1449a1c7371ab42938213a1a2c28abfe2433ab7671ef3ca804a29ab9c8029194

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
Size

1.1MB
MD5

2e8327f99de190da407efc77f8a6d482
SHA1

ba9af0cfb3811095c8ba3071c494540707c9da00
SHA256

1449a1c7371ab42938213a1a2c28abfe2433ab7671ef3ca804a29ab9c8029194
SHA512

61fe137196a277cb8d3262133fbf138662ec0f0b4ae09ad233b2e58d509b13e04012ad6d17145ee15112bdb6c8c6128dbcc7de669cad3b2b31319dba1b8cef39
SSDEEP

24576:4Si1SoCU5qJSr1eWPSCsP0MugC6eTb/i328ab4F+rM/aXq6bJfBUam6:4S7PLjeTb/i3da1YS6ozB

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
824	alg.exe
3676	DiagnosticsHub.StandardCollector.Service.exe
4784	fxssvc.exe
2004	elevation_service.exe
1956	elevation_service.exe
2600	maintenanceservice.exe
3208	msdtc.exe
4940	OSE.EXE
2032	PerceptionSimulationService.exe
672	perfhost.exe
5096	locator.exe
916	SensorDataService.exe
1464	snmptrap.exe
4656	spectrum.exe
4308	ssh-agent.exe
4396	TieringEngineService.exe
4972	AgentService.exe
1716	vds.exe
4284	vssvc.exe
652	wbengine.exe
796	WmiApSrv.exe
4168	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9624355dc8648821.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe

Drops file in Windows directory 4 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exe2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004edf14d89cabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dcac05d99cabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000438d63d89cabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b9b54bd89cabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bc44d9d79cabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
3676	DiagnosticsHub.StandardCollector.Service.exe
3676	DiagnosticsHub.StandardCollector.Service.exe
3676	DiagnosticsHub.StandardCollector.Service.exe
3676	DiagnosticsHub.StandardCollector.Service.exe
3676	DiagnosticsHub.StandardCollector.Service.exe
3676	DiagnosticsHub.StandardCollector.Service.exe
3676	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2612	2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
Token: SeAuditPrivilege	4784	fxssvc.exe
Token: SeRestorePrivilege	4396	TieringEngineService.exe
Token: SeManageVolumePrivilege	4396	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4972	AgentService.exe
Token: SeBackupPrivilege	4284	vssvc.exe
Token: SeRestorePrivilege	4284	vssvc.exe
Token: SeAuditPrivilege	4284	vssvc.exe
Token: SeBackupPrivilege	652	wbengine.exe
Token: SeRestorePrivilege	652	wbengine.exe
Token: SeSecurityPrivilege	652	wbengine.exe
Token: 33	4168	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeDebugPrivilege	824	alg.exe
Token: SeDebugPrivilege	824	alg.exe
Token: SeDebugPrivilege	824	alg.exe
Token: SeDebugPrivilege	3676	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4168 wrote to memory of 4856	4168	SearchIndexer.exe	SearchProtocolHost.exe
PID 4168 wrote to memory of 4856	4168	SearchIndexer.exe	SearchProtocolHost.exe
PID 4168 wrote to memory of 2776	4168	SearchIndexer.exe	SearchFilterHost.exe
PID 4168 wrote to memory of 2776	4168	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_2e8327f99de190da407efc77f8a6d482_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4340

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4784

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2004

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1956

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2600

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3208

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4940

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2032

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:672

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5096

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:916

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1464

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4656

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4868

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1716

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4284

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:652

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:796

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4168

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4856

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e9425d7a746326e9436693616f02fa66

SHA1
c7dc1cb7dc250f79abcb9311033e3e1bf89bccb6

SHA256
fba61cba5c7f1a7dbd5a5351db80f9261f2f2649ce147b124369e012a79a3f2d

SHA512
8f28d90dda1c3b3b218517287a1d3ab5efc743600e94fe1a44773c828b013db2e3daed0c2adc3a31ac6ccedf3b814a430bb3d3fdb82ff5687b2ce4451766f18d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
376e6e030a069d6a13a388cc834e6442

