1ec9bb440a52f8000a3079aeba06102683ea0456b4a6d4f3a3bf059c9d6aa1c5

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
Size

1.1MB
MD5

51ba2225767936bf5df6e60c709ce4f0
SHA1

75b27535a47de9a40d56ac3add7d344053debe68
SHA256

1ec9bb440a52f8000a3079aeba06102683ea0456b4a6d4f3a3bf059c9d6aa1c5
SHA512

c17226df6cb6371d9a72e7d6c516fd75cad048a64ed72cbc4f15062cd45b3f0ed067b41ff10676d3b848f05712e1ed0802c092606ff6cb1d8f9b8114dbe85bce
SSDEEP

24576:WSi1SoCU5qJSr1eWPSCsP0MugC6eTcSRQ5UOOU62FBnO+E222YJbNEUQKGOb:GS7PLjeTO5UbU62FAQ228QKl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3444	alg.exe
3280	DiagnosticsHub.StandardCollector.Service.exe
4616	fxssvc.exe
2792	elevation_service.exe
4124	elevation_service.exe
1296	maintenanceservice.exe
2336	msdtc.exe
3576	OSE.EXE
2904	PerceptionSimulationService.exe
4816	perfhost.exe
3256	locator.exe
1844	SensorDataService.exe
1688	snmptrap.exe
4392	spectrum.exe
2116	ssh-agent.exe
224	TieringEngineService.exe
2104	AgentService.exe
4736	vds.exe
4152	vssvc.exe
1976	wbengine.exe
1104	WmiApSrv.exe
644	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\910593c07d34635.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_74000\java.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d273f5f8bd91da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cdca49f8bd91da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f1e945f7bd91da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a1c1af8bd91da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c12d2df8bd91da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dfac88f7bd91da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3280	DiagnosticsHub.StandardCollector.Service.exe
3280	DiagnosticsHub.StandardCollector.Service.exe
3280	DiagnosticsHub.StandardCollector.Service.exe
3280	DiagnosticsHub.StandardCollector.Service.exe
3280	DiagnosticsHub.StandardCollector.Service.exe
3280	DiagnosticsHub.StandardCollector.Service.exe
3280	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4004	2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
Token: SeAuditPrivilege	4616	fxssvc.exe
Token: SeRestorePrivilege	224	TieringEngineService.exe
Token: SeManageVolumePrivilege	224	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2104	AgentService.exe
Token: SeBackupPrivilege	4152	vssvc.exe
Token: SeRestorePrivilege	4152	vssvc.exe
Token: SeAuditPrivilege	4152	vssvc.exe
Token: SeBackupPrivilege	1976	wbengine.exe
Token: SeRestorePrivilege	1976	wbengine.exe
Token: SeSecurityPrivilege	1976	wbengine.exe
Token: 33	644	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeDebugPrivilege	3444	alg.exe
Token: SeDebugPrivilege	3444	alg.exe
Token: SeDebugPrivilege	3444	alg.exe
Token: SeDebugPrivilege	3280	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 644 wrote to memory of 4228	644	SearchIndexer.exe	116
PID 644 wrote to memory of 4228	644	SearchIndexer.exe	116
PID 644 wrote to memory of 3248	644	SearchIndexer.exe	117
PID 644 wrote to memory of 3248	644	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-18_51ba2225767936bf5df6e60c709ce4f0_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3280

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:784

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2792

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4124

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1296

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2336

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3576

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2904

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4816

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3256

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1844

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1688

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4392

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1172

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4736

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4152

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1104

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:644
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4228
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
246659671c53dd92394d9af7fc338905

SHA1
995fd7bb5708a85b2cbebc3261d46cdd38eebef0

SHA256
3410e8abcc27d96a4027b8cf3496b4ff204d429aae3e53a50305fcbd9eca5413

SHA512
8c41e6c76edd2b57848d425ad647c3d3137388180cc3488058df149a414e91dd2384147ccb4b50750f21711abb536544a5fc36c2429ea9fb204d327221aa0395

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.2MB

MD5
99b7051dad05015eb87e30c55e71e82a

SHA1
83fa8334b9962fb1ea4f842a33e763013515e5a4

SHA256
e9a106719ec410c3f2883fc362a5659e7d42f9ca02fb6f6cea11894790fe7ebe

SHA512
9287f9ae868793ea0833126846211a358b9ff491926cdfcf65402ac9fff08f94ee0063707a4842a3c16aca94a10cd51cfef55351fd76fabecf9a305a0623bf41

