ac50f37c263351a278fab183b8a097355432189a169f74bb38f8d658b2099b56

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 19:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
Size

1.1MB
MD5

0c0388615d2ffcaf3763f93b1ca35db3
SHA1

1f5bb3ece626e384aac256f97db0e0e66fda1508
SHA256

ac50f37c263351a278fab183b8a097355432189a169f74bb38f8d658b2099b56
SHA512

dadcb5bd67ad1aaf85a16446eab1df0458c8772bf28b344d5cddfb4b01db6b1f85c25dcfab628e603da2655b5c0b52147c8d6905f350e3840d530ddd3b125fcc
SSDEEP

24576:gSi1SoCU5qJSr1eWPSCsP0MugC6eTWSkQ/7Gb8NLEbeZ:QS7PLjeTPkQ/qoLEw

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2124	alg.exe
2972	DiagnosticsHub.StandardCollector.Service.exe
1848	fxssvc.exe
3720	elevation_service.exe
916	elevation_service.exe
2044	maintenanceservice.exe
2280	msdtc.exe
3732	OSE.EXE
3268	PerceptionSimulationService.exe
884	perfhost.exe
2168	locator.exe
2964	SensorDataService.exe
4628	snmptrap.exe
4404	spectrum.exe
3768	ssh-agent.exe
1752	TieringEngineService.exe
4032	AgentService.exe
1576	vds.exe
1656	vssvc.exe
3980	wbengine.exe
5100	WmiApSrv.exe
2120	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\cba5024c3136770.bin	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004d1f2253a3a4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a19db850a3a4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eabc1f53a3a4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000018a82b53a3a4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea60fb50a3a4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b39f450a3a4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c8fadc52a3a4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a00bb50a3a4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000adc3de50a3a4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e5e80451a3a4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2972	DiagnosticsHub.StandardCollector.Service.exe
2972	DiagnosticsHub.StandardCollector.Service.exe
2972	DiagnosticsHub.StandardCollector.Service.exe
2972	DiagnosticsHub.StandardCollector.Service.exe
2972	DiagnosticsHub.StandardCollector.Service.exe
2972	DiagnosticsHub.StandardCollector.Service.exe
2972	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1836	2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
Token: SeAuditPrivilege	1848	fxssvc.exe
Token: SeRestorePrivilege	1752	TieringEngineService.exe
Token: SeManageVolumePrivilege	1752	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4032	AgentService.exe
Token: SeBackupPrivilege	1656	vssvc.exe
Token: SeRestorePrivilege	1656	vssvc.exe
Token: SeAuditPrivilege	1656	vssvc.exe
Token: SeBackupPrivilege	3980	wbengine.exe
Token: SeRestorePrivilege	3980	wbengine.exe
Token: SeSecurityPrivilege	3980	wbengine.exe
Token: 33	2120	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2120	SearchIndexer.exe
Token: SeDebugPrivilege	2124	alg.exe
Token: SeDebugPrivilege	2124	alg.exe
Token: SeDebugPrivilege	2124	alg.exe
Token: SeDebugPrivilege	2972	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 4972	2120	SearchIndexer.exe	111
PID 2120 wrote to memory of 4972	2120	SearchIndexer.exe	111
PID 2120 wrote to memory of 3512	2120	SearchIndexer.exe	112
PID 2120 wrote to memory of 3512	2120	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-11_0c0388615d2ffcaf3763f93b1ca35db3_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3556

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3720

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:916

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2044

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2280

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3732

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3268

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:884

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2168

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2964

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4628

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4404

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3272

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1576

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5100

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4972
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:3512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7451ddf32436daf04975d1565f9ad054

SHA1
53a05916a44bea4e472d5c4fcd95943352d36c24

SHA256
d34182486c726d2db52769fb5036a9f1ab857b412ee6717117ad052a17523355

SHA512
c244ef5be82107055820ff182d237574dda6b61fdf4c9115ab80225de33f474ca6fb652b9a38f64cf8e701afc7c9c92a0079ed8b0bab5d1a6ff816e331a436f7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
0bab9c8ae2f1623efd7333ab0da2fca1

