c905def17767e07752c7dcb3bb7cc698744fcd3226689369f143c197302f32d3b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
889a76ff73935ea0b11d7417a76cdfc9

SHA1
d507cc5083f7000688f036ce585244cda3c071a8

SHA256
431e70a9bb3d67fe917f225a184049c4d2825da1397c6a5a256e6de0da1f5a69

SHA512
16899776ce715e44689c1c1a29394a69a880ac2c5a5cb54abb79fd7f7ad53857d6c2f912cf6fea3b2b6c890a2055df7b983760195ebad492b8dea9f977d279b3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
722957159ef947bae6006baa07f71129

SHA1
a2c0e121e78ea96e73b108f590426eb29e3f8e85

SHA256
2f6aa43b57fb8d4a22afef462de698833abe152a46ed66ab96dd2120a9c43f13

SHA512
c6832112d16067493731cda86b3498cd5ec168e398c5f93f54406182bb8c255568b18a61920e095a2a9f2fd90c5daca8cd7cf3404b46560af69b0ddb7f5b7c99

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
baee741959dcc1e8c36d76640df517d9

SHA1
e6320128057ef67c6255386ec8de2eda2605f2c1

SHA256
1a666e1c7c640b971a9ebe3507814dbaa77472bcea0566f89649fcd66120fd6f

SHA512
65efa93cc917b193d78385678907c480bcbe81d7b0a7dcfd778dedeb5bc86f0bad5d62f61c60e363969e05d130e6de53ca260f98ad67339cdf93633b9c98204c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
d0eaf1b65c5f80ceca0f84432e11ed27

SHA1
0d017386ccca7f82c265cfa06f12e9410aabfcb7

SHA256
b32e6ede81e074c592b27b6befca29996565d70149421ef5740f874d51070590

SHA512
e5a712834353ad7f6db5849e06399be63759368b5ee390e4e5c85cd6f789b96b32d5569019bc2d0b3d885f6ced1bf8b1432ca663b7e28d01d93cbd2aea8e6b4b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
0c00b76bea5ac4c6144e4136dad70212

SHA1
272e946c74a981c6eedbd3956ec78d0b7c1fc12f

SHA256
c6fc8e0b543dd2d292565defac3c30e7b8996ddf8d0be0df602adadb6d5ed9c7

SHA512
ae97482470d4fc3bce0404e488cf4be7a1ddb636b8dfd289d9498e21f84dbefbc93a278f8ef2ef61107ee5aed470cdb307c7b95d7c2234c893f10e02ead59a5c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
97ee332a5e15fef8f6c117690c243589

SHA1
38aa83a97aa60d8e4e35395ad1884df8bd4a5b8b

SHA256
cda6e689c60ce30f15b7abd436a905dc2567406977c97f6b91a0ea4ecaa6fa60

SHA512
6d1e069020107287873f10db3e14f2cfac853523fd937a047895e4f4c255f8a93c8bda77d403af546b134ce6267370febe1cfbc9290dd03aaf39f51eae3c451b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
921cd925a4d8571b0d9848923a2b83eb

SHA1
5dce82c5221cb93cd9be63772a44c18a510ed474

SHA256
329a26f2931395008dd557f91494215edd45ef8597b03f52c9252331d5b51c8c

SHA512
d807b90aa4649c21131841afaaa94afd0f8a361c66f1411c8d7206751673ff5a3387d1e3044243c24693afbe0a42be066c0cb168c4cf39c5bb368fd2d4310e5d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
f567b90ff51fb4d04243a371ba426ccf

SHA1
7e7d39c634a47244b87b5c90bd4739cf8f65767f

SHA256
d31a6766edba45f53a2a9d73b35901601035684c3b677285c277980096b8736a

SHA512
bec1cd0f8b84a494af551a690c335fa459c6c82447b5329174db8aa558104e1763232be87dab11a6e38c110292681bc8a897edb9d72439d60afc3555f46dd744

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
9e8bec88ea341fb68f38a868f7e0384c

