56b5887cfcdeaa23fb37327efaefd61980f74fd0b1ac17462394825bdb72fa6a

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2024, 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe
Size

1.1MB
MD5

df95d6461fecc0c0bf66b4228369bdef
SHA1

08894684ab058ec092a9973190aaafbd7688f849
SHA256

56b5887cfcdeaa23fb37327efaefd61980f74fd0b1ac17462394825bdb72fa6a
SHA512

2699157c038a88a9090f17f00e8a56d15b0cb04f81abb01b03f1e7b19ae741d8a843a959486b3440321d43d9245904013df1378fb8bf6e522bb1f14259a4891a
SSDEEP

24576:xSi1SoCU5qJSr1eWPSCsP0MugC6eTFEaDKLHVebOe2/iJ46P3DELQDq:xS7PLjeTS5e2/RKEm

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4604	alg.exe
532	DiagnosticsHub.StandardCollector.Service.exe
1096	fxssvc.exe
4852	elevation_service.exe
2408	elevation_service.exe
1224	maintenanceservice.exe
4628	msdtc.exe
964	OSE.EXE
4416	PerceptionSimulationService.exe
1144	perfhost.exe
4872	locator.exe
4544	SensorDataService.exe
5096	snmptrap.exe
2016	spectrum.exe
1592	ssh-agent.exe
2492	TieringEngineService.exe
1452	AgentService.exe
4856	vds.exe
1472	vssvc.exe
2904	wbengine.exe
2352	WmiApSrv.exe
1324	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d35cee7866ec4f27.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_76234\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007013cbf02b5fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005cd9b0f02b5fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000183d94f02b5fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f3f690f12b5fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f03bb3f02b5fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b729a0f02b5fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
532	DiagnosticsHub.StandardCollector.Service.exe
532	DiagnosticsHub.StandardCollector.Service.exe
532	DiagnosticsHub.StandardCollector.Service.exe
532	DiagnosticsHub.StandardCollector.Service.exe
532	DiagnosticsHub.StandardCollector.Service.exe
532	DiagnosticsHub.StandardCollector.Service.exe
532	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1916	2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe
Token: SeAuditPrivilege	1096	fxssvc.exe
Token: SeRestorePrivilege	2492	TieringEngineService.exe
Token: SeManageVolumePrivilege	2492	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1452	AgentService.exe
Token: SeBackupPrivilege	1472	vssvc.exe
Token: SeRestorePrivilege	1472	vssvc.exe
Token: SeAuditPrivilege	1472	vssvc.exe
Token: SeBackupPrivilege	2904	wbengine.exe
Token: SeRestorePrivilege	2904	wbengine.exe
Token: SeSecurityPrivilege	2904	wbengine.exe
Token: 33	1324	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeDebugPrivilege	4604	alg.exe
Token: SeDebugPrivilege	4604	alg.exe
Token: SeDebugPrivilege	4604	alg.exe
Token: SeDebugPrivilege	532	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 3600	1324	SearchIndexer.exe	109
PID 1324 wrote to memory of 3600	1324	SearchIndexer.exe	109
PID 1324 wrote to memory of 1344	1324	SearchIndexer.exe	110
PID 1324 wrote to memory of 1344	1324	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-14_df95d6461fecc0c0bf66b4228369bdef_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4604

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3260

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4852

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2408

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1224

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4628

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:964

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4416

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1144

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4872

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4544

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5096

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2016

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2420

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4856

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2352

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3600
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
0e726b16118cca077f4f5f1ab2e8993d

SHA1
79778ac16085fb9fa219b3287a9a9b93115629e2

SHA256
beb1dc0b13c3347fc165f3162c4d2e135c39ecb7835d7ffa01475afb7457cc7f

SHA512
3e4ad2c9b0144b0efec9c1d8bdec0bee32fa3b3e78d09d2064695a0cef88657f7c8b3d6a1cf457b5382dca508c8651c0c9a0758225d2d93848943d2250e3fbae

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
011beb9622a39a3ccabe18798bddbb48

SHA1
a8a6305cceb116b8c7d9ef849f886ae18fb30cd0

SHA256
4953735d0d0dc565870be0ba4475a2e5d8c42dddd13fc5e102b6f6f3337cb771

SHA512
8e5819d9a243bbc7d2d95f4051a9be8d4a8f3e30ba77466670c92bf555e3330df81466122df288f175c7012a093bb998200c82580f9ac0476132afb2e6380626