SHA1
0a3c0ba9d379685874d6de2d189942055e8fc99e

SHA256
97728e02f29d71389a25159be6df084f81dbf28d180e500d6252f23cd7afc789

SHA512
9668f526542906b9c146c83ea9ff3c8f91e44dadd9d0042bc5e1b58d7bc6bbddd2708d408d3c09dad5a96b817ea5d1b9cd46db36ede6a134eb541e1bc832914b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
10f787e454129a6b9922f8b5d5ce615f

SHA1
5ab4547eca8d81a048c0bc6f89908289bfd870c7

SHA256
2ffdda6dd58a9f2ebe43bb5516d1badacf036a59b4bd4fae27421f0c5e620e29

SHA512
0bf5f24a688750a037ef5aaafccd62a1e940f6ee020e171bb44599335cc793baa7a272a31b8face0cb6dc117e8b06435641d2641f5d2b1550d1142710fc23659

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
67aaff92a96de9733f286d9e0a054138

SHA1
e4eb0c71889267b63184cbbcb6185f567eea7608

SHA256
49ce1852173e0ba35b8b79d6bc7e0b216b2d2d3856261dcd72f98234699d6ba2

SHA512
51fb43f3c104510a90f22e5fd28024c4d5c8290dbb09b9e19181f23cc427f33533ed1090a4df089c1c9bec3eec9e3711a5fccc73889273ddcd4e2297c6d29ecc

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4d5ab4400a804a24583f94911c913d21

SHA1
24b89054ced582ad7f4faf2ed9dd777b57d6de36

SHA256
9b12938d170ef9f23ece14ab7f30fb907f2844c9eff6b69d21576c3218d3d66b

SHA512
06d154d90a4a5cd60123314dc12ad75c4dfc1a4e4aaa2e9a5a9b07c1e297d4b8067212695c4ef57e2d47b906f2e7d23bcd30ffbcc4810b8527dad4668f3c3d58

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
4b1134014effd5cb1d8fc431b29b6294

SHA1
3677a887c49f0d930140cee41c1d291f58f8e01a

SHA256
7ddffd9670218d3e4419d31712bf4490404a6710d161e1e7a823cf282148526a

SHA512
b868b3b14caec89e8b4558ddb02f1003cb2e04e966104b9ac912e8989bfdecfb14330f8b649511ebbc4cb90001ead19d77fe0780c3098badc16ed3ef311f5b13

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
5b8a97566f1af64db1c6ded1ee38b2a4

SHA1
871f2bcc33e3e247913b9f08ff9fb82b750452b3

SHA256
bef0b6fc988c7c966e59d4ff8c7b9a73479fa787fde4acd85c67a20ee53cad6a

SHA512
fdf6e562c10a958b44383ac76711fed8a416b1d84556e2000bb82a1bdaf31ccb8b964f18f4daafe63dd558f8c9b88cf6019a8368255202da6be1464bf24a49ea

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a8025c0c367245276621bb2356b785fa

SHA1
3ffa8ab4679eb3f0c0f9d51657d06f56c62632d1

SHA256
eaba0f7e1dd15760fd3792954dd99f07ea9f64e15d3e810cc1b5d2ca2babdb18

SHA512
c8bdddaa4ea34ff94abe69ad55606b4d7e664e8bc0eb91fc995f7d6a2e4dfa27531f05fa68b473c80d273736fbc749f8dbfe25c9f5acd62508975062c115acda

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
a0da5e38e4197690887fa49e3153adf0

SHA1
635de8ea11f504a9211ef815cb23e09f131bfa9d

SHA256
80de1233833d8f2032bd28b3bb79f80a46cb6772fa50973c1034756790d927de

SHA512
8719c980d9cba682b23455f840e9338134135ae1098558a7b2ee124a1ae6c76a7b0959c974c2c9fd5fd689c21a87ca4f1956fcc8c486b4e0fb252ebdc60ca976

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3e4962655449f2d2cf6cb7f62352ee8a

SHA1
57b653dae0ce38ef79527bd0dffe2c69d1b4cfde

SHA256
2fc2aed4ad731f0ce0842333658e68267eeb852a23c97d3897636d5e1b904142

SHA512
16e7eb7ed033f28c7f1f75cd63f94f741c8b43d14a1cd4ecd698d2e7d97693e5c66d6437717fbfcd4e75425bb32f4ee48f331674ab4700ccffec7623df90c089

