e3bbdc685744de1c5772abdf2d080d2b4d0d758563bada7a7a41b9d03535166f

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2024, 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
Size

13.8MB
MD5

43de03677ede6f012b26a4e2ef563d02
SHA1

952dda5242f68d246cfdb3d86dba56ec7843c6e4
SHA256

e3bbdc685744de1c5772abdf2d080d2b4d0d758563bada7a7a41b9d03535166f
SHA512

23cf968f61a83186d872aaa7bbaaf74016956dadf5f43ff42970b8fdac85d82ed67ffe4d759200612b8a8ca2840a0461f013822fcc6513b79210913bdabe60a7
SSDEEP

196608:X+TKnk3+z1Niml8rTlVeE0mZF8PiIik9AnSou2G:XAKKmOrTlVe4QPdik+n

Score

9^/10

discovery spyware stealer

Malware Config

Signatures

Detects executables packed with Dotfuscator 2 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023210-72.dat	INDICATOR_EXE_Packed_Dotfuscator
behavioral2/files/0x0006000000023210-83.dat	INDICATOR_EXE_Packed_Dotfuscator

Detects executables packed with SmartAssembly 2 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023210-72.dat	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/files/0x0006000000023210-83.dat	INDICATOR_EXE_Packed_SmartAssembly

Detects executables packed with Yano Obfuscator 2 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023210-72.dat	INDICATOR_EXE_Packed_Yano
behavioral2/files/0x0006000000023210-83.dat	INDICATOR_EXE_Packed_Yano

Executes dropped EXE 22 IoCs

pid	Process
1972	alg.exe
4004	DiagnosticsHub.StandardCollector.Service.exe
4528	fxssvc.exe
2116	elevation_service.exe
964	elevation_service.exe
2228	maintenanceservice.exe
3272	msdtc.exe
1324	OSE.EXE
1316	PerceptionSimulationService.exe
836	perfhost.exe
5000	locator.exe
4908	SensorDataService.exe
4188	snmptrap.exe
3236	spectrum.exe
3824	ssh-agent.exe
2052	TieringEngineService.exe
2352	AgentService.exe
3040	vds.exe
508	vssvc.exe
544	wbengine.exe
3628	WmiApSrv.exe
4620	SearchIndexer.exe

