404dbe9d744cae49fd3f251e91bab5132b9761e185806869cf4be1aae3061daf

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
Size

1.1MB
MD5

9cdfd69f4cc4da52f453e48e0955666a
SHA1

956adfa715497ba5673d50c96e50ef70b8d17b5f
SHA256

404dbe9d744cae49fd3f251e91bab5132b9761e185806869cf4be1aae3061daf
SHA512

e37bbf96def79dd06dd410ee79e1574411be004bb455231af183ab365c3a6f2fe84f2d709bd8fb345e766ffdb7666769bbd347614e402ddbd503a2573d044d80
SSDEEP

24576:GSi1SoCU5qJSr1eWPSCsP0MugC6eT+t/sBlDqgZQd6XKtiMJYiPU:WS7PLjeTU/snji6attJM

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3120	alg.exe
5080	DiagnosticsHub.StandardCollector.Service.exe
4832	fxssvc.exe
1996	elevation_service.exe
4808	elevation_service.exe
3296	maintenanceservice.exe
1212	msdtc.exe
2472	OSE.EXE
1552	PerceptionSimulationService.exe
1940	perfhost.exe
2756	locator.exe
4064	SensorDataService.exe
3956	snmptrap.exe
3472	spectrum.exe
5076	ssh-agent.exe
1544	TieringEngineService.exe
3860	AgentService.exe
760	vds.exe
1624	vssvc.exe
4944	wbengine.exe
404	WmiApSrv.exe
4540	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\46e72fea8238e9.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000bc47f150667da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000102e8d160667da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000edacc9150667da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000003a3591d0667da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007ece031d0667da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4fe99150667da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000097cb8a160667da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000970be01c0667da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000071d0e41c0667da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
5080	DiagnosticsHub.StandardCollector.Service.exe
5080	DiagnosticsHub.StandardCollector.Service.exe
5080	DiagnosticsHub.StandardCollector.Service.exe
5080	DiagnosticsHub.StandardCollector.Service.exe
5080	DiagnosticsHub.StandardCollector.Service.exe
5080	DiagnosticsHub.StandardCollector.Service.exe
5080	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2768	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
Token: SeAuditPrivilege	4832	fxssvc.exe
Token: SeRestorePrivilege	1544	TieringEngineService.exe
Token: SeManageVolumePrivilege	1544	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3860	AgentService.exe
Token: SeBackupPrivilege	1624	vssvc.exe
Token: SeRestorePrivilege	1624	vssvc.exe
Token: SeAuditPrivilege	1624	vssvc.exe
Token: SeBackupPrivilege	4944	wbengine.exe
Token: SeRestorePrivilege	4944	wbengine.exe
Token: SeSecurityPrivilege	4944	wbengine.exe
Token: 33	4540	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeDebugPrivilege	3120	alg.exe
Token: SeDebugPrivilege	3120	alg.exe
Token: SeDebugPrivilege	3120	alg.exe
Token: SeDebugPrivilege	5080	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 1920	4540	SearchIndexer.exe	116
PID 4540 wrote to memory of 1920	4540	SearchIndexer.exe	116
PID 4540 wrote to memory of 2816	4540	SearchIndexer.exe	117
PID 4540 wrote to memory of 2816	4540	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3120

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1408

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1996

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4808

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3296

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1212

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2472

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1552

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1940

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2756

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4064

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3956

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3472

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3864

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:760

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:404

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1920
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
16f93322a083cf1bec10cbb3904fc513

SHA1
9bea285fd163c0dba5582350e59c9ad6bacd9553

SHA256
47d69d5cb2d94a7d06805f42e0594fc463b1a0b8dc38c19d311a774c650c21d3

SHA512
dfd399f2ea9aaf3150b81bc1951791f9e17846a5d6138f136c8546508e7ce9b31d0fcbd22fbc5e353badefe90d9a3352433149e27bd9cb2d75b9184041e9a816

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
8627f1c1fb32687446f4c414eeb2169f

SHA1
c23b564497d5e46d29fa336bfcfbea0ab1f6629f

SHA256
cfbb3c543052bff1d72920cfaae61fea31fff3fa58a0053d481c9e786a775d6e

SHA512
5cd566d690607aa264c8425bc2b812fa6650060184d4c0293c89ae52296740de51cf8762c979805a00b0b751bf61121f7eb078a5a8f84e558ebfede92ac319ee

