b4155205988f10ca595b675542e905ea9492e9a0698821a528871b0a61cd0c02

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_c17083e2c2bc757189e58e6ab1ebae93_ryuk.exe
Size

2.2MB
MD5

c17083e2c2bc757189e58e6ab1ebae93
SHA1

b9f2175abeb44a921d33f7d684acdcaac7af7602
SHA256

b4155205988f10ca595b675542e905ea9492e9a0698821a528871b0a61cd0c02
SHA512

ede7d240df0b57f42a383a0a2d5cc768b7863b2cda7e22bb101b052f45c221162e0f9b02b0a55f300f6308f461fe75ee5f2201c4905299d46af3ff5ed86bc6e9
SSDEEP

24576:FOObVw4TaN1wdhukCba4oXtgLhU3wEdmh58jTduSZpUR0GHrVQ1aW4mSOgv3isi:FOOh3aN4huLbegmtGypAHrVQ1/fSNvi

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEmsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3940	alg.exe
2272	DiagnosticsHub.StandardCollector.Service.exe
3888	fxssvc.exe
1452	elevation_service.exe
2156	elevation_service.exe
3596	maintenanceservice.exe
2532	OSE.EXE
3808	msdtc.exe
2580	PerceptionSimulationService.exe
1772	perfhost.exe
4272	locator.exe
4968	SensorDataService.exe
2644	snmptrap.exe
976	spectrum.exe
4856	ssh-agent.exe
4316	TieringEngineService.exe
3492	AgentService.exe
4940	vds.exe
4744	vssvc.exe
3848	wbengine.exe
1812	WmiApSrv.exe
4592	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe2024-05-24_c17083e2c2bc757189e58e6ab1ebae93_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e16083d58beeeac9.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_c17083e2c2bc757189e58e6ab1ebae93_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_c17083e2c2bc757189e58e6ab1ebae93_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_c17083e2c2bc757189e58e6ab1ebae93_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_c17083e2c2bc757189e58e6ab1ebae93_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_c17083e2c2bc757189e58e6ab1ebae93_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\RestartBackup.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

Processes:

2024-05-24_c17083e2c2bc757189e58e6ab1ebae93_ryuk.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_c17083e2c2bc757189e58e6ab1ebae93_ryuk.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007346cb7fe5adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000158c9380e5adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005d96ba7fe5adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f5f8bc7fe5adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d900a980e5adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007346cb7fe5adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000090f5fa7fe5adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000840bd07fe5adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000887d2380e5adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
2272	DiagnosticsHub.StandardCollector.Service.exe
2272	DiagnosticsHub.StandardCollector.Service.exe
2272	DiagnosticsHub.StandardCollector.Service.exe
2272	DiagnosticsHub.StandardCollector.Service.exe
2272	DiagnosticsHub.StandardCollector.Service.exe
2272	DiagnosticsHub.StandardCollector.Service.exe
2272	DiagnosticsHub.StandardCollector.Service.exe
1452	elevation_service.exe
1452	elevation_service.exe
1452	elevation_service.exe
1452	elevation_service.exe
1452	elevation_service.exe
1452	elevation_service.exe
1452	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

2024-05-24_c17083e2c2bc757189e58e6ab1ebae93_ryuk.exefxssvc.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4880	2024-05-24_c17083e2c2bc757189e58e6ab1ebae93_ryuk.exe
Token: SeAuditPrivilege	3888	fxssvc.exe
Token: SeDebugPrivilege	2272	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	1452	elevation_service.exe
Token: SeRestorePrivilege	4316	TieringEngineService.exe
Token: SeManageVolumePrivilege	4316	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3492	AgentService.exe
Token: SeBackupPrivilege	4744	vssvc.exe
Token: SeRestorePrivilege	4744	vssvc.exe
Token: SeAuditPrivilege	4744	vssvc.exe
Token: SeBackupPrivilege	3848	wbengine.exe
Token: SeRestorePrivilege	3848	wbengine.exe
Token: SeSecurityPrivilege	3848	wbengine.exe
Token: 33	4592	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeDebugPrivilege	1452	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4592 wrote to memory of 4768	4592	SearchIndexer.exe	SearchProtocolHost.exe
PID 4592 wrote to memory of 4768	4592	SearchIndexer.exe	SearchProtocolHost.exe
PID 4592 wrote to memory of 4020	4592	SearchIndexer.exe	SearchFilterHost.exe
PID 4592 wrote to memory of 4020	4592	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_c17083e2c2bc757189e58e6ab1ebae93_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_c17083e2c2bc757189e58e6ab1ebae93_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3940

