2e128acd3454653f7ea7256d5c6dbc65dc7e134c386449f31e701cbda6ea257a

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Size

2.8MB
MD5

7999d52228cfa710c9fd959e005a0784
SHA1

57a82a4403f69e36bf0e6b4775ea11e0f5b2312b
SHA256

2e128acd3454653f7ea7256d5c6dbc65dc7e134c386449f31e701cbda6ea257a
SHA512

dcc4d7ad0ab45d886079817995c127f43c441a07b22d36a0ff9e74d9a4a9c283f650f90dcf2bc8061f21b2929a88b6ca7393af66ed889812b51d76cf4fc0b31d
SSDEEP

49152:ZCVBvcQxMKUDkqMfRW9Ecc2u243a01TItTbzGi2fDzNDNui0hBdH3eT6ZU6CENl0:k9chOOuiP6DtNuTBpOT69CEN6rV

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2576	alg.exe
960	DiagnosticsHub.StandardCollector.Service.exe
4052	fxssvc.exe
2612	elevation_service.exe
4160	elevation_service.exe
1372	maintenanceservice.exe
4260	msdtc.exe
1968	OSE.EXE
4416	PerceptionSimulationService.exe
3040	perfhost.exe
456	locator.exe
4532	SensorDataService.exe
3668	snmptrap.exe
444	spectrum.exe
3380	ssh-agent.exe
2040	TieringEngineService.exe
3656	AgentService.exe
2216	vds.exe
4980	vssvc.exe
1328	wbengine.exe
1068	WmiApSrv.exe
2848	SearchIndexer.exe

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ee7a559bb5459c0.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exe2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

Processes:

2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c9d37ef28cadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005994e0f28cadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b62630f28cadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043fc66f28cadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043fc66f28cadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000035d55ff28cadda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ba3762f28cadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001983aef28cadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000de4a75f28cadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe

Modifies registry class 64 IoCs

Processes:

2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rev\ = "WinRAR.REV"	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\ = "WinRAR archive"	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR.exe,0"	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\ = "RAR recovery volume"	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR.exe,1"	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP archive"	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rev	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
960	DiagnosticsHub.StandardCollector.Service.exe
960	DiagnosticsHub.StandardCollector.Service.exe
960	DiagnosticsHub.StandardCollector.Service.exe
960	DiagnosticsHub.StandardCollector.Service.exe
960	DiagnosticsHub.StandardCollector.Service.exe
960	DiagnosticsHub.StandardCollector.Service.exe
960	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	764	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
Token: SeAuditPrivilege	4052	fxssvc.exe
Token: SeRestorePrivilege	2040	TieringEngineService.exe
Token: SeManageVolumePrivilege	2040	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3656	AgentService.exe
Token: SeBackupPrivilege	4980	vssvc.exe
Token: SeRestorePrivilege	4980	vssvc.exe
Token: SeAuditPrivilege	4980	vssvc.exe
Token: SeBackupPrivilege	1328	wbengine.exe
Token: SeRestorePrivilege	1328	wbengine.exe
Token: SeSecurityPrivilege	1328	wbengine.exe
Token: 33	2848	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2848	SearchIndexer.exe
Token: SeDebugPrivilege	2576	alg.exe
Token: SeDebugPrivilege	2576	alg.exe
Token: SeDebugPrivilege	2576	alg.exe
Token: SeDebugPrivilege	960	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe

pid process

764 2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
764 2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe

pid	process
764	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
764	2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2848 wrote to memory of 4244	2848	SearchIndexer.exe	SearchProtocolHost.exe
PID 2848 wrote to memory of 4244	2848	SearchIndexer.exe	SearchProtocolHost.exe
PID 2848 wrote to memory of 4524	2848	SearchIndexer.exe	SearchFilterHost.exe
PID 2848 wrote to memory of 4524	2848	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_7999d52228cfa710c9fd959e005a0784_ryuk.exe"
1⤵
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:764

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3068

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2612

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4160

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1372

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4260

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1968

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4416

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3040

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:456

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4532

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3668

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:444

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1720

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3656

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2216

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4980

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1068

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4244

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
c035acf6296c48cfa4d4947473aca71c