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
ade392e5ffb1944dcd779bc4b09d1ecf

SHA1
2cd74c8870a3f40164d4a94c59fa50e6aca4b8b7

SHA256
43cfd558ccb22019322013c6ea6811317591e8a0dd18a3222494fb3d9d37dce0

SHA512
eb083435bb55d19fe1933b7d391de8b52abef156a66b121f7c5284a740d9c0f87b01fb0850f7d184498b81dcdd21833e6ea87409c4f461c3c7303eba080bb326

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ad5564946693ef3a9e78affa4bcc61e1

SHA1
d82a199c05102fe8eb2a7538076dba8e622006ba

SHA256
3b6a2d0d495b5d7654d519c48e68270d3dc137550ea12b179c9feae71f05fc8b

SHA512
816285787d1db07d802cf6e374afb8557d3851c85ae8f534ccd47917526dfd0a8c5a34b9e70f4cc358b400cb39908284dc9be2aa5bbf7e2f826b084f576d7cbc

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
bc72eab630d8e63988aee3c5cd0c8337

SHA1
dbffe293c6ec629a0ba5b786231ac3fed02dc19d

SHA256
ef7977566f1b3630f9428630cdacb8de5929b969426d69ef81acd181a7cc305c

SHA512
4f62a43843cb660e72052accd1272fd581d410e71d09f1feb6a5154639abeb43fac60346be9968ebf2a151a7f9dea5be69438bba7c81a85fcdaffa0abc42afe2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
ccd8d5dcf474cffd0dfcb99b04dbb956

SHA1
0c5b8e32cccb1b9417b2e4da8f4ee7175f100a13

SHA256
4df2e35b32a766118cfb61849988a869f16c8683f8b3d2fbeab9f97a98a53e56

SHA512
1b0a15cb57d8894a743d5d6674bf8a1c03152a96c94e9f2d281a41abc237a80924d015784c0edec861c177839eb18e172598b2624b77e21870952610adfbd947

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
23891a248dcec3887260520d1edfef5c

SHA1
30dc0f9a1b12a68cc0797362a8c798a2b9a8dbd0

SHA256
00c9d67300cdf46a607c8f928bbf947af059615731a60810010af14e795583c8

SHA512
4170157dfd3327307e7b0c5f1cf32bb71b9c4d6b5a8df41c697b5cde80fb14269850455046e23314d42d81720ca83fd38f7ae1dafb0838c4b314edde98db6699

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
2.4MB

MD5
8f5a4dff8500cbef1cb96217e28628b0

SHA1
0a4a3ab75852d711abeb2aebc08027e24fb23b08

SHA256
46a6cf924096f0256d5cb8e5aca86f13f6b4c6fb6be7436d657a348b6410d761

SHA512
d814b86f2bad7ceac9cae9c41b6af131108ddf87e354f9d991f3c46a366c00f74453efbd9776a3109d9204d3fd10d8e6006418162f9fd2129fcdce89b02561b5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
0d18af989a8001ca75292feeb05c97be

SHA1
cccaa55fe97c4283744fe80c8240ae7294e54b83

SHA256
4bf72d078e18bd47883b6e79f38f83a791ecc50d0187c25117bc7862049f915a

SHA512
4960ed1e44ed9bf86e6b4dfaec1297b6a8248c194b20884495c84e94110d614405f865ab2967a94696e75380f142a7a76447b36a86e961efaca4db8f78ccba45

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
18.4MB

MD5
1461e4df67ad24c6eb4c8b3644e73ba2

SHA1
beb97fd4d2f032243d42bf1496fc3e89a6455ffd

SHA256
1acbf1848657b7ac3f11eccf77eaaa92cdcd0b59e433360326658d5ed444e79d

SHA512
ef27ee5e3ffc665e491ac64b0a1e5813877fe8df61edebce15ae2d6a5c3f4cea9dd2e19197d12a923f4753cbc2d2e0822df56240c5a609be56efaea1fe1c6c51