SHA1
b1eca66111cb4b818b26c3246248cd963781ab09

SHA256
523ff008744e56a958efc0b40eada342e7471c85253600c671f9cb9901d10ce9

SHA512
b10464a24cc2525154e0d51f1a6fb6c6971da2e67df814926f765bbb19cf6548764eefa18aff785305b558c35de2fdd7ea51fc9159b47f619019ded93da59815

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
4857e8d60607a4edc071013e2c4bd983

SHA1
f48fc021325e483c9b0ea7a3d06de3afae5d435b

SHA256
8d21fcfa770aac086948dea4b2e7a4cdafcfb29fb55168fb5403d92f664e7834

SHA512
d395e97a645a37f98ada5ab5a03a0f1970da18438fe1c34fd678711ce6a00f31d020685d386c9edce70c034d792c8a93d069990a315ddc5c8e8f5c64a0a14f71

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
5f45f2d52fdfec33a15163f8b41d9c8c

SHA1
d791ba9e81a9cccbbe3dcd9be5cc528a579c0249

SHA256
854ff5c9df2d30497071fbb6ca04c591c6ac95d56d15e2aa6043e89a7e16a170

SHA512
7da3c8de7c2b562384b0f142a008df73389ef07b30a7fad98f02db97375c95ecb1f88c0953e552e2b1fad7f6ddaf9b5f75cb8afcc755725f2ea72b9f8355acaf

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
9d27e42c43eb201014c578faacc36cb8

SHA1
30dd90240b959937cd8d8975b2d44e41a33138c9

SHA256
aaa8e8eeced0e4930e5b63fdcfe5f7d8fac30f114a26352f738486ac7f2ce8f1

SHA512
27589888fc3a49cba900d83a08e0d6d1d04f4c9f2b2b4e8a05f67bcc2d0540cbcac267d8cb467ccf56ff134e36e680704da0fe5448332ff7facabc440a918ff4

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
606e07ef90ae166e0de9a2c6e3d49bee

SHA1
cdb27bc15625650f3fc77ec9d8f256e308a89cf1

SHA256
614f9ada221433aa3053529a2374d85adeb93330f29bd3cbf0f319a2297066e1

SHA512
b9830e03488608c4a8f8b92be5e1f7a611685da1219076d1ee0b03e880ebe04de205779ef0d2983d982d43a715ee618299275dca5720fe14d53ab3e1997eed1d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
7f131ece845082792b42c448925a188e

SHA1
72a2f32b090f82e1dde4e4b91b33d40472f0413f

SHA256
eb043ccef913f78126f7ebbe145af5f36155ba194a5354c059323200b9a9a756

SHA512
42505bcab7e9b2bf04108776c01fa4a8fa5d80cc16ba6801e4043e89b54a64b8fea73c586cea8f21650828d526ce542e670982ccb398580b3df35434492ee174

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a63a679b16abbc80861d1bf0e415e3f4

SHA1
ee6f0fd56ee24eac0f5461041504518339de98dc

SHA256
a7a78b45f2c59d7283017801134f55ca7d5e441959298d2378bcb4bbf39fb1de

SHA512
c2d45b06b797d4ce1edeb723d137ac900b9d41572287f072649581ff1b55a17223fb37282dcb6f0ea2fa8a48c18352e1e66ebe962a14bc80ce3962aa01495966

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
5c439b766eb99e018532d2b808fe6cae

SHA1
cd81866cb2a4338a4e35d3efe6e6bfb8c96435f7

SHA256
d046633d955bcd1787dbfc869b189cafbcc7df0d69aa6d78d8b66e37018f1925

SHA512
148272d2a510ccb1c7a8f47d16115a40b9fde2d960252b62746ece1fb2e5998e0add860fa0e0ba645771457f9a9ccd3e28211490b33d99ebea2f75307889459c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
d49b619ec24b6288e46226c1a9eef5f0

SHA1
22a9b99cfe18e750c429a7bf6ad690f70f8afe14

SHA256
89cef22fe97e12d932d229a26b9551f3aaf2d3d0bf1c93fd1e6aab94062754b9

SHA512
8b670d738d80d12bf627aa1de86981f088b842a053820c1d82e2a8e2c39b09429f213d17bfce7fe30f602549775026e672fcef40e5955d2e789a6160b1d63c11

