0adc6e96bc2fe150d02a1e08ebf39749ee0af0b7c148cd9a595dfeb1f97a4758

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23-02-2024 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-23_ce08cf8e0d5bafe309093ad3d0c2f9a9_ryuk.exe
Size

3.1MB
MD5

ce08cf8e0d5bafe309093ad3d0c2f9a9
SHA1

63b54acc6f2ffde160d2a76dfceb46520f186155
SHA256

0adc6e96bc2fe150d02a1e08ebf39749ee0af0b7c148cd9a595dfeb1f97a4758
SHA512

2ce2becc6bec76abcc96b242924feac7151402cbf8d3b10d5677b009abfd9de391b2f7b2f4d499c27cd751016815dda8a7ee8cd1cbece1547f450da1f3cc0622
SSDEEP

49152:+tvAf1XBFRpBgTT4zAzb+x+Cgt5U72i5sYqPkp9nw3rtgiomvJi:Wu1++0U1CYqP1xjNi

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2156	alg.exe
3424	DiagnosticsHub.StandardCollector.Service.exe
1040	fxssvc.exe
2728	elevation_service.exe
3124	elevation_service.exe
1352	maintenanceservice.exe
1636	msdtc.exe
3944	OSE.EXE
4344	PerceptionSimulationService.exe
3720	perfhost.exe
2168	locator.exe
916	SensorDataService.exe
3676	snmptrap.exe
4112	spectrum.exe
4604	ssh-agent.exe
4456	TieringEngineService.exe
4180	AgentService.exe
2412	vds.exe
1204	vssvc.exe
5072	wbengine.exe
1280	WmiApSrv.exe
4408	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-02-23_ce08cf8e0d5bafe309093ad3d0c2f9a9_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-02-23_ce08cf8e0d5bafe309093ad3d0c2f9a9_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-02-23_ce08cf8e0d5bafe309093ad3d0c2f9a9_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-02-23_ce08cf8e0d5bafe309093ad3d0c2f9a9_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\58f4475ce03311e5.bin	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-02-23_ce08cf8e0d5bafe309093ad3d0c2f9a9_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-02-23_ce08cf8e0d5bafe309093ad3d0c2f9a9_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-02-23_ce08cf8e0d5bafe309093ad3d0c2f9a9_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-02-23_ce08cf8e0d5bafe309093ad3d0c2f9a9_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-02-23_ce08cf8e0d5bafe309093ad3d0c2f9a9_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-02-23_ce08cf8e0d5bafe309093ad3d0c2f9a9_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-02-23_ce08cf8e0d5bafe309093ad3d0c2f9a9_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-02-23_ce08cf8e0d5bafe309093ad3d0c2f9a9_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-02-23_ce08cf8e0d5bafe309093ad3d0c2f9a9_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-02-23_ce08cf8e0d5bafe309093ad3d0c2f9a9_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-02-23_ce08cf8e0d5bafe309093ad3d0c2f9a9_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-02-23_ce08cf8e0d5bafe309093ad3d0c2f9a9_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-02-23_ce08cf8e0d5bafe309093ad3d0c2f9a9_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-02-23_ce08cf8e0d5bafe309093ad3d0c2f9a9_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-02-23_ce08cf8e0d5bafe309093ad3d0c2f9a9_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-02-23_ce08cf8e0d5bafe309093ad3d0c2f9a9_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-02-23_ce08cf8e0d5bafe309093ad3d0c2f9a9_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-02-23_ce08cf8e0d5bafe309093ad3d0c2f9a9_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-02-23_ce08cf8e0d5bafe309093ad3d0c2f9a9_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-02-23_ce08cf8e0d5bafe309093ad3d0c2f9a9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-02-23_ce08cf8e0d5bafe309093ad3d0c2f9a9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80437\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-02-23_ce08cf8e0d5bafe309093ad3d0c2f9a9_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-02-23_ce08cf8e0d5bafe309093ad3d0c2f9a9_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-02-23_ce08cf8e0d5bafe309093ad3d0c2f9a9_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-02-23_ce08cf8e0d5bafe309093ad3d0c2f9a9_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000066e005735d66da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b7cfd3725d66da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000428587725d66da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cc0bb0725d66da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000261c01735d66da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fc9f86735d66da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e82528725d66da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000604f10725d66da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3424	DiagnosticsHub.StandardCollector.Service.exe
3424	DiagnosticsHub.StandardCollector.Service.exe
3424	DiagnosticsHub.StandardCollector.Service.exe
3424	DiagnosticsHub.StandardCollector.Service.exe
3424	DiagnosticsHub.StandardCollector.Service.exe
3424	DiagnosticsHub.StandardCollector.Service.exe
3424	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2748	2024-02-23_ce08cf8e0d5bafe309093ad3d0c2f9a9_ryuk.exe
Token: SeAuditPrivilege	1040	fxssvc.exe
Token: SeRestorePrivilege	4456	TieringEngineService.exe
Token: SeManageVolumePrivilege	4456	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4180	AgentService.exe
Token: SeBackupPrivilege	1204	vssvc.exe
Token: SeRestorePrivilege	1204	vssvc.exe
Token: SeAuditPrivilege	1204	vssvc.exe
Token: SeBackupPrivilege	5072	wbengine.exe
Token: SeRestorePrivilege	5072	wbengine.exe
Token: SeSecurityPrivilege	5072	wbengine.exe
Token: 33	4408	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4408	SearchIndexer.exe
Token: SeDebugPrivilege	2156	alg.exe
Token: SeDebugPrivilege	2156	alg.exe
Token: SeDebugPrivilege	2156	alg.exe
Token: SeDebugPrivilege	3424	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 5024	4408	SearchIndexer.exe	112
PID 4408 wrote to memory of 5024	4408	SearchIndexer.exe	112
PID 4408 wrote to memory of 4364	4408	SearchIndexer.exe	113
PID 4408 wrote to memory of 4364	4408	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-23_ce08cf8e0d5bafe309093ad3d0c2f9a9_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_ce08cf8e0d5bafe309093ad3d0c2f9a9_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4932