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
14b00a137855ca9e7f872bd35ddf5210

SHA1
09c6eeac643741531217798bd50e6d3cddb82653

SHA256
2332b679226fa794781c2eba324b6669c7f43468b24ea21bf22e4ea1f70c3e13

SHA512
b25b194eab7489cb9f1970c6aa87a8808a7d400fd6b6e07250f8fbcdee6b8e05abc3a83c2c6873891b3d932a45d4706172dea09cb89c9e8e561b7a331cd635ab

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.2MB

MD5
23f1c47067126c626c8107388a99aab6

SHA1
49f69a4534b4c3746137920d0ffe19d3a2c85d48

SHA256
bbe0c6d8867472fd8cc2ce877394181ab9f9903dce3f44ebbf29b3cef84176a3

SHA512
567fa89e4fa1fe249e9154f2a0e8f76408fc50dd6b74eecba66f8cb4cb91400181e94383025613871f5e9ce23d8b2fb170e25fa36bd0f4cde78b5b81fefe0814

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.2MB

MD5
9958596e087b7ac102d897def003a728

SHA1
219433fd74b40a4c6f2743403a854c193203c0fc

SHA256
e5eb1dd613e2452e295fd3e6c4090eac610dd0176e4ff195d2b8c2db23e68263

SHA512
b61f8635358764c7cdab9b5810452355f89319e29373bf817b5473fcc491b107947242846ea7de1cf243432be60b97fde96376864c68f1b55ff760c23c775adc

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a3679c1bb5ff55406fd4c9cac471bdd9

SHA1
e65a08cfc4a8795c4d414f134a7b16a40b60685e

SHA256
d42502a52a3515c41c69f47896d46caaf8650f86c5de9edc6e98c67aa93de3a3

SHA512
46abcdc4a3f178548b0999652cfb9dc6ebdb63d1ead0eb7ca34f460c8a91be7ab42b3c437dc7dbd325d9a0c768cf2bc4a31c624067f6a1af52c96200d239626c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
d6b3a69284ee7a11c91b847d4e23d38c

SHA1
89321b34d49f1643866eccfef0e5967b3b477503

SHA256
26de18e51ce6261a620e6709f4940451db27f10727fc9050b43ef4bc8417d978

SHA512
a45ce13dfe4fd9ffdc46382899596932e5b85bd6fb477febb69d51980d41c79c0852d33563047d9324f0d16151f3358e4fbc4ac01efec0e8f6025fc8e692aa15

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
0a1e9ba669b206ac4269b13e5bbbcf41

SHA1
de645ea43e7c9a25fb10c0094730b43e91f32fb2

SHA256
b6af0751cd7d2bf4a592c42566b3f43a3fcc56b98e17fa593f0dd26f383fc044

SHA512
8cdb2b56dd5cf3191c5e639828f5ee743ba0b047b3c9e0677e517383e0b067d2d7c07ec8f6b999c6fdce918c96025582491f84a57aa82c0c1b416b4002824869

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5e48a5c07ab5e57a3ed2aa9a7172f4a9

SHA1
9af88c3eff16f886ffbfe14043fcfb6cf66228b9

SHA256
2e3e7e3df35c58828db3bc38d12f2a14676120e77d5afce1f6d0242dc111216b

SHA512
681d50b30f8f5025e883492485659cae988992b1b222cdc5056f25f21b4c1870ba27eb7952ec2a132fdb7a3b7970c210960896b03f11105585012168b7fa248a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
348f02fad374b033423506538afddce8

SHA1
2fe7ccf2c18903708107eafe21ea3be8d2c29eea

SHA256
ef5ddefeba6de7368a0e029d9fe10cb06b653089b06fc22a4152b056cbbf3207

SHA512
1828d3ba957a0cf852a957fe26c7ec29aa663f3f39ff445c51291eef0681e733a19439b758a72d0775e4ae9a4c89a345c1f4a3cba491d347cb64694c9e322bc1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
2.1MB

MD5
a068442fc1fd970056230fb536e0bb0f

SHA1
a3d5491b608bc38803fe198e0b34a6d76b98cf87

SHA256
2a70b96ccfd6a9e7652843f934276cda7e9afb8750e72bad037e697c6a068e2d

SHA512
63ea1809577c9181506f2bda7edf13c35180495f9e367e85741b470b3c9a758e7b5e5ac1153f18bee763893dce01d7bb699ed6e3715b5cbd8751693c3ca8650a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.4MB

