173bf88780f94e6da61b9ced99837f761cd4b4e707a4b9582df15ee9c7f9ddec

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 17:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
Size

1.1MB
MD5

937e3ae75f8f71c72f9910eaa503bc9d
SHA1

86d01d986af680ea6788a6ebbdb54774606f0310
SHA256

173bf88780f94e6da61b9ced99837f761cd4b4e707a4b9582df15ee9c7f9ddec
SHA512

2aedcc34853a6b8c6f0a20f190bdf4c59a3389e39c92083f131fd313ccafb9bec0b2bfc1752f004f5e2a0cfdb225137777ca1231ab8d4497e0dcd7506d4436c9
SSDEEP

24576:3Si1SoCU5qJSr1eWPSCsP0MugC6eTDSRQ5UOOU62FBnO+E222YJbNEUQKGOb:fS7PLjeTB5UbU62FAQ228QKl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4728	alg.exe
1424	DiagnosticsHub.StandardCollector.Service.exe
3972	fxssvc.exe
4416	elevation_service.exe
3376	elevation_service.exe
688	maintenanceservice.exe
3068	msdtc.exe
3496	OSE.EXE
4520	PerceptionSimulationService.exe
384	perfhost.exe
4628	locator.exe
1760	SensorDataService.exe
364	snmptrap.exe
3564	spectrum.exe
392	ssh-agent.exe
2468	TieringEngineService.exe
1400	AgentService.exe
4492	vds.exe
4340	vssvc.exe
1160	wbengine.exe
3108	WmiApSrv.exe
2336	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2132b11dc8648821.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{14DF0EF0-439C-4CF1-9E8A-D1E954BF645B}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaw.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004244c78224a6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000739b1b8224a6da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004d14318a24a6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000322ff28224a6da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001a98ff8324a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e0d79d8324a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e0e0e38224a6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000082e8ee8324a6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000025adf38324a6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bcd6168224a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1424	DiagnosticsHub.StandardCollector.Service.exe
1424	DiagnosticsHub.StandardCollector.Service.exe
1424	DiagnosticsHub.StandardCollector.Service.exe
1424	DiagnosticsHub.StandardCollector.Service.exe
1424	DiagnosticsHub.StandardCollector.Service.exe
1424	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	624	2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
Token: SeAuditPrivilege	3972	fxssvc.exe
Token: SeRestorePrivilege	2468	TieringEngineService.exe
Token: SeManageVolumePrivilege	2468	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1400	AgentService.exe
Token: SeBackupPrivilege	4340	vssvc.exe
Token: SeRestorePrivilege	4340	vssvc.exe
Token: SeAuditPrivilege	4340	vssvc.exe
Token: SeBackupPrivilege	1160	wbengine.exe
Token: SeRestorePrivilege	1160	wbengine.exe
Token: SeSecurityPrivilege	1160	wbengine.exe
Token: 33	2336	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2336	SearchIndexer.exe
Token: SeDebugPrivilege	4728	alg.exe
Token: SeDebugPrivilege	4728	alg.exe
Token: SeDebugPrivilege	4728	alg.exe
Token: SeDebugPrivilege	1424	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 4604	2336	SearchIndexer.exe	106
PID 2336 wrote to memory of 4604	2336	SearchIndexer.exe	106
PID 2336 wrote to memory of 2932	2336	SearchIndexer.exe	107
PID 2336 wrote to memory of 2932	2336	SearchIndexer.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-14_937e3ae75f8f71c72f9910eaa503bc9d_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4584

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4416

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3376

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:688

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3068

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3496

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4520

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:384

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4628

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1760

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:364

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3564

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2924

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4492

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3108

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4604
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1d7dfcb9d5909294a336b11a6513ef54

SHA1
b7643bda5cef5927fa20413411fa91dec0bbeec4

SHA256
4e20816c0a93a431cf12099f6712831e727ee5bc0252eaafbc8de1d04838fbdd

SHA512
1480c7b9a6f02b8a7bc818e4d9337e36ff5d5cbc2eb1cc74169559637dfb22336463a81aa3283e86f07b31041389a0b45664ee7ea7d37db437a48e1b877eac45

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
739566be6c972eb8fc249646fdd54221

