9bbde51af15ab56a1a59819ceae6be37dbb90e41ccd0c0bd6a9b863ab6a7d70b

Analysis

max time kernel
142s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_3794ca78fa40e0d64a6669d1ae58e960_ryuk.exe
Size

1.9MB
MD5

3794ca78fa40e0d64a6669d1ae58e960
SHA1

d2764bbe4c05dcc371657ed67146aabb2d6afb54
SHA256

9bbde51af15ab56a1a59819ceae6be37dbb90e41ccd0c0bd6a9b863ab6a7d70b
SHA512

d252ac49d6f3ebe2629ede05a830e460fff3603dbaa79cbdf0245188865fba466b41e64da45355aa3755f88d403714a339b2c68a6e3c7881b5ecc772137bf0f8
SSDEEP

49152:Drt6hFYkN8qmlouFQDLNiXicJFFRGNzj3:v+N8qkQD7wRGpj3

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEmsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4852	alg.exe
4764	DiagnosticsHub.StandardCollector.Service.exe
3620	fxssvc.exe
492	elevation_service.exe
3920	elevation_service.exe
2660	maintenanceservice.exe
4844	OSE.EXE
4608	msdtc.exe
3056	PerceptionSimulationService.exe
1720	perfhost.exe
3292	locator.exe
2192	SensorDataService.exe
3020	snmptrap.exe
4624	spectrum.exe
2884	ssh-agent.exe
2144	TieringEngineService.exe
2300	AgentService.exe
2024	vds.exe
3300	vssvc.exe
1244	wbengine.exe
228	WmiApSrv.exe
2852	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

Processes:

elevation_service.exeDiagnosticsHub.StandardCollector.Service.exe2024-04-28_3794ca78fa40e0d64a6669d1ae58e960_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_3794ca78fa40e0d64a6669d1ae58e960_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_3794ca78fa40e0d64a6669d1ae58e960_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\cfc28c3fb3e2edcd.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_3794ca78fa40e0d64a6669d1ae58e960_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_3794ca78fa40e0d64a6669d1ae58e960_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_3794ca78fa40e0d64a6669d1ae58e960_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exeDiagnosticsHub.StandardCollector.Service.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

Processes:

2024-04-28_3794ca78fa40e0d64a6669d1ae58e960_ryuk.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_3794ca78fa40e0d64a6669d1ae58e960_ryuk.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchIndexer.exeSearchFilterHost.exeSearchProtocolHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001ad1c9518199da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002fb308518199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003563de528199da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e6e174508199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000235c5a538199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009167db508199da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
4764	DiagnosticsHub.StandardCollector.Service.exe
4764	DiagnosticsHub.StandardCollector.Service.exe
4764	DiagnosticsHub.StandardCollector.Service.exe
4764	DiagnosticsHub.StandardCollector.Service.exe
4764	DiagnosticsHub.StandardCollector.Service.exe
4764	DiagnosticsHub.StandardCollector.Service.exe
4764	DiagnosticsHub.StandardCollector.Service.exe
492	elevation_service.exe
492	elevation_service.exe
492	elevation_service.exe
492	elevation_service.exe
492	elevation_service.exe
492	elevation_service.exe
492	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

680
680

pid	process
680
680

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

2024-04-28_3794ca78fa40e0d64a6669d1ae58e960_ryuk.exefxssvc.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3968	2024-04-28_3794ca78fa40e0d64a6669d1ae58e960_ryuk.exe
Token: SeAuditPrivilege	3620	fxssvc.exe
Token: SeDebugPrivilege	4764	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	492	elevation_service.exe
Token: SeRestorePrivilege	2144	TieringEngineService.exe
Token: SeManageVolumePrivilege	2144	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2300	AgentService.exe
Token: SeBackupPrivilege	3300	vssvc.exe
Token: SeRestorePrivilege	3300	vssvc.exe
Token: SeAuditPrivilege	3300	vssvc.exe
Token: SeBackupPrivilege	1244	wbengine.exe
Token: SeRestorePrivilege	1244	wbengine.exe
Token: SeSecurityPrivilege	1244	wbengine.exe
Token: 33	2852	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeDebugPrivilege	492	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2852 wrote to memory of 4700	2852	SearchIndexer.exe	SearchProtocolHost.exe
PID 2852 wrote to memory of 4700	2852	SearchIndexer.exe	SearchProtocolHost.exe
PID 2852 wrote to memory of 1800	2852	SearchIndexer.exe	SearchFilterHost.exe
PID 2852 wrote to memory of 1800	2852	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_3794ca78fa40e0d64a6669d1ae58e960_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_3794ca78fa40e0d64a6669d1ae58e960_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4852