MD5
084d9b88ad413368e858ea3aa535f022

SHA1
9dca23673e760502894381d82bf60c0d6916b0df

SHA256
9591d74b35fecf6be814d24e35ad5c855ed81ea4dd1f106f1eaf79dc90af1d3b

SHA512
cf0939ce1d8a2fe764cf77513dbc95c8016632176b41aa125cadb9d7e758169c1ba293cf85a93ba070537775dcf6a72a8d651b1826953aa475bb2cec87f54816

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
6e11acd2331a8b11e41850a1cea6f046

SHA1
d8b4ccaac579de2a0a94fd573c202531c7a13baf

SHA256
ff4df2a89f3a32c18cdaf5e37fb8843080ddd977002e256460ffd0ad74769e4e

SHA512
eedca31a014ce4837e28226641a4de0ef08a8879940892400c979fac7613e2cb52ed3f0c0745fa7009483b5286aff53df52f71f03fd88115eb451f608b9d5df5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
779e0cb2b1c5ffddd4a745631eb8e5b4

SHA1
9093c2b5b794509aa2565de3ab5ca840fac2d260

SHA256
1613fe57df8a17316136a66695889636071f3bc58ece249843883103cf28a4e7

SHA512
49d38e666f4121134dacf8d78b1cf7a282efadbfb8b4def7731386a133d651332005030697e78f293782796ee20e7a671bb4ecac6e09a1e66c18bcd2d71ecbc5

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
29e67d1aaf1205173494010c261bed36

SHA1
c1b56ef2c3a1f24f4638b86a7f81f5b34eb5e64a

SHA256
63cd5da86e6a53e84a421695d9205cc2f003f4d505a66b5aa2f998ab7de355cf

SHA512
f30e1487422c9d57d214800a9a7706bea7c74203c1d376d6e9b12fcc0b3b30a16a0b46dc03bac4ee60cd16262bbfdb223e09c9d78eea9d1b1f64e7936d5843c5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
2.1MB

MD5
e512675b7863c6ca24c3d32a2ea0857c

SHA1
b93850adf2ce77eb677a2a191ab41958702df9d7

SHA256
fd49d997c99cd825af877a194b48995241eea8a5e74714bb5dbee2a45f877a66

SHA512
0519775854e1912089a11530bbc0fb61a293a7b8d44680b6ca21c75c1c5dedf6d4c2c3f8c9cbc01ab5ea5872b4f61335be0bdb7a9ead81f5777ef6a18fe1a743

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
2.1MB

MD5
32cf179735422f2cf11f1e9cacc1e2da

SHA1
c13d4414f288819ff20300f6c52ad3031941913c

SHA256
cc7cd277c3a4e04ef0dc9fca890c2e2a3a0f95403ee5f0406cf3f76bd08bc2a8

SHA512
f7f6b45996348b8227b894ff07f152e68375f97cfc2bd54c573cb68655708b28dcd9dcf1aae83f7c6e3f15300ed8ca53326bf07fbc6bf25194a9bcb58416750f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
03e76fed88d1ba28e21a2c34a63c6313

SHA1
d4f121383634c6dfe7a8eee5d6f286371710e93d

SHA256
c81fef6846803c8bcb667abacc42faff9f21749e9350a47a361c97aefa7ca004

SHA512
15b3c12f4234d73c7f730ae8631d04ef702e02be6e064715780eb941ed23a993eeec1bd1cb2b77569ffadd7427141ab4a978559c6c9bac1b0e526e5d59831695

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
50849847af7e46ecbe6d3b38deffa64a

SHA1
9f6f18c5192d135811e41585ef81b78fda11090a

SHA256
d45c9d014892d133bcb08154323d597ce6849d615b4ed7ae9e1a931ef8801e12

SHA512
aa856cb243d5b35e04ea69ac7b59c7f90288b52679bde44280386d4b39bad7295ca1a82e2d7f8d1e750720bf405245bd3a1e1e5d27082ce82e92b2ea2dd48495

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
40e8c8e29cddf9ad5255be9bf0dbed38