Loads dropped DLL 7 IoCs

pid	Process
4356	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
4356	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
4356	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
4356	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
4356	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
4356	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
4356	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f30575038ed1090.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000608d98971663da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000f92e1981663da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b0b445991663da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003fb9e8981663da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000024e30b971663da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c3442d971663da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000947f28971663da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000038dac5971663da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000000cf4961663da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b36df6961663da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e93bac991663da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c8e12a971663da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
4584	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
4584	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
4584	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
4584	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
4584	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
4584	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
4584	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
4584	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
4584	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
4584	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
4584	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
4584	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
4584	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
4584	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
4584	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
4584	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
4584	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
4584	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
4584	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
4584	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
4584	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
4584	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
4584	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
4584	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
4584	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
4584	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
4584	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 56 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
Token: 33	4584	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
Token: SeIncBasePriorityPrivilege	4584	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
Token: 33	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
Token: SeIncBasePriorityPrivilege	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
Token: 33	4356	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
Token: SeIncBasePriorityPrivilege	4356	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
Token: 33	3672	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
Token: SeIncBasePriorityPrivilege	3672	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
Token: SeAuditPrivilege	4528	fxssvc.exe
Token: SeRestorePrivilege	2052	TieringEngineService.exe
Token: SeManageVolumePrivilege	2052	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2352	AgentService.exe
Token: SeBackupPrivilege	508	vssvc.exe
Token: SeRestorePrivilege	508	vssvc.exe
Token: SeAuditPrivilege	508	vssvc.exe
Token: SeBackupPrivilege	544	wbengine.exe
Token: SeRestorePrivilege	544	wbengine.exe
Token: SeSecurityPrivilege	544	wbengine.exe
Token: 33	4620	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeDebugPrivilege	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
Token: SeDebugPrivilege	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
Token: SeDebugPrivilege	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
Token: SeDebugPrivilege	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
Token: SeDebugPrivilege	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
Token: SeDebugPrivilege	4584	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
Token: SeDebugPrivilege	4584	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
Token: SeDebugPrivilege	4584	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
Token: SeDebugPrivilege	4584	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
Token: SeDebugPrivilege	4584	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
Token: SeDebugPrivilege	4004	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 4584	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	86
PID 5072 wrote to memory of 4584	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	86
PID 5072 wrote to memory of 4356	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	88
PID 5072 wrote to memory of 4356	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	88
PID 5072 wrote to memory of 4356	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	88
PID 5072 wrote to memory of 4356	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	88
PID 5072 wrote to memory of 4356	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	88
PID 5072 wrote to memory of 4356	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	88
PID 5072 wrote to memory of 4356	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	88
PID 5072 wrote to memory of 4356	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	88
PID 5072 wrote to memory of 4356	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	88
PID 5072 wrote to memory of 4356	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	88
PID 5072 wrote to memory of 4356	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	88
PID 5072 wrote to memory of 4356	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	88
PID 5072 wrote to memory of 4356	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	88
PID 5072 wrote to memory of 4356	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	88
PID 5072 wrote to memory of 4356	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	88
PID 5072 wrote to memory of 4356	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	88
PID 5072 wrote to memory of 4356	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	88
PID 5072 wrote to memory of 4356	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	88
PID 5072 wrote to memory of 4356	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	88
PID 5072 wrote to memory of 4356	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	88
PID 5072 wrote to memory of 4356	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	88
PID 5072 wrote to memory of 4356	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	88
PID 5072 wrote to memory of 4356	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	88
PID 5072 wrote to memory of 4356	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	88
PID 5072 wrote to memory of 4356	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	88
PID 5072 wrote to memory of 4356	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	88
PID 5072 wrote to memory of 4356	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	88
PID 5072 wrote to memory of 4356	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	88
PID 5072 wrote to memory of 4356	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	88
PID 5072 wrote to memory of 4356	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	88
PID 5072 wrote to memory of 3672	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	91
PID 5072 wrote to memory of 3672	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	91
PID 5072 wrote to memory of 3672	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	91
PID 5072 wrote to memory of 3672	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	91
PID 5072 wrote to memory of 3672	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	91
PID 5072 wrote to memory of 3672	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	91
PID 5072 wrote to memory of 3672	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	91
PID 5072 wrote to memory of 3672	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	91
PID 5072 wrote to memory of 3672	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	91
PID 5072 wrote to memory of 3672	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	91
PID 5072 wrote to memory of 3672	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	91
PID 5072 wrote to memory of 3672	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	91
PID 5072 wrote to memory of 3672	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	91
PID 5072 wrote to memory of 3672	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	91
PID 5072 wrote to memory of 3672	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	91
PID 5072 wrote to memory of 3672	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	91
PID 5072 wrote to memory of 3672	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	91
PID 5072 wrote to memory of 3672	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	91
PID 5072 wrote to memory of 3672	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	91
PID 5072 wrote to memory of 3672	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	91
PID 5072 wrote to memory of 3672	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	91
PID 5072 wrote to memory of 3672	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	91
PID 5072 wrote to memory of 3672	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	91
PID 5072 wrote to memory of 3672	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	91
PID 5072 wrote to memory of 3672	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	91
PID 5072 wrote to memory of 3672	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	91
PID 5072 wrote to memory of 3672	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	91
PID 5072 wrote to memory of 3672	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	91
PID 5072 wrote to memory of 3672	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	91
PID 5072 wrote to memory of 3672	5072	2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe	91
PID 4620 wrote to memory of 2616	4620	SearchIndexer.exe	112
PID 4620 wrote to memory of 2616	4620	SearchIndexer.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5072
- \??\c:\users\admin\appdata\local\temp\2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
  c:\users\admin\appdata\local\temp\2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=91.265.200 --initial-client-data=0x2d0,0x2e0,0x2d4,0x2d8,0x2c0,0x1402b3270,0x1402b3280,0x1402b3290
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4584
- \??\c:\users\admin\appdata\local\temp\2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
  "c:\users\admin\appdata\local\temp\2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_5072_OVSXPZLJKPEVYXDD" --sandboxed-process-id=2 --init-done-notifier=844 --sandbox-mojo-pipe-token=11271442000663977328 --mojo-platform-channel-handle=824 --engine=2
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:4356
- \??\c:\users\admin\appdata\local\temp\2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe
  "c:\users\admin\appdata\local\temp\2024-02-19_43de03677ede6f012b26a4e2ef563d02_ryuk.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_5072_OVSXPZLJKPEVYXDD" --sandboxed-process-id=3 --init-done-notifier=1408 --sandbox-mojo-pipe-token=3526963570972709129 --mojo-platform-channel-handle=1404
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3672

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1972

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1400

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2116

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:964

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2228

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3272

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1324

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1316

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:836

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5000

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4908

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4188

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2008

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3824

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3040

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:508

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:544

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3628

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2616
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2ed86e1fa9145fa810f0bf6aabf85b08

SHA1
7fe47ee8153fcfd5685309cb98a57b1cd52510a4

SHA256
ac365c9d88fee818708b87174113d2ff23d68ed49364fdf1bdbab04872706242

SHA512
542ae2244a23cc6429b3605fb07f73e284913cbf3b286bfb1d43f3ffe884ed7f2567f0dbc4c631b4f19a5531ffad2e29a4a639494e23d351644f6f088723e3a5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
832KB

MD5
ecddbf219150223facd53e40ca5af8c2

SHA1
7078b974a40070181ccaaa6781ad786d059d73b2

SHA256
1b8d6c9b7ac6ae27e6f76c83c0013dd49aee2c00051b9f5df9c992dfd540329a

SHA512
61d67dae82a0d7b0765b43ad0eb5362e11d6b1eb18f8fb8a95d01ec7a14a31a6397ab9805ca6c6d72e680e1155029bd8111fdad5c78a1e3567c61b0c794db88a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
896KB