SHA1
a8ef8492b6cddaf6463aadad684b929afe106aac

SHA256
9fe88029e6c5a30e33bcbbe981bfa1510e0b315a9fc5bf450b5a167d96dc842c

SHA512
620138535445ef162cd49e12a2a888db31cabcf17a8174d1e5a9e91ab7c55c9155e7c5467c39bd7b41b331b59bea278ed594e21adca74359f028250952a4a7e0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
c763f5d7f3f592b3e2e24f2ff25e7b3a

SHA1
1ac9f0ac0aec2a224a3d46b0f825f3d7dac8c185

SHA256
ae7fa9b4880c4e436951314a5c6114acffabd249148b776398cbac678946a5b9

SHA512
12feb113f516151b92023fdde74f1e7733caed3645539646fc17b6f9b4bf6938e68bb2313c1e955940214728ef9d4f307d55cb0b1fa1492799aafeb7f76dcccf

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
8a94b286d9de1a6c0ce5b39bb8b8d72b

SHA1
7db515a9ad878482d4aeadc33d90cfd906dcbc50

SHA256
1136adf650779002d38ec6a21274a44cbace753c6965db777dc61e41c7ab3b2c

SHA512
bb170f5c2fe603956525ae1c72bb8eb63849e349b1affd2824b453e19affb87e0fa48d0bf61036b3d91f695f57fb4bb2e6b7835272aaea3c03e408571a26fa45

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
96fe3304672bfc96c456a095f3025915

SHA1
36601aaa18fe5082ce5ebd904512f23e7226de87

SHA256
edea43a24d16901a6a32cbf84308300d82292838afda54fe159a555e43abaf6c

SHA512
223bdcc965ecf6b9a88793be5299e57d30055cd111d87e555616681d596c3481349b1ebdfb379fe4e3633656adfd9e4bd04790bf52cf72b5a4a5abdeeb2f1762

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
ea6eeafca57fcac60a7a4f5ff51973bd

SHA1
0866300d790f1ed33c09275d856012a81c85139b

SHA256
a9fd3e82ad9b1cf85a4d1c17b7ba7ce7f4d3d1a994cc9112b548bab0acbfb02c

SHA512
a555eb2fe3961af676dbd17cd61b39046f97c60399c71757c421926f6fa41efab8971bcc94484fa12297d6266804d0cb763de8714508e268b125a77cb57c360e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
5f445ce65c6832194bcd1b9f3f6b7466

SHA1
e15b5aed2624990f5824cb759a987047541fa972

SHA256
edcf442e69fdf8dc249ec86ae51adf41de670018502e49c11225dcbbb4967dd7

SHA512
9fc46c6989bf416b17f008dad0d4de8a499891e15ad568b2fa050132f64ea3dfd4d97f8f0fdcf3bd5d192d5d023d844f3902b784800b3f240e949abe2ca54ab0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
0c16976c7962febcf9a96495630ae3f9

SHA1
e8c35502a38a524de818b125cb1b912b3be2043c

SHA256
d3230f722cb6e54d62f696dafe8cd28995a7246161cdc267a0440ff57fe73c29

SHA512
4efeb8164edad352f192352c240be8f84764073849c485cdc1066792a0e08dc324665dfa91b3a2a57c3fee49d8e4f0f66c8750e93a6679ac90655b2575e6841d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
77a4adb680627d6c03687fae8d823756

SHA1
61ea4822d7b93cb64ee927fad3021a65d6a50c87

SHA256
fbe1d7d37fcee1e602d6f0f6877116dd01dd0588dfae1efd2014a12d5b8b2051

SHA512
ea129ce3d7a6956f9ce64580bcf0b12e6ddcd04cc6e79f48649265e674ec04411bf1febf04c350f8cb9573ef11b5daef65d4aff20e0319c2490a12b61de16fa2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
611032372204a3346b5a188a70f42e52

SHA1
66ee284d88259a5f67c4e1637d7b725d808881c7

SHA256
1bce55314b4d6eded6e67f8fe1787026ee2d2e0157dc071aff83a8103f0819af

SHA512
7e8f77fb66e8604cf1ed5e5a42316fa93f0857dd5ca500ab7349796b467d07c7157ca2a80657a5afbef5bccf4510be3a1dd5fbd7686a843e5ffa4be8bcd9a147

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
5771f980737d085cb3deb5e03d897f2a