SHA1
40f08646b2ca5e94844152805ec8b11469dbf4bc

SHA256
adf7e0b0e2c8ca72ce4f3fca363316c8af7db46c40ae1dd1b8a6760646fc2939

SHA512
458efd6cb1d29663b81219814ecef2f18cbf7668a679188ca92cf00b71908b28eb133b02f1b43a86deae6367fed025aa81e75453cd3e35c116dc56f37663772f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
99713db7a945a27a6481d55a280325d3

SHA1
2b4f0c40be4c2255e700c333b55a20cc3478e512

SHA256
8254634c35e4944b7b17fc7d8e66d93385142a889ee240aca74c348fcb3992eb

SHA512
7d9d77d5cc2980c661060ae5c221b38885c8cf79e74156b074c6e84cf0c1ff01558acc9e5c79727160cd82913dca91df3e528d30e85eecdc95ed2e72d82a6124

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
bdb35cbcf8c8229633709bcb607f8bb7

SHA1
934beeef2d4cd76e45cdf8a0514b6430eadbb73b

SHA256
dc5a31b2c9642668788fd7e6c2980765dcaf14c931a40cd3f2c606ea84a4408a

SHA512
53233810fde473b374f2f9cd26ff021193a358a583adcba11241bc3514a6084977c83de7612b41439b11cbcb8b16aa329fb9082d03045ce8c71fe4a696f4df8f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
50893f703956aca068bba8dd85fe4709

SHA1
eab2740e51fb0474364cfd5e2240ff9087260900

SHA256
ca5c6fe50a8edd1de1e37d8f6c7364ca8d3d84d5b5d1acc3f2025edc46a73c9b

SHA512
8a228d003ff21a694bb6b7d758118e6d3a6357473053ff3f58c22a13ad5c39957d84699f6e1b95f22f5328139e8456bf63d82837708c30431b86b9a60feca19d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
0804bbfc1e48407e1413645ff54f1676

SHA1
fe2de4f409908b642e01b62e3d72b34dc991be27

SHA256
1266963b4802d461d539ff6eb669bf0423d358e1c19dc8441d3945d9f9d80357

SHA512
70cecd0cdce4fc64c47f37de88eadab7d63ef6fa8a12d888e13880e584e8dace4700e7ee945d77ca6001965c8a8cccebb257a2c4b0e4d9f2dc217da88206726b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
65b5d2b157b38b25ef81bc9bd9c1494a

SHA1
43a2e07a9145a2737be1716a7e5e10f7c920d736

SHA256
df0ddb8575d65d01171097521b2082164be84684e91859ba9786decf79abbe1b

SHA512
e29751ba52ad50827cd93ab1ca8cbfbbd2c0e67da5ea64e3235588e54c8d5a52188750a915146ede8077efa9cabc30556ec1221e0e1459ef7bf0d16f95df7918

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
ff3791fc03c8f0f87e59ac946517eeaf

SHA1
855dfc8699553385142a92577b4ae7587fb09b75

SHA256
ffc7429562c929069d852dd00dc5c9b10a613a9fc0b6080a096fce5b04a87cd2

SHA512
0dec182915507f6a58839030c704e790aadf76285a69a483c312f45802ccc204e670983790b127dc38e3935ebfd0d74d47df55fb2da8fd5733a1ddfcd25bc491

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
88a653f86fdec88c4ad094da9660e50b

SHA1
b4f8967b48417a5c5f2c406d3ebc015628132d59

SHA256
640091ec40dae553911c953e05ccc025c66673f6dd2ee65ee923221fb3c3a599

SHA512
cf794e8cc1e2293eab0d42e42f31ad032eb400a63c6a15ddc95bc787dc69f2040d1df0a1d7f9fb21764b6e916b61096ec22fe9b89ebe5523a0e1ae8ac9ce1bb9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
8d72994605866bc512ade423bf9eb5ae

SHA1
1bf0458e65869a28cde02ce1db69f96b9f79ecba

SHA256
7b6daecaac344578a6e37c2f9db81d62e419cc2a6b8e628455b3a26479524431

SHA512
a75f37446220a57be06b9bfe3b505b5fda78d49da4d64405d33783257ef8b9eb12e99ed8e92299da507b787b15d0a34b2a616c61c5c641db7b1f2d5a18ed56eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
55555f15a0851bf3fded034788289257

SHA1
037b5784b131d48b7a2476a20948004110c57626

SHA256
b3320fec1591e424953465889219a18030f99779b4937e0b360523347d61f1b7

SHA512
ecbe14be0a261d681710a69871c7e8c4c9afb568d8800da2c2d5b30ae400be976a12a6a169f3a256a55aca8673c66d1119f0a28fa62e55462c08f048c2337472