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
dc478ef40ee00a6682c09e9afdb7e2c7

SHA1
ebcf0edd0ee0919a2586ef628d0a42259c20fef1

SHA256
9c6d33b38777d2fa44456a137e78f1c6035d1d42591e93a7c2b271d05c1cd7ad

SHA512
66f5efd99e21fc19eb10b34f3113c8a9bf657d19c0094ba55e2af53898adf4c0ae19ddd834937327f909b286ad49a806121e52f6ccd4854ff91d55b62f089ed0

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d558ba764cb42b198286941cf276ea38

SHA1
cd9cc04f0f7ed8526da7b8ddcdd985d40f181a46

SHA256
6b67a4e711726b9f6bc73bc9ab435bc4fdbc3b6ff6d8034dda04528b77f6b34e

SHA512
1e791d133ce296739e06b08833fd874944aeed576f5bcc100dcd1fd957defc3f566ee45eebd5ac355a1577658fe920f5192022636a1304bc09584d765c343b45

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
e66a9946f84acc2a41639a6daec8fa36

SHA1
c7727f5a6e15d522b5e9833b688eefa27da7a150

SHA256
2b907fa3b81fe88c8692d14510af6fab42363d0805bf986de332d8c98c8d8e70

SHA512
c1a5a2669b85cdffc8fe75163b46e198e11fa7cb8ba090fec1aaf215614f565f928db062d872d7dba0d0852ed667f954c0e93002657da414667d3ddf17d5570d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
bda99ea82572f7b34c8a1c5bf30b22eb

SHA1
cbb0aa8d2a1a0efe7496ef025b763c58075c34c7

SHA256
865abc2083c1679973eb344d8d8c161d19b526fdf1bb0d6fdf69cded6015e832

SHA512
1fb4efa19ec4f8908f972d3a25919f9375dbe6cbae81d41b3a35352ec5fade19c1e17b4a8011dabbc7fe7580272179e1092f06b6616276c4d546a6115d1c249c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
00cdb9c1516d7e290a7de74cc7707a67

SHA1
abfefc69c2cbed4bdd12020c44f4573ee2ca8c6b

SHA256
043d39db6c28e4c54ba4202548f0b0350ce00e865c17812e6306764ad5606d71

SHA512
5ed35373bfc6db021fb3de0bb606ff0c210ea92305644a5d788af19f7bad7b6b156df426bd222d9b7be9d99af4a340dc52dad9c4c2bafca51ddcfbb5384b1d67

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
7ac345ecf1acda6f0cfdd4784fd9098a

SHA1
2f4367649966ed6203c6c0f93564bf9598ba03af

SHA256
a314a130ed55a7bca2d32b6bc225037edce3aa5e0cf4ec02ebc569401b898e9c

SHA512
2168973b4130b45d1a8cc1cce8b3433b07f72d9add1007480f5a78bf87786b5cc00eccee3259ce5f75659233f986cbde9d2799be2b5b6ad37a69026273caf8b5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
61de7418850c90018a6363426142230b

SHA1
3fa4eee757ab5d1a67b35c2d86c39df474108a1c

SHA256
4ecfe01880569e32bbae70a1b606728d64fd366d502a7119c79c12a40470a909

SHA512
abce445651d77b075da3f501ed63ed443f8e89c3656a7cac884f12d73007e0d6fe6efbc5e4ad063ef506145f83685512c5e62c2a006be84a54f5f9318e39c41f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
8f94c0e2b8f306f5005ea10a156b970e

SHA1
b953b4b00767a7d6d4108de8b6010098115b1ca9

SHA256
40718f34a7e4f115df0685af831fefaee3ff6493dc1d7f959bbf32ded76d0ca6

SHA512
befe63a0482e533563595d92a16b5e6872614fc513c3b0446eefff5a15e6db4fb5ad9ae3b19d17928160160f60825cc6b991334abc07eb2636f9eddab0fe7229

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
82468883f853b38976b21a241f1c18b2