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1272

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3620

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:492

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3920

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2660

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4048 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:3628

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4608

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3056

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1720

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3292

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2192

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3020

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4624

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3016

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2024

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3300

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:228

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2852

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4700

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
2⤵
- Modifies data under HKEY_USERS
PID:1800

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
Filesize
2.2MB

MD5
95f5d0b07eb318ce78c6cb91bcc1a875

SHA1
3831620cab70ada6dcdf75a201fd7e1006d923da

SHA256
408fd6d2cf84801852ecd4f5315442b7bfa6259a63335f78deff5bbeafbcabc7

SHA512
7889c66f6f471ba053426594f7e24398057457f809a2537441cbd3e22a9434588b7fd972aaf0d60eb0bb9f367b185872f2bf9b8f69af04eebf57d872ca852768

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.5MB

MD5
8384583b6aa558f767a39c265ca744e6

SHA1
c4d5df2df55a6be076b8a3e87c57da40461b60bc

SHA256
bda0c4f118729f3cd926e910d256d95f5a89a1bef6b0de5c700b7a4829e1131c

SHA512
5f6e5ed921d98e54844a77ec39084399a521d7d44f6c38b956aee6d0627f62415c5bdce110d8f4a69fc3483972a580ee992ef9195cb88efa7b32c780f5d50e10

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.8MB

MD5
91a7f27a4d81b8d573f594f4da01a8a1

SHA1
73a06e29d4422b6e28c854964de4ed3f5c2d5429

SHA256
fdf7e03cadacf80c742344eb400890164b72192f5617fd65d0cca63ba45d2079

SHA512
d3f68aa9121362f3b45cdfed416add9e3e56185020614f49b2cabad3614385c62da49092f244ab02be8a9d6f6f95adb330f957b4e76fc2e2d654eb1758a2c1a4

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
01396f93967bc107c86830c44f45db0f

SHA1
f6e28f20ab157a9eaa4c097891330dca9b27ae79

SHA256
c7105b29f2d767aadd201e6c3dd38819711d216cc3413fd446108a0ba921917a

SHA512
962f4d4b54c3cc4ce2efd9001ffbe5f7344de3cb15b2f30fd0592ab5ae4bc2b77e3681b9b581c49258dd8659fd35950b5fb67baeaea86d7deb54fe7d7071d8b3

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
29e51b54e623483f13e9452050ca0158

SHA1
2166280041ac6503983109e3d5fa815f82a6ed51

SHA256
f6b7d8965ed82b9815cda4e789e31a09e77db75178f7380386ed640f1d769b31

SHA512
4f85d07e3375d3bcf4ffa7fbc69f3cbb9a6ab56c6157619de325721e694ee81cadca16371af9d844ef17f23da326226d0cc824eba858fc903cb53f161018a4ff

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.3MB

MD5
3ad1e73a3e57818e618b7172f1b53098

SHA1
b96f84d779effb1f8a44e59390d5a9c385f4a187

SHA256
da4fb0dc28047e9a377e5f165110c66b0424f66a2645291e0f1a95ba50399e2e

SHA512
17ad1634ed38d939b5101ccddde1a011190e298d6d999087d62f7946b73b28cfb53757f3f7e19c4c80238a5f74a09dc76478fe4895c2883ca70216733836eaea

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.5MB

MD5
f5728272a8d70d1a154ac765c2f79046

SHA1
09df1b3301f6ef932dd8012294fbb32d6d7ea6cd

SHA256
ec31c51fcd5f71d0044e0679ab76a7c16f14446da3fbac0b76e3c3216b789394

SHA512
9bec77082d4a92e106fc13fb9605b063131de50362f2a8c6eaa5ed8f660c2a32022855d8e992d74e585e57eca66db660434789ed3f3ab091f5b62a84d8b49be8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
98ec40425152550b4885eb73d5dbe0d2

SHA1
a2d090cad8d2d090b192724dc498a96219621e4f

SHA256
11ed2732e1befa9d9272d9f3bb343bd7bb63863b5a429bb1d05cb43efe36758e

SHA512
d6fa3b9402f1b3cf72fa9b9129d722ab4397967a759724b91b49d980dfd25dcceb2e4d0998b62fdab662bc156498816c462c74426bbdcfd8fbd7163be45edf60

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.6MB

MD5
741af6c59bbf2a7395fd92b70a680dee

SHA1
1ec10dd7b7b6881445c49d47f8b46399e72e084f

SHA256
4156466c8f7b7eb339b766b45be376a3e0e7d175679dada06b1d40b2cacba7e1

SHA512
498ba2cacab3e04c45ef04dc8556ac2f4a0a056f7e15614cd739e7d35c732c7b167e08011a529ad1fe161b63b29b7c658d93f647aea70de81eb89fdb6aa433c4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
7840ed893c8c66c8ae73ff03ec776f91