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
fe3d6d2542691d9135f927938d675a85

SHA1
8978bf39bc4117b492b2975bf117631b10c98b3d

SHA256
3bd3c1e795a092e01e33fdb03f214cd3590b1052dd10496c9d93a4a6823b38eb

SHA512
fc75a43353a6bb7f18d120a09b306d32ffa07d0e129a7e97a318705907812a6d48b1a44213bc39aaf199ebe96a688954cc38f7976601a7c6c89b0750082e581c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
7f579606fd2997e2b4af714e9733d1f4

SHA1
a6b8bff60f1d5c32eafde07112a27ab8d8a5fea2

SHA256
55a0d06152561962caed96c7e7579faf6710c661cb38e9090791b5606e35e2ab

SHA512
ccc6431d9b2fb82d93a3c628904db6cd6ae874bbd54ccf84659512bcae58dcca1beb006378bfb640357474db106392ff0839f5e67a75c886c0a4115b6310f0e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.2MB

MD5
a4617f7e8c69d2b31473fcf144c466f1

SHA1
0ac0023fae5b175f642c6d09edee7274d1d5c166

SHA256
de97b2319fc6f23232b2f019ee5df196eca99b517ce45abf704fc19f260abc3d

SHA512
334201041f5e473e9a9454eb912ae692d2148dc7d939b2409111e9666fa9588cbb612460f1a39e73897f97345f4aef09502b979d51e46009e0d50d574b5f982d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
26c939c245dbc5ad8c7e38533d82e167

SHA1
8a81661345ae3031b2d00a6c7b6aa7f4065f2ef9

SHA256
dd21892ccc1e486183325395dad2a702ffdceb5120845e53fdb94db16144af5e

SHA512
2dd37479b687a95efc82d57fcc47172366145c75c55bc5b32e770d6bfcc6a2c7a261101d040212895b4f1380e3b41dc927ba5bb7dbe8580e1501637ba939995b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
f802e9fb01323caae69024391dc28c64

SHA1
d315641d489839d009c646a977d08f8e5cb926e0

SHA256
a0219bc20960e283f8ec2b82ba8926392367303680c32480ec3dee0b3fa2221a

SHA512
c724b7c5065603382cdbb04a329d25af4bcbbd61c6331def749860e82674811e0d4db3d407425fe75a2f17bbfe1fe2ea5d79d459482100756540f39253d17b8e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
8ae70382c47bdfd1b79b5cf14cc5cc04

SHA1
bfc2ac379e7fac3a9ac0f457226fe55671f4fb6c

SHA256
8a8df289aa1a92199949705505f13fe952fa97789c63911919847b58817a8473

SHA512
3339ea074e2db6d51c35e0d9747763b84618b1b7ddc02df0b5a12f4d91edc4fe04299bdd0673f7c914769f237cd867fe68a19c020fded53af3c70c2257d109d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
42a556dda77a913fd5ee4baffd1945a8

SHA1
276e6524c14abf38f5fc8efd0716dd27bcab993b

SHA256
a913f08c792e23a391e6928961386ba2debd679c7f93e2f08c9be03be75770e5

SHA512
ee02dbf7bf2087ab804bcbfd11092747bb9d46242163ef56bfa1482f6bc95447f7c732a11f6e50c98cf357db62df9ff011253249cd723bb479c914aface58425

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
45acf06ed2d39c2b800c548ca5122fc4

SHA1
0a8e40a50efb5ee03f54cdca758b8caf2a5fbbff

SHA256
47c74cb64ea5e26cfd5237c6d63ad492b8944400c9d25dd4a8c3674fd44dd884

SHA512
fb7ca0fa44bfe487613081a2be2bf78a9c745c6cf128b8cdf982c0db6a549e217913bd33aa37bf631fcdf06df30da32b1da34fd125e6c993f23e14fda8b7de82

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
57f8a4ef4d606fa3ab50680923a5fca4

SHA1
70d2c10839e9836498cae4d0baf86b42acaadc40

SHA256
a58e845879803879094190986917e2992dd24b2232e14dbabf6773f62c0e6a9e

SHA512
aadbcf7813aa7d6e880925642286b1784866e9f28f1fb77cfe955e1b1dc40a90a60c0cdb9f255b4a04c23133b8febd1cb3743149cbeb07d3bf97d128296390f9