SHA1
4f9e1d022f26e5b07d26562df686b7c0aa36ce9d

SHA256
d11d362bdb2a79a9d4e94845f1f78fc342e489d9e6deab2c0dedef4b9b64d2dd

SHA512
877542af07b1dffdc8b674f2f83dd6b3ad66cd86c5a81c3b951c60fb8625fa6fa2c959c6e6783164736d10e1d58f1d1d81b2c916060b86b9de6fe2ac604ceacc

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
2cd6dec7562b7279d048277db3ae4260

SHA1
dfe08fb5340ded1c5567837529493ea3b0a6d585

SHA256
0c7455d2b0ca1cd9002995dfa86ba57c062b213fbd7aeb61f545950cc8ff6e9e

SHA512
7ddd7853d0f98f0233473ec70d32537906f188fcc2ee5620e1ae9adb703d48b51956235142f7bed35617af9607b969742a025baa91bd0c90629ca82afb351b5b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
1d5334c8155aeb3a69e25b70ed0886a6

SHA1
43868e0217dc3375d9c3e8560baddd490ca3e54a

SHA256
7c94ca391de7a52bc839c4f45bb265a8269bf61d031de10a1824de1864ce3d7c

SHA512
cbe3e235a957fbcd280d1f3f8e2e77ade15eb7715e8062c0cc95ead1fd81b703b1e0197337215a0d591d2255657dce4a40c4e04be73b3fb5353e01120967e823

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
1a0df8f85c77336b0de2babe98a499f0

SHA1
79ed3d172eff832126e6e54a469152fc109c3b1b

SHA256
809cb1a33bb1e10f38a47114c648ea6b363103671df7047ce878a2d02b40ee1b

SHA512
b4e9aeb9d1daee2e7a05ffccdd31c1567c9f335a852353c60b74ee4a33343b2e98573171302681bccc96c026c5559ec803212c93920223ff5e6b4ee16efee9e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
235517e778864eef7db316da218847ff

SHA1
f100b86379bb72d5d3fd67c8b71438327af6c9e0

SHA256
3f99f9e314c5f936be3e7c1fbf460c29ca12fb630816add7df1336980e2aa3cc

SHA512
7c1cf0b1d084fb65da7f4af0f74617f0fe3cedae01269ac77dd9b2cfdfc4415dfda57a91ac31e986751b5fb5945508f111a1af9cf3e39729677eea6174b45c09

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
7d9a824af8a6307cd17ff23c7b52353c

SHA1
a92c0743c6eff55b15d7761007be665b30d9030b

SHA256
6bdd17086591d842ea8b900a5de8cc3075a006c454b77c6580c172dd49bddaba

SHA512
134f96dc8542926eb43cb7df33165affb609440bd91177ca031b3e1d1373b7f15a5037dac4638db50d8569a68c2b1f1c0f2aeccbebbf0e3fd0ef5e6918485f0e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
00eb1b4b1377e3717086e231ceb17a15

SHA1
f6f29799d9f6971833d33b251fcf1174b143c9d9

SHA256
723140a87bd6f9528e8b0a1391c8bf594fe3f2f50cabd72ccd84c7afa6ea6acf

SHA512
5b2875119b8ed46037bede9cfb65237932424f93eb7837b03a030c0d19694bd53a6246724427c221ac6b4941e1b1fd2caa921049240ab0e77360ecf687137c83

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
bfe28b938f8b2acf44d927a7563cdd05

SHA1
f3d4f44f61048af578cabfbaefecceea92482a05

SHA256
2dfe459512fca932ca19e0403ac131d623b53d89d9627cf1af785b6a8bdfec6e

SHA512
430c6614aca17843b681f92b650e5c0d5f16111a529603fb6f932292ad655c94e1739ed511c930241b9fb2f1b0f2aba940aac41d196ab322385b7986b17e5838

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
2700ef08632d4b799caaa7937ddd5672

SHA1
3ca66b77bf89c85f92e89fb0a165f0a39452e590

SHA256
4cd4582baf24851d6112dc3dde25bb79ff5c02d1f6af9b75c1b37861bd9153d1

SHA512
9c3bb88f0663e7b789459e971cb2048b79b58a8a266c6e3e7a93a855ce9b32580fdd02d3b9c8899962cbfeac8e6ca179c0aa452112850c8bde7e48efc42c16e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
3dcd68bb132e7a032aea0081f1f321b4