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
704KB

MD5
e8d86345859e90b03fd0d1719d997d94

SHA1
8832a4cde73a18021539891904505f5371677dbe

SHA256
5eca8fa2cd82492d95008cc44094a5f399cb42bd95fdd8a2d766cea28dc262ce

SHA512
dcefe62b4a7a43235232bc6aa324e900e4e04de20e1483b3e1e34d3621fb4987a24e677c91dd9e05bb2b51da9d103221cc6408c12a77aa4460d0ee11ef572fd1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
61fbb69098e00af0355fce2515cd889e

SHA1
987579a052532c684da5ccdd1e76efe183541358

SHA256
260b794ee2bf001297d69e78aecbc8b10d9fd250896c2294640592074d85be91

SHA512
776785c45810ba6b93d83abc1fbab119f99ca42130148828d56168eea0e0aa0d13d72ea7c7935b4b0c0c2c94d40a63299ca78e74d34aea2687e2ee856cb41190

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b81bc8fa3f4375e413d8b0d708f3ef84

SHA1
09af4d75f1fae49786c7aa5a3a7fd37704a2bdff

SHA256
821557bef25c066a973319acf9f38dc1f7afa4730c2d8b58ff7ecfee5e4ff281

SHA512
c2e98e99981d6a5039598583720c5564b0f20ecdf4647c1b76bf0e67a9f1c709e60241238563cf5d7e81676e15186a922614aede62da299c7048a2d0072bac61

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d92276134e64141170373548940a14fd

SHA1
4f051c9d5fbd45e78cf23ef638701424d8f75e0c

SHA256
a87736355c460173d108033ffef82ba4250c7fa5254af2388645e6e46ad20a51

SHA512
21ad45ded10f97b9daf6ae75a180364252f06dd52671cc568a7a57265494d24f876ea353969f97e26fbfb33376466b3e7f71e8630f9960d7b259874e9d07da4f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
ea54ea98b06dcd6ce508fe2d5f1178c4

SHA1
e40b1a72706ec83e919068f8f0da493cf90e1c74

SHA256
f072fa410ea7a30e704c592748f5043301b344e140a79ad577df6aaf78536626

SHA512
bf09f5ee3facc819e7fd07ab4f94477fc866de07dd5e0aeb69621fa09a9978b87f2ead1985b9cde397a0bca4ad6b230cb0d090491f4f7d4eb27783cd27cdd148

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
7271f761493c8c4272a355bedba812d8

SHA1
84f1526b9854f22f8f9ad40baaee2ff2e40f043a

SHA256
f93288a6688fda8102c4739a372272e22f0ee328b310c3574457e597da5e395e

SHA512
ffa4b0ec72a0cf01099a3d3c1b3e00d1b10c3be1c57ed9db9fe60d02ef39d4dbd572d685001e4cd54b72e99def000c43669a38af405c35f2cae4dac475114e9c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.5MB

MD5
c35ef0d06bd01266c8bf212f55859e8a

SHA1
a761d92d56a7f3792946c873cb1a26c07b5a69c6

SHA256
d1ea88798dbafd4d288837faca8d48364c7181ef8c18829fe9ca5f729cb72dd3

SHA512
0ca287a1cbdf24e106f2c6adc9744c720274f7766ae566a59d79094be43f0923dbfac318b21f6858c58d3f152cbe3ba087d06b847c15d265d2474cf75d8892ba

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
9c261b5bb1668e13ab44b1f2b11714e7

SHA1
8f72754d00cee4f9246571a84966c773a90eae5f

SHA256
26c69fd3886b6e1f8995445b009ffd46a381f2c3155cf245b7fa0a40c87a2a5c

SHA512
f57fe459c4bd5b5290e535048efed671fce18cbd807eaf800516f1f899bbf7e88793866b83c0d8007e1e6e885a31a5d2af6eb05b6a09a8956952ef52abe14340

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
3.7MB

MD5
d63df77fcb60d6ff9f70e60bfd3b1a92

SHA1
170a371e3674462f9db665fa1055ce437827008a

SHA256
add90de83dbf237ffb64cae5c7b70ee1ea7a3d04dfbbe1ecdfd7be8a5bafc891

SHA512
28410df1fcaca2d779ad328f3934998632bbfcdab8dd48045ff34585255e4f2f8c0c119e6d0c0255ed6711f93c311e82d155f392a196ca79108ca6afaece5f88