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e9a30ae490c758d712ec247d3aadc05a

SHA1
f749340e3df0e7b9335c2b69e3b983a63a90246a

SHA256
e9f329602b0a89eecf9a93b06f9e7e414990ab7599d9da4798d97bd3c093a2f1

SHA512
56197a816287b7f6a914c0f4a57a25744a41a79a87d233ea26e857501d33452fd5b4d7d77afc913c8255a9892ea105b1d66d6675a8ab397229d7f202d9b8d535

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
2ea6c7964d12408873e2a5e56d668eb2

SHA1
328889f1d610dee699af3d30d0e1dadbf255b00c

SHA256
46d8259186d23682c626aa41c0ee7243f3c06120ce11a27cfd23c8eb80fa399f

SHA512
c502ea493633de8d6f7037a351626d99ba9b65d51e2d551da7229fa879836050033cc2cc14e96e8175ff50a8607a6e0e1c904577d8c3334fe3388dfe88d50801

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
5d88126af14a85f3afebf171c0bfdd27

SHA1
bfbfd11306e24ab3ce5fefd749a6677de9e8e93e

SHA256
8831c810bd656a1be8a4e6186e984c5b5a214934857be600e21fad9f3826b240

SHA512
d30c2be7cc6392e604a5c4ab43ac55d46372dd8c86f827f2a5d7db130dc358b1a561398693b57f8771eebaf39fae937a2dc36ddebd196c5b6e89beaa7cc587ff

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3cfca2e0492796528fd37528c20d5a02

SHA1
22888985a191c1017d88dfe8f81618cebcc502e9

SHA256
a3583c4ed5b3fc20c312f1ae4214d6437c3abb6e7a6b1cdc559891f26045c209

SHA512
ec7506df7fa3e27ca52cb50e80c634a3120ff1d79ddccb7817edbb4e737685187f6201b9e49554d7a9dbae8d3f85bcca628b9ef76b3c5ac976c89da140419067

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
503b21348bdb74c257c009e32a9b0d37

SHA1
3e1f220751e0df51ec9b9fa6e987ef8a104993a7

SHA256
74dc77a3a8fd86b2a4486a70919df65f1d8e09b57af410b8a4dfe2443f534e38

SHA512
2821a1673c9f31e38bd2c1e5204b079ff6086b31f95c8cbb8137cab5fc240e99e5b2c23bf2d7df9dcc9844ce136bae0f2f2200f41a898b705c4d8b2cf6056ae3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e846cdde0f2587974781d6b73b630c63

SHA1
d547b1e9d5549a55c9e17c857312fa10b508bb4d

SHA256
7260572efb80fd9ddb52362ca644e2b320a59faad2328e9024a695bf567b5249

SHA512
d68e575903111f1bc645be7f2921105dacfea9b2e1374f8607fd35d2e7a1fa8a67941f84546dda64a82abcb9c8abe37158e26c6650fa61e8fda86b517db95090

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
c605d06a66ec263ad0d945d0ec047362

SHA1
57356d5e9448cb00c55daa364bc0f736b3f78375

SHA256
4ea57b7ec8b8cd417f18a87ac188b23ea2530efe7ec59a3566b93b3375da2f51

SHA512
05ab9a2ba5ab460cf71be4a03d803efc42a846c9c10c0a6ad3472ac447d0fc6d901826763c1a2138ff5d5255caa70ca9c4d213751e5d1e593a6ecd251842c422

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
2cd6ac4e7b74b5f19bed86fd0cedea85

SHA1
9accd3d02f5143f2874e3c7f204f4fff2a455607

SHA256
2a077eee598085ea3f2a9b8c93d7862ecd76b4f9a45c5bc4e00c0fa94a87faa3

SHA512
ef4ce1258e0b26fb4f0d21fecf6103afa61119f4a72b11c62a886ca1e09256ee64f01e2756e59c378164b3c7633028f8d329cead7c202dfc01f3789072c37cb3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
5cfcc9187e26158acd7a2d62168188b2

SHA1
7fa7c0a9a8f0d6da5d1e5c8248b2d503af1d97a8

SHA256
53136d0b3e9d4c4fa58cb3c5348703356c035254c2f8fd1be2366d5a6e6c16e7

SHA512
0f0799d02bee19ce6f4955be979e882b2e4b5f7a39cd5e0eab1ecfdb5ef574fe6fa108a9e73b10fd73b21f7af8736dd7e0defc46339278cddcc39d3f2b1496fd