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.6MB

MD5
72cdcd1214e67c86df873baff835f403

SHA1
d36910910c5377a0742f1235552f888b8c3a7fea

SHA256
13ae7aee4faa15efd29a0639718c61292a332bd33558d51730bc099edc8182d2

SHA512
c73a7e0371b4a3b18e18c173323dcbecbf16452c84dac90a3bfc8efb064b764f473b54a3ff77e54fad319113ec157b75c5ef1c3011d2edf3257ccc33606dee37

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
627ed83c5be13f167bd2e239f879efd2

SHA1
10671d0247a3464482b3f4760f494d315e3dfa9f

SHA256
532dbc2b75fc376bb6d219f6ddb996b3ae3053da5338025fdf26dbeacdabc986

SHA512
addcea162242d66dc3129dadfbfd5208cfd81b579c8a24b6d77d08cda260646b8e4433b8b1870fd8f88b52d97764faad796845b753ebf23634e2283206d9d080

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
e15dea343b5c88661258229c132cc019

SHA1
e604d78545bea89c2307ad8a1f03e693bfaa7f9c

SHA256
4d536ddd2f120b73e23c964475df3b126b6d51386ed4fcfb6846b3382d0ee0e3

SHA512
b71adf39fdb0ad6b4aa99bc45fcd3fc4090b0db73bda098b9bb866450c16147fdc9909fd0dea39084462ba4faba13d10b42cdb7f715ebf284ae5d6be7e14cfa9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
e06d0d3e28a3a64192c2db0490b2c505

SHA1
dcb7b71ba8f414fb4efc6868e669dc2281f04c88

SHA256
4608ec845c4b3f18b91818a797731b4d4b1d882fc42104dc30c62a7c89698b97

SHA512
45debaf545c207631d6fbfe823486451dd26d5d7540e44adb0ba7331c6fdb86382c65d8bbaa7165b7ca6802c967e5d84002ab8726e886c2d62db26a4374c63b4

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
509b9a5d80aa4c12c6d5b555ed50468e

SHA1
de9a5fa8e026eaf5edb981aca4700651c7e64aba

SHA256
77d2219bb216f3c25831eaa9ea873f4dded7b25ea701e8904c2800a04ada755a

SHA512
bbe57895567ff0480388c2a84065fef2e726e1df0bca979b8f052a3fd1a12018315e434a3da269bec6734e07774f6e00cf1a9bcd9875cc9955a4abb49b67bf9e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
3.6MB

MD5
1dc2c5e0f6636a4906c0db709075c165

SHA1
33938b4b54ee4c45201eba40595d12179346c331

SHA256
9725d04bbfa6fcc46515c67580c2c26841c65dd1bcb5ac6df7ccee49e234b819

SHA512
e8f26d60eeffe533a7f882b4c6da3751bb8bea16343921579d51660b37454b82bf1c404a8786559fec98dde60d4fde7fba32311bc1ff057386915df05b88676a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
0efa51ef4862b8f334545f359df92e82

SHA1
8ef85f37c6f6290c543dfdc0ce23bf03e0bff3b7

SHA256
ad378a751d995ef2141566a4f4f7682933fbddb5796c2bc7f495260df822014e

SHA512
7c8871632d189eca369cbee9b09f1ff3a2e68f054edc99645183610b02189084cc32edd2bed9da68389fcca37cec6c187a589e7a0afe2dd9c857ceaa28054fe7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
3697ff3426022eaa4f4cf3692a4bdb19

SHA1
02fd68ac398917ea6cdf4dbdab369ba924abfed3

SHA256
2be72a13fbc91bbdc30c2378a9bdc295e75e15353743b8c52ba572949abf04fc

SHA512
cc2072a84838ecc40b1d87c13e4c86fcefc3c240b50befd0633c39d44c21de6692f9cb2a33d28c6237f7bb0ed32d2828764f13a5b6574d1c0960d08a6107d037

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
decfd97e4e87fb708ccadd1200f54c4b

SHA1
8d62789021823a29120bda6ed7a8b1289745beb2

SHA256
60ec70f883d4cab66a159bde4919b30c81d21247e5b6443d1cca8322fdbcbe2d

SHA512
571d975b8b685fc22f654a5e7a804218da65c72bdbb760e52e6c3eff572d46d0eeb7f6b8afcda6368f601f017537912339b3cd51c52b8599d5510c358ef724b8

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
4a17be21c4f7396b8a242bbd89a4a40c