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2728

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3124

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1352

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1636

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3944

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4344

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3720

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2168

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:916

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3676

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4112

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4292

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4180

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2412

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1280

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5024
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
0f2ac083764c7182c0e3261876d1d715

SHA1
c7de4e19d335fd8d6c550ae84c59c4eaa8fd128f

SHA256
9a65a88540c476ed77da9463599799d127c9945f2e83778afd440258ad6bfd87

SHA512
8e81e7d842d440e4c9c2245d73e02f7ea8e22efc5bcc6e49175380e9ca14fc3979fc6bb6e9a3ae3f7d720591bff4ae079238e7f08de16c9121718b26b8e16a98

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
363cd50db4c6d826678f3a7ec8f247e5

SHA1
a4aa7ef707111592a04993cd9d90ab31f1db8558

SHA256
eb5b59e2ea3e459f6d77e925d2bb21251153444b2cd25df397f7f5efabf2610c

SHA512
e7e9b9f8555fec5687aaf0ff5a2ca9220e9b4910889a73367dbb6eb074955ce0f048ba8edf88b54612d9b2f18b381e0df0766c88b03415c815843471840456fb

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
6c4b9c0dac2bdb350230211e81d4339a

SHA1
540e9bcb3f6e313228d797ed3bc64cf4519715c1

SHA256
9c162a9d31f6966bfefc89044835f8c33088b17619e5e7ef69d1eec21c9ddafe

SHA512
cb45666a9d17ad9d8a4be38f0c78c41f363d7cd334410f7788bba8e6a5dc16792dfe6641d1e9cec115c2c3af317e272d97db227f6ec9196a5b5bc49a95de6e2d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
3151992e85c7cb15faf3698cc7e52561

SHA1
59a2dfc7d39e55511c99c46dd4d1d88d79ff9f34

SHA256
2f12aed29e9a0b9b907675ca30f929e703749b2d36f021b62fd987a87279640a

SHA512
f11acac47b8f9feeb58f6a24f7ada4cd5d612257105ef4d5bd601ab3269a9ef4dcf97f0c07b5d0b3676e19ce3fcc5dd096b1c0b114b29de6395c412a1374bc1f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
7dadb2ed9ec49119784bcfc12a827e47

SHA1
a37084a3046b7c44f80874b400ed8a6fdc101b06

SHA256
1c935c4c6050f73b4e29b4e3b6a2c4fd45b2d8264cbe53ea9f782dbdeb94b808

SHA512
c821f090886aaa5fb21569e2c9763f954fb39248d89d3c86390eb8b9d6fafdbd918d56c971cdc546f8da0a583230df8c453faa6855fbc63453e7124ea695e82a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
428e03774908f5962502d8a0b5370a7a

SHA1
c3af4bc4bbf2a270ef0563dd0cd085c23da85712

SHA256
9d3d9c6437771fe33f34294e32545344dbe1e9940a9e4beca131e1be1ad927a3

SHA512
c936c241ac4906282c47c8b8548cf81903ae9e8bc69a7ba2b451f1d69e340137428f6a118343eb38e601649b8c45660ddac632ee97f683e3ea0bc6293624d5c1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
fabf4774bc74f1ef0b13ca4c647a7e62

SHA1
52275ec6959d0eeec65b015cb55d8e3ce5f5af23

SHA256
d1bc76b8f58346deec57052d5125b163e7b77dc966552f5fb10645fa0bc0b87b

SHA512
a0d91a0314250449e19926d0a64f75f8153e2ac1189b9892d3e4da8fc53d315701fb81d4f31b6098fc70da1b74fde0bd172d6103754ea5665fbb7eb853f03988