SHA1
1aac8e7ea6025af08cbb7fedebe01246d86362f6

SHA256
6751b147b79dcc217b7905507bf5041011159f8afa82d4455f48ed8bedd1d7fc

SHA512
03dce1cd10fa2eadb14b65da6d35a3ca63481fde063ddf4c5852eb4e4ab78220f600792d29b35775aba690c446245deee23c250f87076a453c9a50228a21a145

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
5778c4deb60f9ca0dcbec2b3a40c3646

SHA1
2019ed2ab4316a204f9dbdb924fd600c99407418

SHA256
9c3c0cc8d78cdd016d16553d1f2ef63f15b341c1dddb410a52ede324b75ce29e

SHA512
504f232c9f040e36248023667a69a8339a48ecbbfb7ebc6355d1c78d42789e50adf39d0c13bd6d96bc28b962f956afbdf6b8384e9ad09fd672849479e1aa2bda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb138796dbfb37877fcae3430bb1e2a7

SHA1
82bb82178c07530e42eca6caf3178d66527558bc

SHA256
50c55ba7baeebe1fa4573118edbca59010d659ea42761148618fb3af8a1c9bdd

SHA512
287471cccbe33e08015d6fc35e0bcdca0ec79bebc3a58f6a340b7747b5b2257b33651574bc83ed529aef2ba94be6e68968e59d2a8ef5f733dce9df6404ad7cc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a9519bc058003dbea34765176083739e

SHA1
ef49b8790219eaddbdacb7fc97d3d05433b8575c

SHA256
e034683bc434a09f5d0293cb786e6a3943b902614f9211d42bed47759164d38b

SHA512
a1b67ccf313173c560ead25671c64de65e3e2599251926e33ce8399fde682fce5cb20f36ee330fcd8bb8f7a9c00ef432da56c9b02dfd7d3f02865f390c342b53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cfe9a48bfe9b62dcfc7e7edfaac6cd43

SHA1
8c3be1927e5e6a675de567597ec9b2864720a357

SHA256
4d90fa983520ab6978a8b0f32942d598e43e4a8468ef765bf09d79e172d2f8e4

SHA512
4edb026830e718b37b3015a8ab34087407362abddd9dcb6e790ed1f20ee82f2d32eafac7214c215c1c1cd51c1f5286f9f87ab33914c624c1c2cfea40b651e8f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1dd0b51858953a90bb65338fb5af4484

SHA1
a67c1ac5a7bcf991ac810b466bdf0ebefd4e93bb

SHA256
6e6c88c0aa442d756e2cabd0c9be49baa8a5ecfdddab4820af6b913aa77c1975

SHA512
8bd2090423b06cd8e431a8be7d27df05a2f27649ab31f8959754603e6924dddaf4af7690b8ed068b051e6c6c584b953945f05e5b0a6e407e27d3a82d78aa1ca7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
fa9b58a4c7d71b015d15f679298e0066

SHA1
962e0ee96d5b9a17149d29d5edc15627801201f0

SHA256
8abc3711dc0d6f21137610c4f39f11c5c253a2b93cf82ba683fe094df24a5fc7

SHA512
ebfca8f9565ba11b18565b4bc9dda47659b8660938361dbb16ad228fb07fc2d9d733875b24cffa5627db185491fbdfe80ec12882e93cecf37ea00040717f07a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge_installer.log

Filesize
6KB

MD5
c0aaa7f3a32120c4339bac8bce910f8d

SHA1
cd8871495adc680f2997ef0bf767a039be3ef26e

SHA256
e0f7812555a53d9a6a449edf7b92b75e9071bd12273f77382d6c71a5e7299e1c

SHA512
5394ccf590f646ab15a87fd331779b104038f6ae3df95029bbc016f19a01c81f7e85db6b1b6229751de936f4fe8a2a6ea4f2b505fa39dbd60f84ba2e34d09aad

Download Submit
C:\Users\Admin\AppData\Roaming\16a7c51974f8f84a.bin

Filesize
12KB

MD5
e23a3db7a34b59cd730613dae97f2552

SHA1
f607cdb775306fbac11b2fc51178ce34815fd703

SHA256
b41bdfec7b66dc161f2efaacc3a43cf1922955c682bbe4e3c568341b0f923e6a

SHA512
3ed5950584853cce5358ed038a89dabd3a982cfdb58bc55ebdad2ac6459271fa6a09d7b0230ab18ea636ed3eb3f4f696f7617e34ea55bf364a8be4e7f9aeb9b1