SHA1
18236867d12a66e7bdf4a536aa2521ffeb2c2fcb

SHA256
059b22c897d2fb240244e737ae1f9cdd9480712db3d8070c5d29164b48bdba73

SHA512
125d988f439d0f319701d23849f23aa4d02d08aecd37e241670e4a88f2717c3c7df770af621d94add002006d420f095a61ad14503ab72b03ec3bb5230cfa00ef

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
3e116c4711ec76a0db6853893509bb6f

SHA1
71d557440c7b1a1d70fd62b71b79012014eb421b

SHA256
640dfed414888426465481d446deb2e1feb18a6da2202ade66518518fe77a8a8

SHA512
737dcc70be2643b5fffcf8f586f1622bf8cfdb35b5c6e74ec4d208160f79d250ef51b8bab7192327a5f174e1dd5061c380fffa1568daf18eb11edf98d2a7447d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
49ae5f643f13a2fb716e9f78d63da14e

SHA1
64579065016bd93ed08ef9bd75399f0cb5a15d47

SHA256
85edd5aae84c0ec6137ac7c2367513b98e0723dc7f2538f18b3f2462d064be2d

SHA512
d871c104a7ed8a396a51fe5b9f624a9059ca59f81091dfbbe852e765f4825f367b3100d853249c0bb14830234bbb7e8a12ca01968ce853e5222ccc1b39476b74

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
966a88a62b00015efd508ed94b4a4ea3

SHA1
b69994f9c0893a4b6300ed07f203cf1fd6c65325

SHA256
05076f6f8b2bbfee6eed8d61f3805e9ddf32026c7d440e2c27e02d1c29babff5

SHA512
0530cd6079eef6c26cde0e42c0cb5fdbd6f66cabadc1d9934d6e622bffd3ee7f99c1aa09c06a1450ad110c99029fac5659325ea136a36970b3c777cbbc33e0f4

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
6395ced2037581ae0c106f013c8fa0c8

SHA1
c52b907cdf32f5a2a1f42d3d4a5f6ff6458dcbe7

SHA256
eec09a3248c6a05add605f8ec236b07184b3cfd62d4e77ff7f83b15017575a3b

SHA512
b00046e36190446891ec6efb0cafa97d0851d9fe9b261400cd26ddd06c0fc66eccc733351c87aa64e2e380179804c4d3ee6be62e23f167c48a468ba8104b4e5e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
dfd0d6aae9dac61e468e101cbdd989dd

SHA1
028d4e95eedd8984b289aa7eaec5878e8c53a458

SHA256
3d8f979acaa73e1ae25d112820bba8a79c3f2b44bf28b64f6c1527b59de34c1d

SHA512
e3a5764c398040d1b93b545ddd7c4e96a4586e3a123fd8705bd8cd722219dc8674df5953e936d84f32f2e03692e1902d124128673d1968ea56ba40bd17a74cbc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e99cdd04ed555c09df5ac8d2eae355c1

SHA1
0fc9a301dcd3f51b5ab1eee113b238c9feb614ce

SHA256
778558e21ef461db2f02a4447715c4f142c9c0cd3a388308980ed60d04691d2a

SHA512
9b0049d46b2c26288ac75106d2aa867ed358b6905da9109ae6a406f1477f6e94bcaf0f6e3f453371b3f50f73c2f01bd29cc50f9886c465b18eb1bd0fcb00826a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
563f250611b5aebc0ec5db3f4d2e3a11

SHA1
c8c1e4cd7f8c29bc06a77046240e0f97a429a348

SHA256
4481c9bb39b6299e791c309b59e8454d272e9c698da29e8a8527d39dde6e0a27

SHA512
e41df4cd6af2d3decb36061e54eaa9ed57ca13618ec0bbfad35a38e221e64d0c81a872b6c5952bb85b73a59ec580b9b6d31b58f58934e3c6f513f60a105d6031

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
aebf31bd80cb07bd69f4e55d2d9235c7

SHA1
53081753731a77ce8abdfcb6495e83609942a617

SHA256
f0b3d3ca007f35094f9a97ab5a81aa5eae4c6da99630d31c492d13bcdb341dee

SHA512
0272f3fd1685cb948380308d88a526a641280e54ed5e5be084c412866bd2d05d8751a8065095d7a73fc7b830a706dea780bd39bddbdcb5e473aa3d2cb923f79e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
bc43da476ae3e669630ec7f95f1ef031

