ccd7ef01fa9f0989de6065f729efdec5bb7715378bbaa21c98813642d731778c

Analysis

max time kernel
155s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2024 06:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
Size

14.9MB
MD5

5734d50c97440228b4c75215158acce8
SHA1

b5dca39ada6f38faf78524e9aed127a59a830330
SHA256

ccd7ef01fa9f0989de6065f729efdec5bb7715378bbaa21c98813642d731778c
SHA512

ea0dc9e79ea20bcbc2c089f61aef0c20243bf50a1f9a4539a23a2462da41a8c71e45eac3f6baa48efb0869fe57044062b69edd2e70b5a5530e5780abbb69b8b6
SSDEEP

196608:E7AP/NNECwHrc8u3x3AEcq/fByuKlWH3CTouXG:Ea/vQHrc8u3xXJ/f4uUWHW

Score

9^/10

discovery spyware stealer

Malware Config

Signatures

Detects executables packed with Dotfuscator 3 IoCs

resource	yara_rule
behavioral2/memory/1196-19-0x0000000140000000-0x0000000140F04000-memory.dmp	INDICATOR_EXE_Packed_Dotfuscator
behavioral2/files/0x000700000002326d-69.dat	INDICATOR_EXE_Packed_Dotfuscator
behavioral2/files/0x000700000002326d-81.dat	INDICATOR_EXE_Packed_Dotfuscator

Detects executables packed with SmartAssembly 3 IoCs

resource	yara_rule
behavioral2/memory/1196-19-0x0000000140000000-0x0000000140F04000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/files/0x000700000002326d-69.dat	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/files/0x000700000002326d-81.dat	INDICATOR_EXE_Packed_SmartAssembly

Detects executables packed with Yano Obfuscator 2 IoCs

resource	yara_rule
behavioral2/files/0x000700000002326d-69.dat	INDICATOR_EXE_Packed_Yano
behavioral2/files/0x000700000002326d-81.dat	INDICATOR_EXE_Packed_Yano

Executes dropped EXE 22 IoCs

pid	Process
496	alg.exe
4008	DiagnosticsHub.StandardCollector.Service.exe
1556	fxssvc.exe
4684	elevation_service.exe
3132	elevation_service.exe
1816	maintenanceservice.exe
1688	msdtc.exe
4152	OSE.EXE
4420	PerceptionSimulationService.exe
5232	perfhost.exe
5352	locator.exe
5392	SensorDataService.exe
5584	snmptrap.exe
5632	spectrum.exe
5800	ssh-agent.exe
5920	TieringEngineService.exe
6000	AgentService.exe
6056	vds.exe
6120	vssvc.exe
2336	wbengine.exe
5036	WmiApSrv.exe
5308	SearchIndexer.exe