SHA1
44ddf59481dba3dee9fc4b352c4c5ef2d59c78c7

SHA256
04fc3c3b294f25367dad424c9b244721de12f57e91baf0a8aa0f7c6f63039ecb

SHA512
cd3698f3e2b6b2351b8efd4e2b18d02c59c96112dd82ccee07c4c5965e2d39004e44a3eeae908e4a2d261b9439fe845df48041d82f9aebdfab0ba40bbf15d12d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
3cb10672cd67394550a51afea1e15705

SHA1
f99c8050e54c20596a8fc2b50c62c44f7fc84a50

SHA256
4ca51dcb1f22a52ebb544fd6fe1c7c110bf3971edb7c9fdb91c44d8edb10196c

SHA512
525e48be1ad08806297455a07a0ce33905ae8d519c560f06a229505c1ac23e9a468886330e93d4e122069d0cbc28dc9c90387d44aa5804acf1df78fb85cd2478

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
da89b23c532eaf76c763d21b38c95e8a

SHA1
463d2825493c629645b2f544481d09069187ab16

SHA256
1a988cb258503d36e4c892875146f34248b101665ee6f6b41a9530cd9cff6b37

SHA512
c78ad139c4062f24aa012df822d178fe2a7b6cb8c47f2f4c0f4a8e1b255235434a9197cb61b7629e50964a8dac0030954da43c4e0056d2ad1bfce8b24146bff9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
71687dbed01befd1afdb803caa175468

SHA1
63ceb700b04b476ae4f943dce54dd47fdd430e1e

SHA256
756ab3a33066af14b78ea67528ee31bc740ab61ebeeb0981f1c69289ee264a2f

SHA512
52cdae4b6cf6d61f90f0718fb009b68be1058f5b17f2b914d795f8130ac6c6b4de1864d8207f1945469ecf71e9df31474e7799e60e1681a0f4b63a32b2b3ad76

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
bb1fd9d215f5570f5890fd76140bede2

SHA1
54124481b4aa22f5782631c955dab4ac36aa1270

SHA256
d3ca103738b22e7381a41b087ba3f20ce4f59153e2d2e79eec81d1f48dfdde4f

SHA512
9dd5d2e10afb09dbdfc57c051ff97b4da6e828abfc4a48582fe617a0f7597ccb7894b82bd79f0e6216c710bbfa1b94ac4b2eaace3b953124aad75bdfbc50f455

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
b17108358d9185b3e628ed9942bc66e1

SHA1
c66d05706f848a86a80370e142f96bc728d50d2a

SHA256
f9545839e83e5a12edc05a4ae47d372f3d0bb421fef4ebe1342e0cf1dbe6902d

SHA512
0cde7e9e100424f205bbd7a4aff8ca1cd9055c4b3309f745113d37d4990377d98024aa571474d444a47ba71c43ed867bfe9ab04ea402736292dba415eba13e2c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
e64c6aced18f1ab75852e7d431eabe48

SHA1
75f12f261dc9e85a24173e620b15cd70245e7876

SHA256
dc3f1a8f4eb80f839894d7cb141aae2c9c1c7bdd7399ba492b498141b6bc5e09

SHA512
e607e6b7c6ce5edf80e506f6c7d960df91687609eafaf9c645897168c2b46bcb4a8211aa597466e303563d6078661e97dfd4d2b54f02f1f253e1761408cf6e85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
09407a02dfc593058084e1f73ec30eb1

SHA1
a325f2e2848bc5fc243bbb147a777b186f0c06b8

SHA256
619a7ff0b4a3449e6812e313a3f969a94655bb0f6a7c7d5f453e3615cd462913

SHA512
e7bfeb78bd146c3ce193043c89da4e6b56d28ee9f7f3c712f29f8d622b6383f324a21d82a254a10049c3da57eecad2a9b5cd24be88aa8052e36a64b5ab4a12ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
316f8eb7e2581251979b691910b3a7b5

SHA1
226ec00897e8dbd151e63ad0db0dd454ae27c1c2

SHA256
101cf1b234093d6e929f5b58c0bbe143b82008e6f9d952bb312e57a2bd5f3bef

SHA512
d8f7969b99580fea3067dbff8fe0ddcc50338486f1e0f13a65a37a27048edc86d4df8a429bf00728639e6228ad55ddffa3e6f6a2204a4918ff6fcf9d33ee1cdf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
9ecd04d4715b2d478b8e82f9fc19c43a