SHA1
57f2ab48e9ed9f00f442bd317183d22658a7d4b4

SHA256
2313e71607cc8adb6ad937589050be0d229d5a99215683299279bea8e98626f1

SHA512
dcbc16cd37bdbdfac01d017053eade29c13b89b733934004fe83d5869a095c477d087cae7dd3b7cdff65f33347e9acb71cdfcd3c3b6eaedc8cff8caaedae991c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
311cfefbca7eede9ff28f641a5dda9e4

SHA1
f6a33938d0ea0e216283ec9e4020d1313e1fc15a

SHA256
c43d75c9c550d7c3d42d883f07f1bd831028d1704192afa0c7f98ca1ac06d57f

SHA512
d4c93930452976c4e18ed9c40bf40fd0b375f1ec9e5599863921d8a2d38ae50f37ea8da8d3bc63f0ab4910f3c80cf23ef115af578ee101d4a2bdb26c3765d0b0

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
9634b90e8bdbe1328193d93ea6ee42c1

SHA1
464ee0c199953b65d29fdb73831a455d60261eb5

SHA256
d928b055390d2c40d941469da00bbad1757152613b0ead3eac0fd7cbb3ec625c

SHA512
6a9f9002076e582a006df529986d14ce2c441ddac7940accda0e7cb24c7a10170483f8bab468e3a09d71f2e935a29feacf58227a5f4e7d60b0835fd158404014

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.5MB

MD5
24f0f775acf12e7aafdd6e6054fc22e6

SHA1
f9a5e35342a0aec2409773fa877130a3b7aead2c

SHA256
7ee8418bf97ee524fdbd8b2634fa5b8a4defce8c11a9bde443a2c28017dedab6

SHA512
cb45c16dde21f220acc20210651bfa82f33e51a5d368fda4abac7a0bc5b0695910d514a8444e4643df9aa93388ff28d90f6c0ac6f27a10c03066828d9e48b3c1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.4MB

MD5
0bafefe465aa9da1375440515b1657b6

SHA1
b78d39891f9535be5c52ffbe03c0da8f725ed8b4

SHA256
fabcff660f06d93bf874d265cad0589816fb8697c2f7cfd0c34ae6048baa6430

SHA512
8f4725e419f258a89c51089245310815bc7ced44044d8fbc93bdad538f23dab0e7eae7c2c686fd840dc8abc59a30c6d407d892f3c02dfff96c72648c35328dbf

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
Filesize
4.8MB

MD5
7bd9c49cf5d3f3d45ac3008a0fc4e765

SHA1
350451b93579a05debac35789c76d543ac449022

SHA256
2850312d77a23e0728e7b4b07ff9757ad5bbb66db06f0149e80fe444a0f00619

SHA512
956538dcf91e99a7fb81aa9398873377095e7d089d090615cf3c4483691244678e3f4a3134ce0cb4ddd044e566a9b85b641dd6263ac62348597a2b982c0a88c5

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
Filesize
4.8MB

MD5
f807b69a742d6b5f38c9eb362a4cc907

SHA1
c28fa1712832c7d85e50ed778e00ec332c7a74cd

SHA256
5780e600d283b2c4eefbff82b26328da8389a3df46575e6fdc30088fa3e181bf

SHA512
b1739d1eedc5bb0711f8592047b16350aa56efa1d0c99d920f992a277c6dbddaed02ecd96ab24fdc65667cdbae65260fac464e1ab04d7dffac95c6ed258ef10a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
Filesize
2.2MB

MD5
f547d0b85999e0c360ef7d3376c801f5

SHA1
44226ad1b3fb08c157cb7aa1619115d4aad0e937

SHA256
1fc1f4591626bb676b198d29fa39bca9062f7a8d93d265703f8e659229551ac8

SHA512
72a193485709efd279f3c818102f88cf336e7e8fd0527eb66f81446111f0d30c4f470dec251eb44bdfc7cd68eca429ea6f8ae8d0c8702443deb9cbb9cfd422ea

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
925750db78b40537d9c5f18a278b992a

SHA1
af156a36366e02e05202d6b08eae9832c56b172e

SHA256
ff78b0c8488b3702e7b28a3192112d0d5799d5fdff5b0d41200ef4cd171e8fb2

SHA512
d76e98d7be4746e74ca59c4a96ea80cd99a28fe6a44a53aa301ca83764069eabd32051db888e9338b3cf2dee3ff5ee631fcb1317688ffe9826a4ad7fa7c66c87