MD5
8b275c5f3428fe1313e418a5b6eaf9bb

SHA1
1b0e7066d7449891cf687e038e381cc03a3eafc4

SHA256
3a9fb29932448ad55efcb9a602755c5667da722c2d9f4b3ddb46d40c2061e747

SHA512
16bfe4bb4a7036e76b3c6bda12242bd6ff6644f63c436b140131f62a152c730094c30e7f5936f6ef98bc1f08efa0d125f701dbb13ad9ab39659a992baa327fad

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
832KB

MD5
5082fcb5d3c7fce0212178814261af04

SHA1
74f3c92f3a8b6dd58541730b9c4676ac6bf00f9b

SHA256
065dad72222350e4bb6fffe3512f06c33d6ec0865f6566ab99a90df79c9fe6a3

SHA512
b76de79b3c01d0458e199b9fd38cce63268b2de6950fd833df77331296679859d8d13f6b6e5deddf82ecfde2ec3001174dbb4aedc50d9040ae34d28f5f8c2ff0

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
640KB

MD5
1f7a53b99b44acd437cd0a5c4487cc98

SHA1
c341804b40978d53ea5cf80bf15e130b78c6b1ac

SHA256
04fd5751c3c435f52fe1513f860caebdf4316c9960a02277c1a8885b5522ebd6

SHA512
05dca231cfe8c3b67404fbd70797f57c2c98feb4134a411a73a5368738bcdfea142ba96d907fba0fad4d01cd639b5f4247ccc5d2c593d7dc502ff73bc3429cd7

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
576KB

MD5
d1b52678acfc35c6265aefb2f060aa95

SHA1
8d30fa862dfdc404324eb1c9ee9275e4451ff77a

SHA256
2fcd37b02eedddf78ec3ed350a045931d10048fa1799055f981f2caaa24107ec

SHA512
4088c57d01a63c807ba723c8b296b4c98c4ec89680daecfff231815a8bc7a3067d135a3be0eabfe912e6476d96f86b7c7335d2d9ac80deb9892e0393ae79e674

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
704KB

MD5
3bd6a7c2214e882f92d86a04c69302f8

SHA1
60a57f9fb50d302d5ba6981a0bb95d3ef59a93fe

SHA256
19080d041f4b5c495266da93c448325c98be145da61499850f495c248a0c2c20

SHA512
54d802a49a6d82bc0bbc049d81dcd425bdef0f83ca5ef61eb619ef5879cd7a708f249b62462084a0cf64c2183c01e1ced980c7012a5e382fff8214071208784b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
640KB

MD5
71af6a98659300507364e9b81e127dfe

SHA1
447b3cbcbcfd9462918d7df996c639eb76795215

SHA256
134f7d36af58be7c44f811351d544f7ce5d8b366d6128372a23d62a2275b5007

SHA512
24d8b6d142250680b0544a39482de1b08b9413e6335b43e95f19129787ac8ca0f435c37423202867d4ea26195328d65adbea43e920bbaf628178e629e5c02fa9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
128KB

MD5
226093f7a2d3643bb5af7e9debedc1b0

SHA1
22928f92dd4b1a551ca5d89da1ff632b41a34b24

SHA256
3062a7cf5b8ed8e4f2dd4180d6b00dcd8046abc6e625d38aff291055a1ba5136

SHA512
8d2a0ae40c74b24714eafea6f69e8d3ad733d68a04a880b277ae5bf98dd0cad64171e5287036a5da9aecffa72b4268f0ec295ad7f5f4df371a434048e7e42d31

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
896KB

MD5
81d094f197f555b97433cb27997166f0

SHA1
626b5ff07aa8ac6aeff5b14aa2932861f67a49bd

SHA256
4e7f4f7eba0684d411a6aebefe014fddcc51240e572c5f1d8c58466278c75fbc

SHA512
025f24401162c78c7676d108c42e793f689962a88995f01fcb1323c438be3c82c38c01c48dbfbee1001ca66f9a82ef1f3167224b62c82134fc2e8b7b721bebee

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
576KB

MD5
6de5df6af58fd3668bcc43c1453b48aa

SHA1
260a6a3b59e9d11ed971f02d2f5228657abc5ce2

SHA256
d1d3351f11226f447e4c340f1465cc5d1cce6b414c44bbf6b6e3716d89b6be9d

SHA512
04997fbae45af0b4884f2211db615c327d4cc9f7f7eb1c54785bc1a73a4d7225d1a9f33923c0e4559c84f43d097e374858545aeaf8341f6477ca711f8b36afdd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
640KB

MD5
c794d96572016dddd3eac3c93fa7e6ee

SHA1
c26686686818c4b313ab1ccdd33271d27bdc880d

SHA256
8c4d4687224204ea928cb74877b68c9943575508cefd6494e5e02df57693fd51

SHA512
c8f4242dd0f1f3d92919b2fd0d46f643a69ddfe05fa2117a8a893ef82b9f36bfa62ea05057b39512c3d86b74221990ec2ef1b01774b0b9e1e921858d27cf0390

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
640KB

MD5
6df306dd3010026e92069597a74d5f53

SHA1
f17ad151d35f23015ed41f6b36bb592c6e00e7cd

SHA256
21fe81c5f82710d2dde412d5bbc4f6f70e8386e164ba4a379e8e157c68dba949

SHA512
bf06b860177b7cba726e15c913741c723455e370d23d3cd4861c0016d60e5d61166be8797681313871dfe5a1ed39da11027b03ebf56b13dade578bb7e647d628