SHA1
d6cae479dc1b9b671f1b5f523b6e8080a21bb1e9

SHA256
ab87a5801682efe63e743cd4d1c3e31a6e50f2622ff419054856e9e439404c49

SHA512
b158fea20c4b29561d3f12444d67fa1dfafa2f00ebaaca1a1af4408ce3c249fb6a6dd559d0d7d7aa8dd88e7f62f3e297718f074b3e58c813ae7b9e7eb1fcc743

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d61adef90e91d7debdf337c667836222

SHA1
272741555ac45e41bacfb0efa9e64df793718ba8

SHA256
48d3c147d77160fe2e9120a4bda73c35110bde7dd3c4eb16c26c1641e390b0f7

SHA512
7bc5e960f4c02bf3d11a4803877eb21ef3314d6c1244855401375292994a3ac8ce901603d0147294e223f720f1cd7e58813e9dd78acf57c3c3c5469bd2315777

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
9daa137d4844793292719b881c989abc

SHA1
1609a4a853a60800de4ddd9dd03c7599115c9a03

SHA256
c084efc223a5e5cb91067debe46206847fea44a22605e678f825c7270e2da6b1

SHA512
19430dc9f145cff938970971c0a9aa5f38093a09fe4167c612ab80f5187fee273ebe7e5c9e83abbcdb19c4b696bad93746024154e8d065e0b80f014e65ace976

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
4f4ddd91800c2b3a61ae00580c98f96c

SHA1
a67e6448b30572243ee3502d2e5658f0d034a7af

SHA256
fd7d335e5a9dcd8c4df032c84293bdc910a75628bab42a6a6a791fd760c66476

SHA512
5210b58d06fabe0772557e3f7e6e35fce1790e07a5163c35c34ff3de9cbc8d47a87c60f79a35430e2b27bfd0dd3fd5bb70846445aa7d515e4ce3ebed607d29a9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
851d16a119d7914563651dd6058d81f7

SHA1
3f65e348230c5bf84ada19660b12988ae595d0af

SHA256
433f9ebfb123b1582811d7f46c214b94177ab7afa3ffab31c7efc4564aa14e91

SHA512
6cc3f738547f30b69eda3144162552205e97af24dffd52b54a4da527fdfa07426001e6b1bc8137a10215b2c6792608722d277ed3487c9163a19d9acdca563c35

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
b94018e682a358bcd4323f471fc1d9db

SHA1
d1e273c5f232b307c61f8114bf0d783d5584964f

SHA256
8ee150d9361459f7d1d35784e5f7cc3df7d5c50ece481d4233a7094af62ae307

SHA512
50fc8057269d5c9dee08265062cb05ee47e68fa5bb366b4e75573bc084762277dc37287d325024a96536d5945744b8e152dc929979065997ff5b0de6783128fa

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
4b14a76374a1e980e96578a4d92b4dd6

SHA1
39caace87ecad923354c68b2456d212ffb1dd809

SHA256
15bbaf4f82c7d0512f3f78eef9696db1312deb9fe1d6473ffeb434be2b96f870

SHA512
e522214d8b7a4f21bac3fef9c585b835c7f8724c9549246be8ecb519b4b8a21b2c353f062adf81e90c1c5d344ad260d467e5780a51848c11126c3f9c46db2174

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
9679ab97789b87976c07af8322ead2d3

SHA1
88488d75fadee1d357d71be75c8e34b9eda1ca5e

SHA256
55dea086ffa3b147adf91813f2f70ec80a035b6abe728a2318cd9abe2d8c9138

SHA512
4b449c9477737414279e139d552cbc15d66dbaecf2be0bd281b1a0132dd9814c5feeaf8871685d0edb82b46b612cedf886d150d99a8b887c0a0dc94aad2ba539

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
38d4c79e16c66ecc6934fc7b3a90adf9

SHA1
7de6c8ae6e642668dd2e5ac4fc52bede118b58a7

SHA256
3a33ae9cc29698e451084c0ce078fb2f1756eccd5f06c340b28cbbbffa5c738d

SHA512
68aba5a7329e4d10de767cf8861453ff03aa2832f6cbb51abe3e97be9e1f9aba08b189b2c4ace784e2b67cb62ced87a541bab713f630a9bf2b8e68fe8be41a90