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
1.6MB

MD5
ad700f5b9e50047b08151c1a172833ce

SHA1
9c2b5248b57b35de3bfc3b5024999279b3db4254

SHA256
ac6a758f8a6ab6db7eac62d04a15ed5d004b214771d0f30c09188488ce2b2db3

SHA512
daeb14a5036b5817b0bfc92aa172b3634da12d963dbab9364f78fa95d79fd6888cf38da96b0308cc76f9e32c31251923e619a99c28c616d9587f559b01cbd446

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
db57dfb12e2634dbade1f80f785360a1

SHA1
4b0ff0be82005f30869e3e132bf5f2124b3e8209

SHA256
32f62ed2715e6af12f2efa54454e14d68656b6f97f12c991eb07b3ed4c5f0b38

SHA512
87db4a787a1be38a8704e09181cc13e0cb53a6bbf6094fcb7dc0ad680e85789e9f251e93b36c8da47c72d7c3cffaab773d288f4297fde6a0e44f7762b2a8288b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
1.4MB

MD5
1e0e555d1ef6cdf8ee48d617b8edfc35

SHA1
bffa0b56c846a9a79ad0c315c56bcd1f4ea11bbd

SHA256
5401029a77b927bbaefe4a0b8f43a9856c88d295fdca36534720205c07a37e8f

SHA512
7b1841e5a70579e3078ec5c47a49e1939594cac12dfe5a35805489bc1595fb5edc64391fc07952538ce81d55d1a6660e3e93630c2e4f6e07d59bff9a60a88675

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
1.9MB

MD5
b82931bfe62ea78d26a78f7be98aa7dd

SHA1
1a699219360294fe5145d06847c51458e8b64b91

SHA256
38cba3abfbed884007480f1016e9eca3d657b50dff069897f96168e63726e1a6

SHA512
9d5a2421aa824b622eb4ddd70cc97d08aa948951351d3f20ff573ed7c4746ccf06b01d3b4220b29483921586978f0574846b44e1ea14d5e1ee72c395e4d0f9dc

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
114817baffcd04674ea633c4aa137b05

SHA1
e702134611912bfac638d08d63507617c22c23d7

SHA256
822d9a5dfb837075db11bdf696e370fd18a10f48daded4c1182c28c213d8c024

SHA512
ffd13c55e8c4c8bda3ef67318911f9284372f8ad28c3dcfe862c59987fd38a939535a3775c721bda1920184b6b1bf5e87d4404aa829dcc80d5b3352cb22eda52

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
a68086e674c9914eaa8ea612cd6c3494

SHA1
a6d91289e4eada8cb021b226e6a5d689582b942f

SHA256
dd0a5b7556c340562e3840fb1fdc828b3907652b0cd97f664ad680ab4c334142

SHA512
2cd57577647bed2f0f15a75e54e02291219ea4ad1c619886aa0ca0f79f6867c53a1218901c0ca6a1b88020e00e6cbab62ca6c9011334ef50d3db984b5171cf7c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
3eeeef086d0be01132573f870442b61f

SHA1
ea208569fa1768b0e905b2c7134e4b630f54fa68

SHA256
8e39dbd8e025d2e55dc9941b28fcad334a65c65d041e56b0e8d5b2ab45ec1dc8

SHA512
20cfe12a808b1d53a5392d98dde2c39dc1fc7df8ea1ec0058c27fcb12f07da6101a206898db7d186e67ab1fee07a3fd93f1c433d23ee1494850948971d35a36b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
1.0MB

MD5
179c890098b62cd3d6e9848810c4b4ae

SHA1
498421a6e08871c5ade4d62165ab7369157aa42d

SHA256
07d943e667da74f3e8630136d6d68b939b538699fdd82450e396a82d96af7734

SHA512
f47ee671003b8258870d18d99c1697bf0e53d5bbc4fe5c5136958bbd1f8180f13fec5551b60887356da64897308830d97281e21ff5b863e8803863799376acf9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
1.3MB

MD5
cf0a12b91f2ad8be1d4549b5cb68bea5

SHA1
67032bbb54e11c66d70f66aa40ee529e2c8cdcf0

SHA256
df4c5665eb4e4368959c86d8fa5ecced12cc35a25cfbf9836a2d12711d5daac0

SHA512
72f52950c67e00447dd2b12b49be3e2241b5081dcbea7d3576087657a508e4c0be7857b753f36f10186bfc6fbb009b386db157e3622ac9adc11b71dc603d2cb9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
1011KB

MD5
6582d7050f675059b50b0cd28e23a1bb

SHA1
947aead03cd5cb3d7c5d505e6e311c5a017f4322

SHA256
7932c76f55e42b1491f62adcd128ae892627875cca49d529c850968d6d0dd5d3

SHA512
03a5143478722a20724ac0a99b1f5a5cbcfcb8ab4b06e05ad49245fa06c0aa4bc198fc320b18e158ce521ab74af24a0e19a1d0967faac60caf84bb9bcc2e74d1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
12d3a99cb3eac5d5f7e0efd99ef09245