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3328

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3888

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2156

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3596

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2532

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3808

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2580

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1772

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4272

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4968

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2644

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:976

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2168

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3492

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4940

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4744

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3848

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1812

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4592

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4768

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:4020

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
d5f2c8e680c3cecdccfe1463b6b6c87d

SHA1
d7b19e9d79cf0daa25cee893916d9b7729ebc0cc

SHA256
7e37f8f5f6dd7073764cb215e4fd35f866c7400640211a90b22ea6dbf3fe2a02

SHA512
b16617652c8a827ad97e945462c877d2b5c8bbb32cea157056f2844e7024aa34fd316f86961c125aef2f5758f354dd779f725f298d1754e2dd657ebac6036429

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.7MB

MD5
e01be454c3f8b3d21fa38e4fa2a92e1f

SHA1
c73e12cacbf0168b3b5c9a127024b31e32592f4c

SHA256
72eecced882638b1b4332aafdc3fd5f47eaeb58abb6749f04be977c726b4e993

SHA512
a50ec34177bc4fd34e7154913b78ad4bec9f84a7d712d32754862ac5874e44c5eb6d8a3fa82c45fbbadc18068c9a33b277110361df0c9f2c57697b33ddb3e892

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
b652d3865d5c09dc8526901e24d9f669

SHA1
7c9dde17c79dcc30cf7b72ddea1c5c9e196112b1

SHA256
9190664d737a27d289180ea138bca1bcc0db1868fd78301cb53b5d426a7fa62e

SHA512
c22772addc90070320e2f44a34efa16176618af3af3d80de0ea5c8296eb23f6522e37e76883a0f2ad86e4d24df26565e87afdbac18f90f68bc78d82b3dca4550

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
ccb3a0302bf1573019b59e239e6f6c3c

SHA1
21eca00b7acf06bfb123a8fb9cceb001d40f24d0

SHA256
7feeba1a8c290a74d584323a496c9fa52bb5539bb188fee37bd85e3b001a439e

SHA512
dee24a31b9269f98a78c6d6807f03b3b029dba238cb59daf6059bbfac7a456a28d3e3cd6695206340427ec35b3feacb1afc8e3dec48df7da91a8e2bad4379514

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
76870f6b07a3348845e0279f8630b243

SHA1
c6e89349e64cc68903ac3fdcfb14db38305774de

SHA256
1bf7939374c55c5aefedc65a48a67a4955fea1dc5aa156a0d1294a8d4caa7fbd

SHA512
3c8ad850acab2be82fccdf59a66b273b33bca933860466565c72edbc6f8d4822ca3c4c73ccc61cbd4ea0eb760c16f4f4c5334cf05dfda8320b5db64ff3f94d5a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.4MB

MD5
8d9efd56d206c0a7253d006ab0ed32bc

SHA1
c8e1ee6e9ae58a08a1a3b7fdb0ebef9c85086658

SHA256
a6498f72afec7c4098c69ceb02b0d9730024f7f5c9c49d7ef27b45bb78c0da4a

SHA512
8673b9e629051f543e099bd28db234815fe13c76ca9ff3103b22c472b5918745aca08c4b857771bc898cf4074e04b4702a50e0c498b238dab09a0858070150de

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.7MB

MD5
4613a3308c47512c1a67c22c1f74d7a9

SHA1
a9e67270830c8a8326acda6fc6bc71233e6ef7bb

SHA256
9c5213d4c46e3552b7e19f79fa9b9bfb0760d9470ff4739ae4b0bc253eacf21c

SHA512
befcca2f8440d659f899710e0c17a54e3add6c1d306238dd9d82e5dbb8cf40311ad4b79f393007a130430378e6fedcad6bcb0a54a4f86183f848f61ac8094c44

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
8c09529ee3b0d2f7dc9954227eebb7bc