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
Filesize
1.8MB

MD5
2e34414afef27fa09a6889076b6221a6

SHA1
d1eb9534d310c3969c7ff9768c8caab623961db4

SHA256
4d483a4d3d18eeaa284cc07267a24cc764189f37231968f6ae9cf2e9209a1117

SHA512
739a9a345896d80871c72049707ee16120b5bee5eea62619a6b8f952df2215a0d8038bbcd629ecf268924fea3a0b3407fed67f26f833086018b6b5b9dc1b7dc7

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.5MB

MD5
596caa3dc995de875775c3890633934e

SHA1
743e07fbe1550882187ed03a94c08ec22eee0511

SHA256
555bfaa791da62d7826c235fc3b49f9017f2347774239dc5cf690bb286603c83

SHA512
0347dfb6bb29a8f60de812c6cddd106e7698f04418e70a004eff361588dcdee383712be5a031b64b442bd539ac00e8791aa1e4767c795399175f7c05da40ec1e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.3MB

MD5
62620b5cc0ecfc3bf8ca7fe7a5f59316

SHA1
37e05ed7dcf7cb7a84574f94264e2e564fed7b23

SHA256
15c8828fb3c92e02e86a8e63a6a1659b5f3c7af63481b268308fa9721deb66cc

SHA512
5d9e6ee48614167456faf40f713ed9091c0c007af4d4044a86fd1d537bc3187c3422129da5447ac107f98260cb82cceb8429f478f58237a4b350662c39d1839e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.3MB

MD5
5f749b456f2afb3b4d3807ced18c4b6f

SHA1
6bd91df6e58985a52c78799905305077ae9f4261

SHA256
2581cc325293171af2e8eb9a82f4d8f656b1256505c5bee6392d92bed4d81dc7

SHA512
117b5036952fff1ed8b9435d9fff911de61e0cd382103bc9fde2b0ca60b7a31dc3d7f841c07b0605ac4a6bb614eb80ff45f417ee22f4dbb6e4554ce843610b1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.3MB

MD5
77efe9726d1c2e60b098fb202bffc3a6

SHA1
79946f506fb13b73f0ab53ebaab78ddea39fe977

SHA256
755ed4c333960881d1978fc762875a17ef5e96458eafe037f05b27cbd61a6530

SHA512
8ab9bbdc2949d9be0ba6ba78054863bc4174680f61856004daf5b84c058264ad6c2a81cef8026094dfeb11b7ecf5e33f7fbd59fe1e007a7ff47b1a3c67cc4f89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.3MB

MD5
ecd4f7923d54e7ecef17d0b616a08740

SHA1
4af86dba4d346e05ef0bf3cf761cd980f2a00d1c

SHA256
aa21cd34821acf8c7621442930477c8c3fd9f43305ee2f1eb762a5219bc75894

SHA512
8535513320f0ffde525e7ac78fbd762a0c11f3f2047c8388c0567813d51a0629689e3a95b22a9e3facb7d087cf845cc5dab79c11b61371cca0dbd7b496b12b35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.3MB

MD5
839174c406ae0b3ac4c16e83ccd63d9e

SHA1
2cd6481e6887609c645c892b97a0ddbaf8df87a8

SHA256
b28597701b31867e6de96e8905ce83def36aa06f96a13d6d13b7e939aefdca9e

SHA512
b3a33bf8711dc761049eee541359f84a4b48054ea752316daf43b71ad47412cdcd3758b6a8f2eda7bbbdab3d86c48ea3a7120607a199fa0a58ad0d4b6119ad0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.3MB

MD5
52ee79831b459dc1bd9d313e0a16efc5

SHA1
d62b4b0f47d8b02c4081c432ad1a1f9a47c27927

SHA256
20a4b5c287c5f0e5b751484e6ec0d079f0ae6a6d0fdc4b1b22045f76416a518f

SHA512
30eb5780d35c125deaaf8cc6cc3e060a94d4a03986f00996f05ed9ed610c7e54b89dd6e87c0d5dd460ebd37a107ca05c4e7352c3efe8034156454c746bd639b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.3MB

MD5
d577e0321fb68f598020804d45fc5182

SHA1
91c5753f27f37c4f9c316c61e3156728149df63b

SHA256
ccc4c08eb4f4875fae0236f33c22bc88d1d093820c58fa37cedeb05fbcc937ca

SHA512
2e7d598693c6f7a0566021243e08b3e70504ba0df390e79c72dbcb80262497b2b79cb47dbd9388721c54170643b8f9e7b1c52baf1c170ab8734a5d251dcf3213