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
f660f34c4f21755fd29dc7a76ae9a036

SHA1
a4413d0ecc19b3dcac443a173e0d910754e9ae02

SHA256
91f468cd7add497df8a674d12338390712e3f7f1c1fb09ff71d6ead86a716646

SHA512
25233890dd92b91f82f6c268829c0ffb21993eb1a040619f5b1a9213ac5cb28a66e109d17ef8eb28fc6b577ffb021148afe9103081c6af8ac781fa1d8e43e721

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
4a43f643793c10f24ca0c3e49c770400

SHA1
c5953993cb1ec444799bf196cfd7ed50c29c7059

SHA256
dd68c90f4b85b235cf3587b0dfe717eef7561e915fb08b404504db55084102fa

SHA512
8bf69278f3a92a148c7fd117d00c7c345ee65011f66279838c6f43bf08263a4bc7d06996b6a513056cbd5b5e9effa83c962428031d01d1be683c82ddb8759947

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
9f115eae69055c79dee67e329aa5e147

SHA1
14fb8b4e7db8d7d18e9bfbe2ef7e73c3313219cf

SHA256
cacc6dffd2f2250f3fbf04a7840aea7bf01da5c4fed9dda9db16eb34c03ad52e

SHA512
9a571425a3c5bce9e01df83b2389282d37865646a64bdafe174ed70e24a752e965ebb2e7ce035a90d0d0618df14fcf4193ca0f26a6ef129eb11b7e5cbd141135

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
6cbdfd0371b9088cf506f9e11a3c1814

SHA1
2de15ef4d1723f6ff46aa8fc6248555394253603

SHA256
4ce03ee800ee1971836521976bf49c0b5056bf81f23daf6e33f0f91f8bba2b88

SHA512
71d4c2f582e9049b6a21744f81715cd5f76634a3dc1baeb98bec0dbdbdd3c028bcedef69f15a106b90913581d749282fe2b95efb6ee98977331c08f0c9d6bade

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
c0d60fee7e8355c8db1782d0275879bb

SHA1
a68eb1b6ee710618692109cb7ceecd5efaa0e4dd

SHA256
1e20e132060d916eaf3001df370372ce00c85d5b4c02a3bc91d44d1e55a32c83

SHA512
776e274b7dd8c02eaa463ccb51370491bd5ee700b8da85d100dd752d6585ff828207dbe541dae0e6a5d7f9518e5c3dc78387566529d75fc2151159f9f9e0a879

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
483d13263c5acf7e50b9201a361927ca

SHA1
b0bd24f3b83ec24f554ae1606b872c8457723210

SHA256
2a4e8e801204c1176b5dfd5966822cacb171f31b7feddbef8d6bb7ebc7062b7d

SHA512
12654e72c713ccee2708ae4596f1fc5b6f2d819585641813b9a96b16a02f449e04b0643a0fa0c021885b43dadf34067819b1caa72b171301a264bcfb34f654b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
b424942c2298041c870e9dfdb9eab23a

SHA1
1e3c596937f00c4847cf858dd6cd217b54613542

SHA256
a37b1791f562db76f02d4412087564ce22286b92e66147800525eb7bb0906dc0

SHA512
789889420310d19642a616f04cb0d45ac4143ff1d41a5e6d23e30b52b617e5e7e80fbdafbe75e0a3ad318f96b4efc0000116a6512f32b18daf0f74ebbe19ba82

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
a95d8ff7c705c41f5f94d38c9788e006

SHA1
f71a2db03bba066a3f2150406ac8f98c89d28d5b

SHA256
70e5be09f895e1f60a5085c671ac27b601ad4a8e9e03055409bc9e1d3801eeb0

SHA512
5e99cf7ca8048edbfa1ef816c9647d9e6b8603eb371e305fad9b9a9e5609fb31b6f249310e228caf4d8ab4ad94fd1fd6f209efa99351fda59b741389069f5377

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
5cb3c8f11e1bb336e61256e44c4ad424