SHA1
f1c9b9080fce9712c3738b734757e6cf297b2a23

SHA256
f783fe41e46b5ee34d268828a4f2dbe1ced85e2c640b0f848138677f2a340016

SHA512
629f36a3e1c6e5edc39058303059e466d1155ebc5a7034daced2ce144fa7affcbcb45f865745a6275937c22159c7e3b64b4dfca7ee88a76de1c6b51dfc2a7034

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
e2757934cd26d59ba1c6a082098a82eb

SHA1
aebc2aaace94eb0a895d3f774283b9c81b798866

SHA256
55ef203968444232d47dabc89f61dd97794cba4a50ca88657789965bf38c0b67

SHA512
a1a9d6c878e1b17eca11367f6ad947a1dbbd24846dfc9d92b2bf0d727dc267ca2112f9bbe5ded6a5f9ad1f5b5b382ff4f1de6e089e650b95154b8d10bb2c078a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
73cedf76bd171329e65305b26426a74a

SHA1
cf675d85b4c742b9b18b4d7582e209f86cadc397

SHA256
d0cf9a1b04ef019114c2cd8d9f74fe8eb87623c3a7e0a0d30cffaf04092fc377

SHA512
84ffc659f9316958c5fd90c1e4710f77cf7de443ff8f4fc6a755c3b54ea8a811cd1eeb145e1ea2b47bf073b1d01a7c372f08e6f42c5f90ac0178b8c33a26f5c7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
08ff5574c28325706a8fc37ea7101d78

SHA1
3365456416af2f7c06ee2062dc2c956b68771cae

SHA256
fa862d80f2560cedca3c541a227d5c386bb24019c3f9816cc932a7646bf1f720

SHA512
2241001dc5d945dbd57d53d43163230a77fbae946b9af40176d5842c374f3a2282956d8b1f8bc6a731bd5a9f742a64652f6eff7e3a2b4c77592fc451a081b3bc

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
f9076a49d753e55f094489f4291e4c15

SHA1
ab388cd089c2a255788a471170b99d07287966e6

SHA256
5f46b3f4caa021d72b4073825bbdbc7a6e12456e328c11bdbf76d5dba42f8a84

SHA512
6e708f105140b5f457a7c0e4581f2a8fa09491f6efa9a97150fdf7c4404a2049ca59720ea30ce40afa849768bc56e26d11ec2b57e90f6780fffed5ca75f8068d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
bc6b6b58766aaf76fe0f1d7a00927edb

SHA1
7e2bd5fb3e60adf5a90a06896c9b2c54a7ac652b

SHA256
8ba51ae48355c342270d95141f5dc61609e14e1e817318b431963fb56cefabdd

SHA512
369f9a3721ffa0efa84e9d393bb2d9c6182ab6029d0b64de4327395df0d2f8b6da365bc6bb78d8ed0133d72c990c1335663deac697f4f9b0bcf7add4203e737a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
6f88914c22c5e010663f937cd650ccef

SHA1
034d886a438e078ee0573a3714f8f1c37a4cb732

SHA256
a05bef0630066cf8cd0766d45b87f688020f4f54a43c6a19fc886ffeeed95b8c

SHA512
63f92285d4edd65285a649a664ef89ad01ca3a37c96f99cb5274a87c3a815ea022c70644d2aef2f08d247f4f18685b7d5a9d9b40ac61993a5a454648979652b7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
903ba12e98da4f69b3b5c01293d76ca3

SHA1
f7be01088b8a475fabd8874e4d45ef53b102431c

SHA256
6eeac2312798c01ed9f5bd3a400173d14029ab9ffd1ab7b62f1fce878cc64d17

SHA512
710413cea24ced854977434c67023bbe715037c372faaa5e7d89f84bc1c394ba9790a495808bbc3b2020870b09a85dd735d9261d69b65981607e1c1b0c17a480

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
6db866ebb9412d539e9c785d84e3130d

SHA1
2ad6191020e49285655eb439f65633867fcb9940

SHA256
e63a83cab2f4c286ca75ce7ea9b94c5dc2e2f2aacd95faffc45d1b884b546e0d

SHA512
88dae3db188d5d6364c69c37c95b608be2d3ac250d6ad82d1c3c38c8c2103a1396177e501805011b27770cede36b0a97207e668ad9b1c4fde1fc69eb50fccd2a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
1e1ae7ca851d6823b6b590ce8aa9dd8a