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
256KB

MD5
de74b44048a0cf57d9e04702994af167

SHA1
ec2d19a0c4e8cb7012245ae7d4bbb4b8e5f77f9f

SHA256
11f883118928f6f11bd6a63c8cb9e6cd8b146bc86bc6e8834ddef4db086d205d

SHA512
e11aaa18ee80fe762d5b91cb005fa11bdd057848914b66cefc54f7afe57414091589dfb521b63c972b7456a59b8f01c309844f555d0ce93a61b795ba15ae6499

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b68695c233a7a88fdb395950af4cc64a

SHA1
b5d72cc9d299079fdff6a774742c4816e3db5041

SHA256
78fbabfe664e4753175a78b508511092b8a69f4086d6c11416a357dc8f19540e

SHA512
5b0f26bd2dda314f369f36b7f56bff5396f5a2a54e1787db51c619aa53cc3c9a6507728e573aa63714aa80c901f7b722fb2c097175837e399e9bc0565037e69d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
af6177558178b69d8fd978771ea91104

SHA1
742656de82778aaefce290126d2848d6c94d1b92

SHA256
0ace29274d7f73af03a283d57061587171d882d7ea8f4cc70a2a260f64cc5216

SHA512
3ab0647cc0beba0ae6013980b95c63448302bacc9e65d3b1c6e85cce74ec21c4afe67ad5135cd87bca1189a9168bfd70d10e05d068939a53f018e98eeec429dd

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
256KB

MD5
11336dc248a03fd450e0a6797bb10fb4

SHA1
15becb362fbefadfbb8cceb3960e734c1bfab95f

SHA256
90e0d571e7c5329ec1451ac363ecf8aada743bf444fe99c3e0780b698ef4c646

SHA512
01e4e0b0ce3d18e337e1d91f4adcab00fb565e1450c27675ec5b283d41008dd8f366416c078ba854227ae16909d7aa5f06dd603f6a5bbe36fc69479d33eae123

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
256KB

MD5
0bf230901c2e6ccea0efb633cf6b75df

SHA1
46bfa189f8db8bf67ac36359dc0d4042955bb973

SHA256
6cd985f832759d10ef642738dae4f83725df1826599894a3031372bf83dbf369

SHA512
e6ce1f1c8a61cb73a6f38769d6d6f11b06f3ed2777a6cc8a625866238dd7034a40a73676a9b036ae8b74a46ecd45b60ff2437655cd9111b1addcc47f43781035

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
256KB

MD5
117cd28c08703bacc8c06edc6b247c86

SHA1
8c3347a6f31cc9c8a349e4b9c5de4dd9ac33237c

SHA256
c24da4b26c9b04cbca920221fd421480b98a71aeb3f9dbaee718c115d6574afe

SHA512
407c9d8472e50a168eafd94d61ed13e499bf5b3c815d700de4dc82f87d68806fc190081c44b75ac597e1e0f8f71c0834a406220e51640c1022fb3a04873c4b35

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
256KB

MD5
00c24e1de58a819f9bce46f49cd5a15e

SHA1
ae97bb3ac34f7b5e4270fd01c3236e7eb7d4cbcd

SHA256
d3f3668d657741ed7614bef229900367be36f2d9939c14827817f583aac93d1e

SHA512
6f98ad437514bab36e958f4e42cb0efcb091ed5040f7c8345389f210ef477a14e4a3696a8a24d3e70820832b268fc2e94903a1e610bc007bb5973801c737edce

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
8797d9ff56fed092387fb6e6df1c94c0

SHA1
b171728fc9b64e4b0c4315630cd129c12fc6da21

SHA256
d7431a54eeef81d393d963f0966cb2f2c2434d23a39732b907b25f208cda90b0

SHA512
b2c08bbba60eff6ec381e3d81bc7989f6e0a87def35d9c3c54e877327206bcb9b7330d187000221e6fc3f407934d2b1f08f4cdfa70602a0319a9d35d9a473125