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d2789ae1bbe79c54d73e52389d5ed5b2

SHA1
bb32c560d6a35cb7db8a7810d33c2ab436fedc3c

SHA256
ee38a52b64b7060aeb41c421566e3aa6e93700fae53aca1ffb739d89b495deb4

SHA512
4e71284f19a2aaa00d3a33bcfaa0101cd94d49aa8597779e3a24b42c4a7f905d7accc563fe4ea469ca3cc947f83aae7868104ec5b5a513f46b90180828184722

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
24e4a766296b5e4b9604a48618683356

SHA1
77aeb235afb99a766245059628eb2f55eec9d8bb

SHA256
c212e466711c242a232038696df0343120822c428219857478d6b83ed6c94057

SHA512
7692948452e19ae6d6ba0488c64c15872f31fed6f603f8b9418364bcdb28a9a0140f6735e183ee5a46f41c95f195a0d88278e6964a93cb972f62a0e9a1cf50a8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
b5bb7e8c6382064933152651e926e556

SHA1
ff326b0f19fb848377740d9fa6eb8685332dc5b5

SHA256
a312356fbdab7b1ff79600a31f748dcbc648d11545c075a131644448dbb89687

SHA512
0a728fa70b3b1e16bd4a39eff1b2120d854d45496cd971f2cbf471425b15cb854f6f003e502931d0c385afce8385e37e943b33c1c9210a34b8c049ccdbe5c08b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
d8609ea54f0fd0a68f62e7094b92b9c5

SHA1
c4d881851ed831a1de51c0447dd6b001164d2fe2

SHA256
afe17ca93bb16791ea6546dd6e4168cd3012cecec8380be9031f9f36c4a246f6

SHA512
cac0538c54091969fd04ce0fe48d3c0acd0accfd92b1abc54061e0563f3b0cd8432020bdc1485aa04e6b03b3358c3d69e8e29ded91d6c750753a5ed0a440d240

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
ee2ac949e51fe51c73a42ebd45bf8eef

SHA1
15bfe4f75ecf1aea23760fd790a99dccb43609f8

SHA256
987acf2ff148db7adf4f04dd8a86f20787edd72515119a95623b08c9e16356fb

SHA512
41f064ecfaa5b015bf561c1f01b1e8730d774b322ef15e7023de0e28fed040eb60d4c51cd8be41e8a8d8c5fd5cffe8b6e91f0c24948f316e118aa65126a1bd17

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
45c44c55e3e723ec615f6526b7566db2

SHA1
0e14bd510872dca1d9fe07088353d2576343d2df

SHA256
ffa8fe770ea5b8e729fb071c251dbef91e0315b25904c7ba9127f8d977d1138f

SHA512
75fb1280c54ce93877f2fc82e71fd9e943933a6a99428bb5b4a8f0a85bc320bf29aad94d16f5cfd95e81ca2d45a3d9afed9343752eae11eb41d102fb6c898219

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
a7930fe15254339fe4b67e9612011cbd

SHA1
3bae6e40f56f70e550158d494d7b8358244ad657

SHA256
d2d5d5896ec6f8aba1735de1f965d53aed47d802ba57d6dd7c14661cb7ed0209

SHA512
3ce1a927942e1d954e84ea8b2f4d2a114bc37f87db6fb8aa76cc5d582c88d28f9a368567c1fedbf546e0c2798b97636a8f00bfe849d4e3da698c6230ca542df2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
b07146ac01ab47e08c0c7d079e9779e0

SHA1
3907c1f5c56fb31be195cb3d61e230df280db203

SHA256
ff5f09e44438f279fa4345e9c4c5a1cfc9b1dd4f5d4e48fd5abfa4ef201692a2

SHA512
ab8ae830c9ee19867def704b395d982fb6880d0ece3e1655074fe3c65934a15e74e1de330e72cee11beb92db195eaaff15a57622fc94ef5a7a2441b159af4a14

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
8783e21114f2fdea5085bd95022577d0

SHA1
0db1adbe761154d00269ede1c31488e8255951d5

SHA256
2b5298b4272d161f04c3033dbc68d0ef4aa67e44f44605f3a6ad42eb46008a25

SHA512
d5622d1733ff085fff283926bfe8bae619819c6dc7730d10e7840fe73cd39e9a3cd05ae61fafd100c46ba37083311da9ff376ad78a0cab9445e2061a5536fd67