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
6cb7a53a94785ae806dc7679813135dc

SHA1
a6adde3386d7464f60286c33856c5ec3d16fac49

SHA256
c49789908fc1f2135ee6f4ce66f2cb05296afa4204bdad4de1fede8f464bcdfe

SHA512
50ad4c2ad3603200f05932b78baa49c9128860715c224d31cf480c7a8bf1b4256655a5bd895e8d004f57dc0ab781ad171a17a533dc63b222e519486943370dc3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
640KB

MD5
35de0092058d61238c5157256a577f93

SHA1
c1b134ee36746027866170e89f1571f674904829

SHA256
0ebf76b65851c9ef07dc8645d87e315cc337010373160ec37c4d45ca1c9792f1

SHA512
1f64f0c46e0920efc8bc72d1b31916ae638bbe72316f126e4240b732864be559dcb6ee8f1717175d07726c48a547c54c4f1b8bc6287fc11f5cdabfe6de0d5bbe

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
513d6bf342735893258225736b5a46d6

SHA1
8cac681b621b687ca64309b4e25b7172a8d38a2c

SHA256
65c1e08cf4b67bdc42c25561c61297ccd83174f5c32a6b84adc8fb4a72526ca6

SHA512
3d5770b8caa7c55d9c9d4732e8231840683193baf5326f52ce34cfd2e6240bb18742c3e35a705a3dad48ea79ed75fbc4a0d708790bea0cc521faf99fa4644897

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
576KB

MD5
2fb029978facd9701a0478f082179da9

SHA1
0034fb153beb2fcc0a85086cb1111c66677e1dc2

SHA256
0f2e053029b3075fe20776840a3f0f2a2171ebd049fcb30433927d321c705d15

SHA512
8c698743ffbe2b8fb7b65bd2a42f567d05c6fa4983b8d99206f7ca2ee0ac2bbb7028541525841f3b4c470b76b6c1b3a6426804eda4946a6b1ee4c55564b043a3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
832KB

MD5
7b97d408e931eaab3596c3e18fb6c038

SHA1
d58fec82261588b8302283f320a134a20c8c43b8

SHA256
b0c5c07092a6a2dd0c16b8f2b1a5f30fbacecc0490f3a08dc51b42addfb6fbc5

SHA512
98aff47d93dc22a891c0d03155a85ec0881a21be0e8484e2fe534d57040914e90214634b365ba73e4208047bbd79489946e70178e8599209efa6199e3a551e17

Download Submit
C:\Users\Admin\AppData\Local\Google\Software Reporter Tool\software_reporter_tool-sandbox.log

Filesize
2KB

MD5
5e31b4881862ebcfe91913cab37f27ca

SHA1
4564765c9f9a4940c02c5bf187263d159ba09805

SHA256
d486795835cc6dec2eeb5b5eb0dbcbf7427782ce211a89cd1375f750195d099e

SHA512
1cb926352650e1a4c7e6ef3946c408a46766c99b4410d560f315f42f3f4c1f9211572489bc48e3000dc586262d64b45113f1babbad9960ad7f9e73c50cc99d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\edls_64.dll

Filesize
446KB

MD5
e9a7c44d7bda10b5b7a132d46fcdaf35

SHA1
5217179f094c45ba660777cfa25c7eb00b5c8202

SHA256
35351366369a7774f9f30f38dc8aa3cd5e087acd8eae79e80c24526cd40e95a1

SHA512
e76308eee65bf0bf31e58d754e07b63092a4109ef3d44df7b746da99d44be6112bc5f970123c4e82523b6d301392e09c2cfc490e304550b42d152cdb0757e774

Download Submit
C:\Users\Admin\AppData\Local\Temp\em000_64.dll

Filesize
36KB

MD5
d0cf72186dbaea05c5a5bf6594225fc3

SHA1
0e69efd78dc1124122dd8b752be92cb1cbc067a1

SHA256
225d4f7e3ab4687f05f817435b883f6c3271b6c4d4018d94fe4398a350d74907

SHA512
8122a9a9205cfa67ff87cb4755089e5ed1acf8f807467216c98f09f94704f98497f7aa57ad29e255efa4d7206c577c4cf7fed140afb046499fc2e57e03f55285

Download Submit
C:\Users\Admin\AppData\Local\Temp\em001_64.dll

Filesize
360KB

MD5
d6385decf21bcfec1ab918dc2a4bcfd9

SHA1
aa0a7cc7a68f2653253b0ace7b416b33a289b22e

SHA256
c26081f692c7446a8ef7c9dec932274343faab70427c1861afef260413d79535

SHA512
bbb82176e0d7f8f151e7c7b0812c6897bfacf43f93fd04599380d4f30e2e18e7812628019d7dba5c4b26cbe5a28dc0798c339273e59eee9ee814a66e55d08246