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
256KB

MD5
5c299fdd93eae0c6618fced4dd0cc81f

SHA1
f42c767e366d1e08dc81593d3ac5abbf788b55a1

SHA256
42c564051c209e40dde1ac13ee5a2a37baf734f085ecef8f2b6d49fc4e674f76

SHA512
64fc4589c0e1ac31a50a6cb665e14833c252e9aad7fc697b8a749be9f3a54f39fa1b0871b84e9c7dce3dee0b7d17e60e46fcba6a12fa516a0a1cf42ba192ad66

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
256KB

MD5
d681d51289bb8368f5f9023fdfdfe3ea

SHA1
0ddaafc900b265a31809245095386bafc10fd324

SHA256
38d1616329f1f7fb03d93fa614d6c61c3196e4f8d3e1e5de2b2a8267d1e42321

SHA512
cdaa9185599d2bad4eddaa1baa14c1ac07632ac5784086b35edb5f7ce5f57295e81142afa0fa447f8cb7370f8d7c9932c8a65f3792cf68437cb64683ead597f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
d1dc0cadfe5ad86f0f31e7074c0f7a50

SHA1
5c9121c3f65b99639830effe9ba22acc809bad6e

SHA256
340f55acfe71731d8f424074bb701816883e5caea99a780a6b0df7bce9edadc2

SHA512
44cc28aab23c8b0957a48f94c81f0fe6fc31a61eedd5ab14d79836e60ea858b87ccb5517148393efea9cbeb40ad225d1294c153d0dba20ded4e6a7371de1a255

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
c48a370fae2ded0db730bdcfbfe2f802

SHA1
c221d5b861794d23d9ac5a1efc16bddf79b0bc70

SHA256
8cf909d51840a4ae53829d4f753740da33e4bd9a3e36b9ee544d51323e9e2572

SHA512
ad1247b60d1755de67cdf8ad59b2a28f688888d84ad2af6c6da070136f28db816585a999c8c079ad36dd7a05dc39efd0f20ec6605fdb7561ead953dd2200f73e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
c81688c252f2932d87b266fe19f87588

SHA1
619c5d16cc5fdcaa86700d5a17db4d08b07178c1

SHA256
c5abb378cefe0187e7b588797e5be0c5e85f840b38d2b124bc268a08ae57ff5b

SHA512
9db39eee77bf1392b8c9eaf58442e8d2f878d98783e8c75cf2c0b8416792ef88db40caffe053d18e2ad22336b3665c949e53c741d213c1e6578a72fa7f91e289

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
fb0c04a59c4c71854c310eadc7405c9d

SHA1
759efb0c55bf7e3344419f033920eca84810eb8e

SHA256
da9ba76ac7877b604405945c546b2d3a7d06cd5395e26986e536dd5052d80161

SHA512
4d976289aee760242552ec769969d544febdb0fd696e6bb2f542d4fab6c6c7548d4f0aaaecd1bac78f08d34bb2f40035ea8a79af5a05d3a22470487737b0f27a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
fec7d33c5129548160faee6ebe5ca595

SHA1
169aa40bf98afdefdac28893086d4b7a934a0523

SHA256
4e325a6db6afcbab39337ff67c26117c15cc9b749f37d27311eec5ec4ced05c0

SHA512
0ba6ee2469644e466729d85e044308681afee9cca3112fae7f2547cc48967c4024ab6b2f9f5b64b2b9681f2862816b3e34914b732c799834dee6254fd685cc26

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
bf01941330b2c607ec24083d879aff5c

SHA1
1301abd38dd09bda660a6a5aaee43e2da9bf8dea

SHA256
161c281aa5cb448589549cab9abf08d8166562f969ca4a688a31abc1dac6b444

SHA512
6157eb7699f15113d07375d5e9924c89f5d37776f79ad1f1104716f8d43ad220719397730e2c5bc5012e2efa3e3d20206a761def67829d32432c0ec95d914ae8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
91b1bd73865fef52cb4b40738750d9e6

SHA1
1b1c230dee71a4249767f29341e170a32b504a6e

SHA256
bc8d765b380f18019b0ed2fdf41223bf0bac9c4e50e279269f1f6a84f640b338

SHA512
356fc071b00a544874afd8893266dd887310332abaf3486bfddf5294ca3ab650611e83850af2e773f29140726f44ef2a0e8074de728850a148fd61af7e2f264c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
023577f98dc42d2d159141ee7c543e44