SHA1
75dbe973ae2a2f8936734a13ba0991e829075b6e

SHA256
f0dc289aa4afb8fdcbd226047c27d1e5718a81d932fa99b9a4f49b628e049123

SHA512
e564f5b930cb897a79e7a17a2c48edb98b1f913ec550e11d9c320fefab852bcf1db68268f981f9c9f92136c9a084da94148f428d38bfd00fdfbb5beb8e5965f7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
7f515aa97810517ffcce907bbe75b6a6

SHA1
ef9bb12a23ec32473913e276112c061de21f0689

SHA256
013dffea2776214984d140150e7b4b42de5e2890d7309df659fb21c7c7be7943

SHA512
86f8383331f5e5babe59d96de465366d0b62828bda80451652aa728f3e05dfef29deacd73b598fa60747fba4c02016c2155b40fcacc7f062322e61eefb2faa37

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
a693dc256b6a997ac1b36d34ded0fb91

SHA1
d04b89b556d4a292bae1e6f02f7fa5a91f70c088

SHA256
47f54417bc1e694eb2b9a4359e63cec5d05ffdb45b95f5d83bbe2e804ae85fc9

SHA512
fc715efc522130aaea226004c01f7fd096db0838b9383830829957a49d1f7bd770bcf0e8fa4a58ab585b90872322cb42bfb3cc592164bd44a794e349095d3078

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
f92ae509559421b0cb679062f664331f

SHA1
b48540c185f394bc7f687eea5b58e1d679e8b64a

SHA256
f8cdff613c7a0edb0a169f399b1ed78103b28eceb46dcbfc5557062e2a19aaa2

SHA512
96827d57e22e535997ba75dcf2ea2da8e52f302d63b4d68cdaeee0365a7a45f5e952ccad3a7e9f498fe7c4ebc3c278c4819339299af69c68599b3cea730f4054

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
ee110dc489930f7f3c7f544c1726af82

SHA1
af7e2295432849c9076b903b57063c87da1a542e

SHA256
97aff1da0785f55b278f8ffbb6f66337744e426a3e2014b9c80af9e6c9e7477c

SHA512
34af3b70e0a4ccceacf2f3193b0fe1bfe9dd369851f6e2448bace7c7f34d36a0bb3fd6991ecbd1c80977aac42b4b2a2be7f45be10351afb9f866e688800f0a9e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
dc477d904fba0a9fb90a4b2ea964997b

SHA1
1f71b77a75c6672f6f47afa357965322236255c6

SHA256
94cbb40125c5967aeab9b75b041f6302e3fcfd9e56264b46aea00ca13c554ebd

SHA512
c05f88ad444ee8a0b3995dd175bbff6f0e3a65596c18b0e7588ed97cf28f1f0eb9c0050b3f84e2514b4bee10623d669e8fd422122286b8dfc6fa6fef656381d3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
6324a28c4ac76d711b57e10a9090e921

SHA1
86910d43f58490a56e629c25661b5f0e9082ce01

SHA256
8c8911d15453308fe2ad15a383bf90fbb8e41d828f00dd2e1bea99625c4df081

SHA512
e30600fae6a9b7a16e673a8c7f61367480e45fe86e3428e7b9088ed75a220040dd2e50e604175eb19d96aa60247bb2b30bd39b5685df1d4f211e632f693974a0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
2975a0e971348f6d6902eafcee4b966d

SHA1
24a4217f78e21f86ec020b909f1871e6fe5fbd44

SHA256
d4eadcc3afbb2711ed6ae644cc6aaf5a23dcca8edaa4e62ecc1aaebbd403487d

SHA512
8b449729b69214e52add5a5c9c6852e80bf01c4b821a526c5713d9b265bf9bb13d66f53922535780134b3c4c855988b1cca3038237f0c9c84396b6ce4dde6fee

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
1dfd2653a018fcd1f44760e2892431f8

SHA1
164a0ba8d99c5c4320f9531609cff1e695471e8b

SHA256
0aa3fddf0568cbd2f2892318c24869e6f8e3843ad830d326fc4b3adae34e2ff9

SHA512
ecd4dd4d4f280728798d260f5c87f9ff5c942180892961eb72883a26c997e25be602411c38b50ce769eb9df586c32f879a7bacc4ac1dd326393f245df313c93e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
11e8657ea763d19aeb3255585436a5d8