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
15e6bc88bc7b765f23f182b088aa0cc9

SHA1
35124c4a7bf48bc57023c55bb611f9791c2201c3

SHA256
0a27a53d7a78c964327e3956579a24f2ce08a92fd6c4b396f3fccbf4e373285f

SHA512
ac9ec527088c9084a38e84757e500edef05184f24643725c8904576164ddf4b66a7de3a5154ba155095255e8f712ef56eba9035be83fe301f35bbac54cf6aa2c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
ba881bfcf4815f925e214267ed6bc901

SHA1
df6e536b9fdfff00e5b2fecf2e6f8de98ac80d92

SHA256
00f9490629e13ab34bc51348d8f685e04290940c4698e7faadd250a876d6a4bc

SHA512
57e7e2e7f9073855d085dc833df16792d17e9823c0c008e534bba20c67c6c5efb1b1e7a4e8a047b1512c3fe83534b08617e12a1fe83a1ea74b8865cda6d5a508

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
b7f8b3b44ccdb63442c57053c90ede38

SHA1
33e0572ed0e273f7213b225d3cf992273d8db40c

SHA256
d93f48e1f05cdb5910b649bc249bd26bec01137f97ffd43f199ee7dde1b5e043

SHA512
64631467c849cdce01725738a77d2c04a920bc4ca0d61921be22c46af6ec936d1b204aa424a0deff9bbf19b3621c6e6693500760e6e63fe1135ca9c5692d8242

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
f823b527464ea1e448152910e9eda9f2

SHA1
dcc27e4134771ff670ead9cf41310025322201a1

SHA256
b9fafc309b1ac626f3ef981aa6f116778abe8c642ca8a36a7efd2d3e487f0c6d

SHA512
1fce2cabea9fac2ee201da6aae81122bf5c196a323647546f599a6101114d261ebfd2895115ca8699b80afb9e0caadd4b0149d1751120e2b3399c2395e4a6032

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
e60bd424a65ac9086be6c6254b44bf26

SHA1
fc46d5f0332c12ce2d31d0f265d494ed3b498b16

SHA256
cedb035457e63a77dc4e91fe84e8a014f322921eec9ac63aa5cf0eae815a07a9

SHA512
32846f39bf4ce996e47cd4b30ec08602754d0dffc191ca5b8302868bc98f5c07c5fc10f477ec729e0b9daba21dfcb241cf823e77e73f37e4667f4295b7b1f32f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
4cf3d6bc22004166e41f7f7c5f3682e0

SHA1
1e3b03c3b4ad6b43a9a7273141bedcff1a89c69a

SHA256
b5fbd6dd0afd7200dd2a6860274b091d1d17c540bd28e062c5af1d518bdcc203

SHA512
d1a169c19ea2f3ac11d3f12cc1535ada803ac793e91612786ff1ee16ec37f73df22f3e4b73034c9b2732839162e388277c74de31a8c315e7f84ef1dd425d9e47

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
786c2258eb155c5baa8095c2e46c1c60

SHA1
508779765b2e664da81cc45d3a9e060a98aa3d75

SHA256
00ca601ed6b8428c9512f9c42c6d1f82ed7c242d5f94f97142fda4adc1984cca

SHA512
7a4b7391701880136feae23f0d790b913469ae91e9a6fb77e8a041847dcbdca8f1ce68fe59e04f74532bdb5a7fc8ebfd4d563ae28aa2efb65bf6c54f9f493130

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
7ff07811a6831bd4dae02736da9c6334

SHA1
e5459343c7e27b15b1624db040efc1f6e8b37ffb

SHA256
68866b493ebb24596e9a5726ef8b57873a4734b8debbbeb0a6a4627739899ed1

SHA512
7df1156243d8522a835356b8acbd655082f2de0599cf356ac6adc652f6dadd743ee7f115109b22207ae988ce431e95c4b287a37567cd64956f008183e6373df1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
fae10d78fc4289754805a3b63633a462