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.5MB

MD5
90b1ed1d2af9dc2a663ac7334932e6e0

SHA1
a23175c4d95e4dbecab3b7ebbd4b3d09a62d2880

SHA256
ad4e8d4dbe54ed3cc0cabdca144c515f457f9838f7647fc8ec21c30f424bd7a7

SHA512
84a2963963e66423fde7da626eddc4381ba2e8e96bb33493e81729456a1ba79f5e1fe953f380b459cb9d5781ac3c8a19dc2e7241b12eb66f9007764d1fe1abe3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.3MB

MD5
8bda84f5c712ee0ed7b7a245c6bd258b

SHA1
4c3525bc88de392090edda342b7c5f245d9490c2

SHA256
5c8fae543ee3f99ef073e3c06db1a1fcb202d1905b5b225168a7d2a9ea4fc4ab

SHA512
a8ba5bd85eb1fb37e567d67bf117cd221e256a26c72a0b71f75ec5396a760acc113732f91a0ed4b6bbb6c717e62a4f88bc692c28f7152e7ad7cc331fae63a303

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.3MB

MD5
52d77dba0ea8d8d014745ab50466e062

SHA1
cede53e91a86fa50a6872f2717a516066bed6f03

SHA256
05f2452bd3de1b39c3d0dbebb6972f60ec2d9852678ceef388e0295cd451bd56

SHA512
c94938ec4555f7297f5e6021a7650780520868d2a4207a1ff9034511fba47abc82506500488af73c7e60ca570800994298ea8b3be10a87301eb78243f76604ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.4MB

MD5
35c321c51c40f21a4d56c09658ed0fb5

SHA1
5aeea8c8cd236aa54ee3045f5f65e443fa3da14f

SHA256
244dd888de78ec841e6c2c60f1064a8078b767c7a99a9a8661a3987ef6eef947

SHA512
718ac615cf2e35c277477b7ada71ef62a15a782e553372933b1c4da041d736ff05869fc57cdd601290e4ee8c431197ef0ccb31bbea8527417020c81470f23a18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.3MB

MD5
d1e5be8cd6194d25bb3bb771498a382c

SHA1
c26d6e74121854211e4c49c1c900accff1b458d9

SHA256
5f20674409d8ac169fbd2ebb68fc0beea6b1c8251b69da34869af6469a3da50f

SHA512
d55f319127a6a1590fb9f96d851c4ae565e762b561380fe9d314d4dd734926313ee2f09310374a64f5d9db933de5dad877525b6a6fb0962c8a3b64527b5ee20e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.3MB

MD5
c6e21908d12aac59c762bbff5cd51ca0

SHA1
6b3f3c8cd22d248c2556c26ada129ad42bb999f8

SHA256
01d27c9168d1064d921e444efde9efcac8ea5200c6a61ca8b9201077c2f17a09

SHA512
5e65bab16eca977b6bbef990e666cb32522b1fc7f44f8427f28a2912c2fafdcbb42bf440d0f94b165689b35a8f12b63e5c99b89fe2a0ce28ebb5cbe0c858ab66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.4MB

MD5
a5b154980fb3bc7e2304e3b46135f0dc

SHA1
b3c7e19a94e396b7c285124373facb3de8ccd771

SHA256
6c9b69831f8b44b1a5f9a74193694b7e5658a7e56890f314c3894e3630a63fda

SHA512
22c0494a912ddc2aa8e6a26e17d9cbe5a83449e6e6c4468fea3251ce553be32b9e7d1600485e788d21b2fe303a636b9db0facb674639d7aa9605cdbe4672f050

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.5MB

MD5
db5e67e7cc0fd1849d0d08d7e05432a6

SHA1
4742f9d3ad7dc6140f96d5556285a09d275c3851

SHA256
6b0607ded165b1a67c1078c638ac3590847a47c8352d21185af5d2a9f222653a

SHA512
f9ced31c9bf2596708a845c112d4a5571cfcf810fb3e38da12c798676a75334d30903c9f78bc637872598d285565c68406f7e822f68aaa2d9c07f2570689a784

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.7MB

MD5
da13c58717b2cd5ef67eb515a17b5bce

SHA1
92915c1d2f790fc65c560859305d18f779f54d31

SHA256
df646d958e672ab9823bf02024b0d92b937908fbc026b9c0cc4f6dc3cefa0ffc

SHA512
5b2a09e3471c595c0740f688597f82601b11f20eea2676d46fc950127f8cb45776ad861e9125c71bd6f4fc11211bdf56ac65fca642076a256940543c15397aa2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.3MB

MD5
0ba99ceaf5c8c2d0ffc4945b4285899c

SHA1
6af981681f0b571e75c3268fd2e6a4c627946f22

SHA256
a2a3011367292d35c8fa51c6775447974e15434db1addd020facc73c4f410a68

SHA512
01ba0c37e3c197211ac6336faabfa2cf6556b00e3aa4b6790365c0f64978e11e8dbf0f7fccb84ff24352d07aebd42c7d237f5ef1681b7d4b609262abc9bb9598