SHA1
8d108da0da567e87ec559102fd9b5d272432ef2f

SHA256
c35ccc78a39d2b042a6e80a0aafaaeb12a06d6d4f5837e09183b6a679d1dde94

SHA512
27dee59742ff9a318197c84d58cd48ef19089a42dd35235b801a28e12e835e7ef72183b9ae833babcd1dd73adb8ea51ad63285da93f37890b5491f9e5a81acb4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
719a9f7a61396b16a765898cfd9885b6

SHA1
7ab39ae2bab7624162144a320bb48787c2521c37

SHA256
a101f90ea4ff9a24e076664a3ed34e57799750daffd496b26489a4fc4d441561

SHA512
b526792e98bd639ef23fca0e1c2a74f89d57c06a6baedc7e8c753a423ad73363fbbc9a5d0bddf8623988ec8da0e1600b57d58fc932743cfbea50491e8559358e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
45e23df4877d0b42025881cb458e87aa

SHA1
49a64711a995e6fac5ff5afa7ccc57bb8ed058e3

SHA256
974b7f2be16edb57da84fc9837e5f7b418399955d88d8f9e2962420a5a2c26eb

SHA512
199fe475b50fe4656584704091c44e0eb54770268e2a4ec0875f32c3bb129857ba2cf835712cf58814867346b01f2b15c33705c638c5c3f0b3e3d356d255957f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
1d34cee2243592164fd73e755f33dfcf

SHA1
970ce8b1620637f1c20af6c5764940d0940b313c

SHA256
e7485e449a45b6b3f670c45c0ea902eb525e2d417b04d40c430539ed4dc68ef1

SHA512
50bab54863ac039767b5458ef1cf4e6257792838eb78f5bd844925aaeea4c7baf45e2dfc8a9f9b521b05c22a62974a311450158a39592d6cb4091eccb7cd67aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
880eb1da0e2be354056b29fe54379158

SHA1
fda9e17ea8765230b686d3b5dda5e043c815c6c3

SHA256
dab4a5cc69cb7249288c0e6c57f242117d845e33d84af10e60a3ff18730163b8

SHA512
3ab3e05e7ca881151689fbb6f3dc537a6d97623c7c0256d362334bd36328b1d39464cc92b452303294d1565f12e0ac334566d5fb3f103e71f8ad486701f21f32

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
6043639fe2346785a3d3db15443cc2fe

SHA1
d0c9c9481b971a4eb1f1e7153816c0be097a465c

SHA256
cd3e7484ee3fe0f337710d856b5291a9e4a6daee7c9e8c3498ae466489c3a995

SHA512
87dab683873a8c501d39f16aab49a8db998239dc46aca2227658baf574cffc3b614634e770a46bbf72604f328760bf47a854b0dc2feb991efb5cd6f80c98f6d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
663b361c6db71964c29cdb7c8ad9a970

SHA1
2cd36daf29a934a22eef473af6fd607b7a6d21e3

SHA256
77d727a16aae5b4a37c3f30cc662c34fac597de6a990a63e605ee06edb6868e3

SHA512
64f0f7641a0f0fc4d1aba472ecd92f42e2421076a098a70bdb4b2aa9575ca5e6ce6d043d13fb59410cd147d3705caa5041514a40ac031332c7eae6ac5afbfc96

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
91c9c9888d0dc523b06f638124886ff1

SHA1
f0c6b0e2928c13a41d5c5c1c15d526a27029c020

SHA256
01c995f7550d022fa9e2689922db9a8541d6fc8831cb3b7dcd2716717b800084

SHA512
b334f49022cdbd893f45eb36db37d9810dd2c82344fb3b508d046e50816741e9df47c7247d5aef2abb6edf3f4474fce7944321697c789a4a3a9136821267411a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
d752ea96ae09d9dfbeb590bd37e1cb9c

SHA1
0e6d652a39f0124f53e21035ae24096d51a88036

SHA256
33e60be5923f4d206ef98d5aef8db4df31b48f555ada38e82fe42374565ea7e6

SHA512
211fb3fc2a1d04827af8df64f771b42e4f2c5e9b0ee757ced688df93103adbd506963b09dffdd1f6fae5bb650cd9bcdd7bcaae3b245dc19dd101c92f8fdefdd6