Download Submit
C:\Users\Admin\AppData\Local\Temp\em002_64.dll

Filesize
2.1MB

MD5
fa3b06879ec3dc4835ee5ece11a84fb3

SHA1
fdd904b5546c9781f88c9e5d7b1682aa0c5235f0

SHA256
9fb8e31929fdfe9e96911a2d59ae2967896288428a4ce1826c87ecc782869f17

SHA512
35fa1ed94c49f1160b3204bf845c004693a85309aa4bcc48d6fbd22f9f131eeb471bad96b7bb26cf18ae86b9dfb36cf20068618113d08b12f74371030800f2a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\em003_64.dll

Filesize
1.2MB

MD5
9b1e89ad026dbe4e357485cb16b7c263

SHA1
ec47c11341433f089dd241cb3891ee44350d5314

SHA256
054876bb76c8b0d4d7469cdac77ef33591952163d3d11317749a5e9d840ff007

SHA512
7dff5f2ffa8743a061144263c15e4b549309ffd5db4c799ee8bc21c51714efcaf8f5410083ffb3221eb4591dcd77001c39c98db56267e85023c5029bcdad0421

Download Submit
C:\Users\Admin\AppData\Local\Temp\em004_64.dll

Filesize
4.4MB

MD5
0d1a647e72b099b42de34bb69dbb146f

SHA1
0ddbd77ba71aa9f3a7ff65a0fb45c05d13a94a2f

SHA256
9a5a405362c111d42d89113b58b9a305a762ad8f0f61638619c3309bc742534b

SHA512
e4c1f78cb1dac41e50ccb6261a0b00ec0d4e510127b8d109da835f77c06b9216f057a4879c32a1b02b658f2669dab2c61a2f7e8f2ae4d270c8b06f1fee996bbd

Download Submit
C:\Users\Admin\AppData\Roaming\f30575038ed1090.bin

Filesize
12KB

MD5
2cf93034b169af2ad960bb9294b3421b

SHA1
d30c399123376529d809a0e1d29f9a2c721ff663

SHA256
e6486b1f4ae1f8b26141b5eb20cdc33b4891f97b54c03eeab60a2d1f9b293650

SHA512
5fc20e730cbde408bfe753c587597789d5837dc3afa984898cd7411c55586262ce54f441a07f23f43b73e3e8870318a880a99663bb11c634f4164f689521c719

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
8b4a4f0da3ebfe42799d07302e63b576

SHA1
bd763fe138f3c3665426132192608a516e0691c1

SHA256
527130e69d0c54b8165aede06b8834987ee9e0a4bd9ed879c380545f1ad9560f

SHA512
b7371eb6181c7b7efea1c46a47f3f120f277a6c31db099903017adf601c25f495b78319bf078de6364bc4b520886d129dbddaf26cec39596e78c7e921e82b343

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ff4a805e82fef13a47b4a33c1f917e29

SHA1
cdf591201435a1095b1774b17cf0b778a39c9ea2

SHA256
08d48ba70611dfdba039104f9b376c0672c90371bd80aaf71162fc368958aa79

SHA512
02e5f894ebaa71ca5fcb9e2c390da7a98609653d622f2506230eaa422fba6ac2629a2846202d0d70ce11e22ca1f84e6dd8bc463c245173712c4abb3621bdd78c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1024KB

MD5
16c44f970a5cc84ab7b2426485bb6f8f

SHA1
3ee8626e8cb08aa14fc98df29e5f4f4e1ee74fa8

SHA256
b1a0e29b2882215341f42e48f0b39c4645e271d081d8c5beca31cdd9e8575baa

SHA512
07792ed441cb50a41f5a34b7333dfddccde36ece381882f7428c698e25ebd1128d7789fabe9b7a4d5e177bc6160116e2a0b256dbc6c365b84ed36865bfd228d0

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
128KB

MD5
47b70d813e6e0b46af5af8a840e7352b

SHA1
8778e0c95a77f20b79323bef220a68296f7738c1

SHA256
00bda9bd2d300c33a829d6f3935d65171e51632170f9799454148203a6af06da

SHA512
3da93bce4b08a7e7e78d7a28ff1d8dbf1e02a7733ed6cbe5f605f6a1e25ee9eb6737dae3f7784b493aa882d34291fe6672fd42e59519ea75f56e1b3a2ab1a6f6

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
7397c5af0859db8c3c5923c16fe69f50

SHA1
b753c1975ec91153c54d7a36ee6b9aa316c607a5

SHA256
32bc5a8dde7815b2e13cb3a2dbb52e4db87cf56a34761df06cfdfda984ac768c

SHA512
42e5482e9e62e27614451e3d7a3d1573c8ff378e885c5e41e294384c87edda4c79c27b4a62d74457c4a00351ebfbbf3e795bcd637d1c199952586dd4d6c57afc

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
d4851121d24cf1603d0ca7fa01919a53

SHA1
2b419890c4aad2c27cb0c7e0d2b7315adcca0255

SHA256
fd69e62452022fb667b185e367e853c4df5ecb58d8ae35876a85398a538641a6

SHA512
c84ccb7736b4bfeba102a6fae4c0fb9ae45b24f42cb8a640efa5da21aa1e123f2c1702762aaf4ceed00a9c3978886de2bf6ad04690eeff96803bcaf5e1f20de6

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
40a118e35b8e4ccf944ca4a99bf5829c