Loads dropped DLL 7 IoCs

pid	Process
1564	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
1564	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
1564	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
1564	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
1564	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
1564	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
1564	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\59f0ac03b3e2edcd.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaw.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 53 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f6eb6bf9a176da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006a18f7f8a176da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000054e071f5a176da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000037e37ff8a176da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dbbed2f6a176da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006e5487f5a176da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c41c0f8a176da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000002217bf8a176da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000111e9af8a176da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
Token: 33	1196	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
Token: SeIncBasePriorityPrivilege	1196	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
Token: 33	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
Token: SeIncBasePriorityPrivilege	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
Token: 33	1564	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
Token: SeIncBasePriorityPrivilege	1564	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
Token: SeAuditPrivilege	1556	fxssvc.exe
Token: 33	2072	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
Token: SeIncBasePriorityPrivilege	2072	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
Token: SeRestorePrivilege	5920	TieringEngineService.exe
Token: SeManageVolumePrivilege	5920	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	6000	AgentService.exe
Token: SeBackupPrivilege	6120	vssvc.exe
Token: SeRestorePrivilege	6120	vssvc.exe
Token: SeAuditPrivilege	6120	vssvc.exe
Token: SeBackupPrivilege	2336	wbengine.exe
Token: SeRestorePrivilege	2336	wbengine.exe
Token: SeSecurityPrivilege	2336	wbengine.exe
Token: 33	5308	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5308	SearchIndexer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 1196	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	96
PID 2696 wrote to memory of 1196	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	96
PID 2696 wrote to memory of 1564	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	99
PID 2696 wrote to memory of 1564	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	99
PID 2696 wrote to memory of 1564	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	99
PID 2696 wrote to memory of 1564	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	99
PID 2696 wrote to memory of 1564	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	99
PID 2696 wrote to memory of 1564	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	99
PID 2696 wrote to memory of 1564	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	99
PID 2696 wrote to memory of 1564	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	99
PID 2696 wrote to memory of 1564	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	99
PID 2696 wrote to memory of 1564	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	99
PID 2696 wrote to memory of 1564	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	99
PID 2696 wrote to memory of 1564	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	99
PID 2696 wrote to memory of 1564	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	99
PID 2696 wrote to memory of 1564	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	99
PID 2696 wrote to memory of 1564	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	99
PID 2696 wrote to memory of 1564	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	99
PID 2696 wrote to memory of 1564	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	99
PID 2696 wrote to memory of 1564	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	99
PID 2696 wrote to memory of 1564	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	99
PID 2696 wrote to memory of 1564	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	99
PID 2696 wrote to memory of 1564	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	99
PID 2696 wrote to memory of 1564	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	99
PID 2696 wrote to memory of 1564	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	99
PID 2696 wrote to memory of 1564	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	99
PID 2696 wrote to memory of 1564	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	99
PID 2696 wrote to memory of 1564	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	99
PID 2696 wrote to memory of 1564	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	99
PID 2696 wrote to memory of 1564	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	99
PID 2696 wrote to memory of 1564	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	99
PID 2696 wrote to memory of 1564	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	99
PID 2696 wrote to memory of 2072	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	106
PID 2696 wrote to memory of 2072	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	106
PID 2696 wrote to memory of 2072	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	106
PID 2696 wrote to memory of 2072	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	106
PID 2696 wrote to memory of 2072	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	106
PID 2696 wrote to memory of 2072	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	106
PID 2696 wrote to memory of 2072	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	106
PID 2696 wrote to memory of 2072	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	106
PID 2696 wrote to memory of 2072	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	106
PID 2696 wrote to memory of 2072	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	106
PID 2696 wrote to memory of 2072	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	106
PID 2696 wrote to memory of 2072	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	106
PID 2696 wrote to memory of 2072	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	106
PID 2696 wrote to memory of 2072	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	106
PID 2696 wrote to memory of 2072	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	106
PID 2696 wrote to memory of 2072	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	106
PID 2696 wrote to memory of 2072	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	106
PID 2696 wrote to memory of 2072	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	106
PID 2696 wrote to memory of 2072	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	106
PID 2696 wrote to memory of 2072	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	106
PID 2696 wrote to memory of 2072	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	106
PID 2696 wrote to memory of 2072	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	106
PID 2696 wrote to memory of 2072	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	106
PID 2696 wrote to memory of 2072	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	106
PID 2696 wrote to memory of 2072	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	106
PID 2696 wrote to memory of 2072	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	106
PID 2696 wrote to memory of 2072	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	106
PID 2696 wrote to memory of 2072	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	106
PID 2696 wrote to memory of 2072	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	106
PID 2696 wrote to memory of 2072	2696	2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe	106
PID 5308 wrote to memory of 876	5308	SearchIndexer.exe	136
PID 5308 wrote to memory of 876	5308	SearchIndexer.exe	136