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
c0774365a1815ee01d4e43c2eb938479

SHA1
e5cb9fde979af399e4411618269852c13765246b

SHA256
a3edcf92f28a25222764a15acff17d5cf107ea9e374663eb59aabde4ab4d8c3f

SHA512
35110570c897c2e76d59cd52aed2cbe89b127c854bdcadb09655e15c1d2fe5c44285b48dbdd43db68f9582e2cc6228c5cd96ee17350b55d7b1a26c605229c7a5

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
60b3a2aa97c83d2c8c62803ece79720f

SHA1
bec889aac8588b5ebe7c51e8ef1584e0a505db5a

SHA256
b60d41fcf0050afa7cc5f671b732688f91c3c69bb89a57e487f8033cd508137f

SHA512
26c8bfae8b15601d6702ec56b4646c07221c153a3f03e9708c145a03d8bd276a3fb6f4e38806e9d57f082c17458c5fc019ce2dabadedfe4415d573b06121b002

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
bc7c12f14d2f96babc3e21a44cb7a773

SHA1
c98975874f5af0699800656a7968311d53091f94

SHA256
6fa5fab14c15b3968cecd8c05f5a217a3d2ff2eae27647710f6e1310491b8ed7

SHA512
2da76fefbde66c5a2dd3b09b70040773f5b3c2e2c145b38f0e6d70ca74fbb797980b819464040cc59d7bad0b10a69d0b49907ee8c8acbf2145e3e79d6cf63874

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
3b115d243571d6988f6f01619349049e

SHA1
6822de20b73b285c2737c7f27bf06a727cf44b3d

SHA256
d1900bfe08a944eee486b96d9bcc1708b32c41ed4b25f660e4e2d04f48fc1f89

SHA512
4611332c3dd9104f8da39f698e82cbdf79780a120bd1202df9b541154f283a9404e3065ede14911d49adbc6e937ab08696a9a7dab06408a43b3d0899094dec40

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0ce383acdc1245920e2ebfbd2c2e948a

SHA1
c29dea91819afb2d4a0bf1d0cd7c0c12f84fb7e1

SHA256
8627ae8900288bbc40c9d12157ea9b8e9499c06a50140701b2c05add670875c8

SHA512
029003cdfa7ecde07160c2d65bcbd5d22d6c5cc52b3cd59a4607482f91080aef15970f080f991e79b17b2ec55e3bec99b302072c68be46e2c13e2e5580e562f6

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
7212065fe535171d1c235a8176d55849

SHA1
2be161def8ce40661fd8342460180168719b4d86

SHA256
cfdf3bd6bd2acb93b3a91a9f2a846220d6a1bd5f4946a505d3c44d6148c6d71d

SHA512
148e1b26c9823c334ea3f48a4e1768a3166d3616c578ae330c71e555357a807bc52a99fdd41fe1a5e0674edc3f263c6bc6e478e0f0cb7f2dd1d04d4726269ac1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
df3008870636fd2f39be266a433c9f9b

SHA1
f850b36cd913629bfceb699003d575bebb6714d9

SHA256
c25029399687d4b2d9635842cff9f12b865c9abc4938e6e1e359ae20b52b382a

SHA512
178f2e971f8a0fc0cefca7e6618e428e3c838f8d3f9bda1fa14a9c0114cec44a18fd23f8317ba3b2d28d9adcd245f3674582b865de4b0b219567602012b83621

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
84a70bce701f8da344470a545ab4e7f3

SHA1
38271c835de06d33a73930bdd675c12304b8d8a0

SHA256
80aace9102aaf09b4bffe4bcbe9bad33d7bc180976bc8e03a6bc177855935a70

SHA512
a89fa20e5b364f2f7c9226f3d8b5856a530fc800ef7f5aea4a838bc0b779d8776331f32d0cde5f2400472a7f8d0132d56e97d2194a3c8b1c0edb9e4ef55f2c5d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
027ecadc00832f9da260a70603de55d3

SHA1
0b950bdf720ff6b9f74bb0d0d2df3497f2e8be1c

SHA256
9b99a53fc5de32fbd5128bd4eeb3dca6e05f130919243cd41bf128d80f425b19

SHA512
5ec1a6794be7cb05eb37925f60057aae3a28f2ad1e934ed8d8acd3db9f7efb7d418e891fc7b3c65f43992cae8631e0720a6c2f4781120ba854888f481dd01795