SHA1
22de6d628a4ba090e35234fbe4e0921c5a4b778a

SHA256
c17ed8506e0f31dcdce875a75cd9497620ac0e9e7d50cff77f973154869a2598

SHA512
dbddc7b8a869ae63ed6b3610799499e630c9b1ff90173fd16e0500e50d4b1cfb0d054cb33e7957654996b55ab57dceb4a01f51f6c77f3413582c5d468a06b85c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
3a4238112cd3de84bf03e0a87f18420d

SHA1
b5c8f7c1c32a1b47a4cd61dec852dea01170617a

SHA256
0e07aeb248c2149ddd7b25a476646f818857b8d235ff2b0efa923a500094c1ef

SHA512
30b4f7449f84acc6a92463e7dafce8f93add0e845846985f71657d53f678d6281a1d07b1a4105e6d31bfe39faf0c42ad4323c4d6bee91314f8e716c3ab6442c8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
b2c401acf03161e88805c1d2b2bd7aa4

SHA1
71316715430c88cf069e4d80cccb1b01aa5a2bd0

SHA256
ac379b628ed6d203ad9b21707c5df31f3b1b432d56adbe9b319b4684aa25065b

SHA512
c4fb5fee71865dbd8fceaf59b96f3836f72fa3a951d1817a6696de0d040a9df3a0317fb578a32d16da9aa4eded6f11f71ee5480f653741bf2b3a6ae1e5a6fa16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
c557bb356297b85819d98b8fd3ff4cf4

SHA1
b27edd51e6e1774a1f665ea933c4f40649a246b1

SHA256
5371ffed5b4951b9ef43e7362cf7cb898c04b536889080048f7ed59bb599919b

SHA512
29bdf1e32e29ae223f5b07e6a147604892af554244cca0415dd3a0bc157197c2b7635f2ab4227f2f490d273f90d1c487fa4865c3be774f9dd995bdb6035f8a7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
5757dabad3543aa16964044f8ad814a6

SHA1
0f7a2769b4f860e432b535edfca80e1a1039ae44

SHA256
a2774f9c800a53ed0733b826be4438a5cc094c7cd1bed339a094b33d77e61814

SHA512
daab90ae3182e64bf0f503bcadfec0437f4c72c5627a4f98621176106bcfd5da07db5bcfd1f5ddc289d694f35aaea591e1fb5449b8e4df17876e89ebb3e1c53a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
d37d0599b99cda85029919408a52666c

SHA1
75796767bf6340c1d77cb75c0bc11b76408efce7

SHA256
d8132e1f212445bd4222692a99e5ba85776553beccae1eec2954c8f39db9eaf5

SHA512
81784f21e7fe492d5db1471dfcb4c4979e82be3581338dfecdca911e4cc5662fcd4a7f1f57cbf3f957f3e02b054a2ac77dcd7c21e0a62d173f4572ce0dc2ef85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
1ff02799040d960111b7d726e04e52d8

SHA1
099ae9ead508911103e7cbacca1107d9c45149c0

SHA256
c31ac9222ecc7b05fb1dff7281624321a74e0f66a55d2b2b997ac6b9192cc7a7

SHA512
3fcc73dd8cb1b7725198b1a26b71f9a686026dc2f109c9d49510d27743dcd13caa3a90f7e39831ed9122814cfcfe32438804f571b8a0f7c78b8a108ba823ab66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
419d24841749729e1ca1b70436991f1f

SHA1
51ecdafd7fd7331ed1e5a81afc6e998b30ac28d5

SHA256
c0fbe6edf0d7d19400f30c4e982a46d861dc4fbcc875c00d5313ab1b2bfdbc04

SHA512
349618afbd1650618205f4fa12ddaf2bebb1db0595fb9ee6e76fca201a27f394f0bb251d06550ceecb74b7020cf20a130ea86053251873e901d034d2e93f1163

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
c267a55915b17b9455f57b19e3716e6d

SHA1
cdc4a56cfb0257095725ec659d3e4982561ec46b

SHA256
d0c28deb5cbb1072f4390cd04ad5d6e6f5e75cfbf3bb2d7cb852c0a6eff2962c

SHA512
7b226190eb07335142bb037c5ae2ce49acbc3f2b9c83898079df19e9cc32feaa01b631a80bdc6cab2a0535acb8840479a091555d22a7d18b684d171e0f11a6d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
1270591098308c99b5c7be67c7eeb3c3