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
1.3MB

MD5
a264f9524f618f179cda18a8b4c4f87a

SHA1
5c19fba2a51ebd0166a44268ab6b8a3a92eb10e8

SHA256
3afeb0c8a5748f90075518423de40254b1e87e15d8c3b3b1d8e728aeff86b6a2

SHA512
242d212c1bcc00a1d3801288c226891b33e6e4f4c50c9090b3304c1a728b67c53b6e71d13e1f54ccb8dc99d068c963e8b57ce35eba05860c6c87242f8cfca87b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
1.3MB

MD5
2586de394ae625aec48956141057d787

SHA1
96c9ea6b1e1b5f2de8a41a71980052b5f6388138

SHA256
e1ee1147ecb795c36c999ceee97f4142d3715e04971f696915f337a8eb43d01b

SHA512
977d82f416f7727fcf43e9038a85656ef67804ef07e819f436813ac48db40539d6019d99577294f6d813dff84834ea358bae980fb8c4d5cf1d09fb0b0698822f

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.4MB

MD5
653bef1605ffe33b5bbcd7e3fb78ade6

SHA1
66f57b5f354c0edb845de8a60f69aad250ab2120

SHA256
a79e856f6d988889a3c3a4284ea11f37c4a5ea1eb173e773e52345a7aeb8108d

SHA512
6b457f991158487ae741492f33f14328d7ee2ee8a9070862f897334e65d32434157f9117f01fc303b86b1262d21d0ab4d6e34d490f56c6910e857f8f09f4c897

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.3MB

MD5
09e1f213d83266e0a9309e4a0106063a

SHA1
0d9f0e6676a152fa6673d13976b06a8b03cd8d31

SHA256
d096458ace5045ef9c630313ffa831ab16e544e92bf5a78d6ea9084001037168

SHA512
202aefd41f923fc839b195218d99a61f672abaf0e2b057161eaa9a178508c60f3728d53aac2337ef201edf0d9267ddc646e06abd63229d077c088cd468113317

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
4a3dbc61226b1a5afc7008a81eee895e

SHA1
4b113d0d673838650875f927019f0824331de415

SHA256
007554580de542637839e936192973964c7ba32fdc66cd3e35172be8dc61aa74

SHA512
8818d9715497089571a3ec932343cc13aaf54d8de8826c7f7d8afe22e9577cd25af6060d9c001fc4440c189c36411aef00a88afbbf27ae614c1244982e7847e7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.4MB

MD5
09c41184eb644354c972528018a140a6

SHA1
007b5e2326385e491f3db9538a832872654549e9

SHA256
12a99aa8310c5cd720b08c50feb924d6753f64579559f93e05fe7becbc5391c4

SHA512
8d814ffca1d5d3d8f4130c79f29d6f111cd3953720aae76e00cdaba61a295081f3088750ee25de4960014cfdaa73399e0c479d56293077cb1fa49856597eb8fb

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
4bfee8770bf5cb263fa2a3128734b840

SHA1
023efd8ed1a870ed940e1380fc981c60b814d7d4

SHA256
4b8679547fe232f58a238263e6b3519cad1c829fed90b43931ac3ec67c2528f0

SHA512
6e2542ae9104ab6f7d625f0ff9ed2d7774e128d0e9ca128c128ec99b40a70ba2a08aef145ffc78f320b222988aaf5ae98b952d94848400d83fa410338404f7c5

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.3MB

MD5
f8983d71ee0bf970003ea35315450b2c

SHA1
6221f15fa28aa27f317eba9ca6942740bcca9961

SHA256
ff1411c46ba109e00bc14b540176e5b5f0282c018eb2f75e24ab276e44d3a7ca

SHA512
f6f187fe7816248a8b8d7a70712cd14d2225d9b9bacf757b11f10eb079df916e2cfd97248c560328f057f1e17089bebb69f927031d1e9e1321a617b2d8f8d28e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.6MB

MD5
77801ff331a4c2f2fdc7b583c45a6077

SHA1
d2437b4d325dc5be3499ced746ecc54eff1253e3

SHA256
09e89986f634a3a174abf9f4d1301a4d5d28ebcde5d89f11953e059fd79ce6f6

SHA512
04ed9699d6b14800d57400bc9cf4ab6b3855a38fba9b5673a362710a602f427ca67bfac0a250934134f1a4cf36ff132cf278bea4d5233a5a8c44b09acb4287d1