SHA1
98587f0e5458a6cec619d904e9c166941ff6bad4

SHA256
8efcc86cf3d63d83b9f136b03bfdf491bae8490fe7b3355ebaf45916d4d4259b

SHA512
c40a74c8e860190dc42a7e203a76f22cc0d9542a0b99c4bc7573dba199690a1e9458640be883c89e1fe45ef455987b28863bf2368b99aee07006f27488a49ba6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
fe2b52dbf9fe22f291fde7044f434fdb

SHA1
8d7ad1ff07e1ec9706a857f858f3214717c5f22a

SHA256
451666a851d7849067525ee254fbec674ac3c32d8bfb14dda276a2b27366c16a

SHA512
c3656f745bd3a6fed2e821794698d559fe389cf08ef1f8125293b0c2ff15648a8feb8f289eeac2131e677f59f48ea044d94505ee0b72aca552da3d2d6ed81440

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
7a9d1e85b16b412106db46fc3f7c1739

SHA1
506a1660322f87002740b320ecbcd48be322b979

SHA256
c699b29358a2ecdcd4aaabda5d553c7f8ebd17d1edfaaebf5cac55f0cbb9ae44

SHA512
d36f8fba34a11d9376e0f223feb36b1f4b725e82968074d8599884c7640f90fd7f4185e0acab7dcc9188a79a6cf94fe2cc4c3cf950dc1be39443fa0097bef498

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
8008ca72bfae5dca210617d70f01cc43

SHA1
6a648c4cdb181cd6a7a20ec18c6323f4e154b1c9

SHA256
a9d60a75a7e97711b878ceced02c49029a5d2bb00f31e53e3fa6c045da431f1b

SHA512
ee379d10305b3a255723218d2312c67758f968a433749f88ae0ed1383a2b9e7266eda461de9b5b3236db8290de87ce3bba9e170b1dc21080b024fed7bc0f1640

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
d5934a510c29bcab5a8bcea201f1e80f

SHA1
d56cf766453a98f68055837d6afdbbe5397c8338

SHA256
d89f1c71027f47f2eea9fb9b5aba14027921d274d6249d5d0948ff6f36e7856c

SHA512
df789b152f6a695c822dce841753031c95852943ef9d8960446cfa246f742ab2b0282148c65cb037a27dbce2f77b757b5f4e879b27181143c187ff2abff3562c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
ca8ed504c8a96e2935a301e01fbb917f

SHA1
5ead2c7e766ef89f95b03db012788c776102e077

SHA256
84c4bc1652f07d6022b9a985424e13aae3062200f0be946a6dc1df058a0f94f2

SHA512
4edbebc63636137c312bf5e86239b37a69e9f823449a06945402a4f94bf8be7c5d526ea21e7ea9d8a85e3690f78cfff3c986c6d6130d3f56bd0e86822a5d220a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
fcc39ec1db65526feac5ae7a3dbd8ff9

SHA1
1aa975cc9f665d29efafbe9838d474c46b3a4b91

SHA256
68474d185fe8c2ba7ff15e9e7aa55ae939e991fcc18f28e59000331bfe58a47c

SHA512
4b936a0e9aa81c45a16d8983cc4656871fb0d004e8e41cb5b8b32dad863ebfbf2794c777317683096df64816bcb6d57af79ea23b8514dc372b6e0afa220cea18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
3f5b64a8fb4a61033c85217287160b12

SHA1
8e165929ddb58e93443ff64ab4af0da2d86774e5

SHA256
4c543c1dd0aaeaf2db3f88681775d212a37afa4d15b3b5b94c70b36c443c8fc0

SHA512
67b8ed31f3e8429ed7c4590e77a8df525ba309fa459de9d93c14f2ee7c265902e5b91c90cf4ebb2c7a55fd8f2f97dddcbbe2b8b641abc28b3850683c0e014fc8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
2a347343de2a3deb7f463a1fad5e272c

SHA1
28aca71c7912fdc268c17aaec9de9ab324d3b7ac

SHA256
5c1ce8fcf5eb2fd4883ef7ec704efcc878cdd1f0834363d8546b2219c31d15a8

SHA512
fe61b3def6f7a3511e0a7632fd66034e23932446ef8824e9d3e932afdf0e1ee39c8fb3f8b3d6e7dee6feb4cf0c79b3d8aaffd4e8e04e1bfb798c30b657f8463b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
0a26df053174a7cf45ade2c872ddec80