SHA1
d9d0c99e5f15039a8a065ab2fdda4613785296db

SHA256
a687cfa71f9ad99546365cc8649c91049adbcaba4516aaf8c1a8a232dbf5aff2

SHA512
04c80daf6b4ff383cfa93f7128b4ccf38756c0cfbbb31697a2a29d66b826e3044f677cb2975654d17095c2fe885ef7501a25e421e1fac9e171ed6cbb616a4265

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b1353cc06b277e4083f11b113ad699b7

SHA1
450f2df2dfba5792f12d4942331f3f993d72fc10

SHA256
c703b87ffbe638dbd2f448c42ddcd8500b19cb1b69e400419b6da79c784db7a2

SHA512
f55e0c887f5f2df189a825a6490455f44e5ede638928a6501e046efbfcd1bd6f65fdfdb893bebe61257e8d87bbd76b010e9d47b965ee03717dd3adb56e9c6bba

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
134cac2c8afd196976fe99663502905e

SHA1
f7f9ba6c977c5871cc9dd4201e3e5d5f1e4b0ca5

SHA256
3966a5341bc3775dee03dd22278cb49c10e4cefc6cac8d4c8ce477a954ce1248

SHA512
38a66c191a392d40331ca8866f9e94edd8101735232d4a0a7175b5b1851472c66465a7e5f2796c0867ffabace857cab48371bae43471d36f00af61729cf058fd

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
578d0f0651b08017c7f67c8a26b36c5a

SHA1
b96653fc112b55e500675c07224b39d336d0e9ae

SHA256
73c4cbfe65dd475993f7e78e2025f6545a9dd640a5eefdc1f339c838a43b371b

SHA512
00f22c5556812190c3777a686e9b6db0b71609c1a82bf9346e8bff47412aca97b521b00fc022622a832a021c643921be63fd720de666bdaad92d4ba253d8ee41

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
52fbc9fb434eeed4e9c93e36292bf92f

SHA1
441006f017245b197634ceaf1ec9dc6d2f7ec65e

SHA256
7117e7fa3e4e123467ff0381756fa68c6414a8160b93c59d935d3119125dd631

SHA512
0fb980a12143cfae360b35b84c1198ec6fc3ce7d62e56e80c8111857c876e2a1554bdb9747072fddf2c98e27a708769e4a103f9018c38423ef1d3aeefde4d08e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
4f008b031e71f264c23619845ee90c33

SHA1
c4b3399124b0827cd45220ebede8d5a6843f5adf

SHA256
88714b23deab2a6cfd33f9ae5acfbb1d4a3fd882b0aec250a0c1f49665ccea49

SHA512
e1c53a47246ca31c6fdc3f4a35b6aef1ef83fa249010edcf30a093accf3bc087a05aae6ed43a620380139848a15fad475d61ee544eae79b0636a11c79f387d26

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d31d48b273b97677981711528423ffb6

SHA1
e844a3eef598259ef0e27489922e6ffc0c5fd482

SHA256
63747429863c03d805a2aa7e22011881f7bb99aa04bb7b3be453dd6c86c4c5de

SHA512
ab368a21889cf62e89e8c073422e3be3038424df8f24129ac61ae9afaaa4f03f969e007bae4332371c42f6e0119fc81e38089290d9ad0f51ed19155c6d99a3f8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
1d45f6a57a319cd27ac3d9b153885431

SHA1
9215843d65ece1c12826f9cb81f38f5b7c83effc

SHA256
6cc70056751c1a94f714e33621f2e6572d04660090626dc7e49f122fe583a4c5

SHA512
6cb863e38a124908f6a9a2832ed7d5b3332073921cd93f2b28a6b7db7486e5ce744862884a7e18037e7eae7645c9b7fe5035d4eb7bcedf3f890a3201c6fb2158

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
3a0bffd319d6bb760db5da7307063d22

SHA1
31ddc797d2846eaf6ae680d604cf8892e09d7473

SHA256
297775b29d84c61301a954a9731657c5bbd35faeef01d4a257fae6e2ee566036

SHA512
13e9f2631bddc1c1dc08598d11fce53c552bc8cc6ba2af2969c0313494dfae0c6dc7a5611bda439adb02243b682366388a94ad9cece6d81962c40bd3203853b9