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696
- \??\c:\users\admin\appdata\local\temp\2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
  c:\users\admin\appdata\local\temp\2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=107.294.200 --initial-client-data=0x2dc,0x2e0,0x2e4,0x2d8,0x2e8,0x140325960,0x140325970,0x140325980
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1196
- \??\c:\users\admin\appdata\local\temp\2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
  "c:\users\admin\appdata\local\temp\2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_2696_UDLFSBGUHCKFWLFR" --sandboxed-process-id=2 --init-done-notifier=840 --sandbox-mojo-pipe-token=17299423918628711652 --mojo-platform-channel-handle=816 --engine=2
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1564
- \??\c:\users\admin\appdata\local\temp\2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe
  "c:\users\admin\appdata\local\temp\2024-03-15_5734d50c97440228b4c75215158acce8_ryuk.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_2696_UDLFSBGUHCKFWLFR" --sandboxed-process-id=3 --init-done-notifier=1392 --sandbox-mojo-pipe-token=3824198068608973596 --mojo-platform-channel-handle=1388
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2072

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:496

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4008

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2520

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4684

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3132

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1816

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1688

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4152

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4420

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5232

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5352

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5392

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5584

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5748

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5800

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5920

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6000

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:6056

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6120

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5036

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5308
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:876
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4164 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:5184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
926KB

MD5
85b3d38a926afc14d699a13c0645dc6c

SHA1
8b615fefb17a12154bea8930249b5f9d3b601ece

SHA256
9a676929277e8c9b983766ad201b112eafde539bbaf8605ad1a77bb26cc418bf

SHA512
04862f13a68cea9aeceeaa5ad85048487bcb902a51d0ee23167702176ff6fe5c2914332ed458c0b1a5a37552fe2430cb91b02b433243ff903af201e578c4e3a3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
c7af977cbfa24c008a07cf4f4d93cfc0

SHA1
27090db65e38d8ee99210da22f2a9ece5c2db8dc

SHA256
c8dd4a8c6a35f35c6de5adf3d665d1122776589655a4bc749cd5c19967ba3847

SHA512
1b34e9be29ea5a4983e69b8808c42352ee3a7b64cc8b75132a966ca5c1fe573d94f080a03a03381f28ec596d35f02ec0c717fe540d980adfd7fafcf1dfc59226

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
960KB

MD5
9b65a5226908c5c0a697e1520463cd9b

SHA1
89c09d4061676caa43b8f2a9d1e031d39bd7b2dc

SHA256
ece5856b059fab0c3e6ff858e2f0cf5a58f2151f6eb1287a2d791c97716312f5

SHA512
356fd2aef811e6a075374bcac04978198ff583989ce49203ffe1952832156da04f606a549e7ff18bd489d1ee6b3029fe56114df39156e4c4171d6f3155e6d003

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
c9085303c81834b950aeacd36b9306cd

SHA1
2876713f922535ab791e3f71ccdbead267cb5824

SHA256
d7f55a18b963fdfcdeada597e88abb2ca6efd5fdd559978ef65e49a17cf4e4bb

SHA512
591932f19ee683c7e3459684e8a0d5055deb66ef347ec7988008499e71ae3d5107146a70401fabcdbd9f16b74aa9ea37855c7706bd7d145ea8cda0884617d1bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Software Reporter Tool\software_reporter_tool-sandbox.log

Filesize
1KB

MD5
86c5e86eb55de61c239a4641908e068d

SHA1
50eea743d06cb5cf8cebeaef58614ccfced9d98d

SHA256
07eb5ae24913c494ee2e7aab6d5bd180a1aad62ed8b2d55e1e216ca22149da9b

SHA512
9731861372cde3cb794cd904787c153004c9b6e1de0e8e603e35fc2cefb36a5a2c5ad06edf3af55fb2055ed4f9623cc6900c3f5cd130ceea23ca44e8542aedeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\edls_64.dll