SHA1
8bce71547a17391556a580b6e88bd916dcebdb16

SHA256
83519f336d42bcfe3e9896a83f422ad59986adedef8939e952f121e9b4c66df8

SHA512
6de8c601abcac4bf923b362869315921bc75e5ca2e78daf650fdb18ad4658e1947449a69d54bb8afa5d35cb1c1af066a03cc10e4078471e6d87e9c88976e5195

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
4fed2d2a04de673cb6765be385446d3d

SHA1
b8dfd40313a215323ae0081ac8c37a0f1ae20264

SHA256
13fd920980ce377b18302caac496213801954301c7ab8fd43305f78ee76692b8

SHA512
0ff9161420c3722464ffd951e6f697567774034aecabde12221525bc59b3a6e6d75e869561ea557f0f31bf2952179bd71a897248ed2e5d87f354d4a24d1d250f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
91587b618a205cdd636796dd686a2fcd

SHA1
7e3a25d4e8ebd7ccf794167800aababb0abc9b3a

SHA256
3caadad7e5ab12a8ba035d756ba930635370df99beda4bd51de40afbb8cde06b

SHA512
a03d8d3b14133b26dffc9d34f6a36a44c7de5ce328eb4284150ca5f0281f7bb540c284b491704259dca38628b6cc6f641c9d716f76f157a585c28f3dc1f39c87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
75cde0bfd78f6baeaa36e5d428b9256f

SHA1
15ea975caadda0661fdd362db8066752bcd70bc9

SHA256
beefa483693b34ee9a9e475702924454b7a2d138073bfafc4a1b41d472dcf027

SHA512
ad1a9073814d53e562e7ee1fd7aa8f2d104adbf788aea2d52c9895e638cafe64d08730e676e79393a73a6a68bfe0ae8c05fad47b3498d73a7022a1960bf8f81f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
bebdcede0714b4fa423efb2cc22f6eb0

SHA1
7919040741b3d3132f7d65a7bd973b2aec8fd22c

SHA256
d64b2e50ea6756d5b96ecfa60c77dadab59565d84d4ab35ec6d824f0cd2c39f6

SHA512
ed75220089d0a88a22ea5087e7e3f44f98b8c3a71a501b0fe2b56009397a5db20dc33b09ad414dcf03e014bb58d2fce540086739394dc8f3805e9847836b6255

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
eaeb0f1f80f8c2e75ee0de8fa7ec8332

SHA1
b13cd2176240cb17c6201685e379a555f9ad09fc

SHA256
28626e96630639b6f766bb455e19853efd2ccd4d058e9d7fa12f0dbf8abeec8b

SHA512
1c902de432529ee2310d99bc87feb127912a4d4669844eedd8a68cd58d956eddaa4439fc5379db161adf4bc45e21068a11d48eee3a68960094ab1c0165dca0ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
0bb372b6fad3c3de7cf30fc576446851

SHA1
b1d59e3cd74016fbbe845738a6a6218df40352fb

SHA256
5134cd3112b402f9720d3bdf15bd544b73dc3ac2396529648be701a41e2ee256

SHA512
a51cf787c310d78650a2da4b0f2c1f722df567ba051d76d60ea9ef667dd49e745d8a996bee96b87224e8721464499ddb6edfde21eac866b12bb5495c7cbf00e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
e68aa218c8733782575fe1ad42b5cecd

SHA1
dcdad39aaccacb9b71cc73371c8c099c9e465d7d

SHA256
06ac1c7fa854296cbb46a419cdf3d556e0678bb6e3f958fd5eaac5e3be4a8000

SHA512
2cf900f417b30271f73527815fc24ce2f8fb150b9ea9b50fdf241f7447da0e9ef3692d61b0d2cb4221d3a3db33dea58b6807c4b64c9a062936fc95ee1e996d06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
1281257c4ac03efc01c731b5974f9a94

SHA1
f1b8482c4ba07e289ae6d28fbbf8188b829a12cd

SHA256
fb2b6ab6cbec7609f19b592ced61b29e7450c683765367c7b211688d28f185e1

SHA512
6dfd249a59ca8dd08910c861ec725632c2327d3a6137f80f1a3a4079f385352682098f9d2efdf61d3656421d45269df7c689f6975c4374606e86132a37985614