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
8c7851b13c913dc7cf857e576ff95901

SHA1
92075c0f9cda185bae7c99fdc6b3882b9f6803de

SHA256
f8128d33728412228a75631940988acfee5822d46bf3205c0d67a12acaf09f64

SHA512
0e317c592b6a673b2d26dda3167f8ad1a37c95f856951141d028f0fa5168129057141a580835a17fe7161a9505e07f37df1f09843700934167e8adcdb20f4e6f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
a9299a5dee01f260808a1906732ab0b1

SHA1
f4deb6f01b0e598f7e9d5b616dcbff9dcdde7775

SHA256
f484ea39f9fe9dca21fd64f6c739c2bb4ca2197ecb5eda8f4924483e8bfb4808

SHA512
8d6fef9847ca4616073b69fee80e0f1447aaa8225ba3cf8f8c49b651482b5240c4876082f38558715fbca6e47b84dc0d10985c52c8d2baffc21c22de768ff9f2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
81cfe8f1a6730dbc5c39606e0c78c44c

SHA1
68459dab13f50ea8ee7582acdd79ebbe2839a4cd

SHA256
86deb33fa8144489fe85451f0d604ae223b3927b556aeb0fae75c798c78c7104

SHA512
0a3eb9ce164661c43a938b0ce21e2adb5333a42282d01955c083a9d25a59650ac51e4c2e9052687a13390c766302996eaa0486fbe084880c5ac3c5c9db988219

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
b4906fa9f0e72775ea2062819a777575

SHA1
50c6f6ef9953790863eb81e7eea277f46ecba5c5

SHA256
daa082d870be8f674b3b75511508dd1c581b80eb34a1c223090caeb63d94b1e8

SHA512
576cba1b945ae1e812eb2fdeae873e3e0d027d4788e7a654a4bba2ffc539bad099bdb2d32b25847d0750a3d9e9de4069ede0625dbed1eb459032fd4263a72ba4

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
3cd171d74ef5f6706fd6d94d3d384de7

SHA1
3a7b7a19428440846e6fadc554d01a0f27ad0e11

SHA256
b99df29c19fd55f4c28c47048dcf19fb5be28de726eaad8d6a7380edb5b24849

SHA512
3f814bc4e794e1b36603da0733e372e4ac4d1c33ae8a2e794dc8e15344280fa56c04a00d9ad0df41f81b43a38b86705bfd7e668287cd21c5b6201febc7524c14

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
ec274f0b1bd4b832c7167e4247d88a29

SHA1
a7ef9bcb975faf30badddce84e3e22a852ad306c

SHA256
328a6875875948921ee012c1fe087e71542fb20c4d90d2ddf5cc17160f9584bf

SHA512
a9d42b334f3631988698d44268e3449aa7b7bed6c1f4e9b8cd75add9ebfb938d625723d70a035749bd70e73b17292e6d32c5df75934ed08dc896f369e86b7a79

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
f44b495e90d14bf9ec5015357a581e46

SHA1
d6ae5550c45af84cc170fd3fcb149eabbbe930b1

SHA256
e83ef952c2d34224cab7992bf0f2db370c3a683e2f6ebf6971072b8e06e9ee5e

SHA512
43fa8f1bf6583d49953e37cccd84d59b52b01963c87d23b6e43c993d29b7171a8ba87b72168a6be6c6a2a6560b715af5388ceb3fd74f8ccafd7f7665ff6df6c7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
2bc87ce5864d89bb9eea56ba7796bbf7

SHA1
833df64fb04a0cda27100c700562743d4592cf96

SHA256
9b37f094f720e5d4726bf1d33359df0b2cb0c70362cafb1b8c50742530940645

SHA512
a26d8695519eaf6dc51058124d85af83382aeb42f5604b42ef03d2200c559e1f0d119af0f49e58d261afbcd7b86b7c69b6b78d474db35adbb42a9b6967bf92ff