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a8f4475dffa0c09e96cc6ae3d0191d09

SHA1
f47a5f2cac999f1cff1d923b754080ae60828b15

SHA256
f040fe7cd1d31d4a5f19b7b609e6e0c19d51cc900a10a08b2875abdaeb8c1ca0

SHA512
bda84b1a9453fbd5c48d8b0aa3936bb79c83cd51b6c324c05b7cd7d82deaf4131b2e3f14996e96ed3045e451e1d622f8d87fe14bc3f5b55fd2930441b90f088a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4650ac0c7219695ee690f35bcdc98a26

SHA1
45e2aa87e48c29a2fabe24e84f07920456c63c89

SHA256
c18deb8702ead5d9d82a4a4a3ed9e4d4ffb3ae7e6445b3b140f493c3faeeaf8b

SHA512
cf8613c33be9e462e2aa58b99634ef3e74b7ab6afafe578031c30e9839e7f7947e60b25c7323e5cbab7f157edfefa1fe131e2b8a876e324c038028ba890436f2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
31b1b7093eec6329c4f6b473ed25b02c

SHA1
55a231f3b0a68fcaba806a1a85a3b88624285ead

SHA256
e163ef9095b9311f17a7a96029c471e3d0801a59b8283556f0df0e0510e4317b

SHA512
750e005154fd36193758b49e996cca449c124fcc882bf269b1a29ce4d8204b2e7f63fae82c39bdad7fdc3030a21ed01288a47ecccc9cfdf7a0e3af79e0e66051

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
fa08bc7eaeb10e1df591767dadc283bd

SHA1
a978b63112fb120ce5fecc1369763b9ae3b56db1

SHA256
c7983d5297ba1c0fb1933636e232438bd0ea66b584a6c59c9787d838752c992f

SHA512
1ea73a7043dc6dcec9d68852749099656b12997c5aec8c9c2fe887fd76ce7f5ef5d483eb4a5e0a42055cb8f8da66582babba97ee0063165ad786c09d06703482

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
500a575cbd0234879e270ed2a89864f0

SHA1
9b40d49075fd28105b39ec3027a741a445eb13d9

SHA256
d4e5082982d6341b8640b10356e4faca6a2deea83c7513140372991fb70138a4

SHA512
6c821339e3ad6e817c099e6a901a0edb92a86ea9fe2947802e28de4eeb221e6f1f967a7d8ca89a5bb72816b1b4e54e0a42f1f5c49729f9463724062b083d625b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
2ed0268a94dc5f40ad26f1783b1fb15d

SHA1
6fb4e9ab04f783acea40c9c712f43c71371fa746

SHA256
4f1d7576e369f87e1ddb11ecc6ffe6d1acebb6606b99591e7087b93127d18432

SHA512
3dce479b345050a888e6ab249e169601f92a0e6700a5479072f744328754c08d4dc9cf34745da25fb01129690b78c6606d6d0c4adf1fcc2d3cb766731b3deeb0

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
56e2eb9405d8b267848bc50640dc33e7

SHA1
b0c2493b27a3f34272f645827ec8691a25f35074

SHA256
934df3adeb7785d9c193c9ee3f8abcdcf32fa47458f50f767db17c9ed9316d5f

SHA512
63c5dd0f723d2b26ba991c7be526b3b760186bd87de60ac5904473432eb72d55275f3ab4271041fb596d785bbcb265a3e0bd7ceed40c46a76a7d483429121ead

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6c6968f82172a1d10bcc924cab1dd03b

SHA1
d87494dea197f48074e8c699d61749954b0296c5

SHA256
828a61e7a6ef3a231455ad13bde607924093fac011d0318a1bd6e13d73511775

SHA512
c5fb37b61580b0d1fde865f25f2554d0786ffd218ddf04fb6be928a21972bb66288776ab83338b786df77b38fe39cf6a14ab1760ab9bfc6d161d956e5054c5d3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
ba87028f36083994aa693db4a85b2fd4