SHA1
54fbb47cd2ae558310e8a16060a492ccf815ce17

SHA256
10eba477da1a24803e68dbd6ae9d3a01a4f1bcdaa2948e2ef4daa9c4bab1dc71

SHA512
133424751f1d99d4e211f3e5b69fe93bd81e235f8afc25eecb258cc40ad3edf114bd1d5c46220016f229fb7b416cafa6ccebeba519c74a7ef203ea8c375caf5f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.0MB

MD5
991022a1e2381725650dbebf7076548d

SHA1
1b0018c08f49481c410f4f1fdca5198775db748c

SHA256
9f477f7488b4ff82330f0b45c28e8387b966e5313420f9fa108601f50a568b94

SHA512
5da37ae7cf1d180b85efa19b8b4b730d6b0843c33f25fe382eb7b6b3f7c030549202f797e9cc9293d5d47e3993bda549ad3a24f6272134f9bea34e91bfa2ff2b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.1MB

MD5
fdc85da6113dea42550fb180d0920d47

SHA1
f75ef3bf27109eef3520c2477e66613cb90e5ca8

SHA256
44e6afffb5fb94bdf81d5be9a8e26d39aae427a5a0dad413fae6dec36014babd

SHA512
62c1f8ed75514ba3c59bffd833a4546362667c97fb9c0ee964bd95e4f6371d689b372a41f6fb37c2d0069d8d2809dbbda43707fde6e643a374b521654504caa6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.0MB

MD5
2661e9835b7e72cd2087353f4dbd200d

SHA1
850ec16c80113731d48107d21891e80d8518747a

SHA256
7b2cb03d4ae53bfcf80d174de6aedaadb7b619061a4dea4909d9f24f3f1db83f

SHA512
99eeff3b3ea15fa1c93efcadab856332eaa6a94ec479e26b85e1737da3f80e6cf5ac631fb5dbdbfc28efc063e1e16477e51eba3b3395edf6a259a39a361f0dc8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.0MB

MD5
bbdd256fd2b6faa8392e5d609d83b5b4

SHA1
4cc3557e23750c6b138c097a6d15e5a317f67b64

SHA256
220997188f4db4f8d632b0742435c9c4e13afe9d8dcbfdbf6257c64ef02afaf7

SHA512
1062230261888124503a92b6261b026df7a78d57c15566c664434f74d1cc76acd1d0e0fcff3ac754edd4b973122b9733006d9ffbf3e1d57ce6908c858b3793fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.0MB

MD5
d6d8200bbf5d5aa0cb64fef2fe235637

SHA1
f5587e3b87ef38d845662cdd539a6cc7daea3a7c

SHA256
67d82303c0c069aa323259c2fdabf3fb7fb94b1c1903eee5b048db609e5aea4a

SHA512
228b9daa629f68ce25bd4a2c8641908e6436b22098dd0a7b21200f14e43a905f02ea6eff0174f56cf41c9dd40ef2c9e4dd90e7b359ba83d1d762570f8345fb5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
983KB

MD5
13dd55e12e3f48cdccef120b6a8f37cf

SHA1
62833e4d8b8eb8ce44f161099d99cfa1eb6c81d3

SHA256
41c53d9f8ddbdb6c8b39e682d766c223176a6de1e386b6e6f33511da282b1629

SHA512
58c4364cd890393aae03abac2dc73786cc32f6ab6aaa2ab696339b7aa5cac94b2188982079f6881ad8468e0a827487c18bf3796fc81653cb85743749fe879fbe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
9caafc76402e3d0d1fffaada9af09ab7

SHA1
cdd0713180ce57a675cbaf4e80ff903b27d2a699

SHA256
9366ecd92e4dc487f78aa90b8bbf343be3d39a12595cdd97a6cb310213b536b1

SHA512
1f418502eb77253681b8b14beb537374410ce8212329b164e04a1a8f74c17e5cf26efdf58647157cee67008d85cbcbd31a00864966c72662b5115c5528cd77c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
4ee37a07644d6f6acffa4f8392d85196

SHA1
5e59c5c9b198396ff0cb2c3acb11b8a8246243b6

SHA256
69d564f3edce066b42ff537f1877ae88ff80623fc1112fe8fd5ba0f0bda522d0

SHA512
9227d5cef1450517f313dc718e2d94ecb0ca7cc95c15e5c4de1718bda16c201f1d677151feeb4d0e8fcc2ea70e5229108e7eec0988d011a6c10cfa30cad28698

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
146c53f80e5d0530adf4eb27aa25aa30

SHA1
4e7951313157c7b56e6e67963e04ba845e06ff90

SHA256
3b7bf443209e6951181bd2c9076d585b85093a1a07df226c7a291020068aa5f7

SHA512
be2e26000ad09ac74c3264d55bbaf80b9326188f4bb7ca8eb09165318eb917030f3d7f776ad4331da8e76e8cb745208ceb95e6d5037700ec421b4f30b35cada7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
641112d2da44ca0fe318bacbc384b6a9