SHA1
534d714c310a12fc5d0b1e42e5235052916bc031

SHA256
324b71f5324fe2df3a45753649ed46c6f182b117b0d19f66bf731757e80aa40f

SHA512
2fbf5da37763d5fab042704728248b8b90c9db2ebb4e214baaf4bee2e9258a70b7d1e01d3c92110e9a323055e7a7858493f308f0c1431bedef1400de4e3b96b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
fe1c1972c5ae1bc7bb366c03d0cf2176

SHA1
616c6aec43b6fd18c5c9b82bb3a7e744209142e5

SHA256
6b6d36d51da42174147fea458874d9e836d1702abcc77a995dbd4164fac308f0

SHA512
3493d846a086799d4c9a3afc51836cfb12f764a372cd6cddfdbed5b2bb52b103e9eca374c9177e23112ab2a63309e11736d8d5698112917b560537fb63388445

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
752e2c7916bd48cd606560a794857e9d

SHA1
a07836b0fa14182d6d348e89a86666f5653f4fa8

SHA256
29789b26207cb662ef2649a205287b8dc7d077a10f72e024e2255845f5fb7bb0

SHA512
47de29fd08a3b81ce6a3b713c012b77aa9f39cd7bf10ab0c639501f53ff6668ceda3bd8d64597a55fd016ac1d36e7b99d8974a9665b02adf905a679a1ec37890

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
1acc70cae2db7062bf97dfb2ca4d74c5

SHA1
4e8a06cfb2f039e7cd72752cd0af801123c49a91

SHA256
ccaff120aa0b1efd536932e87728c0de07dd2b2b537987b05c9d112c4e4a015f

SHA512
a11d8f2176b54cd1dd2924a23adc193f84cf3fe1d9448bda565d92a2e9497d06ee762edeef3ca36c3cec4e69ab986dd4f04e3f58d7596b81b6dcba6810b3800f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
ffe19f184a2f81781a1582160946fc4a

SHA1
b0d393788101715c80699bbcf9b8e582eaf10fd6

SHA256
454e04de83042fea7a854985e36a27cc3d9feb04f8f70bf1c9115ac022e4a5ce

SHA512
4f3328a4f46b443ea999f7cdcbb06111a3f1cd2e04fc09beb4875dc984796456669ac053f629bcf7eedb11429a7688bce94227e1d15f542c9b828a08d1e0dcca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
5293f2e8adcbd58ecbe2c46c4b6937c0

SHA1
bbef62eb24897d9f7d324a9f4fa82465ff396072

SHA256
42c549947cb02ea7a6eefdf1dae1736d427bc4707febbf465e5376aa046e7c03

SHA512
612d01d700cab8bdcaa443047979ad8d5c38ba5fc6fabcc8945f5a702b1b98b4499447d5288842d26950a13f0125341e80888bd557c5101852ab019b7f821aca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
7f4406c49e6f336d03cdded96e23bb51

SHA1
dde77adea7ac7723219daf34a6dcaab493b94918

SHA256
6d710fbb94a7fe445987794b7c8171dfa0ed3fded69a744fdc3c5ce5332b8e90

SHA512
920ee9ad7bce75927d273c284cb357a0d550efad3d61034430a9884d8a8f7d22a74748048c729d0b3a758f1c64ea696e27a12bf678e93a681663abe1a13a2454

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
015764cb1149816495b5a2f68d4dc456

SHA1
4efd74add976d3ee75b550f046b4d65ea3486aac

SHA256
4913f8f34b571a39d1399b7da435d46fda383ae553410577a88fa9edd9ac6e96

SHA512
68d68a9b0bb65fa687f222112be0240679fe82244cca326dc80574956b001eec12de808a4d93c305603e454d6c24729fd3386c97166210beae523070001212b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
7f209ffc041009ab318b184347918d41