SHA1
9ed7ef4eefbcf49e619b02e08b85c38270cfd46a

SHA256
c6caf7a1896cdc8d3bde028483f68a7b46f155418cde4cbce2367f1262405bd8

SHA512
3c631816f3a1b11246f67a191e023d7fc1f55c50b112b49c3731ae694af5041927397362e7bed62141d739e122baab1c8a3b3928db49d41b279da3630976c2bd

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6e4db8812f10b79764add00e6fce36b8

SHA1
bc614b296fdff2304fb1097e78da82006b9e5c76

SHA256
3896347d5ebdd25b81235fe83ee8f11c2ef2bf323f76bbc27923da9510057983

SHA512
b173b25795724df6d344799da2267c10d6ec2e6f4167ccf5ec826f5d204d64858b329c02258416c55ee090ecad2500eb10bd19da25feca38bbbc579c42cb2943

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
4bedb1c1cfed5125f75acf0199395189

SHA1
86d74e0a89e72c1ac1643128411769c370435a07

SHA256
540ebbbf1860137921c0fbc4ca6d57960a17b97c5972c2331fae928874c553b7

SHA512
6a0d4156b1c569807cb5ee86dcca70012e4ae12bb8f905404946456491f06678cb5eab6aa6554c9ddab8af33c5845ef3d1a2561e6ca1837401a105f9e20ce9e9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
960KB

MD5
668f8e53093b6f328fcb8ac2defa4b93

SHA1
349cbab81184f4e9e9c8b40f1b3d0fc87bb8ae7f

SHA256
2375baa640004095eaa5830b6fd1b6721c253ec63c14e1eaa6f746bba53351e4

SHA512
669ddd47363b86708338d40cc966dea64b3523a4dd279089901090eb4afec49c06f49843049762d3c66d1f939546dc36161b26975a740bb98ac7bf87d8817268

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6d3a02cdc4f1a34f908cdb330da88830

SHA1
93a22ed35d17f0606259d5f42860860ee375f505

SHA256
9fe326ed3f54143b15ad9671f95d563136663e6344b4ada5b00fabce99491718

SHA512
32d80ba2ec7bdaea69ddad6ae38cd5d56b17acde69daccc7efa0f9407fc2763fc691fae11e1ae38ba0a19318d3769a35059a96f446a7e46187faa897146a893c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
286a8343e2ef1b3343f14f9bf0e56490

SHA1
e590f55aacf09e7ab3ee31ff78139122598b144e

SHA256
5f00db0ba5026f752e66593ec4f5ad25906bbb7b58e9797360f4499cc8f2e9bd

SHA512
a08389fc809ca6fdd80267b6ebe27a6a6e86bd64990167f208691ca7ffd06c704b75ce4dc9a2d9a0d8febd00b778f2819cd93962340b0ac9e92ea235cfbe7608

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
1.5MB

MD5
0012abfb71c65fbef92a63fc8350eee2

SHA1
7944aac92969a9df1b3fb303541dd5c0aef1f0da

SHA256
243921af8ee78e304d86a2295da75ceac217f4a017ac0d21b6879cd646e93265

SHA512
f8d903e28661c7e336cfa3596eec3583051f92e880f7b96c25611d3ad1cfc7f2db6084fa5d4b4167ce1d5760b831b57ca2401c0a4a973ef3554ce6a30bdfe9d7

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
87ddba35e07a5481e2665d18208e0f50

SHA1
cc5a64b26c754b4d2da03b1627317eebe9919490

SHA256
7d8d188d2df4e743bdbff3ee18851dd2d66011772844a686fce9c550ea7f7d01

SHA512
0be6dfc74686f28a187eed7ab733495c7fc319d4e72bbca74bba89c61740a8ab9fb54adf78b8ee9df803280e614687ce816e056466c3181ec9523d066e7281ec

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
7633deaf5b3619120c0636b4349763dc

SHA1
6be8dcb0420ed22457c848fd3cd23383be2b56de

SHA256
f368ea7c7a1b7a2ff70e8ab0559b809aad9661d06e8ac52a03156ac265a55c17

SHA512
931754b878d144c9bd59bd281917387c058bd43e37a27ecd1ff5e22e081009ff20768b876e406d1a9086349017eb44cafff98910cd740ee847942ca8ad8cde6d

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.2MB

MD5
55c8542edfed1f21527d54ee9e2390f0

SHA1
2d98d606542357c25287a51d4ea569cd7f1bcd28

SHA256
17640051b88cb14ae25be6960f079eff38afa13c9ec407c1165d40d35df25be1

SHA512
5982e12a35fd14e32d4fcf7634319549d9ed6d858bd532ae512ef71ef980ea96352a6bed687f535771234f72187cb8eea4bf555f7e92074ddae531bd813c8d92

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
58f6e5fbe03db9b487200bf8d0be9bca

SHA1
210c05e90f7be1a7daba33ee69f9f846b1fa0cb9

SHA256
7c6c135de8f88f08b4494787c4f180262708c8b967be96f66938ed71b28a7928

SHA512
ed154482a38114d8e97dd28838e17b765e97c68a349558f9f51ab9da0fe2fcac492811b1d7826eaff82532b8ff1efbcb3d99be655ede7cf9e87b3d5eb50297c9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0727a1462132343b68c0996087238c38