Filesize
449KB

MD5
79d7f318441c21d17739e43990697d1d

SHA1
9683265bf401d11313b768dfc4b3aeb10015d18c

SHA256
0ce49dc9f71360bf9dd21b8e3af4641834f85eed7d80a7de0940508437e68970

SHA512
67c7a7d3bbadeff21951809d2f843311328771ed46bc1ca14edba486263f56f86922668dd89d11b05a16130380b7543f7c9556d79503c505807407763e9d3595

Download Submit
C:\Users\Admin\AppData\Local\Temp\em000_64.dll

Filesize
37KB

MD5
f8b7cac6e9587baabf4045c34890c7ce

SHA1
61814262c6ee5ceaab2c0263c913cae52e203af7

SHA256
8b0613b91229c98dfa5398568a4fa40dde2a2d40028654f74923bc929d6b5b30

SHA512
4f80021fa2a6e6bd3cdd8248d6139d105dca984a914184d5b1e251e97daa77e36c4e059ed3a617ad12dd998eb603accd34ef3951261ad997a081d8ac934b6211

Download Submit
C:\Users\Admin\AppData\Local\Temp\em001_64.dll

Filesize
378KB

MD5
7adcb76ec34d774d1435b477e8625c47

SHA1
ec4ba0ad028c45489608c6822f3cabb683a07064

SHA256
a55be2be943078157b7d1cfb52febd4a95e4c7a37995bb75b19b079cc1ee5b9d

SHA512
c1af669ee971b4f4a3bb057fe423a63376cfc19026650036b29d77fed73458d235889a662ac5e12c871c3e77f6fbdb1fa29c0dfa488a4a40fa045d79eb61e7c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\em002_64.dll

Filesize
1.9MB

MD5
467f5a59d227ce7bdbac8637f3e15327

SHA1
2768b20104e91b7d8181658ea21241707b4b9289

SHA256
b1462fee2eac699ab0e5c1fb698f80878e5ffd454f55c80704d1593f2a966e92

SHA512
9fa450772dc9c3fb9823dd331d9437eaab6c9c6c3d206fa19d380952775507a0e046ff7a68d6bec7a7bf16a34e1cd2fa35aa33db3f2996700211f310092e7dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\em003_64.dll

Filesize
1.3MB

MD5
7f3e3ab3e7f714da01ec0f495982e8d4

SHA1
a6cdec146f2eb192460d3d3061baf4a7ead6ee22

SHA256
ebfeeac7733a77a1e32995d638d67d2e05eefdbb62782053d8354959e046d0fa

SHA512
493b6db2193cd91e95f0963b9ad898a2040c2abcf1b4a509e5a4d53980c95ec030b412e180c26a1bd504e4c839ef5b7e3b6f08878ec11cefa531157ef0f6368b

Download Submit
C:\Users\Admin\AppData\Local\Temp\em004_64.dll

Filesize
1.3MB

MD5
2cfadeb7f4a77118cc53ffc401312858

SHA1
64db628984b7fc3bff7a6d79ba858a9a88f93393

SHA256
3c03faed6b1b5446967bafacbff4fad9b2a86acfab646036d890adab977b7aa5

SHA512
ea99280e9e2fa4b9d52afad76f79c361ecaf180af8e5d599e46b2d2f3dbe5e5707af27bf432ad6542dde33cf6b6cf39ada23b50a1defcdd3ffcfbe7412ac22b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\em005_64.dll

Filesize
576KB

MD5
169a2ef320119891cf3189aa3fd23b0e

SHA1
de51c936101ef79bbc0f1d3c800cf832d221eef8

SHA256
1072d49da0a70640fb9716cb894f4834ff621ca96d4aea1f478754edf4d0f780

SHA512
7fe27d360bbf6d410ea9d33d6003ab455cd8b9e5521c00db9bb6c44a7472ccf2083d51034bab5ffc5aef85db36fc758c76b02fa31f0d0024c9d532548a2bf9ca

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
eb7ad1bf56fea9a98eb88b4618438e2c