SHA1
08c949e84a3bf49b7bf7e4eb74198a0909681f74

SHA256
1246814a3bb53754696b90070c55623ddcbe790bbafe7dec5a9b8a0200997147

SHA512
1ba1fe7737bdf0c11249c3b6abb53cdcdd199f75fd727c442e36c37ad19090241ed38c2bbbfe5605deb362ea6ec18c5bae2d893b898b455c9db70ed316adaf07

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
306db79021a6cbd8f313d262fed4e70a

SHA1
d2f4884838dbe33a20f557afacacd21f4b694ef2

SHA256
2c06109ec9ec6774363ecbf55985fb6b85a35d1ac06fb5eb63ba0fd0bc2e1e43

SHA512
e2db68a0cc522c8ba15ab78c70e31c02023ef7e318ecaacf284e9fc43dffaecb334928008c77fe09fdfa29ad60f2ed088edc1b18580cd31afa8f367c212535c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
01dece4774bc8f05af87262c35ed5145

SHA1
f0eaafb1f747896b836a9624c56668aa7270fd71

SHA256
76aca9fed34f1b69c455826de5241fa083b5f18ebd8abbfd0b478868fd8f67ad

SHA512
3d8697d3862fa6f6cbe4c4ae9f510bc794af03916d4d1d4586914492dcf335a96cd11d4edf1391eb04fad9448482f18af2318bc90672c4cd841324d921c8cfc3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
886e6b42bc4e8fe8d9edef0a7be84009

SHA1
3e897fa895454aba9c9e93b93a3310438782db03

SHA256
d7da0bdec06487469f3b8aa496c1524957cf40eb5cabb5fa3d0fcb8e927a8780

SHA512
507ff40c19f2260cf8e2ec2a52be21c367d6fc0e1b4e26215122b4e124d4986b069c42f6b48cf39edb0cb43b5a6c427a06caaa719352a299f926fcc856ad2bc0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
fe3f10f8aca93ec54ea1e5554c9acc35

SHA1
6aca906760a27cacc9e237b3590e756b68625a2f

SHA256
5130982d17807edacac916a14a7f096b68127a1ef8939377e939724460fec615

SHA512
c9cb0347a225ba842c99325bfe08875aa95383dd3d3b9a3b28e0bfdc3a04d1483fd9adb67aa705bcc7bc10846f96468e991c2ebb82b0bb9109d3e4f6ccaade2b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
9fad31d6db3c97660ef7f43bf3039689

SHA1
97d91489e7a42d61eaf2c83396dd3433738f3b6f

SHA256
8f117881e70afa3656d659088282e3291e95a0e4718f7585fe2cd287f39eab59

SHA512
f84f1d0c994af4ef35a43c5f4ddde7b2a95ba148bf792dfcdf5f9c865de03d66be2c2909c5d5f1a3e5bec0cfb3d1d055e73f5e68b2a06a6a4caaa46bcea9c323

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
68bbc169f07d217734ba000bee7b1f93

SHA1
fe9a108ff1968b3fb9f8589ee574400a249a6caf

SHA256
6f3b7b82fd733574298f28c21b98939c1fd91ad02720067daf60ac9cdbfa5223

SHA512
52525008c5fe4dfdb3ea7ae0ac0c5173586623a4dfcc8fa0520f6158ed43ca0ac9ef6c6041699346053f4be7e14ae9e366e313065a71a0c00d6a74691591532e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
a65ac0c751b5f6829e3f376a7a1a4da2

SHA1
42b1ac1df8d3f2708700a60d849baa057003de82

SHA256
f0679907dc52244b464eea82df62b162a2db01386c04847642a8b18eeefab4ee

SHA512
ea89bbffc5fb9ba957c1b5177e4beafc25169bf666b1783a82a6aaaf2693e084f3fc7f8ee68269dd2a9a109737a2ddeded0ecdc93c9f6d72471e672e7c198291

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.2MB

MD5
5214e5046a05f69c930e2c8715f9b61c

SHA1
3c5d5c7daff87b5aa0669315303945e637848215

SHA256
ae478b6933009f6cd5f2b246771bfd008571753b6fd41e9dc033b5be95f8ea1c

SHA512
529fae1f3baa0cb963f6e9b23ff51472aaa3985beaf5bcfa01fc7dd72de5cbd7986c36c948f02b5bd3a7a1b8121cc850fba124df0d88cb51314e70b5bf85828d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
8e2caa6740548de54bd8a059a16ab5b2

SHA1
40c26bcda669294ffbca9ee6acdc4e5991a09164

SHA256
f487b1779a634203b3662a1eb176ef2c4e6cc4ccbea2b953838ae3203fcdedb7

SHA512
1f5570a41a23d6e897224bd004777da38872677cf190e310ff173f17a070a1c4009acd150f803f2c1a4334b4a4e8e15123eaba4965b8e8f0f86a7b176c7586ae