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.4MB

MD5
b5201d7fbd8f8d0d72ff7174a2635530

SHA1
123dba4080e09533e89f1dca454e45ffeb19d1f6

SHA256
bef58ee8b90952d9745c6e50d099bb86dc325ccfb835c5c1f3e244ffbfc5c0b8

SHA512
71dae7515577422892fa9a451fccd553402cfc5223583108cf552e6a008d3742847dbc6fc11156a70e6356f45e97d91d13e7e05b0d885052caa97c1817c25042

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
0e572dc9243f9130bbacb611ab0d26b1

SHA1
44ca66440ae6b80a8d7e7220fc86f4a8dd1ef2e6

SHA256
cadad9d113be24b3ab77687e7edee2dfd82eca2d0355b59631e7844c3341f5ff

SHA512
44be1044cab4c0d68f2fb4add17f644b0de71d76d9f641647a20d86b05cd48a508de06a4270fa312c6bcd050fff252fd42ce73e2ea548c9b0aa234715050a44d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
92b40d16725b0aaf08c4f46a9af78f23

SHA1
59e52dfb6df80fb6ee627727e610bb8a08f01a11

SHA256
d640d455778433097eeb7bdc461428396f0f3b3354eba3ed119ae6f07f732b03

SHA512
32d2a5ea98898d648eec35b8ddf91b88ffc8258e62133250a07808a323a74a0588cb9b27885c9064686e95c261277ad05318e43528e1f98bc37363f97837f09b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
2a18f2bcabc7e5b9ce76749dbe7fca13

SHA1
0beafc400efab594f310329d86016aadfbc1a93e

SHA256
74308a3275d5fa9c9243581058b51a9fae5ba6ab675605840c5f2fae871d640a

SHA512
50f3dc9969fcd87dc06c3a1377a44951ccd8d366d4d787c91e972f405599a93219b6accdf64005bfb8311dab0449a849c5fb2e31204774bbc18adf221b90422d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
6bea0a19084e3e8a05a5beed51e834ca

SHA1
ca28a502f2c47b84d72a40258ae5cfe27962d2bd

SHA256
50b1507f43703c8dbb2ea4956dc0d687174fbbe2484ff434fd6bfb4c7eae1207

SHA512
287ef977b25349e53c74284829a7825b0196883eacc4e356888418318b4a5895b2ccf638501dfee819262558fbdddf53bd6d684e2e6c6509bcd4b2961a8b7ec3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
eacee90988fee310827613fb6d04e069

SHA1
c274aafc8a4c8b3d9429cc3f1294b751f0c0f107

SHA256
88a7deaf7c96663d076a046428f0c7f848ed80e78a0743dcb300c624da686fa2

SHA512
2b3b0c0e2c5d147e3725f20f4d4b30eb35ecc4b25c5d4fc3352f6b8a5d2db451e3483d47cb849597e919d21a522a4cc46ed09bbf5762a91ea78957a925665d73

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
ab9cf22b338a30f6bec95ea62f4defe4

SHA1
bb98f0563dcd851804e268e7cffe8984920aaeff

SHA256
7dd86f68fb4f81f91483b3687f920195d3aefa178876ff4ba20bde403bb71277

SHA512
ef893fe8ffc531024f35313e2746f27f7e47c3f61db7ed47eeb7406b3e43447ed44c7f52c3278753fdbf6ceac7a6027b9bfe224217968ae49659f5b2dee9afb4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.4MB

MD5
47d61d111e66c7869775e24e010be697

SHA1
a6d17f7a490c77254ea8f54c7472e06f0d7e8106

SHA256
240e756c233920414523067a9e462fa4dc16a932609cee24779233c003e161e6

SHA512
cf014f120b73d19509fcc826bc8b0bf22ac9f26fa44d6fddb4baf296b247204dde5a02fd81054b32092f017f983ef75872ffc4e6056e0305f3168dd7f48b00be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.6MB

MD5
e647fe195d29f12511c43fe0768303d6

SHA1
0916d19ef43aa215518b85598593ecd70a52d245

SHA256
df7c95a4766f37c771b29ed99ee69ad8830bccfd34b5241b4e075854e56b01ed

SHA512
e730e095c052c83de5983f65e40be6cde9c9178013396ac7453f1350f5807d36353038fd8046a380492f68838ebe39799be65d05d33e606d765b4eb84d9e5021