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e0ae04d9c4f6b2854e272b59f4e22e07

SHA1
32d7c33fd00e1bcd47f05d36f2a17a31c9e3af2d

SHA256
d63d30bd05495a4f2d632b06856a7398a711924bad3430434dae33801b17152c

SHA512
c615e61bf0e6bcb2ea1c6baa55af0e180d39b6450de5f5c595a2819b47c690d80e1a68715eed83c694635be95df8db6965e33dbd98a3f00c9e175b48e7f4704a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7f29036a3af0c6f2d730449e54d7f513

SHA1
a654b883245c03ffff034abcf7436ed449991e27

SHA256
9f698d4232d97e273b5a1b665c8604865a9182212ae9769ce44b145296faf932

SHA512
8b3b287af831b9d740389a5528876b45fee13472f69f5a5faae4782d526d1faef8eab0bb54bdcbc8407c82720d9df5848785e76da7b20666a814b8749a48be60

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
17abadb795b3b9edd2d945071b71ae4d

SHA1
1aacface878fe0b6c7feba6c675f5ca539e3f15e

SHA256
7f9af4a040f1be89e39d3cdd4edc2127937e1128b5114d0a0d9b95e86612ae12

SHA512
ae27b438ee0716641fee812b4246acaec289a10550e8bfe243802a0d9af6a9945afd7bc1eccf821d78e66eb42a79c72fe034f7caa470ad4b51c66e5fd5355e91

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
bebabbb0a37823964fcd12eae069fae8

SHA1
162f4bfcab596e2251cadedd8ccd8b197e0127a8

SHA256
ce39b91231559c43f04ca341000362bedb07eb00dbbefeee16f1b04afe71c2a9

SHA512
18a1f48610473ae7cd8fb5a90486cc79ee6cbfbf7e8474cd05ea0772ba247f6745110c7257b432664c5907fc930e098acbd9c9e8152838ff5a3a84505a7e9ed2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c4adb5a87142444bd5bd25dad69ad69f

SHA1
79f99212239bdef47505aa140ff509fbe6a560aa

SHA256
c4739a86eae6682b7dabeb83810189b815eafc36fb06992b29ea574ed70cb00b

SHA512
e01cfb4a3ecfa327bd4fbe54bd4f95d9d1df2d154dd5f00622eb442f575347e85f10f26f7f94fbe6ebfbe8b85e49b6137b4fc051176c09512f1218c824a13705

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
1008fb3eb2076fe38b887a0e4e4e9d97

SHA1
610a065fef6da690155f0823c1a770e27dcac439

SHA256
20c24c0c94727d546ea57bbd255ffb46944c17a47fbde962d679547cfef1c7a4

SHA512
74122ecf2d1eca9db9d227347b3183be907902631645e5062e4628f160ff9d355f688b55a9916f1ea527cfb0431092558b0db1447dc18272aaf277d42a6e9f62

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
745897a0781899c173e72b505bcf6638

SHA1
a01c8439fc72591215292c8c0c89bb77eb5b6ded

SHA256
d6b033d2bd3fd8b321f9a1c64955aa990bbaa7c1af6c39db2d625e08c9674d9a

SHA512
7e12029c8fbff8a650b2c9336b29489f16f4459bd076302123bebe6cc34387bab20c812eb7205e84fcd6e9b002ff2dbb892ecb1b4572fd481cc87bb192bb1ff0

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
1f0b73a07636344baadc38f10598d2b3

SHA1
b4ca5a3416366c3dfea20821b2d81458a90aae96

SHA256
957db279b0bc025548c6765a84953c824c8bb6ddf82406b5f28a85d9bab0f4ef

SHA512
295c9a327bdff3011f39ddd888d05048474ee553db003decf99215589b971e81b19bee47b97f34889d19cad6adb2a394f2c9b9d92d56c0081eed1250d78fadcf

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
48a1e97ba449332061517473a1f8d4e1