SHA1
a7f9c5118a169f96ea9798ad9cf61ae0a0d29f13

SHA256
34f9aac0df0b5546aacc8732590c3891615c66c3eca534b668ae9b9cb065f7c2

SHA512
71e8b2d659785cce82aa7d07a04dc2d3dd2c22f3be55ad8175c102e6cb236a477ac0f6d61d87f6deca7a085ca8992fb20de15d553fcc84ba9062c021afd5d6db

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7f2026eace0d11055b0cd0ea040fcc8b

SHA1
da0606c5ec629d98bbc1008131baddd1d86b6d2c

SHA256
b9371b90540ef9e3a3812b907d0dbd5c8cb40b2972aba6f0a8d3834f065f79ad

SHA512
b899daf4dcb43ab3fa1242c5665726d77e5604afff9f173445a3ff314cdd0b543b4a27e7e4a57d0b6b48da56f08e3930571b7eeb621d2ffd8c3adee832b99a2a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
a13779a8d0eafc2e53b0078d6a3b2a53

SHA1
6d22fb4b3550d40919a9efcbc0ed942b6feb167d

SHA256
0ce83b789c16950efa39ee3f3cd7afc864e620fafede3cd581a8bf9ef95ab6f6

SHA512
da75178984c031d864ce6b635d8b2ecfa1baa4a22e7ff5ce3ec7f4a3019d4857695cb060daeb61389a783e6808062f39ac455fc492b38ae1afeddda65f5623bf

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
768KB

MD5
d63377bd9e7dca1d220c778a09c496ee

SHA1
6ccd00afa5cc69056303057c2b8d01e0265c2722

SHA256
4b20d395ae222f6ab5ac50b8dc8f7658194a8ddefc8bf94e6a510e419fd8f35d

SHA512
dc582ad6b3045b2111cebadb67d7d3f74cd1fb084a43b1d16fdce2669c8842e2d9a55c1ffca40ddd8b76f57fc697b04d57b6b835df80ee207f774bf23282ec41

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
61d8a9c5f1e03f3173577fa6752e1658

SHA1
df3bf4f3b98cc9646668c6128f25dbecca34546e

SHA256
c570aad1e3f1a363d49d7ccdde4362669a2a8eaa80115e63364bb77e45c54fd1

SHA512
8bdaae4f754f775a38a8cb7fcb4637a84983c6886c14e14ebd1ecce0b8aaec2d1190141aa0456194b7ef222dc01d20a7ad29df7d61adbb7bc16b1011cc9ff1aa

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
aafbd0e2b9f81a4b3920732b3cbfce49

SHA1
71bbe12be1b720216797a813878b6b882da63cd9

SHA256
cac64a3dedeaf798e00c968a5eeca3ee6fab51667b3c7da95e5eb39a7fb3ce7d

SHA512
3a7dc29efc0c37ce9995e721fe2b61eeb146fba23930e95ab4a16d78372a855baa6b7547ef506f0fa65c28898ebf43e239f219f41ffe964065b0f6d6234f621b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
9265d937f30a68f04ef94e315e9d7a60

SHA1
bd95e114e71f604968798fa7d6d6edf10aefd0f9

SHA256
fb088d4facb0d5c96eab7ba83abda786b23aa251fed7866f91a10fc5d9bc37be

SHA512
b2a41037f00f1183873f27a355bf3dd85f333c79d27288fe3e6c603455b628abce33a0d14eac9a643448bc83b7fdf6b3d526f9096894bcd8b2e34af72f03b597

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
fe242ce20c1ddc1a49b397ad08952471

SHA1
50db606aeedc1d259f590fc8ea93aa15039c6c21

SHA256
78494d2f93433fd10acdbdbb3313804bb91e9b2fc25725db819ffda37e1a2f86

SHA512
e88dff3682bf5b23dfef9210bb0cf39c74fe4c4b8090b88beac9f0c8e03a70f94159e4952ffb3f0c9f437f0be0793eb519a6f2873e7cb100b5ccbb42810852c0