SHA1
d0603a740468a7043b75a0c01b67147278c37567

SHA256
720cd205c5673edd8563c14732dd77c08b9ffb969504c7889b3a34355cacd789

SHA512
a2e3613882aa5e659c5bcc7a501473af3d91f68a7ef2126315f85c00c8f27172518e75cd03f67ec9bda7b5de0ad17dd309fadde31ceea2b1ff05e1e334dfb019

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f5d0638312611e28c06e221bc9413f5c

SHA1
e50d073fd6fe826d0f1d3d9c89252ffdc65f66f1

SHA256
c8e7e09bd4ba126161bdc29bdb9e6d79cb5d6d778360b593dd59fb26403366d3

SHA512
83f7f17fec2ba7cc6ee00225deefee598b85d97bf8210f53df09eecc1133206b3b263f166d7c3c193a1ea67346a83b5d1bb9ce44dc577fb4eb18e752d79e6325

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
dada7be95eb957614d81fc5919af88e3

SHA1
9389ac3536015db81ec3ff513ca6034027339ab0

SHA256
8f1dda5bd6502842adb0f63e4d908cfbf5c637ceff59b9321a8061b108710e13

SHA512
2e8e3361d4d3964be8c02fc1f8f1ff5d44d98909808c0859d0988f17406792e5e6cff7e2cbf537c03af546970610dd4738c1e03f81cda842ce89ee32ba271dc1

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
118e6da75e27aa38266d104263c26eb4

SHA1
56f29675e1663e7053e9345538dca8283efd2f94

SHA256
ff31ba08597b7d371f84e901cd3232e0ad60a7f7998277e02c94874918221d9a

SHA512
8520f7245b21faf2a5ebfacc67129c743020f229815ef6f7a5691daadb280978163ad7f5c8938825da86a494e429544bb95ee8ccf0c08de240c8c47c2dfd015d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ac41ae2c829332907c84a7a27998f27c

SHA1
741431e884900767ec3c52e254a4144459b3f995

SHA256
3491f3e1c6ba851e40dcfc754e2fb47c1d2c83e60d34000af0d7a432a42a5831

SHA512
6f3002b7782163dc3bf459bf061506b4f1a423e093f1d3dacd44f016438fbbc2cffe15503382cb1f8d893462bccd8d0f375f32d19477f681441588ed28f9a633

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
d1caf845cef1eb75188a5fe44f5800f4

SHA1
4082c23869556fe09deddb5e0a50e7511efc4823

SHA256
ff6229fdbdf2bc76f00c926a8da15008b6663142df82f212de14184e3f05dcbe

SHA512
0591ffb68a9174dfdc361dbe20e56f5b6b117fe84ff7a41f6e4f3dfc445065ec73130c489db17d94dcc6075a0d7521300bc31d1cf70e8b18059ee6976e22642f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e7b31fc5e97c15c6311be1a71b83a208

SHA1
8cd0b49f2b7cc55a3204d67492db145b4bbc1bef

SHA256
5da3ee0a9927ed9176ae3901b01f998e5b8aef9e508e1639ec2ad48cadd11b3f

SHA512
377894692fe60c04496c936f2deb4308437c6d98687c1dfac4dbb6848b83c4a440c7174bbff2fd2193ce95438aacdcb909354104fbb6b6e8d5297fc4bc4ef84c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
3fd6b4e393a4850c968cc89785b05e9f

SHA1
d88f598c22195b5182add95a6a6bddafd8a1ec6d

SHA256
505f78e286fdbba04c865c6ae4d3a83557787e3ad39cb433f9205a046d889390

SHA512
99d2024c177e0d22f7793e71b3cc407126aef8bf875b4ffe87500384d699add0cf2338fa97e809b56870e1ac6c4e76123c39af068bd7229032ba23f0ee90a30a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
2af25ed65de47d8e2254ddbc57c24f34