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.4MB

MD5
f93a660151a616b1209250885cf87c98

SHA1
a88fa5a658947647667d7cd15ecadfc54f308511

SHA256
e261d9a5d433338c8a09b248e6029fcbb5ab1c13cf560f074a292c171593605d

SHA512
90f3a9fb2b2571706e0a76ecb8b23aaa0da01571c1481d2131f510bf5409f5a4d2d44a21efa079096c6e87d1434b6b248fc4d16003dab2cbba93de02ecbafa7f

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
0467174ba064ad662004d44a2d7799dd

SHA1
de294455997e883c7eceb6c4dec01653e4e41378

SHA256
4d5a152b7f3907e38a9e48e639f5a31e8d4ba695f5ec9d06bbd8c823919ff377

SHA512
75dc2a2e11996fe35dd4922830124eec2eca29d8bd747f432eb3c649439c295b73b80800ce6a9c28a18227680669a0bdf288b1161d7667c328dd2f299fc979b7

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
d96bf0ceddf61d560e6eccd130c8d8b3

SHA1
2cee761c7132d0a6077463c33520491b432e91ed

SHA256
0e2b5cd65bed0103bd4b6385489c6f7d092132d4e072814a7cdab3b78dce3c66

SHA512
448e087dc57619e78b27d8e1f58818be694e4bc548ea688f0a70d8d953ee3b74ee59de78f2431308a82d340f01c013fd91721adb321a9becf4b63b264df2e5b0

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
4afa258af3dc2db7f875d3a4c6120697

SHA1
7e8734b7e2107b89011044152fe66d7b68cb2f6f

SHA256
656c1d21262037aa5d45f554686277c014b9ab5a9f7c6624b068b6394f57146e

SHA512
26f1b1fef4b612bac9a8b20bf9d13940cf62c633ab76083e8cf02db36c7d3bb0f155efee3ee0f2f81a9ccbad2272ef291c420236b1aadd3194776fa78808c328

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.6MB

MD5
cd4994c93e046334d0e35ff11de43134

SHA1
03294b2ceb55bc515a7f4185bc2f4be71ecb3f16

SHA256
1bc6c40afaa97ef601e9e1c8b4c9ccd6589c1872a5515ff3d87cef5804e43e55

SHA512
5505ad22e1731f51d2a2e2f12d4730080816aa7536c3b732fe53346e39afade10d136ad6b27aec8e7939dda42c2f805a6de7549da58bab7de5f8f387f434b6d2

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
ab1b786cc19bf3cdbcfd50698ade80d7

SHA1
db9f88401ff49367a52a87a8a2e8e852e7fa0672

SHA256
e643f01c717412e3fd4b51e0a25c71b7eea42c69824a75521276bedfcfbcec3a

SHA512
cd593aa28183612c5887846ca9122d6cb365e13d65d4311686853dd56faac20358890b96fdc05ef0c04c5ffbc4e973df861d87168314bb2e3c85b5e66590d4c1

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.4MB

MD5
9dd1744a68edefe34f4bec6e859fb3e4

SHA1
53743b9427450f2a1ad9206b67fcd2462ecfe7ff

SHA256
cc3df7de5ccb0608a648c286784291bbbb0645dc86c517d70fc5a82d1a1d1f95

SHA512
deebcb07837397541871f907d08dc25bf66f6504939630dc2968e4f77effd8968ae787b6f6dec8294446f6dbba01a6a9147525b2f186e3beb1f6b86adaba5f8f

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.4MB

MD5
1670f2b61e6e657d9b0f9df677485916

SHA1
78ec09bc0ad3eac824a63403543bb4f62a7180a1

SHA256
1d7f3d8cb04add0abb4de6bec73d7f73e57bd29a8bea8f5ed0fc710c3b9131ad

SHA512
8641f975000f006f7fe749da6fff5bd0bf846ed0926f643ba99cf3fc394b5c8b5841de34d79bbf802a2334e675fe22865a4490c190302612e6249eddb6f43104

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.3MB

MD5
d721576def4693323c95b6b7352a8f23

SHA1
ee8176f821c91890ad20b1b94a74635f23e9ed26

SHA256
a31050ad28331b0ce066cb5a04d58145961e97a1911043d39627bc07b345bb5e

SHA512
1e43cba190e735b4b49e23f1fa77403071e521c3f7685b9b3f908646bd392dcee3492189683a57ffc89f11abd89e789099467833c782cb7a84d99232397b4203

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
728d82c94480bb33858d9e7ed6a4b0c0

SHA1
85c13d02e5d7d65ab8dd11afdd5fbe0b17a21c6c

SHA256
fa778804d0f0d82b64b2e0a12cb93e0c047f729a6cdbf9a1ba2fdd9d7d9bf775

SHA512
6a0d6642f1c155260d8624082a6388bfc4e2192675230cb9a53e6c0ebf0a28b082730ae2c3e72f9d9936fc1812ca72def210609b820d2c2f3aef7f8f3cbdaf6c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.5MB