SHA1
4b082988eb6f877f261954aa06814acf2b36f715

SHA256
b67aa4ab153bfa7d23790847409003d3475c58962620a1901a1d289a13802c69

SHA512
25ea2cef8d9b6a95b39500dedeec16387d265d76ba22d9a5738c59ca0ebf369460d6517b66b91e5dc603f3aed415f63d8708e36c1333651c988980ebe63f1f5e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
9cc53abef7f5d1cc7ad5e12d84308289

SHA1
da77dcbe65dd822c85200f881507bacae0d12e7d

SHA256
037bd1efd7c3256acdeb2c90374d68b65244cb91ec99ea8c67139724d724210e

SHA512
f6b3c5f857660143f711c5576d3f1712500a6aa7ff42a181e3933ea2076de3694af51640d728df2366ba5bf158b860aabcd54a76093b0164e543daf3f9bfcc71

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7d8652908f76a2ffdf379b9744f27cf1

SHA1
36934f7bd1680b6ddeef3a0ba24a220eecb756c7

SHA256
7e74f8d45d4dce718ea841a71c170ce94b1d1872bfdf769d61f09a519efb9a9c

SHA512
a70af07ead2babf4884413f36b0c504d55af761368a1f393d377cb018310b4d6d4c83cd7f40dd906816133e713def9584169306f145c3e2fbac65b2f2289d2b1

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
576KB

MD5
6f45fdd8d672bdda9767c7a241a28638

SHA1
57a5245a7035ec65c8a6000d7159a85ce1a6f942

SHA256
e93329dfa109bdc7526ee4ee24ee5ea6b9d30f3d1a4fd2ddf42220f30973b658

SHA512
d18bc9118d03b72b760bb01307d9b61a86be9b6b10f9d39d612ceef7e2eef4fc46b36bab389054e07418dff75fc770f6c4636d374252e494b19a9baa88101a3c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
896KB

MD5
d115f9981cb599aa8fce046c30a7b03e

SHA1
c7d9a6169f2a344c73343d2a680190d260e7d716

SHA256
55743649ea32d3b7e96ce5a1b8671d9cddce11e0fb80b0d668c8979913d0bbcb

SHA512
48b89fbb55fc64511f79b29de2a220e0ef28801c9b9577d7e55e442c0fabc7b7bfc0b8a7a53caefb52c4b09c19eb24aa45d42243ade43c21ba847a1432c69235

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1024KB

MD5
9d7ec1ec3aab189f21ee26542cf99309

SHA1
9eb61eca5ca14e8b115298e5670f21906a2342e8

SHA256
a03e77cf79226d062551b3c77929a3506d46d94fdce36afb8931792741e0dd1c

SHA512
7f1492918f09bfd02c1770c27f37dd3e12e957e394c87ea8c84d44abd1fc1b791fb070431cefbc9fd9a35885e89ca5d97cda3ff451018756446036e82fb55074

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
960KB

MD5
60d58b8d752fd06967b555a87d822758

SHA1
36b7cf4a926bdf43bbdeb4b709e63b8d5caaa4d9

SHA256
7a24e87b63d80efe16fb13051aaff52a7383bcc0675a0655ca6d19af7017b052

SHA512
ee52b60a74349e635a21a815610990b8395d18b9c79a1955ceaed1723238135020f6cca812b6cf75ca22df1ccbc743657e643e0845b518509ad277ad17b73175

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.1MB

MD5
d22130aa7719c2751081959c3327dd22

SHA1
fe383f7cb8404efef9b4258eeb21de4f486d3178

SHA256
3c6dab5b9919f521cbdf7f7a9669c18c476f115dd3c5da3591a7fb5613993541

SHA512
fdcf0196a26e663a526ea5cf9fc5f41c94f252527067e2ad96c43c1ace80e6ec72fca9809b85d5ca342d34b17d15c56e2e9ea962210a4271fb7f6b5ff2c82f29

Download Submit
C:\odt\office2016setup.exe

Filesize
1.1MB

MD5
72969f1ca566dca1abc2c2bca063b9f8

SHA1
4f5293a8e5e9bba3747daebec228d7a8b3b37bd9

SHA256
954e9b000d9f9c240a7b8f59bb00eaea9a38bb02619c382bfec9e47a5bd4c747

SHA512
4b8942d2137cf2351a5cb3f6e2e8e9a2f3b2a94afc657927192990757e2c2577c14b4949e9756141acf7099db8d94f061f35206e16c7517840e239b889fb52ab

Download Submit
\??\c:\users\admin\appdata\local\Google\Software Reporter Tool\settings.dat

Filesize
40B

MD5
3a328e5872ad52a6e60166408ba2dba1

SHA1
59a671c272c6281176a6968b417b401ef15879d9

SHA256
5b71317e4ad698f4618bddb4b35efd5ddb7b25998c1926f43b313678037c9e1f

SHA512
ecde03995a65eae14b47a385c24027fab958af4fdfe767805fa4e5611a3b4c34d467df3e3051a730706520d3dca7f053d4d03df0e538914e0fa914ccf025c8d3