SHA1
d1bfa171d09585365263f272691be354e7fdf428

SHA256
2f786c6a2141c17a7fcabd00802aea213914ff6e2b4dc2e3ee7b0931fa13f394

SHA512
cd99e14e0e5d7eff876ac380c61dcc5576b2ed592401c07913d117b410efec2a0df33ccbad32428aaff78a3617d10a70fcd2b54ef32bce95de1f47dcfbb23224

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
977f1a2637fabfa31e19a652e780fc79

SHA1
821b9c4a358f2dd0293e82f623824298f8144d9d

SHA256
c1fd920a01270491857bf728f13ee23ac992e1cfe098bc85d144ace3493163e4

SHA512
49885829ab8d862cf0b9aeeade1bc5f2de08af4940839edcc9eb275ed4f1ab9c164746f594dce6f5b64113f44552be425c7cb9c716002b8ae9b27764fd7d1775

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
50c6d1d848aadebecdb96aecabc85b44

SHA1
2d422e03aa5f0691979b01c5f48d6fed4c6f6155

SHA256
8169b4a82b2605e5e50714ececba05a5f97f2c90dd8ffdaa1e533912bd4b00d5

SHA512
cfe7da8035bcb09c13e2e023f1f1c3179b35c3537419d8a1af0099fb4c21c5c08e3e84c948359a18518ff25460239ece20ba81529d3ab664aba9d908e6113bf4

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
6620b0fd4c4cf5e2019832352e825b79

SHA1
f54a5801434efe71ce3aa8bc9448fae23896136d

SHA256
c3070214f44b95ed18e29244acab719955f769ff7d7acdf7878b1077fcb19e86

SHA512
c55a3625d6a4d07c19696cac24593c1dd875b52ccc8c31828de3194f25bf86901009f1aa8645ab3227685928e8c2f114c95fc1a9348a562bdb7939c4710e6321

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
ee680200ce11893dbc2d1e4eec087346

SHA1
63d4e1b075c33b1e9724aaeafb6c4e838ccf57dd

SHA256
314da530fbc757dee37d5c870d38c5e1d06db118ff2eaaf40427e2a399a79bb5

SHA512
604358887a0fbdf4cdf370ef5c963a8336a51ef2fbc4802028bec7c2e89741ccd8cf609cb5e05367831fb541fb2e5d32e506a8031a882551d985d27bc0909c81

Download Submit
C:\odt\office2016setup.exe

Filesize
2.9MB

MD5
d4cd80e2c7f1d01485b3a9e198b5611b

SHA1
898a2cdfc107346fd3952fe3d46e4fcfbcf58af9

SHA256
d9f900067e866a538da50ee6acee3790a961c592d55974d828a3e233170e66b3

SHA512
16b5d8387ac4a7fc97074c93798b3c5b590c507cfa4c73cfa6e5052c4d4d5e115e40eee110b30f28d3200622f4f2e561a6ad97bf5906d6d728e590dea77cf1d3

Download Submit
memory/404-273-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/404-282-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/760-241-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/760-233-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/760-480-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1212-92-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1212-93-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/1212-102-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/1212-157-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1544-281-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/1544-271-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1544-206-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1544-212-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/1552-121-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1552-129-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1552-185-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1624-246-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1624-254-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1940-134-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1940-198-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1996-120-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1996-50-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1996-52-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/1996-58-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2472-172-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2472-105-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2472-117-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2756-146-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2756-203-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2756-137-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2768-434-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2768-445-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/2768-0-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/2768-7-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/2768-63-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2768-1-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2816-452-0x000002199E950000-0x000002199E960000-memory.dmp

Filesize
64KB

Download
memory/2816-473-0x000002199E960000-0x000002199E970000-memory.dmp

Filesize
64KB

Download
memory/3120-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3120-13-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3120-19-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3120-74-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3296-77-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3296-75-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/3296-83-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/3296-87-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/3296-89-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3472-245-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3472-186-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/3472-176-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3860-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3860-227-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/3860-230-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3956-163-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3956-232-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3956-174-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4064-216-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4064-158-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/4064-149-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4540-295-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/4540-287-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4808-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4808-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4808-65-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4808-133-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4832-48-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4832-44-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4832-37-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4832-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4832-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4944-261-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4944-267-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/5076-200-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/5076-258-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5076-190-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5080-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5080-91-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5080-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/5080-32-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/5080-33-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download