MD5
16caeb83b8fc6b0d7f9f67b54ff705c5

SHA1
82e73033191bdc384eb5abb3209bbbf59805fb39

SHA256
aae7a37d625ed9d2f9990f14e301247f4f9d20428a4b126c7d648d07aeabe7d9

SHA512
5e7ad679696817637c72b6b82b6edc2061c72f69fb7d9f1ff2d88567a9fd83e27caf0d7892d6e14c5ef3d256d2b0e72e567cf85d76d7b524d4374fb0d9c74e34

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
da8b0831f551d57c992f101572a2a266

SHA1
1f1c972cc70d2a668d8a8219d913f4eccf3af3c9

SHA256
41f2680e1a775fd1232d774d817eb3c3650c42761876e1c90f92a0c0e32aa776

SHA512
30c656b6b462f9303811d97b0088211232dc3b4154f9189aa19f3ec9d50fd4f2b31bad799c792d88154850ec5f1803cfa76b72e4b2ee31794c393ef33df9a25e

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
1239913ffaef6a54988f99c02e80930b

SHA1
6fd0d7561888b64221b2e029e5653a68b368e876

SHA256
58fe7a65f14168e108b8445c5331ac6bd56517d8b3a2a61b6952f30bd255bed7

SHA512
88a56fed1251105b4aa4362814a661bc22796c8c7c9c53e03115ad6eed4d67b8a40bd6e532812415be729e4d3df4bf2f4f97019dd8a54aaf807eeb49b92ee4b5

Download Submit
C:\odt\office2016setup.exe
Filesize
5.6MB

MD5
7f98edd10d866706aa4752c142510e53

SHA1
b2996c6b126e66c7dc553a235587c5a66f8c3b27

SHA256
093c36344f6866ee2211a7ba71dcf1e1b06bf92d477a97410a074829f9b5de91

SHA512
8e0818373b0c9398ebdb54d45834ac8be7086f65df7e0eef26bbb38aae560107476d92eec33f11dcebb13eec504482d7aa9882758a0c8d108be8f702b95481c7

Download Submit
memory/228-338-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/228-507-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/492-241-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/492-39-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/492-46-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/492-40-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1244-332-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1244-506-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1720-331-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-274-0x00000000008F0000-0x0000000000956000-memory.dmp

Filesize
408KB

Download
memory/1720-273-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/2024-504-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2024-324-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2144-451-0x0000000140000000-0x0000000140253000-memory.dmp

Filesize
2.3MB

Download
memory/2144-316-0x0000000140000000-0x0000000140253000-memory.dmp

Filesize
2.3MB

Download
memory/2192-413-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2192-340-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2192-286-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2300-319-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2300-320-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2660-66-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/2660-70-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/2660-60-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/2660-82-0x0000000140000000-0x000000014023B000-memory.dmp

Filesize
2.2MB

Download
memory/2660-68-0x0000000140000000-0x000000014023B000-memory.dmp

Filesize
2.2MB

Download
memory/2852-341-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2884-418-0x0000000140000000-0x0000000140273000-memory.dmp

Filesize
2.4MB

Download
memory/2884-305-0x0000000140000000-0x0000000140273000-memory.dmp

Filesize
2.4MB

Download
memory/3020-416-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/3020-290-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/3056-260-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3056-259-0x0000000140000000-0x000000014021C000-memory.dmp

Filesize
2.1MB

Download
memory/3056-266-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3056-327-0x0000000140000000-0x000000014021C000-memory.dmp

Filesize
2.1MB

Download
memory/3292-335-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/3292-283-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/3300-505-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3300-328-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3620-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3620-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3920-49-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3920-57-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/3920-56-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3920-246-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/3968-37-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3968-0-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/3968-9-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/3968-8-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4608-323-0x0000000140000000-0x000000014022A000-memory.dmp

Filesize
2.2MB

Download
memory/4608-255-0x0000000140000000-0x000000014022A000-memory.dmp

Filesize
2.2MB

Download
memory/4624-293-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4624-417-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4764-25-0x0000000140000000-0x000000014021A000-memory.dmp

Filesize
2.1MB

Download
memory/4764-17-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4764-205-0x0000000140000000-0x000000014021A000-memory.dmp

Filesize
2.1MB

Download
memory/4764-23-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4844-83-0x0000000140000000-0x0000000140240000-memory.dmp

Filesize
2.2MB

Download
memory/4844-247-0x0000000140000000-0x0000000140240000-memory.dmp

Filesize
2.2MB

Download
memory/4844-74-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4844-80-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4852-13-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/4852-204-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download