Download Submit
\??\c:\users\admin\appdata\local\temp\em004_64.dll

Filesize
4.4MB

MD5
700943b61a069d745e6e34e972ec984f

SHA1
0018566e617ba51ed585f3eb381a42426fd7bf55

SHA256
9728620f1abed445c2517bc17adcc99d93fe35eddc6ba0f9ed1ce5f3c4b5a935

SHA512
7029b4eae6a4784189cbcab3493b3e2b1c34538f134b00a12190ca6dee3593e84c2d42a2859d0354008b99f96b81d8c8c9c08ce8692d1a2050751bfeb0b19b5a

Download Submit
\??\c:\users\admin\appdata\local\temp\em005_64.dll

Filesize
576KB

MD5
169a2ef320119891cf3189aa3fd23b0e

SHA1
de51c936101ef79bbc0f1d3c800cf832d221eef8

SHA256
1072d49da0a70640fb9716cb894f4834ff621ca96d4aea1f478754edf4d0f780

SHA512
7fe27d360bbf6d410ea9d33d6003ab455cd8b9e5521c00db9bb6c44a7472ccf2083d51034bab5ffc5aef85db36fc758c76b02fa31f0d0024c9d532548a2bf9ca

Download Submit
memory/508-343-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/508-236-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/544-240-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/544-347-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/836-227-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/836-184-0x00000000006B0000-0x0000000000717000-memory.dmp

Filesize
412KB

Download
memory/836-175-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/964-113-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/964-183-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/964-114-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/964-120-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1316-172-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/1316-220-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1316-162-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1324-159-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1324-150-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1324-149-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1324-205-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1972-109-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1972-14-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/2052-224-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/2052-323-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/2116-101-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/2116-171-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2116-108-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/2116-102-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2228-137-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/2228-138-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/2228-133-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/2228-128-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/2228-126-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/2352-228-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2352-229-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3040-331-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3040-232-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3236-207-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3236-197-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3236-248-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3272-142-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/3628-394-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3628-244-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3672-88-0x000001D606EB0000-0x000001D606F10000-memory.dmp

Filesize
384KB

Download
memory/3672-158-0x0000000140000000-0x0000000140DDD000-memory.dmp

Filesize
13.9MB

Download
memory/3672-94-0x0000000140000000-0x0000000140DDD000-memory.dmp

Filesize
13.9MB

Download
memory/3672-87-0x000001D606EB0000-0x000001D606F10000-memory.dmp

Filesize
384KB

Download
memory/3824-211-0x0000000140000000-0x00000001401A2000-memory.dmp

Filesize
1.6MB

Download
memory/3824-221-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3824-305-0x0000000140000000-0x00000001401A2000-memory.dmp

Filesize
1.6MB

Download
memory/4004-33-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4004-125-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/4004-26-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/4004-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4188-194-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4188-243-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4356-141-0x0000000140000000-0x0000000140DDD000-memory.dmp

Filesize
13.9MB

Download
memory/4356-40-0x00007FF8D46F0000-0x00007FF8D46F1000-memory.dmp

Filesize
4KB

Download
memory/4356-41-0x00007FF8D35B0000-0x00007FF8D35B1000-memory.dmp

Filesize
4KB

Download
memory/4356-42-0x0000000140000000-0x0000000140DDD000-memory.dmp

Filesize
13.9MB

Download
memory/4356-43-0x00000182CCA90000-0x00000182CCAF0000-memory.dmp

Filesize
384KB

Download
memory/4356-44-0x00000182CCA90000-0x00000182CCAF0000-memory.dmp

Filesize
384KB

Download
memory/4492-306-0x000001BDD3C40000-0x000001BDD3C50000-memory.dmp

Filesize
64KB

Download
memory/4492-348-0x000001BDD3C40000-0x000001BDD3C50000-memory.dmp

Filesize
64KB

Download
memory/4492-344-0x000001BDD3C40000-0x000001BDD3C50000-memory.dmp

Filesize
64KB

Download
memory/4492-332-0x000001BDD3C40000-0x000001BDD3C50000-memory.dmp

Filesize
64KB

Download
memory/4492-330-0x000001BDD3C40000-0x000001BDD3C50000-memory.dmp

Filesize
64KB

Download
memory/4492-324-0x000001BDD3C40000-0x000001BDD3C50000-memory.dmp

Filesize
64KB

Download
memory/4492-318-0x000001BDD3C40000-0x000001BDD3C50000-memory.dmp

Filesize
64KB

Download
memory/4492-307-0x000001BDD3C50000-0x000001BDD3C60000-memory.dmp

Filesize
64KB

Download
memory/4528-97-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4528-99-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4584-22-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4584-122-0x0000000140000000-0x0000000140DDD000-memory.dmp

Filesize
13.9MB

Download
memory/4584-18-0x0000000140000000-0x0000000140DDD000-memory.dmp

Filesize
13.9MB

Download
memory/4584-15-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4620-249-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4908-190-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4908-239-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5000-235-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5000-187-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5072-0-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/5072-96-0x0000000140000000-0x0000000140DDD000-memory.dmp

Filesize
13.9MB

Download
memory/5072-6-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/5072-7-0x0000000140000000-0x0000000140DDD000-memory.dmp

Filesize
13.9MB

Download