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
82168fbeec8c4542b432ef45bd1cc3c0

SHA1
423456f07d3c3e3ebe96e4027d78362c8fbff2d7

SHA256
562e37de14252f2b8a2120f8d1dedf23e66fa119644d0d78a2febec414ba8b8e

SHA512
dd2c2a514e5b9b18870e95c79e1db3b4d1766aabd86cb35386d01fd508886e1f7283b72ae17de5e828e535a9d2568f706b6a00fd43bdbe0d4afabe7c6d2aa85e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
567fdd7e0a7206212c152cd7e69ed8bf

SHA1
016481d6a3333d46147701cfbb5816cbe846c532

SHA256
ec059976cdf9a8258a9e938fa7efbc57b42a307da0b11e1c1deb740e266a77e4

SHA512
3020b6f8659d9b517ae0596a0e29d8b2f0cee72f764950eec051cdea9a8b521cc626f77d07d1c36f651a3a0ebe52bbb7827c86ab42e9b5e406d46ca386e991bc

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
766f5007adc8c86e8e2895858d64f71b

SHA1
5a93b0f1ed528c97a390cb470598f4e6dca3ec15

SHA256
536b9d7653bb56ea9067c3643c96ecfe3a2731646a658999269232d13c198094

SHA512
b46b9e6c31f49403bbdf3f1cabf84c729b5eaf9cfade4a13198c3fe66203b03bc582bbf8d9a8e7fc38782cd4af20fe062ffc418e26450f8dc279fe75632fc6d5

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
1d1e14dd39e0e4ba3d8968d024f70317

SHA1
e4c85f54a037fb8f626202f42ba4afdec48dfc6b

SHA256
46a0d3e082fec63231f92f85e2ed6c40b16816158853c9d55e38b6a6076bbadf

SHA512
8495ea108c876b6a98e93753b347abd8db1fc12b5edcc84ef84cb3b74a54dcefda01d452260eba5c09c5c21c0e17da9bfd508899e2e0784dd119a13833ff2768

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7bd0624a45eefb53df0724290e448986

SHA1
f24d1689324a6db17961f3c3e8b67ff1f4f4cfe6

SHA256
14f969fcd51b365fad5f37e17bdb7240ebdbbb243e15259513fdd9c94413ae27

SHA512
922cc0fe095648de3e38d1c4bca1b6f91e5f23380d6adf8a92c76e68db5cc2b03a2d59632e1dcb51fecd039af38fd36c6d64ad2861fea0f878ed1b9e40e59d28

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
3023f7aec3e40930475f81b69ca55b00

SHA1
7e87caacb7b289f280a51204fc9f884703942c57

SHA256
b02c665e8449d92a98aa559252350441b9eff8d5cf1ad81217ac44a62343b6f6

SHA512
632bd23de0bf41bba3a846f17317bf5754665c7ab851c6eff009880df2915b316c0aba326fd19014bccdfa6f898094d8355f71e3a4cc5668843369e37c716bb4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
a866a8a9410bd629f956b6e19b330e21

SHA1
9b3a36495ea8f07a2cc3879e7016745183e98e4f

SHA256
96b088cdf8eba5851e8c9df19b25dbe829a7215b04201f302b900092d0aeae6d

SHA512
1c64c135f386105287398f092d1f1c9793f0854e7998f1ac733d1fc027a7190192e4de553b4e2a03a0a3eb07216790f6e3401aefb578b67cc59f608a0d361119

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
ab6e0c0900e2c7934e497c8d4aadce0d

SHA1
5c2fa6a8b12547765833aaa932d8015ac3ad1d9c

SHA256
7a9bc8cbcc4a14c1afff0ac81fd7da78589b371082389744736f58c83c18d9a0

SHA512
c0cc7378548f029262c68634398a2d2671caca68cbc081589901d783b2092a7b26ad02c34d6daad104010f29152e848a7ee57d9695b5529f497e1d1b50d95151

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
dc44aa94fd818d101d951213dee516a8

SHA1
3727cd6e6d554bbe3fe6443cbf09429beda34855

SHA256
2db656d4c7bd424cd2c7623a094e71f8416b09ce0550ac72f218d943695f0d9d

SHA512
844e65a007af10dd55120b04f7b5e2e281b024b897b8d13cae8486abb81a2a772d4358d97e967a96a64c06db5d1e546f16e3ee28be6f934d1db0808c50ca7f45