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
1357bfa9b63f6974270b16b112f18358

SHA1
e407f688e909ec6e56d4b0eb037b037176b70b53

SHA256
fe81c4812dfd4a1f2e5b499c706d7427fc1a7d9dac95cc273296f8776b9462e3

SHA512
1ce4d1c20c5a9739b0b62209db30330019d6d2be18ec8ccdebac99c7990268a206821c0106ffc2a74b1db9b5297b158501ffbe91a5df680052ee7941ad330e2c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
93315e42e712ac5b7cbbce06f218c4a7

SHA1
ed95ba3fcabd34db82e58ecf189e6a04fb0ee24b

SHA256
6b9b073e8c1bb674fbe95f55437d5591785cf7a55e6adddab9961c0d18dee5e2

SHA512
2f92bf5f01b6880252081be3e8fd8f301485d8d7983318607ebe1ca476c7d5b7d1ff69b17934825040b0cdc3fbf2f896d49a806854629e5c208970add39b89e1

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
818bef14f82857c645ffd7aa3703511f

SHA1
6c929cf10cb0069b91a2fc2d932058a7eae9c57c

SHA256
ee510f396aa2399b0c803d34fa762278b2f2105aebf4b228566bd5f2f920562e

SHA512
82b38fe64972599b2c8b5a09274bc3207d30e95a270a4daec7fbed5fcf9de6f086bd057f2617e555ceef8a49557a2d92a4ed51034288b82eb694f6ce7f404c85

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
dd5c01c39bf96b4bcb3b7802aa8164a7

SHA1
40801c6a1bf9aabd807fdbe322b07f1bb61ad9a6

SHA256
a6974c176095412d6c6032ef04eb15bf5860d06d621a75828fd7a0edc5203e51

SHA512
cdf05ce1055184d426b5346140297f0632073dcf271a673d726f98b48587603fefdadbe669db311458f947d060eb82d6b97a435d220f872b9906060929e42d86

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
bdd322b8ff1b64f72b6f6355bd3de82a

SHA1
c5897f3996c45d4015f64331eb9d7113e1cf25af

SHA256
306458aab19b0c4f8531434db635ef73d87ccef09dac5ee25a4b0531331f28c5

SHA512
b2085a4ab7eac41a76f15c9e9392a481a8875b692244402a262ca2917e787993073a7ab27b637ab099bda37396e9d2262202c72b47a5a6c17c9dbede369b6a7e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
fceb1e1ae7064c86d8accc3cdc457ca1

SHA1
ce40b969b8561b555c76aefd1628b81b9da80cc2

SHA256
19e9d8899ba5da90d3dd653406b27c0b9a04d27d6ec4c83999837aade9ac99ea

SHA512
73bdf2d81d81c17a729cb057e40b6191aff174fa95834c4f6964637b1afbf60b67f2dda4b3330f8e8299c6655aca29e6d7bf30851dd8e3d2311da6ea9a2f1c0b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
d7061744521a4291880a53b110e03e23

SHA1
3e60e5868d46921d171b9cd000ebc67c1f53069b

SHA256
d7be8c6b287c92ebf3be6aae5e146231bdd318b242604c6d0561eb8107aa31f0

SHA512
6a62717ee4e29f8d7a57772d02a01f5d76007eae587f4abd333c2d429d5e8c27b5d3b91cdeb711b7196b1100d51b2db1429aa8f9536090a369f8189fe3407037

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
bac0543e7ce7e87266d7b582fbb88f84

SHA1
affb0fe4b5b09b16f62102dec84bef8ec5171daa

SHA256
478eb93fbac187afad2e1fd829046543b1dbe4aff14a0e14e7c5f19391329c6d

SHA512
b2a6782b0b8719a1c86546fd1fa4e5f880b21975b7939c6807b0bb932e542eea02b4bf03811d7cae5a53283f685fc2fcceb26889cfe7ff04e372dc7dc0d49937

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
63b4c8407247c30d2450cfa047aaa0d9