SHA1
c495904fbb47b1f11bfda8d772160f9679dc6e97

SHA256
f83284b845417884cee83e93fd7b95e33eb85f2397bae6259fd1f393fe204a42

SHA512
06204be93c35e4cbfc7631145211d3026c1377f8c24e0f021125a2cc6ab88aea9e1b865929e0ee888be4e9bfb4c3193b7fe6351add468a78940e6783764258d9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
db491ded8162fb2913d4555183da858e

SHA1
860a707eab9055194815b5ecd8b4bffe2e831fa8

SHA256
02795e0c1c6ca7606138ecf13648b29790798978f1cca7d01710164bd5c656fd

SHA512
7a5ec530c1519915613e3a43518ab10ba9d68f6ed29ed2e59c94c1bc813bf6b1681f7d5c70396952641d17944495152a8059f66dc5561de4ef37313d1aa47693

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6d21191b0c40f66c4f904e722e27597f

SHA1
49df93c8866acfa2f56d83a0f566a81aa7274bd6

SHA256
66973680e6844e6ce4c8b5ce6da66f5d2e65747a63dd836d1c3e6021eee7b7a3

SHA512
69fb07991ca433b7456993b9cbebbf602c22e0550960bdb29f87acd001d1ba29ee453e5719088b61a303816f73b49de23fccb70eb7efb60d93270bf9aab345d0

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
0639901476ef98d3a7d1399b96801cee

SHA1
b0e79f9e0733c48c9aff7c07c7b3854d36107e60

SHA256
0cf34b59af40254d8752f7cca78ea787e77a36ec8efc65ea881441af43b6005a

SHA512
2cf8cf1b291ac878d7b4a749c407025a77190a3c13f73f8d8bcc8a0fed9067f0d4315e4d0973bf3a7c6633e25656a89aff0621179fc90c54ea6a4fbcc3fb06f0

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
bfb1a65edff5f62a7ffc5df5f0091ea1

SHA1
6da2e0eb726e0a48a9ebf4487b0596cc0c235896

SHA256
20b7b1c03e79205f829ed7a667abd9ac761b14430b026662abbc8c654d5d4875

SHA512
efb5fb865768fa1926b409f9e575608f8078d539f463c4ae9dfe3973671c56bdfe50c4e335fd7e11f10e75418aeaf572aab99a5abb42f1c9a794ffde82a31d0d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
d0e578a805fd49fc3afc5bf8ffc10e84

SHA1
48b10f9ba607f0580e7cb21df4ee7e87acba3ec7

SHA256
174ce05a0b980cb836e2944720b518c2baac67389c7a5ded697bb356dddcb272

SHA512
aca8dae0faf8331192da9399dff14f3c63767462efcf6db728a3947adc6bce4225bb754a4a08009d08a29dea1bbbfc3d00fd9f2d9e8302832b44a4e8b62f5c5f

Download Submit
memory/684-144-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/684-136-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/684-208-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/908-185-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/908-249-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1016-104-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/1016-12-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/1016-23-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1392-278-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1392-200-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1392-209-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2280-237-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/2280-315-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2280-228-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2712-44-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2712-56-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2712-46-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2712-135-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3252-303-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3252-214-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3252-223-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/3280-65-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3280-66-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3280-98-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3280-94-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3280-84-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3344-36-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/3344-27-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3344-0-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3344-1-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/3344-7-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3504-156-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/3504-226-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/3504-149-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3504-221-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3912-133-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3912-119-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3912-132-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3912-118-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3912-127-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4220-107-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4220-18-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4220-20-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4220-37-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4700-170-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4700-180-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4700-235-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4800-254-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4800-189-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4800-195-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4824-168-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4824-89-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4824-88-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4824-99-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4872-103-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4872-109-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4872-112-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4872-183-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5260-243-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/5260-328-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/5260-251-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/5412-270-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/5412-342-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/5412-257-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/5476-331-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5476-337-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/5680-280-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5680-300-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/5680-292-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/5680-299-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5768-345-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5768-350-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/6032-312-0x0000000000B00000-0x0000000000B60000-memory.dmp

Filesize
384KB

Download
memory/6032-305-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/6068-365-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/6068-357-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/6124-324-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/6124-316-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download