SHA1
2a3ed5ce4a8b9e9cb838c20478e4370871ac7a62

SHA256
8f61add78e970cc18ed88976bbe78a8066d55f0b87c0bef27c44b8e5f066d521

SHA512
79fd79c9e1647e2f00e5e320a3086ef8c5ce182952dafaca9f26ab29af8df0b0136ecf289088ab2c39eccc59cc799b4dbda3b433d42af5f94992dcee143fb88a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
18f62dc2d8e29570c9f7e48907817f5a

SHA1
8f59992cebae1903c46a3796461c71fe31d48784

SHA256
7beeb0e0286fb356215d342f7acc353df5a23be290559952a02880c606041279

SHA512
b227a8a9438517c7ef6f7c2ea5263d6ac22ea896f0901d326e78444c8f9dde7ffa9f17201b0de29f5908ad78ea10f19b80e01b8d0a8dbad846e881055119ab72

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
0cf500e16218e758be38ced5f40bee02

SHA1
6dd410b6fb020b22ca74a23c821648b603ffe312

SHA256
56238d262303b3b34026a422227005154c526da4ee0edc68e43ed4a403aabec4

SHA512
4dc2ca3ea9939a90e6010db55d46da84e0150f934c4333ee8a4c930c6cb52ceff86efa8f10f24ddb11d49be8cab812b14af13bee53f1d953a755acd051a4f9dc

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
84c6f8666ad980450ef97db0be70509b

SHA1
f7184b4a10b30d7814c7a131c9df15a4aa2f238d

SHA256
3872b795b2f1f50f8dd079e01175684ebc7228b93f2a48a074001e326dfcb10e

SHA512
a96d109af552393d8d54797943687a1e635c8f4bea5d4c8a916fbb29f805e0164308ad0133bd0d5c9e7bd82f657261451b296a1007e18cd30b004ef6b759b5a3

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
8c74f6ed22a9abf5ecb2cf1c6430b935

SHA1
cd81e8826ac4a1add9cb05dfb30d44250b56db2a

SHA256
448642fac2f1f819bd6a967a4108889f516b0c8966e66262aabb18e49471124c

SHA512
723f4d89e305882650712acdf9149293ef6255d1cd8621f68625c31a0f423bba827c0dd6f17790cdd472fc3906146e6a6d2690b10acd3552232c1998a75df693

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b4edb5a5cd25172940a61846c9ac0374

SHA1
4111c2ba2d5d6f25fafd9a43a17bbd45cdfc5566

SHA256
2fa896dd001514f727ec640b9429579cd37324a724aa2c7cf3335a4e835c5d13

SHA512
ddc7cfba3984e02fdc235f906ec02504f5faf451d97cf96afccd34094585bfb292649cd5eaeb9219ce0340c153189a753eb6468f8f5b5081cc5ce8bd61b96f0a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
874ef2b54a716e829d25f444837964f5

SHA1
6b5f5856574e27da3e8143c2120530791b6b253e

SHA256
d6d67a50181d1adbb9d9c25bd4765b1189970cbb3b83da0c77c0127f8dd66f21

SHA512
bea7ab87a017976aac7e344373592a41a32f8282d2f3c346f85954a19733716020a2ee4a6ae92ee84a3da259595f7c50c8784e206335e06ce45986d33d15e292

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ff98ff7e7a525a955619728ef15e97e7

SHA1
b9a3d7f80b1868530addb27beb11e593a1747c9b

SHA256
ac99e38e251a482093450c9fd795a06d3c9046e55c896a84d55a400aa4bee596

SHA512
60c7a85c70ec27854d9c12400ada45f57903db2ce25a70afb7c15ae5c1e0da0146a335d25e68abdffe603e4d7e0fca2bbf366fd1f9d9eebd3ac0c15daccee410

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
29f65095787b66bb9af3fffa5e239959

SHA1
39a5584d3d0c6f9be48f60c9baed386b010bf94e

SHA256
a37da5ac2d15196fc39c5ff13042bb1415ff1a4e9fcb560271d4f22656803b80

SHA512
266265c452543e215def77aaecebbe1473d1047474c33def2534dfe76d2a78a221c76fb21d965b33288e25a1cbee7c6134305e5b9a2370dcdac384a84ea5f29d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
0b4a8f3acd9ba2afa746a5d259382ec9