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9ea52cfc0a72fd7e4827bca7203c7719

SHA1
5036c4305f81aea2cae476d9135d88b2c998bb57

SHA256
24ea92b7d0562b0c16b5a5df709fa87d310efe9952c867fd14969152c6e73b00

SHA512
ca037076e45a6b639570ce3380623535d2da62f93f5ab3281df929a906171f3b0470dde564054db092e99ed4ec5aff6d647ea625558cae2daed86fd1325c6ed1

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a41d022ce44da87e8bd333b192bdaf74

SHA1
5847cc6c4feb99eee4ac3818475cb27bf8abb6a0

SHA256
783b52519da772e90b2a3996432cf36dca92b83eb683f20f02584e7ccf60ac35

SHA512
1dd1d75bf7549e77ee27d3b79452b5a2671789a597d10479caa1f6d475ad524887c244c3cd216e6c7c4b75aeaa1ac25d06222e2712f9702af044f8bdfbc4db3c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
11674c849061e95e29aefc435181b870

SHA1
f72fdb1a7e42a6b0346fd64f786b2076512a45cd

SHA256
6581139bacdd57108943878e5eff3acade0b0b12a8c87efe752a3f73ca1fe42f

SHA512
cdcd9c6e8a556bb268dc1452f420bedad9ae581258650f2767949b30fc9d0d8ab1e6add2dfb5859a5837da8c6875b3d11bb102690efe294544c251ef52af2e3d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2d92e577c2df46526d59bf673fd7e287

SHA1
64b55b18a6427d6662ae698b853de70c21c60460

SHA256
fefc0bb7f663420ed5c36370e75d3e312e519c09dd86867ebc2ce6cfbfb313a9

SHA512
f640acd667372d7f3beb7e0d13094cbefcb40673d7de81e499b929cbb8000374e72d4f616dbef64708a5d3816190531146e017c9b9c5b2d13aa02ef133f3601d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
a3aa5b5d3c3db1450f2d8a33b0e54f5a

SHA1
3309c1b5dae6920c41b8e6e49c5833f16c11e105

SHA256
60176b36810a748b9a4ab4ffbb05d702048c7f030b980db30ae18d9ec61de245

SHA512
378efd0711b6b6b5430a131cbefec05b51c0ec71c33d2302c7f17e6da16d07bcb51f1caf967be1d8c97f09ffe4f7c3dd58ec149989fcf11b51f6c9dfd6a20fc8

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
235782e7bb79f8a86bda3955ae6b359c

SHA1
9df382c0e9da691e303768aa77e05ba9f4783917

SHA256
9dab7d6b375235dca200d1ab76fee4efe031cfdbd0a3cfd9720b0e1f1c6461c0

SHA512
b7b2d9355fc4ee09f9ce0d6663c362de69503029bc3ae3b767f304f0b1ad70cb56275a7fe6ef76423cdddfeec5ae5651bfa3670284069a20ce040cdcaf6f43f1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
98aa0d6509fc7e285a12d63a7ead6e22

SHA1
dabf13a0d3607bb010c4c687728fbfca514d08f4

SHA256
d894fe12f50350e0d9389bbac984b6c76e70793b4c86b458cfbad2f62f87a395

SHA512
1d3489e1e849d49155152f95726c14fc2044080c3feea768ce4fd2374fdd14fd5af8a5bb69fd5827aa047683b8edfb9824d615de7a3ee0f7410368dff7c0925b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8a604ed1faa43c773e0f14696ad9366c

SHA1
47a434314be701b42d4181227809372d19aeeca5

SHA256
55aea9f270072c37d93f983ee26711a6ba8c125dcb20f336a198a8087c598771

SHA512
e18fe1edc1e056c62cf6390fb2aed837c8f575a9adf58ebffc5fe0fe65cc75955161bd994495218f0b555a9a25153988cdb438c13d57ec35969d8bb9e0230dff