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.2MB

MD5
c76a8b13b87e6b62eb1a663117e8ee50

SHA1
957e92c5c7be1874dcbdf850aff4f725079bf75a

SHA256
55833875870b7b088bc879331352917f01a0d356282e8f91e4d7d19dc53950f1

SHA512
85f6136130dd497a6133012b05f19b4cede43de42d07aea14eb50824a25a7f0d43debe7972f10adaf57f78787da68ca7ee35283667f56d2937bdfb84a80c7138

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
8d66d5c08ca160254a25e9317118dd95

SHA1
1cd80c3455ba9f1b02ecb13685e1b3f29396dad0

SHA256
1a66335d53fc4e878e6d6c68935c1d25e2f5a6930910613905533c562fa05015

SHA512
95f4d0e6a404d1d92b25101095c9ec25c4bf1e19557f0bac6ec491648268e473481d2e16d3bb75a629b537b66dd6f9be2a9d48656139b71e5a7f5528bbeac107

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
855f047ed0daeaa1a5733faeb920fdab

SHA1
aaae7b4de8bcf7cddf3584c27643e40c4d3dc86a

SHA256
789481688204c3268054fb20de2de267bcf83be6e70574a5725de0edb41d70d2

SHA512
b31b70c54aa5b843416672472f01d4c2ec7ca6796487e585a91e89c9baa550997782dabf7014a07f04b531349827e4cad60da1852402e9f203276433e80fcf25

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
332df8c4f079ecb53ea042fa051b4be1

SHA1
cf8fe5e4e9c001961cbf7f0f602c57b222af8774

SHA256
7c7991566d4819ce19ba4ef8d0740c82ed29a58f5dc10188afaf65fa86a38c48

SHA512
5af82eea307b2e21539b9193ba26630120216012234f62309d026b6dcaa59a45548e14dbae351fb9f0f3887b0241390931cbda2bfbbc7707d02d0375358af7c5

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
2496fe0e0ecf0006f3148102d52c855e

SHA1
d17981cabdf183a21c9e463e70171cf71af9939d

SHA256
80b64198f990fde30cb3f3ae8e3b1022e26e93046857d36f6f734f6baae70c51

SHA512
13d1e0d9d4eafe0f1e19d60b9d1609ffc4ea5387fad9b98ec96456dfccc1944a00825ba2d3e6d8235542539218a181ad436c44e2a8f7abbdf9c281fa46b25b2a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
998a99987ac0c76ca80ba987dbe4b4c2

SHA1
1eb117f65ad87adf99a7b1b370086ce1fedb9da5

SHA256
84c882ae704181f0137d9b06796bf8821bd8e8e619f4c98428abfb8a7e2f196e

SHA512
b80025564b8ae9a7447d38a3bf4c4a9b8c9b7a3579f2057fe63d17abcdfbb379fab1666821b8dd5603669d36f9f8613c017588d7920a345be449adc20fb0d69a

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
0b2a263560a91ebaf49b7d1ba17692ce

SHA1
803121c9b6b05894ee5a282f737a9476942829a3

SHA256
a779864cad0b64d08238ee7d8b83fc38e194cc3d035124a1c8fc3f9ae9e40472

SHA512
f47a07e8249f361a83176d501246b759d22ad78c87d48e2fb6f527c27d6b23e768ebe04d8bebaf8f0b193e885834b0cb68ee0d55e3d834a40d5b02c111858999

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
b1d97cb90e42c137e4aa853945a9f430

SHA1
a9d3a766a59ad7ce190ec94c2afb0231a507f9ad

SHA256
81cea457c467f4098edb948e93361122c5ed41f7b35dcb14ec3aa1c4284b9a51

SHA512
b1dddee49a4b2b8da1b7dbb0de59c41dd97f547398cea6519a0c93fc12001fa41b14ea053f581161199e21fc8627e5aec4cd9f0b86792919c9f959a33f23f184

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
6242b637dc21236d12f0add6e04392e3

SHA1
607a81719b1db8d47d26ca9c32b186bb84a23d1d

SHA256
138207d98d94b76f16f1da8630454c49b3b5675fd4234438a3e8a7873c8ed9b2

SHA512
51862c144299c0bc1029c189d2018f831d55160fe44e93ef491800b0a8468a28e889990549c36308343a15748c694a2261dca1e76b80fdf6f45d212b0f486816

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
a9011ca0bfe7d2d5cceebfdb6ef57daf