SHA1
0d7fbe2a21423a23469c79c44c8dd719a27668bf

SHA256
b0c59d0131fc6f853f2717d8b861a8198610e514d635c0d3dace91ea1763fdb7

SHA512
584f69434f22fc2156d00bcd0517603cd35e6e9a83e241a50e32025edaf44b6d241321c870d7357b504704dd3f36e482025046b8c160187adc5f8e0cc8789446

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
07e16c12da101f8f492a2e195ec3bd66

SHA1
985e19602b34863a2e09acacd66a89cf3a6dec1c

SHA256
423b0d28fcd183e2e58dcad444fd0f6f7149c36b50e7d7b19fd097fa622230f8

SHA512
47a2e39f28b738d253c34b94ecc2472bc1ae9af5370ec26974a1f44e21344318f511f788e0dea47764070548b332545aa0734b615657b8e4f91846a6811c986f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
7c4f50a429f88d502d14e023ea70f12a

SHA1
a159c5c1caae9d007b589c6bb6add4c943aaaab4

SHA256
7013e18add5082d1512796848c49fca201dffe4c5b6e4207fcd43bd45a60f6e5

SHA512
cc10c9169fec80aa57ff88f0f832a0f05ec669113dd840a260426733cd555f52b339e3654a39565df844ef632d7bb24605b7e9aeb08a6e38a0ae52eb4a05c9fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
a64c1a4634e964a067c0cb811c570e4d

SHA1
d297cbbb6015d00be33ddc9bfca7814788ce165f

SHA256
ce672b0a61d4030ee82573c8a04566558225e1cbd1d98845e75e3d69094245e5

SHA512
ad61f18601b2d306f3a9a1ab04a728ab9bce948b004fe3f9a7cdf2bf084af06a07de19c7d9defecde9bb558a125bd2fd7fea19ddf6b573e5db32c531099b4142

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
02e1f92db5755ddf8ce46d8d49abe7db

SHA1
549b79f0400a430c531c5d52c04c290e4d76d261

SHA256
2533cd9b9c3bac20adbe1657008541403860ccf71d9062fb53f09f3e3518fde8

SHA512
25216985b2b5ec13f8a8f1fa57d393923f54fdd5dd0e105ba2c58af02448a221df0417742f5dc1cdc4d470a1c37beea0517e06a91e761629f2c2352a91400610

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
87b408f7cc657baeb5c2ed0a3de70264

SHA1
895daa458223ae1f257fe53ebe48a8a301c89502

SHA256
cc14d6803cdaab393ae604c4105f25e25023864c6b4062524196e9cfdacdd686

SHA512
c7e94c1a7bcd9c3acf3a052142faf143dd081863c79976cb05e6e0697b3ccbf2bc46be61ff3c4298aa1a8b6f49a62f779d2c5fc84638316d8461bc4882d73e30

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
4d1724ea01f49e121e15dec29306e957

SHA1
aba0b5686c693254cfc0eecc86684ef137a12e66

SHA256
a8658aff245ab4991f9a4b0cfa74b0dbfe1e8b3e070d531572e6c55c7d69d37d

SHA512
5b4f11626ae10baa8094c024daee002ecfe02bc2fb62626e833607c9e1f11fd09bcaf32b9c58a5c6672235d3146bb31619f9de58b8311ee386365413e8a58d29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
d79ba820e5e99c2f054118a84705a77f

SHA1
424b2795eb9317fd1e3282ee603bd9c6570b4341

SHA256
bc4bf1d5e5db49f81f20a77d28713c7d82a283fae637c4419ab699d57fe621a2

SHA512
05339818126ce11ded1763df1343afcd49026770ec419afc347d8a86f6ad6de7d583a8978efbd1dc94acef4addf875fec4e61e62fada60224167ef86007f2643

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
420273c44b6119f94540a0a5f546f3aa

SHA1
0bdbcc7d133c0e4b24f8352634e35ec1dcb6d105

SHA256
191322ea1ab055f61365b4c17a3f6bab2173cefaf495a8919033ae35179a3611

SHA512
6a1680d4ce3d2845fdeca0d950eadda771a62b9b37c33fe248b25284afb4dde0684c52ca85bcee54e5aaf84d7ea77aedf1c48e7dc19a32ab7f00374e613e7d8d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a54d059885400417f94d56c16b078684