SHA1
fd0388762d98d65d0565b151f7444bd20a527f31

SHA256
3d05e5f067a35e4e739dcb9c07ae2f03d847edf30d513cf86b2c54ca874a475e

SHA512
8169e4b9be83380f2b93c9ecd0c33cc15e0814e043672267616c4f2bd0999a4d0de88024c61884241355e926f0a996738f9116acf1c4f9a5e17ed607c5345dd6

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
0b85179d3e346a2b32a9357feca0972a

SHA1
b5b2939718b811e50f74f445c0142a8aed14052f

SHA256
dba44371ca05510a0418004bb82b4c003bf9c92745e9aed154fde07b828aa830

SHA512
6c61bb4f5c3d8248bd31f29a1fc7e40fd1ad8d5538a99d941f78cbeb939c225544baed30a4fcf6b318b191a7544996172003830cad648598b99dd6d69951fbcf

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
be9d2c5304d79e56dae7e5d1dac86778

SHA1
feec348beee0048452261d00cf5653b4301bf65b

SHA256
8cf16abc5d8b175b8ef4e5aaffd44ead14be9a0784c148ba87f34bea7befad5c

SHA512
69f6fd3209d745b23b8ca78e0fbd6f664a084a431aa08b7ef4d777d4a9bb1b7070d76094f02825b092c77f580ae90e207cdf3ffeb647ca9e248f5d2870b04b3e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
2dc42ff99cd7d918d80113b85b5163e3

SHA1
99259da7cc63c505f0e46ca906c0a032d31a1124

SHA256
2c0438c17a586562f4ce1844f2e57102269a369aebfd1e0ed93201660fffa18b

SHA512
345e3f719b16fc433f498e3bda0249f10ec898fce113967e1f3973199597074ae6efcaaa974beba378308cd5adea71369cc1117bf6b7249d1ad373367480d4e0

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
3c6039d47d68e9023f73e83d4c9268e0

SHA1
386e6d477eef6ca8c0131cecd9d3177f3e401f33

SHA256
7150c56e55d454a86413504a5e19043192d592e733e577747a966f8c6b7b7f1f

SHA512
a15c2dbca823c2831b1732248b78edfb16df1138269199e1fa9c06b42ae9fc452449396fd21c88ab3019ce41a6fb17e6cc6fb346453341985405d72bd73eb649

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
6e970ec5ea254b9e06c2b4e5cbc16e5a

SHA1
489b3c957958bce1559bdd1b9bd253c3d0a5d945

SHA256
788a472490ffa0a1e11259ffd03d05a0e2e7484dc61fd943330804564d3be7c2

SHA512
3939eb82121173430b3f121be47971d7aedc5ba591e85a7230c98fb4bb56736654def40f94ff51c36e26e9411ba47b87fc43d4555c9c470d5999243e157c5968

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
1b0bf2995269be5ef9397da3a9727556

SHA1
9b69c7f8f293b90ad4eb48c3538a7daa1a672252

SHA256
e941b2462d9eea42761db6ac16b85142286394948ad5465ed82fe4b83436d5e8

SHA512
848b045a2c1d0e855213b832b3f1e17a027f576ed052dc5e0da3f651c0179237f708284b33ca132b0346d4d6f2b01676f149567476c6f4463060d278494565b2

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
86fd93ddc85bdb0665e057b2c17668f2

SHA1
9d468169da0a9cd94bc754b6f3d8277198e59011

SHA256
d25a7f7c473cc9428d7c14834098c459bd03cc60d578c8d0c381302aed0bbc56

SHA512
2150179e8e98aaecafdb7738bf1f6e8642dfd05dc79a7888ccbb8c2d74877dcc2d6f1bcb7add3a180d43c949c753209518e038636674fb84c22e09ee1bbb78c5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
1fea6f27f39d938adbabceccc56d7695

SHA1
865f4fba57ff73da774f51fddfdcc7013745dc7d

SHA256
c56cd737f0235f97130dad351951e29e229887371573ab78f4c062a59061daff

SHA512
ddd7eb4a4194fd2e8fa038e52e67abe187d331a166d9e0a261cca8a24896e6eb18f80914c74df661141ea1134592198861fa8ffbca058c9b34701bafee1e502e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
658e178f27d962fc69ea0b789e24c85e