SHA1
108305843a4c15c09d574651c1cbbb93529270f0

SHA256
e7740670e2a181c641afc002118fc047aa5efde4232b51b276c05af545ba1c67

SHA512
f7a10ddf4c9e26a0c2aa38b923706fa129c1eaf028cb43be9b404414502ad7509d8a024dc2e04b01387fe484cc0fd109f6e57dc9b7cb2ed59f3ba326530acda3

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
2bea685d29ba211056cd256953d9e815

SHA1
8dd2c6561271bfc09256b87264755debe8c8f27d

SHA256
bd46329108ac2f70eabd7a6c927c2e0f22ff268923b45408e1d3322980ac0ea7

SHA512
f35edfbec00a3cb31539fc4ad27cd297436c2ce6eda1cf27725e24d3795ab5e0890c688a4800be40c577f325ec341a54932c3f9e4992f1dccc6bbf796582e097

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
a15dd0f48c62fcaa44172a5dd706f9ba

SHA1
4028effa78b727a47f97656d919112915e0c0010

SHA256
33965ea93f189d50acef68c9e2144663f26277aa07ab0bc3119687ad5cd34c47

SHA512
18cdf00da9181c4306dd5c14761ff07bfff7bfe3930554b67d1de7fa99e63d33b7483f918cc8883ccc63037d19d46784372d93ba7fa0ef1614d8ae970545b63c

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
6af6012dc5529b9d65cc12defd02d74c

SHA1
00db387b25d2d0dac2bda22e32d7b661b9a9e986

SHA256
8c8d4e17099d068f9f15fc4c69f58f3a93aa6df0b782c22fa824bf870bb65075

SHA512
936423acf5a29160a339e899d16379f5b1af831659ec36ac57ed04118e6148948a90416d2a0b1827c57b8b9573657ce8114f4f96e6940fec82efd463104854ee

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
8e38e1dc64c03f42b1641f120aa4d6eb

SHA1
dc4b0ee2a672bd91ea467ae3bcb5a285f760da60

SHA256
938822f045e5a65ae629c9c6e6a7bfaa414a854c0c6d73db10ff462059c8823a

SHA512
3c4fdd98b4ff5de14a3935b708a3d194168487af05e2ce9a044848e98874467405f275f4e059e15e870f0bef75383a07df4ff96a520af251aebda99f41026e0f

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
678d0d9ea8633703c653c58412a67b11

SHA1
a975a35498c028d6089ddd439496409552524293

SHA256
1b85abc4cde86d5220e5ede0ec146243766dd14db8d01ac9e31bb3f0658d6ae6

SHA512
9b5cbeaa640c1ca7d5cc464a712d8f70be5ec6cfc831c953db5f2c730c6bc93d3326c97a75e3cdc4af35a957cbfd53ac5b1eccd504dc859f7c588c70bdab6a36

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
1fab00aca62ad810264350fbaaf6b9ad

SHA1
ab540d5a3a31b8901cd8f126feee917dc2ce86dc

SHA256
19585cada408e84035654785c5f469463be9107c3a9354e2475dfa432bfb52c0

SHA512
9fc8946abfa3a3630c22a3cce52c3c72ae96e01bd10a35da06c095e2a6cb8b62ceb4e9f1419c7ef9a2d6f3680bd5b465534cbac2aa5025f9d6c978f612b87293

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
a2d1f594529da0afcfef52d9a7a2e42b

SHA1
80a1cd6496912e54bbcbbb0488efa88269d8b79c

SHA256
d279d5c3e3cf7dcaa880412a0d31055a0edfbaf46d544e84e7c4b146a1736153

SHA512
ab34d0ab136e1f465964ff24fecebdfbe27c15f6fce818d89288af8a724ea883dc34e302b2e252bac7f6ee44be32500c5853deaff84f9c22bb60282dd4765097

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
60ecc3430b4b6e3c441886926f2f9658

SHA1
15b0d624d49902e7da8f179d47a1606791198fdf

SHA256
f23083642b6fcfcadc2d0a70dca68f7e5ac74959aea58e63934d2ba15b72994c

SHA512
0ba18f7fadd02fdf4f2dc67e39f10e01ddc64022fb4fdd9aad3412c02abfd96c0e6380375320010660b705bde8fe3b3317fc7e1e44997ed5b42ae2a29e9c581a

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
c2cc874707f5585d74429d420a024e4a