SHA1
b664dab8951abe8289cb239ee3a9909446798ce4

SHA256
3b9097659276c32e6c30d0e0cee5238364d7b3ffc9f57b96b28e970e2ef66bb3

SHA512
c5ab9cb6fe050494c0b6254640375b7057c46e1cd744faaa37f510f26ee8c41ab94fb6dcdee95546061453ce3e45bae8d918b5547e6705cc47e4f456d482e40a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
256KB

MD5
a6338c32709c7739b81aa403e6383ce0

SHA1
098a6ef92a4c377c087fb0aea6eb426cd5cd3643

SHA256
c2f03833a3f89e05db90afa70a7c1d77aef42df898b64401e861d99cdd6438d5

SHA512
477965c7589d6d4488d10bbbf04b1187d4c71d3ad41b6054e7e6019b9b91c8f80e8ef8bf9f955dedfcc755074961b9854282de746dd4346c79d4d8f9df006bd2

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
2dca44b3cb48ae5cf22e31974ef2cea6

SHA1
911b902f8364cf90a678089780f15fcd35227654

SHA256
ca19226e8ee78f546592b7d741992eb04de9b74f163cb5f1897f3545f3ecec7f

SHA512
83e7f4c6d83aa215d7878c62f71222ffcad76373b2480100683305da130b7de3bbc08e4bcc0b51ae700f05d0cc49d6cac56e3dac0ffc44a9be9dc6c37b602adc

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
bf1319d379a9bcbe384ff407aea4e65e

SHA1
016144ba6a56a25dcef754213312eee57cb13b8b

SHA256
498c8b11134748b2297847da529cd08ec6b39492c6fec104c61d0679510f602c

SHA512
0989b83ec22986acf1c682149d28d383033751636d92a7fda945531d658948c289479a26ea62c87622eb44f36bfc7e65cd9d280173626dda318370b6250e44e8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
2224fb5a7384048711e0cd76ed0f76af

SHA1
a7d7ef7311cff0fc17947a97fac0faaac63447c3

SHA256
4dd48e811907ee86e86b56fc00eb3573408fa7482e5fbdef32f38a59556e0954

SHA512
cbf882d96e5fd4e96fd387d0d19faf4a259cfa9d71951a38384800cf720186f1d7b9095c259bb73f9f7194c448d351517c180614f1c508a9aabc8f48c17c0ceb

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
94cc1bb822a619a2d2cc42c1eb8b9bed

SHA1
f5d3618ad9810ede50fb851e89babac551dd646e

SHA256
8ad8db3193ccd25d89ce1ef16a2bd74bb23f3dc2db677990ee718deb63c2280d

SHA512
ef411c6608d2be5ee29c9efe4fddb74c04ece7653bd34e6ffd92d4f429ea2167b0a1f4a6d043e6f9a4fd113b7bd63d20d145db83b555f957707f0fb851467ab4

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
bd3e5792ad8780dd6d9b4d241dc46acb

SHA1
ba43712c5785fd60ab6ab7a345d264f449fee40f

SHA256
efc5f4ee59f5c703ce5f6568467e464b56a32e01f9e0bb3767527374eea0b078

SHA512
a6f241f47aa6486325b2e78e9861e942a070a6cd805b15c88c7480a7471dce413ea8fb6a6a73b0f40a5e78b7d1bb14627f1ee55f930c35ec4de4bcab39b41349

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
65f75474c03340d1e29b5a81355800fb

SHA1
fe9f8d1cd50a72d62357ed61ce8d5513d11f2584

SHA256
8e13613717fc0f7b8fcde42c9e32350b3fc8fac50233f2ce6ab22263b24450d5

SHA512
2c841985a9bb317b0c5fe4172774844d938d7a331dd8d77aaba9fca6aab089db68cc6db35909505870981a109c4facf5564120d601212b9fc75cac40099b9e92

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
398e03f9e3f173fc9c4fb457d4403d95

SHA1
a3d30b1c511f8b63513eb73105ce07da095ce597

SHA256
3fbd4fd1850ac7e441087f71b4be2089a35a56ba043abeb39ed8661849615612

SHA512
c7519d28ba0ce4530a6edd56c7830979b64589f81e8d188ad1a454f6174fe0eb8f73279ec0f11b5fc98da492b09584abf0df618915903eaa7c4214dfe28f929a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
66030a84ae1ad0646e1c9c36e828fba6