SHA1
947869f22110027a9e46ba1688fad95f2909e52b

SHA256
1787c96e56e2dc0415396bb89aa5a988ed08b133d328f8c1a332698cd407a187

SHA512
223c3352ce9b1d9d3158398c3a5b4595bc6e28496f2700fb910af40db6ce8423363a6140906a841ea4a260df1c8596ec2b5b2a5a633e9198ce17082e53e6712d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
3230e85c847315dd3eb5e022129bd22c

SHA1
ad2c9287aca7b1fd9ece4df8e6890115b4d9d450

SHA256
5b159a854d10d566796ca78b3a4d910f5548cc08693b0aac31db667e11902653

SHA512
2850522adb0a5622e531deecee5b8747f825db7b30b493e15f4aa09c94513c797544e5bff2b3ec5127fb35a715a993021625fa205b2575fd5515eb7cf5bd36c8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
de4a907936bd7cd3d5bf7c059560b884

SHA1
cf4aa0abc706003a18924012b667299ee84483d0

SHA256
938cba147f0f0cf3f1b1ee174490ff2b5eeae1240dcaa46fc9d4fa04d919db89

SHA512
d9692ef08f7946e27c8425453ed2d3e9a1821a93891725b9f0b609aecec23afc4422e611e9bf1389623d515e0b0df2eadd36aef636af42b1c052ed560908f9e9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
da928b7ed5a36a4933aad2548bf55951

SHA1
315f3c04dfef6d4083d1324964ce2ab7c04b0313

SHA256
ab9c7053e632c247c06e727316806f070272e4a5ced05ff3a2b3555b7eb59d5b

SHA512
10524123d50eb55703b70d60ecdb2137a942333c80045d0797d2a477b2e63023d8b532b36dc04cfb502784979fde509a53e81c99c0413a02b2af5f51a5b43b59

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8a01633d2047ade46c6b6096c7f47df4

SHA1
57baa7b6e1414fe3f555db5249a3bf51a4028608

SHA256
0124c1453c2f84907cda2746ad2924d1eab3f25bdd7fabb17954b6ac8edec27a

SHA512
1c4b2c054615a7fae02b679f09b17834f9ec61e0eb6f91ec08dfee7f859fcb4276210f46d440e55d5979c79c76c3073e45885a713fe8cd204ca29e4dba0b4514

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
8448635d4e277a9b3bf87a9a1ebfa4c5

SHA1
fbdf970c7fc602646c763b0d59a9b76d16d4b2bb

SHA256
973036030bf74d44c1184747fb88e8feb2871e70752ee438f2239dbcc441896d

SHA512
ec3d5a9046f7a74ba782a8cd2fcd9211f4163c3dcf2ffe03b8416301e8f400aa29894d38f9463f023a2b3d04e6dbb72a3be5e768f688fc04ff56a4738287810d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f75325c032d393a5a10314cc058cd8e6

SHA1
66caf6e8e36e85b9edcdffe8ec1dea1d26a6ea32

SHA256
fd3f43b5042082b89bc716bf0cdd4a5c056bd43aa914871c152305c2bb761466

SHA512
763511a609112d66c5e2e8849bdb39ef23cabf9bfe238e0970fb64e1aa94c64a32e3c4468adca980884f8ba5dc279ccf4ff1ba861d40767b2ba35454ae4955d4

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
8680821b5c3f32ead7b76352a8091e51

SHA1
101fe6db72546b01d2619047cef9470561a4269c

SHA256
4ea20ba77458bad50cffa57cb4cb61d2379b9800aab7bcb63899646bc8455066

SHA512
01adddf371327a8056ce60967cbffe19a4f53cb96def84f691499eb4bc4750916af070886c95ba61ce7e59e28aa3fe769ed7f9c674a6d330145e0978938ed68f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
b259972ad4d9a054e100be32a0e0edf8

SHA1
788431b415f949a2a69629bc50150db2950eef56

SHA256
711b711a1c94d43250884acd10ab7b381fc91b52102e366304ad89d161086856

SHA512
c075b153f9940819cea70d7f0d6fa4ab13c85962a49b74f74fb1dcc6034b597ca927dd33cb42ff7afbcfd614d6c4fccd44364410395c7b4efdaa7e5ed2e0e862