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
42cf5c541c3b486786ec9c6449f3bf59

SHA1
298ad030046d18ff466f148cc01cb1e12348c7f7

SHA256
bf8efed048f22032809bf0bd57ce1d6441aff46d16aae254dbef32b163215a14

SHA512
e4c02bf6416d16d6e06d9c07641af0678509c63d846020ccd333001eab2f735db2612ec63a099a944bacb1645a680097f54e37710f2d3965cccda404632524e2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3b66366e0a5db36eced10211f83eed9c

SHA1
4929620f1c41181b686c87fba62f0085343ff9c5

SHA256
2fd0cadf6db9a92a471c71eb89f5ba61ee7d986d8c8906912e4db2d9c0bd042d

SHA512
4e0385792bb44adae31e1402875e6127a24824aef69888f16801af6ecad17a280702c99fb6ab342efb76c764503ece9b682e7f7ae277cf836c1460602248bdc4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
ec0cd9d64b7512a2a721f65eed10445e

SHA1
1297f1421aadaa8e88fc795ff2b57fd9fe5c9ce2

SHA256
a84c59cd02c454d29edaf59dd8bc89acaf1445aba653f1428d4dcbaec7af309f

SHA512
1eec787a52a2d1c808ac796fcccdce62a5ad5b9affe8b243ea5a638dcbf3f005d8f32729c13879e66a56a85a44d9e314958fd71aea572bfa462d7327da76fc56

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
819KB

MD5
99189e1d459aa49fa04680ca24607e07

SHA1
0332d477bec0a12780adaf8685e9840572f1ddc6

SHA256
4093627f701582d663ec66415b0bff9f4eec2bb2c8e604c040acca18cabac9e3

SHA512
e99b89be77fd46de85997c0bc2dea3d48b9236981d5f9f53e0fc7ba71a7f337b9713147e4233f3d67ba586c5c029cc9fdbb945d03c9571e76315dea6cdf66aa2

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
23d3f148263faadb90d7c2de0269036a

SHA1
87e2ebc2eab56c1ff4ed0bdc133ba681d639cc60

SHA256
39008c91c0a6588559651200bc11a53116bf8b77d644d63d6b5f4a2bb2f77edc

SHA512
25123580be371e36baf3e9455dad10f0bab24518a3f37a0714333f4ac2ba7a646672d87f925724561d27c32d393f21c20b2f3ba7c4aed7e101fd28922984c8f5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
177237fbcf66294f7fe7861cb285a9ac

SHA1
8e8afaf70b6ca2f495ee89b1dbfb1eaf04dfcb4f

SHA256
1549a713606a0b8fd941f3aece7807db51bdfaa6afeecc4a89a8a03cd29178e8

SHA512
5853e4acdeb23c54c30a1c12226bb03757216247242bda18660bfacb9837b0c105fe79bdde5a7c9d80dc6234e634a3aa1cd3dacb10e227ff4da554c8d3e82df7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
a385905936221454d8694254ca2d7791

SHA1
f48816620b5775d59a55b0dab487dbd1205bdd3e

SHA256
326ef285696b99753db4dca9ecb4482a26da3d60b4f730144cc47e3e0b22e12f

SHA512
27eba1500931dc167f7eedba268f3cba5aefb43fc364f349b1f1f9b73c6d8fea6a2e138c7a82570bc80c9931885531b478ad86d649022257625768f577af7b43

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
24f50276f962bfc7043b680fed416ba3

SHA1
4c95f3bddf04c5010672a37251ea5b0f80d108c5

SHA256
03f58f4da21114520c2e5c1c1782f0a42547dc9de78593078141324743ef9bd0

SHA512
668ba529071b8f485c69287e849143618fa7f6e778b82970012b2cbfbcf99149dea16db0ca50e38bf9919e590445ec10ae491602dd68d6932a5f9b8ca4983c58

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c9c4a190c1cf5cc0208c98b308af593e

SHA1
5614e61f8f6da151cdaa63ad706e0369df64de81

SHA256
a16227ae23555aa10e6616fa57a9cbe77605566d07fabb5336695c7086a63c30

SHA512
e29a762bb1879fe58cc4be9c0623e6e92196b0cb6b0bf3be680855b2adaf3d1532bce09c28b5e9ddf59eac03d700d07f69acf6a4edf2b81ebae191fd66226cca

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b55af659e08a8e5b47d126c56e7730aa

SHA1
73281d2971c350b28fb192c33ca83bffac05d20e

SHA256
b09c16773b0d7e28580b9360905c727f15b794bf4c3af7cea37a9e0d8dacd61b

SHA512
71b310111350ae79cf485c3881241b69dc2e804ae6df6c9a7958347b1020ea076acd7a6f18b6054a6e9962253d8f345b1f50a96894a0283426984e2da1db91b8

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
49f233eda8f0101fca7114af9e55252f