SHA1
8604193284668f03316789b4d4e1aaf4b36ff5e7

SHA256
ec21da22927d9a1a4384f0d42c9e0d6b5040eec770bf03968125d217cd601204

SHA512
b6fe1fe9142e38d0d5f0061ce45b278ef3a46128282bf7a6ff8ba31ef74fe9d0da49c65b3d66dd86bf5f8df814f79e4ed21a020ed0aec507137c2c3a43bf9ce7

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1854216b3f5a96b22638f0c933520b0b

SHA1
e0ded8c1f349d0968f8a025f457573931919d481

SHA256
d6b6d4e5426ccb5ea56a2d5e8d3d94ac9f847985ffbffbe0d60c8c1a22ae4722

SHA512
c580943e64188e68cb5acfc1ba298a006235c36a4d7cd9040480466bd93b532739337c050081fd3d012df1c563b34da082edcff2f13aaf8137b7f9c29722b792

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1b00c8c1dafdf185253f26892be17c5d

SHA1
e548a685ef59d2caa221d8542caf2e6e678bc5e0

SHA256
62883356902289dd65d2af5d435bb2b887cadd2115db895b2039f96d6a885f8f

SHA512
bcbfcdd68ca4018d4bf08280226963ea96c2ae933ab405a265ff5802d9c5ca67b02bbbbc3b714eff89e3878e67aa243cea056a98590187620fb06454436377e5

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
b56597e0d0a629aa89ccf9f50f06a8bb

SHA1
a8bf8061e35df02a80d17604eb9653e25477dcc9

SHA256
f807e0aca4839652bca450c32f0ebb490aea459000f12ab7a72787275ff31cd6

SHA512
72eacea477c6e7f18d54c16d002edde76bd5867989e0ed5ae2e4290db15bf12ba4b55defdfb82647821c1727e4c43be5ff362e9e075599c6920041b495dcce1c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
de69870113a6e62717c491f4aec00be8

SHA1
d464a990a9b1d1c7e9270fe05e581122300b1c16

SHA256
dd5c2de3ed44d4fef64810907a274ff7ad08e2b31e892297150bd7870965cdc5

SHA512
43f80e7f754d9cc7564809446e9bb64ea1b1a609bb3af594b32a325a2167a02565728cb8f355dfc30bf99d92381c51556fdb1515e7a7058255118b7e8f2fe7fe

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
b469d52503738dfa659c10d5330d1e0a

SHA1
46d5647099284a22b47dd47acba13cdf160c627c

SHA256
bcaa2ccf6422ec19ba62002391ba44983cfa5269db23fe66015ffa904dab62ff

SHA512
bf736309cc736fd996fdb1098137095cdff7a74a287834b8049eedfd37d1efec41a9eb4e01cebd9ff451dc05d0f74e918c300d4f4c990dc22b50646a1a4c7411

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
4d3226a70286c77a2110b61d9df3cf92

SHA1
63a467902bd4313f25e71891ec76e04637d4c199

SHA256
d693f166d6cd008e5074a02bfe4d35f8f444eed5a7f2594655c70bd5059b90e9

SHA512
828d3b737770c2eaa1b3fd88890025c5d0caaecf83472abdb999ff3e94a6b6c98e40ad6e487353c5663fee8841d679fd0940c9b7b3a25bc320a6ba144f44b5eb

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
7dc394e4d3917dd7020ce1dec8fdf8f4

SHA1
2fd7a4cfbd85488fbcb2ae19ec60cb7ec24904d1

SHA256
9a994c2b73659107e0cfc20ff0fa71c96a3d94c7999c670195de9cc0163123f5

SHA512
12cab1157e1ed0c8f8eae529d742ad212b3fd5f5fbfd0dd72f33ff5c0c35fe63294b71751766b503eb80dbaabd8b793e5481a7c0f8d3649ad1b8ee2d76a93f03

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
22f23e65807081ea0423eef39e4596a6

SHA1
e52cb83a867dacbfd5a30bac72a2fbfd7e40596c

SHA256
74bbd7f1f64c9c008ba5ecb288a888cea689397fe5f9533b5e6847357278df10

SHA512
8de3a2ab5ee2cb40467ea7848f2d3d9ccfd68aac007616baa2e58f90e07ee3e97eee97378bc0c1b0f35db8dc5d46c72201d9570608a75bc9f51ba05e71f4afc7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
ad5914da0e5ab63691d90749c461e9f4