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
5979714ea8714fa33759100145d52355

SHA1
df45f6702b62195b5ce118c0514ccbd7d77dcbc8

SHA256
a5c46f34447066230c32e107709088e260f8b503991db78addc1524e8a3b2ab5

SHA512
1fba87bbaefbea532b134d4f18f0539e106ca8d9f8c1f6f6ec122d587c36797300cd836b083b1ba477b82d3160aa969ec9619c0312931cba4ca0b78fc451028c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e319ecb9de3829c88679509923de9acf

SHA1
a8f99ebd83bbdd91951ae01f4189cc98bdc02006

SHA256
f056a1db503ec60ee29f04fa7357793662464c4ee09b0e22de041af35ce8755a

SHA512
2f3b730f8bf0aeaa79a8ec146ac28274507ce3ffd4eab62f1dd391e169f8c0c80b608be3ad6185ae180a48366f9073839caf496fb7a7bc0698709c39cedf3383

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
df2caf825290de20e3fe580f59fc9d82

SHA1
a1e2f31dcef75747f24db488d226c510889101a4

SHA256
6cd51ca152cda90aed7b01681eda144408c3a539e49d96534836ee6d2d1ad15c

SHA512
96ffcff6816f5dea520d47d198eca3da03db3520efd67fe190da84fc7fb7e35cf7113b085bf65987db290c6a9cd0e2dfea6dbb7810a5e77f42f3d0627d1e749c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
37b898538920c0bfdd5554cb153d4b8c

SHA1
7ebc4d4fc54bc882b7cde6c3cfaa6bfea45db1b5

SHA256
0823acac0fb97b3a4d60bc02d9b6967c1e447fc0a9a482eeac32de98039b0ba0

SHA512
4c60187da1dd445f5d4b43655889172933fa73880d89c71f231e2ba45b1acec72d153180bca34989953ac7d91304df60b62dec3ff898d442b6f99e2191c094d0

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
fcb1474192031ef05f12093fae502485

SHA1
f115c4f8e7ca73e447ff18b370432ce2bd3163ab

SHA256
aae0d17165b99c1a708985c61139d55dd9c4c56d8ae9d342ca70165de61e7dc9

SHA512
0af10bb1c623d525c5c0c6099bed4d35e65798970083d4bd1a4b206c93d4729ac9dcbc09843ca241cd8feee580d2a681d11c31d54250f21d66a351d08e03d34a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
5b112125d733ca0b35652f53b808d46d

SHA1
cc714bc34f3c7fb795c1915c77d8ef83c19456d1

SHA256
8e3a1133fecf265e0ea4fc5b0d0b2ff28a1d256c2f89d61776e83caf11994d3d

SHA512
f9b1c6c431d58253dc26b1441a480eb744222e88d0d235bf8963cebf687466b227e18c5723c06f3f6ef428ff44627d13caa23347c013e7154d0615b29e7a56d1

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
f381a6c337034c29cfc9d486009346e0

SHA1
c9d42dd10634964d020e513ccc436d9519487112

SHA256
b208356e446ca154082e618e80b683cb38985037e96983f117fd827bd0fe568f

SHA512
9a8d9fbb8cc36ec50019c0c57e99559ba82fcc96c1d725458bf2826937162bd8db651325abf817781eb8c209a7654651315afc3e2dbf88dbd8e48787c05363da

Download Submit
memory/652-262-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/672-241-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/796-263-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/796-612-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/824-13-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/824-22-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/824-21-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/824-606-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/916-605-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/916-243-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1464-244-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1716-257-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1956-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1956-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1956-610-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1956-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2004-56-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2004-49-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2004-607-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2004-50-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2032-240-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2600-611-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2600-80-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2600-85-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2600-74-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2612-500-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2612-0-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/2612-8-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2612-497-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/2612-83-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2612-9-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/3208-88-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/3208-265-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3676-33-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3676-27-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3676-36-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4168-266-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4168-613-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4284-258-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4308-247-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4396-248-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4656-246-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4784-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4784-44-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/4784-38-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/4784-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4784-59-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/4940-239-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4972-197-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5096-242-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download