SHA1
8726fb49ec9ee6f8f44e5798ca455d77f2284a00

SHA256
bfe62aed7b2614ba52a550f5b2a93456a10e8a51e20397924a8dedf00445a385

SHA512
dc8d591c6b1568bcc1ea89a81e8e40cc5906534a5602cda17a831860fcf09ababa23580a35f07b96aa7c35023149c1efb332333a004e0f7e7053016cc08d1aac

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3363623d983cb8b1fc371e1642645b3a

SHA1
2fe50cb7608ca463a887b29e6fe9567f7d76f70d

SHA256
62f75e44cafa51fa46db9fc7ff9ab651797e8f7b81462618e2f4398b71d4646e

SHA512
c7a83c286149e912d7b4eeeae3da185c21b42943968b1539ba87cbb3d38dfcc63abe05f04dd05fd0d7b0df3705bff4a3dc79497ac240015caa35d71b628a4913

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
2cc490a3668916eb8ccac8421937b7ca

SHA1
d5b72c044613829a92931f384cc4b3aa9775481c

SHA256
0b5f69d657d42a977b7c22617e69252030ba98d5061121d335a59520f9d4100e

SHA512
c7081a653be6d7376d373de92a0cd1c0c547c46a6724c5c9df79ac93e2d21f81c8ccbec3f0126100abafbe92966405439730bef8f6b94de0dc8e39e414f6e77d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
2359ef876b542bd6dcb8827396144e72

SHA1
de9d0ab9a8eec48f17548290f5dad035f63e85ad

SHA256
af751241807941f869dc6277a8cad5c4fa28e5b810dfdf6b7fb0ce2180fc0738

SHA512
9395a49eef1b2af5cab29e269f9f876501b994cad364f93f6a689346e97f77f421e8c8b2887ed7e45a7527cbdeed7e31a6aef2d9135403d4f666247251e32b2c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
bcbcda45f2e813eeab59039b05ac59b7

SHA1
4bde1392b66b7e1d291ebf4ee816edfc6b522224

SHA256
b5574e1d0c96ba87f0aeb09d8b35b75e7cc84f5f702bbfcac975fb06d9ddffbc

SHA512
faa9c575bf0ba9bbdcfc23c2257a7e970e63a39c1b3ae1846037a4b5b28127140b00677a96362d591b60599d95bde0ca56c0c142353a4808b0338c4e11921b71

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
cd0bfbaf9cb4ec9af553648fb23de048

SHA1
3ef85e32ec318f4d456c4e52cb644924b25592ba

SHA256
9e5ceb9c785fc15a8c032e9af052fd3910e548589ff88f9038e84da94b649fa3

SHA512
45f67accf3319fac9e1349c7f2d446d34716e1bc36afdcd7633a53dfe85eddf9f0fc6b3652df73f4f6f7ebd38e90290af1ea5ea3f500ef39641618ffc7b45010

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
51394093c9ee78c7c5b5ac352fb48147

SHA1
9e40dd79133493b493e9c18b4a3207352605891e

SHA256
72c4840ca7decf69080b7eeec8a76f7e2f801b600c3595165b26cfe1dcbce6af

SHA512
9278d6820baa88b837fa763a8623a95e060f6d832c73c8072907094f3ae250d9a68a69a388b1353bb4d9f555ceac7e231690e1f8d69ebe5a939bdaa8b5929e49

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f618c41e4885d308122b052fd9207f70

SHA1
a0f799a7efb7e12910215c1bb28610b5c78818ee

SHA256
5c5473fe465e12196880e0f38a81f2db03ab5226327b77ce3d2d269389a7e425

SHA512
e544d5bd0bf482f77a8e9089b46574c28dbab3869e35c16d3da6d1873ccf8a7687b12780fe408035652dbe94709b20c06e31e5517d5769a0c6f1312ab6291d13

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
b03ebdda08f339609201b50126271ea0

SHA1
1269242be64afd5f268fbea36a149e7e2f2311e8

SHA256
9a6db3047ad4bb14e2b431b949d2e24768358bb015de4ac4a5a129dd7d15c6fa

SHA512
8d295bb54120afb93722914a76a7d15a59986a325389aa0032b51f45b19d26235080c7d184924db370270b193b5e4fe53df6a9d18a7e8f1c38b2819c5d14d402

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
faa8fefcf9a90a046a172e7c4c26fb66

SHA1
a8890af6888fa04d7aef8b3536ab73ce4369d381

SHA256
9424516a57676a8ee3fdea8fdcb6009cbe995546b6002f9c76402068525870cd

SHA512
cf961c83e3d2a037ac53b5e597171f6e9e74a6e032e6825bd936b1a1d337f4bf0e459976508dd0b1acab01f9bc37a5913e96ea06124155c9007c65a4e528a61a

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
d8105b81f06b9b36d22721ae4cdf8767