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
128KB

MD5
0d719a560ba6e47424fc2372bcdb29db

SHA1
d67fb014ff224402653bad2aa09141c765988d02

SHA256
cb9455665007c2ac3718c48f497b5bd08e966dbb6e2eea6f1b7d8f6a318ba3f8

SHA512
ad2e7f0b677f52464fe27b039b297003b8978a05abb72365c1a3928d16ceead3d46d422e504615f6e4e11b0469b5dfaf234b4d4d78eda945618baf560c97c64d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c174fadcb77410a9a08fc4920ef49b83

SHA1
bfe15c02d52eef6629c5028471ada160ab4a1dad

SHA256
8103f2a9a6a3b36025c4d11be127830475e7711f96bd528d02bea56f267ecd25

SHA512
b1275258c2fdb4aca72c3845e101b9a6faf985c61317dc1f4022fb230b4beeb08d8f15848b9b8792a8c41dcd29b736bda0384613b6d86c6bdd37060a3ffe3dd5

Download Submit
\??\c:\users\admin\appdata\local\Google\Software Reporter Tool\settings.dat

Filesize
40B

MD5
1e8dd57a79410ccab5c51b57722c586d

SHA1
c92855557fa6fa8c2661307e5e6657ab742cf061

SHA256
1f5cfec40b73e516a5494e4bcda45b985d08086dc5c80c07c1b12af2e8615702

SHA512
7c435cbf49ffdf4cf494344cea96af8c6440a80b7d261e5587d773b566f7479614a6a46b62ce7c6ab663ae946da3c5f8bca13f15c61287f1d1b6bcf2a102ecd7

Download Submit
\??\c:\users\admin\appdata\local\temp\em002_64.dll

Filesize
768KB

MD5
2543be1690a98ae5742a577cdb41ddb2

SHA1
58bdbfc13a5a23c03e6a45ed317eecd416b0f352

SHA256
dd75b8dc783b937dccf4e80fa43643918184c94ff48fc187e36ebf3ef9ad7f9f

SHA512
aa94e1ac3262f624f0453a63b94925c042053aa138a2105a2b43a62fd5fcc871a0de32409576ee8d3aa6b3f4bd5059f04f6c257da1c7a22f1fe73465cdc6890c

Download Submit
\??\c:\users\admin\appdata\local\temp\em003_64.dll

Filesize
896KB

MD5
ab994e097784b6ce8516a39c4af5ebac

SHA1
52ed2b75c886aa92269ef971d17979bd6d4e20c0

SHA256
86c246b0dbc383f0ad1074449c289bd5b2e4aff1fa3413e3d5c2a9a0b7b7be4d

SHA512
521d657532b3d491c34d8695f5ee98b8e6a4d1bfc8a6fb56ffe96b6bbb086f98596f09840c3c9e22c0d7edd4c36ab3f8df7ecb87a93c6ff33f1aa83684290ecc

Download Submit
\??\c:\users\admin\appdata\local\temp\em004_64.dll

Filesize
1.1MB

MD5
a2a79a56d97e9a83a6446721ca987efa

SHA1
1bbc687cac49d190931c2ca52d25315e2bbf7414

SHA256
657de0b6251f122ebd5351ad7aea02bd40a57e405feb4f9b4e193cccff87a06e

SHA512
ea36912ad44417aa7e6dacfc617de4ac9145e1cb1fc4df2bf4d838a0340375a7b97e07e2bd347cc8e718cf8027fb3e019aa443af77dad27537fbe1971f7beb16

Download Submit
memory/496-21-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/496-122-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/1196-17-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1196-19-0x0000000140000000-0x0000000140F04000-memory.dmp

Filesize
15.0MB

Download
memory/1196-11-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1196-106-0x0000000140000000-0x0000000140F04000-memory.dmp

Filesize
15.0MB

Download
memory/1556-84-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1556-83-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1564-145-0x0000000140000000-0x0000000140F04000-memory.dmp