SHA1
19fc807e8c460741a91597b69740b9c33c014fa2

SHA256
a106ace886edce106d894a7f9c87bd82b7bc32fb942576d3c35373f3203d34ba

SHA512
d5e277c31577b6ff1e30c57c729ed661ab474a29e8c11679c69f4e9193237ff6d22cbab6b0918d7e9a9a681169bc346bd73c02e9e87a48c3637864b7c81ab641

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
32bdc9264582be77a9655d989a85c4c1

SHA1
83cd1505d00927b18c1cf342346d607d1286584e

SHA256
e212fa0f569e1fb4dfa948b6a850aa3e811ef67f2c9c40f121b1da8a1f29815f

SHA512
d9e87fc03de5d5cc38bd89bffd46d7da15bbd69125ace6d9f7ee27ee40b909e05480895c6934807604b3e8dd564ed7ee30373d8ec532fbb0bb8af9407d17a4e3

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
52754ac023086294ee5e339ab7395d9f

SHA1
6e2267a94ee58619bb31418ec5fbb1054c0deb5b

SHA256
e747c4d16fdb9933ae53bc0e86bd7517477a225986c781ad8e9aa50416e583fa

SHA512
ec9393db138502a9114b2fbf052585d10183ccbc9aa69390a4993ff6edc4a456459287638f03d81fb47096807208c663001437cd2df133d3d03f9781f95f608d

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
9eec1f8c006366d10514e1be5dee1895

SHA1
71fd84e07aa32008ddb55deda554372fb0b63d05

SHA256
d6b7fb884c628165404358e3f36c80e6f14478904d4ef6c7f01d9a34b5866642

SHA512
c460e0830a31013442a652ad350602a01ad2bcbeb7b7def9f0ac6f5f88b8e701a4be169e32ff50140d9c1c2f32ea87b8076c0665b226dd438c2a5c735d81436f

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
6b066512c3f1792aaf4575d6d28874a9

SHA1
730a7556fe0c5068a37ca79bf7da57673f85047d

SHA256
82e4ebb624170ea9675a9366f47a8121f10e26b5eaf42c13930173ed7dea2e77

SHA512
36f331c95ea6d697b190caed3e7e51e94f064f05de9ec037a8b49542afedfab2d77353bce910434b2e5ed77ffad5d50f5b7e97575a40c12dddb3de850a8f55a3

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
c64ae769c82bbf11bfc6cd5de8acf301

SHA1
888d09cf20bef20316e445784fbebc8c1ab6554b

SHA256
4a28afc6b5f197d4bf5b4eba71d5eafc42fff79d83396e361996094fba4c7d4e

SHA512
edbcae685cd4ac66ee0e08dd773e2be2a07e76e00593ec512f84a713ff41693bdc269850a0f345e17708cd25ca6fb1370215cd9e27380f13953a6a7e85f44fea

Download Submit
memory/444-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/444-493-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/456-254-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/456-142-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/764-0-0x0000000001FF0000-0x0000000002050000-memory.dmp

Filesize
384KB

Download
memory/764-101-0x0000000140000000-0x000000014036E000-memory.dmp

Filesize
3.4MB

Download
memory/764-505-0x0000000140000000-0x000000014036E000-memory.dmp

Filesize
3.4MB

Download
memory/764-8-0x0000000140000000-0x000000014036E000-memory.dmp

Filesize
3.4MB

Download
memory/764-9-0x0000000001FF0000-0x0000000002050000-memory.dmp

Filesize
384KB

Download
memory/960-29-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/960-37-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/960-130-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/960-28-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1068-582-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1068-264-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1328-251-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1328-581-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1372-84-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1372-79-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1372-73-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1372-83-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1372-86-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1968-104-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1968-226-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2040-201-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2040-576-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2216-228-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2216-577-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2576-13-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/2576-23-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/2576-22-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2576-129-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2612-57-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2612-51-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2612-168-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2612-60-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2848-583-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2848-276-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3040-131-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3040-248-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3380-575-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3380-190-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3656-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3656-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3668-157-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3668-466-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4052-89-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4052-87-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4052-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4052-46-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4052-40-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4160-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4160-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4160-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4160-189-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4260-91-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4260-102-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4416-126-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4416-230-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4532-153-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4532-574-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4532-275-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4980-578-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4980-231-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download