SHA1
50cf00d5d4294a37618479a00263e2afbc25c6a8

SHA256
3be2621f5192c79d7e4f14751cc20660ac5e159f3de259c3f5f841a3f29d9a9d

SHA512
40ed4b48615da081069c60774a74f7f02d5df6fdb1424191e3808b4849790520c56448dfa56e485f4b7cfd2848e878395af8fd0040d2a54460b455d3629c9f3c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
71149dc89e63a09110bcf8f4ec09dafe

SHA1
bc3fbf4dc4468d448263ea478602441b13694c86

SHA256
e20b945dc5f6095ed7f53e62ac07d03fd53caec413c161f7c1ea9b285338667c

SHA512
d04f5b2e6ff190aa5740af103fc62213f009a4d40f676863b3c83d04bb6c200c98d727d11e0d336e5237e4d0049e31b6f2c33f59759faeb503b2d1bf672f8435

Download Submit
C:\odt\office2016setup.exe

Filesize
2.4MB

MD5
e38b743b13f7b2567a3a87396572d0ec

SHA1
e2d9046c196699f35f52e58e27bf9822ef4dc2b8

SHA256
685d4ae204594cca7371eaa6a29783a4abb98a18d3415d26b29e18702829a700

SHA512
9caf53b35856b5818e1429af2bbe10e438b7c55db4163a5931ace56d8a2f866cf2a514821221208dd6f5b90117bb01a35beb2cbfb1b5bd0febf3a8d3a48dff27

Download Submit
memory/916-170-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/916-163-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/916-227-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1040-46-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1040-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1040-40-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1040-54-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1040-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1204-267-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1204-258-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1280-285-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/1280-293-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/1352-92-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/1352-89-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1352-85-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1352-78-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1352-80-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/1636-95-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1636-96-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/1636-103-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/1636-161-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2156-22-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2156-15-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2156-77-0x0000000140000000-0x00000001401DB000-memory.dmp

Filesize
1.9MB

Download
memory/2156-16-0x0000000140000000-0x00000001401DB000-memory.dmp

Filesize
1.9MB

Download
memory/2168-214-0x0000000140000000-0x00000001401C6000-memory.dmp

Filesize
1.8MB

Download
memory/2168-148-0x0000000140000000-0x00000001401C6000-memory.dmp

Filesize
1.8MB

Download
memory/2168-157-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2412-530-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2412-253-0x0000000000B90000-0x0000000000BF0000-memory.dmp

Filesize
384KB

Download
memory/2412-247-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2728-53-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2728-60-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2728-123-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2728-50-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2748-8-0x0000000001ED0000-0x0000000001F30000-memory.dmp

Filesize
384KB

Download
memory/2748-67-0x0000000140000000-0x0000000140327000-memory.dmp

Filesize
3.2MB

Download
memory/2748-1-0x0000000140000000-0x0000000140327000-memory.dmp

Filesize
3.2MB

Download
memory/2748-7-0x0000000001ED0000-0x0000000001F30000-memory.dmp

Filesize
384KB

Download
memory/2748-0-0x0000000001ED0000-0x0000000001F30000-memory.dmp

Filesize
384KB

Download
memory/2748-369-0x0000000001ED0000-0x0000000001F30000-memory.dmp

Filesize
384KB

Download
memory/2748-355-0x0000000140000000-0x0000000140327000-memory.dmp

Filesize
3.2MB

Download
memory/3124-73-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3124-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3124-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3124-136-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3424-29-0x0000000140000000-0x00000001401DA000-memory.dmp

Filesize
1.9MB

Download
memory/3424-28-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3424-35-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3424-94-0x0000000140000000-0x00000001401DA000-memory.dmp

Filesize
1.9MB

Download
memory/3676-183-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/3676-177-0x0000000140000000-0x00000001401C7000-memory.dmp

Filesize
1.8MB

Download
memory/3676-244-0x0000000140000000-0x00000001401C7000-memory.dmp

Filesize
1.8MB

Download
memory/3720-137-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/3720-145-0x0000000000990000-0x00000000009F7000-memory.dmp

Filesize
412KB

Download
memory/3720-200-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/3944-120-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3944-109-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3944-175-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4112-257-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4112-197-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4112-191-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4180-230-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4180-235-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/4180-241-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4180-242-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/4344-125-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/4344-132-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4344-187-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/4408-297-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4408-306-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4456-223-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4456-283-0x0000000140000000-0x0000000140213000-memory.dmp

Filesize
2.1MB

Download
memory/4456-216-0x0000000140000000-0x0000000140213000-memory.dmp

Filesize
2.1MB

Download
memory/4604-270-0x0000000140000000-0x0000000140233000-memory.dmp

Filesize
2.2MB

Download
memory/4604-201-0x0000000140000000-0x0000000140233000-memory.dmp

Filesize
2.2MB

Download
memory/4604-210-0x0000000000E50000-0x0000000000EB0000-memory.dmp

Filesize
384KB

Download
memory/5072-273-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5072-280-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download