SHA1
6e11a282a60052f6825d8d06641c0c67b8b702ce

SHA256
cae600fd9221f443837629b768136f00f95b2758220623993f1bfc374f65e76b

SHA512
88c857a7d5b2c9a265d23284f50445afeafbfac7508b807e88f85599d21587ebd64b0c78de05c7403a35d625f1a0eb890b77ff1503cf6eb2f76105885de2034c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
704KB

MD5
bc362b68594f94faa955ef461f4b1f59

SHA1
6e9d65687c53357d4d0e8ccd96acadbb7b26010b

SHA256
4a9f43d46cb0e9897fde837b3f7f7a3098ef1e4d2ee50750a0d4a89eb06c3fb2

SHA512
eace2fc53b9a11f16969f65af4afa4eaa6ea81210dcd623f07c8d18addef6113ad4218ab8f9b770453b45c742da94bc0617c06a2b0c418831939fab20583cf31

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
1099410bd12efc61a56c7f4d41aae7c5

SHA1
30ab7d58ae7fbbcc3b2f8967fd5e628015891fbe

SHA256
a062c6411b2ee568237080dafb6573b4a0e7a6ce34c54a36273a779740a12d22

SHA512
7bffd535e77d89ee9578ad47898a29884d0ec9e0f93316ece7084a7fb9b406a83f716977dca769189e8985b5b0a80bd437032fa05196aa40e71a254e46f5388c

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
320KB

MD5
3d17b721942ebfbed4d88d06a297a913

SHA1
87ff2418a70237baa1ac0e3ff06bbb6ae66e5001

SHA256
16a804d056013fdca71ce670be7879c847211d313c15737dc48c48aab6279ce5

SHA512
1a7d8edc6fe8be9338491ac5e60849a12924928c804838c5cdaacbd9cd6368f2dc9606465198af4f5981c990279e090ea072e04720a59987c4a0cd0410c1a57c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
3e4f54d607410bf86bd5148496616b08

SHA1
2c5a4de4f0970f4d9226ec630cd059b857a38473

SHA256
2b70c6661a03f19ce44c63d138f7ee909ee7075e555eb361a57cd0e20a539a2c

SHA512
5c1201d2bdb8f13ecd8b1f1237f6ac74829c61b273c5ae4d5415e56bfd02aa0362bcfe357a0611b433167d65129c3f84766aae1e10480d97b41119cb8ca12509

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
f1325404df8857cd5286c469a664c962

SHA1
09c90449b95f6402d68b2124867d35059f5e061a

SHA256
1cb44f18619ef2524971d3d633f6fddff88b80e725e69e35ddfe0aa1cd4d545d

SHA512
d8a4f6bc0b728dca81fa7ef2d92cf614166ba5428fd70bd4f0bdac8155d7dee99d28366b8c9b2a872753c85427771cc5889c69e94d1ca12150940e2ec9247727

Download Submit
memory/532-93-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/532-25-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/532-26-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/532-33-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/964-108-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/964-173-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/964-119-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1096-38-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1096-44-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1096-48-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1096-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1096-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1144-199-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1144-143-0x00000000005C0000-0x0000000000627000-memory.dmp

Filesize
412KB

Download
memory/1144-136-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1224-91-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1224-89-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/1224-85-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/1224-79-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1224-77-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/1324-305-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/1324-296-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1452-241-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1452-229-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1452-236-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1452-240-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1472-257-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1472-266-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1592-202-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/1592-209-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1592-269-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/1916-402-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/1916-413-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/1916-63-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/1916-7-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/1916-2-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/1916-0-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/2016-256-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2016-187-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2016-196-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/2352-292-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2352-283-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/2408-135-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2408-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2408-66-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2408-72-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2492-216-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/2492-223-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2492-282-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/2904-272-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2904-278-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/4416-125-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/4416-186-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/4416-131-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/4544-168-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4544-162-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4544-226-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4604-76-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/4604-13-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/4604-12-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4604-19-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4628-159-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/4628-103-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4628-94-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/4628-95-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4852-50-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4852-52-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4852-59-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4852-123-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4856-245-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4856-252-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/4872-213-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4872-147-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4872-156-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/5096-243-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/5096-174-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/5096-183-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download