SHA1
5615d7f9b2ddb261d2dc7a0315f64558df94b689

SHA256
8b40e7374258568f9f69435ca666d92a1c2c44ece18d0dc601b855d96d8852b8

SHA512
f24bd22a4d238b1667c9ef453be5d27f5be1d740d3955f9ca63a2642061c2458aa60ff309aaa83d1951ed3b8d1cba4d94d23d8d26cb86dbc0da76a4a537d40c3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ef493dc4c519a83247dcb0841344759e

SHA1
bcec8b456cbc9680c9c844ce7660205dfa1384b6

SHA256
ca9c7c0931a3c1d77402c90017ef44ad92992efc7ba5304ff191aca22de8a866

SHA512
8c266e30de2f775974f0865337814c99fc46548734f103834c3ef57524fb50a8b2d8e8c044b3ba9bb7e4204fac64aefbe23dd2b634584194067e3539cc7ae4ad

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
88148adee8c89beeb98d35babad6c33d

SHA1
0d8da757d473a86274c2b608996e551541fb8974

SHA256
e8b6c6db33f0377429d5aeb800c8453e9ad471dd68526b81908861f89172acd7

SHA512
92579b293f0fa5ab90f8f24e65688266555f71d2b830be54ae0015652f87502ac43fcf8ef50cc685f64abe3137bdc929633211722a26fef19d2eade8e6abf6b0

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
bd692460641945181c8e3500bd0d4c1b

SHA1
938613b3b4e8a04c013520a591691512e0c397b3

SHA256
dcd950b526e4303edbf4ee786aefcdc5dd3903e927d5bd74644ece790a416ff9

SHA512
b41d4c46a370a3729c3bc515935a94c57d870fc3398268636267e8728844d43cbe93847cc08100cd14d6dd1cf85448bb8202ac39a3737cafa5f2283556b79dfa

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
71c37104dcc5503d133a1735c5045746

SHA1
ec1874bdcf014572aa57b6022dd36b55a8db65f0

SHA256
f64374d66be3a77576a039602a86e892113361e5143ab0bb642000db1f872308

SHA512
4cd2bc571694e2fd6e3501b9c445d51f8936064108524b7c9b531bbf330806b96692e855181c273d8ff94425165d9267e0ed4ae2e5421283654ffa185ff59a5f

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
e850f60c8230a198bd96dd0dd965af50

SHA1
6bdf9091e5d10de6784637b0afee7d72121102af

SHA256
c440194164d9ad6a89359a8e837ac96413607930760b9d3e3c414bdff3b8c6e5

SHA512
6fec43f63222990ab3b91fb03a72ba3441d512e39d5edf8a4c6d2faee07a7db31f34fb013e70821503ba72c1604624d8496f305a51e14bf7fbdfa0ce69dfc2fe

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
f10e84f2ecba61c70f333f2aa7b451c8

SHA1
a3603583f949d77f940df2a8c3153a2a534cfcb5

SHA256
59ccb1600e9d2ec046b60fdf8f15687fb7c4b141ec0097ae88a94d8e60a57fb2

SHA512
f4f9fef978c1d2b585560a3b4b2f74c1f8c0096816696410cc54b1346fd6866d25541069bc14b73e13773718f551999e3ea7dc708b1726cad8bfa4a14de70819

Download Submit
memory/364-203-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/384-200-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/392-205-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/624-197-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/624-467-0x0000000002120000-0x0000000002180000-memory.dmp

Filesize
384KB

Download
memory/624-0-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/624-465-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/624-7-0x0000000002120000-0x0000000002180000-memory.dmp

Filesize
384KB

Download
memory/624-1-0x0000000002120000-0x0000000002180000-memory.dmp

Filesize
384KB

Download
memory/688-81-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/688-99-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/688-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/688-75-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1160-266-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1400-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1424-36-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1424-35-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1424-26-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1760-202-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1760-574-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2336-268-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2336-599-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2468-206-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3068-85-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3068-94-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3068-91-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3108-267-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3108-598-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3376-64-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3376-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3376-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3376-576-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3496-198-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3564-595-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3564-204-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3972-45-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/3972-47-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/3972-39-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/3972-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3972-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4340-597-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4340-230-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4416-58-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4416-52-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4416-575-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4416-60-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4492-227-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4492-596-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4520-199-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4628-201-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4728-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4728-21-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4728-12-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4728-265-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download