Filesize
15.0MB

Download
memory/1564-41-0x000001D11AA70000-0x000001D11AAD0000-memory.dmp

Filesize
384KB

Download
memory/1564-39-0x00007FFE8C890000-0x00007FFE8C891000-memory.dmp

Filesize
4KB

Download
memory/1564-38-0x00007FFE8D1E0000-0x00007FFE8D1E1000-memory.dmp

Filesize
4KB

Download
memory/1564-43-0x0000000140000000-0x0000000140F04000-memory.dmp

Filesize
15.0MB

Download
memory/1564-139-0x000001D11AA40000-0x000001D11AA70000-memory.dmp

Filesize
192KB

Download
memory/1564-40-0x000001D11AA70000-0x000001D11AAD0000-memory.dmp

Filesize
384KB

Download
memory/1688-140-0x0000000140000000-0x0000000140165000-memory.dmp

Filesize
1.4MB

Download
memory/1688-195-0x0000000140000000-0x0000000140165000-memory.dmp

Filesize
1.4MB

Download
memory/1816-136-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1816-125-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1816-123-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1816-134-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1816-130-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/2072-88-0x000001EDE78C0000-0x000001EDE7920000-memory.dmp

Filesize
384KB

Download
memory/2072-102-0x0000000140000000-0x0000000140F04000-memory.dmp

Filesize
15.0MB

Download
memory/2072-90-0x000001EDE78C0000-0x000001EDE7920000-memory.dmp

Filesize
384KB

Download
memory/2072-157-0x0000000140000000-0x0000000140F04000-memory.dmp

Filesize
15.0MB

Download
memory/2336-316-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2336-244-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2428-326-0x00000198D1D40000-0x00000198D1D50000-memory.dmp

Filesize
64KB

Download
memory/2428-317-0x00000198D1D40000-0x00000198D1D50000-memory.dmp

Filesize
64KB

Download
memory/2428-311-0x00000198D1D50000-0x00000198D1D60000-memory.dmp

Filesize
64KB

Download
memory/2428-318-0x00000198D1D60000-0x00000198D1D70000-memory.dmp

Filesize
64KB

Download
memory/2428-327-0x00000198D1D80000-0x00000198D1D90000-memory.dmp

Filesize
64KB

Download
memory/2428-310-0x00000198D1D40000-0x00000198D1D50000-memory.dmp

Filesize
64KB

Download
memory/2696-0-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/2696-4-0x0000000140000000-0x0000000140F04000-memory.dmp

Filesize
15.0MB

Download
memory/2696-7-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/2696-99-0x0000000140000000-0x0000000140F04000-memory.dmp

Filesize
15.0MB

Download
memory/3132-111-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/3132-115-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/3132-118-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/3132-175-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4008-34-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4008-27-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4008-28-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4008-131-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4152-148-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4152-159-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4152-208-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/4152-150-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/4420-221-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/4420-171-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4420-163-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/4684-103-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4684-162-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4684-95-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4684-104-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/5036-325-0x0000000140000000-0x0000000140172000-memory.dmp

Filesize
1.4MB

Download
memory/5036-248-0x0000000140000000-0x0000000140172000-memory.dmp

Filesize
1.4MB

Download
memory/5232-230-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/5232-176-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/5232-235-0x00000000006E0000-0x0000000000746000-memory.dmp

Filesize
408KB

Download
memory/5232-182-0x00000000006E0000-0x0000000000746000-memory.dmp

Filesize
408KB

Download
memory/5308-254-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5352-239-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/5352-188-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/5392-287-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5392-243-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5392-191-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5584-247-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/5584-196-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/5632-199-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5632-253-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5632-209-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/5800-298-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/5800-222-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5800-212-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/5920-304-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/5920-226-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/6000-232-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/6000-231-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/6056-305-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/6056-236-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/6120-309-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/6120-240-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download