SHA1
eb8bf0bfb4ce5cabca8f670ad85951e8552dae47

SHA256
50b3c75723aa5c7cd6a4f32679ea9d114108499103dda15e863254aa40c75951

SHA512
7ac4602e3787ae7384c64d62d1058ac03349806993c537ce0198feaaba504ce99d1789837aac103b278ffc25906078515e8df84b65cf27163e0e9d2e51d2f4e7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
846d5dc9ddb3e93f86af08da3355e00c

SHA1
2cd0d0a7fb43fa1d38786f782e82e5ba46717b67

SHA256
19dc8cba404a652a0f8e7f2bf1eda83b81762cf138d8721a3ec358fa7b70a511

SHA512
a08f49ba01d5e0742bd6424162ba7628f9fa99980c5c5250ea34587f90ffad217be5978e4f9837db74036c4a99625f70e30b067494f0921b85f6d8599f51e463

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
c37fb85d118473d128f693278744728c

SHA1
c61a8cdebf091f3db2645e4ca40d68668b12db8f

SHA256
8dc4d0ad890c7692178f6266fffd35f6ea5b0e0814b433f7d1bcb201d2bc9252

SHA512
80752ffaefc218dc34c6b9c0036516b8f26a3a1aa4d789c0a22814714617df533c49d93b9a3e7a195eae09f4ff033f7faebf2a544248e1b3deb1530bbe9c29ca

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
67d852b3060075dea924e5f9010e47f2

SHA1
e621e916481a92f5d2ff5f62a7ff3eda375288d9

SHA256
2f4b56b42cd129ce3d2c9427b995727275fac9602feb85b60e6d3ff231d6de37

SHA512
77f4d9a4f41f73df40a5526544e629324e8dc9232264bcb9d76f9db4da122597e1aa4ea8f2cf0ca61ade86c8586113efcc8ff836707a3972b1088506222c083f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
2aecbfca3a9a0ecfec3cbe9f3804c64d

SHA1
60b059b6da8545deb2df988585047baba33178f7

SHA256
434a7deef304e6a823e0c2fdf312027128fb7c94c20b3249eb426950bcc13598

SHA512
21a8a70c32303e1d567151e6a6fa3e598c6b3590b09b94b805dda1e3b7940b96c6b70493456465e61ed04dcb6399d8083d405ec31b58656ecdf9a352210e79fa

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
e3e028f5d70f5cfd07df5c1047fb95aa

SHA1
62f72cdbf9d5292d6825c49b236e4158b5199324

SHA256
996c2bf8727662e15c75013602efacc67c5ea18e62417dd4252d9d9f6bfd3874

SHA512
f4a69d85b494fac1a5acf6d04242bfed8b1fc932e61d1fe732dd85f4d8f0869c35d36243267e1189400f1a95a0bbda8bc8ec9058f7a273f7fed8879a68a6b512

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
721ba7424b315960c7ad77004997cc78

SHA1
f18c5cdb3ec57039ec06c69dbd856cc5dd57afbc

SHA256
3453d45c17a503d0ca0516679c30b403d04ee2127b0f1f9e36c4115141e22f6c

SHA512
43740bc58f1ad0f45294bd30ad627126b17d76ab6e7ef1469e7d9d2f9edaf84a0914881625775e14580e311db8117dbbe7a083769c6de4cd83fd7d2664ecc241

Download Submit
memory/884-246-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/884-127-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/916-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/916-192-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/916-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/916-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1576-229-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1576-623-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1656-243-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1656-626-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1752-205-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1752-622-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1836-440-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/1836-0-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/1836-87-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/1836-1-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1836-8-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1836-441-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1848-56-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1848-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1848-37-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1848-43-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1848-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2044-86-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2044-84-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2044-73-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2044-79-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2044-72-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2120-280-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2120-629-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2124-18-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2124-12-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2124-23-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2124-114-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2168-258-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/2168-143-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/2280-216-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2280-89-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/2280-88-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2964-601-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2964-271-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2964-156-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2972-26-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2972-25-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2972-126-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2972-32-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3268-115-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3268-242-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3720-171-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3720-55-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3720-47-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/3720-53-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/3732-228-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3732-100-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3768-621-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3768-194-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3980-247-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3980-627-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4032-232-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4032-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4404-618-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4404-172-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4628-547-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4628-160-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/5100-628-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/5100-259-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download