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
ef8e2d49a0fcdac9c4a76cc781d8676f

SHA1
c42777fdc09ecfb860e5b1cb3d9c8e59d5a0dfa9

SHA256
102cb49cf452f56712a17196be6974c379d5245b50242d5ebd8060379fbe094c

SHA512
a1d41e3ddee9420a04e4b8b27a1f231f2639c7654fbb0a865d0e5ae6544a724fe14edc8d0176508044b25bc9823fa2ffbeb4317775e510c2a85cbfc307c8b537

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7e9bc076970d238859042f5eea47b040

SHA1
b55f4c9099bfc780fabd1259be8ddaedb620e9e6

SHA256
069718d8c302bebf3bb47d0a7d7b739f8a95104137d21fdc95247d47cc133a1f

SHA512
160c72b46b1242554f8b40452897af8020bd64d1e606b9ca70f3fe9537abd276181372350ef0263bc94e912ddff5c8f6f19129f1dea32438ae8ec19f4ca6de0d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
1ac00e84ced342b439471c3d0bba8bf1

SHA1
0bfbd13dc04982a0aedf70e52d3445162e37ad6d

SHA256
8219927d1e14ff76e4d3744459e1031be71f5dd72de87f4d5ea93ae26eaeaf19

SHA512
e6b1986eb3eac39bf1ddd7d5357a24632457f9261a0a6e94620fb43b69eb4fa598c5d45c3d3345b59e70b3169e649afae2ac28378baddabe2cd8c779eed86a1d

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
edc51d73d617dcdf690524a6f84641d2

SHA1
da9ed3dcf33070c870e1a4431a683c4589657e0b

SHA256
1a8d5fcff2a4e1e77e28554fe1ef7ebb35025b1494a309775da083c80e840b4b

SHA512
aa34c5c5a8f075b80cc0244f8e4cadf1177505a7ac8584d7ad0f962e7593ef607ea3158b5967deae520add4713e41209b4a2a2d2267db55c109ed53db0e21c7c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
34945caee7fe3380aadd9ccf93f3bd44

SHA1
0fd0b9b5119ad6d4b748d4438e055c5c289e4467

SHA256
612d4560d88cf8cdb7697be803199befcf8e1071109d6594481a64c983e346d7

SHA512
05406545ad6a96e68cfbd46f5a468b93b4aec5abb8562b92fc0040d0a3723af4d72222664c3117ba3a014cab9a0c896cb8444a23d64010f96b689512a87c80ee

Download Submit
memory/224-203-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/224-211-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/224-271-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/644-291-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/644-283-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1104-278-0x00000000005C0000-0x0000000000620000-memory.dmp

Filesize
384KB

Download
memory/1104-273-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1296-87-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1296-77-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1296-85-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1296-81-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1296-73-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1688-230-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1688-162-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1688-171-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/1844-152-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1844-158-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1844-214-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1976-266-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/1976-258-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2104-228-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2104-224-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/2104-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2116-198-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2116-189-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/2116-256-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/2336-156-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/2336-99-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2336-91-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2336-90-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/2792-50-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2792-51-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2792-57-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2792-118-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2904-121-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2904-183-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2904-128-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/3248-485-0x00000233EA710000-0x00000233EA720000-memory.dmp

Filesize
64KB

Download
memory/3248-492-0x00000233EA720000-0x00000233EA730000-memory.dmp

Filesize
64KB

Download
memory/3248-491-0x00000233EA700000-0x00000233EA710000-memory.dmp

Filesize
64KB

Download
memory/3248-501-0x00000233EA700000-0x00000233EA710000-memory.dmp

Filesize
64KB

Download
memory/3248-484-0x00000233EA700000-0x00000233EA710000-memory.dmp

Filesize
64KB

Download
memory/3256-135-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3256-144-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3256-201-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3280-89-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3280-32-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3280-25-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3280-26-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3444-12-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3444-76-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3444-19-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3444-13-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3576-170-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/3576-115-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3576-103-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4004-0-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4004-7-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4004-2-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/4004-63-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/4124-131-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4124-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4124-65-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4124-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4152-244-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4152-500-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4152-252-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4392-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4392-243-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4392-184-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/4616-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4616-46-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/4616-43-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/4616-36-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/4616-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4736-233-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4736-483-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4736-490-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/4736-239-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/4816-196-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4816-132-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download