SHA1
f8fb67f5cdebd98f5dac46f8f85afdb2ddf34d4e

SHA256
79187395bad660b5de0fae48ae91d95bce7c7a269929836196337a3829069c1a

SHA512
3723c6514e8e7bb5eac4faedda24f2d75bac67b744dbb724aaa028e6a675a97be83112c78be3c4b0366741c326e3c8522a1cb519fddc455f0e7ddd2b61163bbd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
aee7b6b3f31026df60ed584b8e82326e

SHA1
772404f41a9d3baf0e25346c454c40b27ade04e3

SHA256
eecef8234d1dc8755683956d90234234f231260cedb0a1308c2cc5ca71805d2b

SHA512
91c3c01af5e2570696ed316066317abc6d39f81380788273e0d97044872d2ec7193b3fd469474220ed92b1b7a5df88fa5a6cfec4d6edc125b44c1d543eef4919

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
a9f5069f93f867f6e474d27b727273ee

SHA1
344ec3b4a36b14148466a1a6838aabd786d8e570

SHA256
b9404274cd6a1f877297e36893fdeafd0d6d54344fc30b261aacaa632c8977c4

SHA512
47de95c7b39cea95669cac1e559dda0384b5684c985bccd2584b3f146032fa6cac116d9069ae4be40f6e0e775da591c0edff972ee982c3c8f75a67458fa5a5cd

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
293ffbf2578b66520ee23c93a0c1786a

SHA1
a97a87e35a9dbf357c9e165c77ec261698f9029e

SHA256
86e6c045cedf5af0178e1a0f24bbccf970e9a5d51eeab57d0ca4846a06da319c

SHA512
c5c9da8f5e6a82a83315978bc786fcfa497a3bcecb98a4f4020a7ba47130edeee3b49ac0da662dc6bf9bede03fa2b13fca1359995da43c56b5d339f1c50fe4c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.4MB

MD5
fff32bbbe5f910a6ba13e9b0fa86205a

SHA1
b2f0c3eba6a751263c489a9254b16d5ddc946ff2

SHA256
16518f5ac12d342508c4334d324693a91291620732b702fe620e882d030bb266

SHA512
fe4c9fec69ea411a31dd1c6a6f3dd2c39a8ea6841c16058461bd5a367eef5cd7cf59a4c1f77ee4ef76bffc8448246aa4b69125192d1aa05c18450ad681ad692b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.4MB

MD5
63da507376f0e226016106c629012669

SHA1
0c321d22f9a4a64b2a0dc3eeb43291eda468c5bc

SHA256
a9aec74a8dc0552ff84c39d3b429cce3bd18e3bae3927faa65bdaeaa18ee549f

SHA512
fdb6238bc608c91942143233e8b0b5bb32b74cff55c46437ef3b05b65bd0f3a9199bb1e47363bb42001cbe8a0254f770d153740be6a6dea1e066b99faeb58055

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.4MB

MD5
4d21207a2b09429d97bd1379e476a9de

SHA1
4cce00278928d421702b464df73ba76c9a004264

SHA256
9d8c0faac6f4c53c6c7879e4ef70282dd45004e7dbe3d12aa00d6199c4ff1143

SHA512
9dc634f30a8e76f00473c12fc78b5f385a846fe1dccc0810de4acbc31cb43d8fc7f694b227982d1695cd4233827afadc20ede58f7742d89584d6ca173a2bbebf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.5MB

MD5
573501afb18d3cce618ba6f43ce87899

SHA1
28b91786736aef7f9c5276254524501895e732e3

SHA256
e4cb0f8d4f4679e8cde79e63d3a3cdfcf127d7cc884794c5d1458ff570cacbad

SHA512
2ee28e31f0657a983d5c67c1f8ffa6ccb54c24c750a3651a72f73b7d9144c7684d25ab7c6b9451d63befa6af1e24222d749784e6b67689484fe3ade20e3d3c0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.4MB

MD5
f31e5844f2e56fff3436d448879688ca

SHA1
0bdcf62235ccf7f10aafca44692cc557349ee30c

SHA256
897e2056e8eeecb4e612e19c1144f3ecc29a52cadee34de17fefa64bbe3bf8ca

SHA512
333c89643e0aae28a22591be582a3912464cf413c36aa7a2cc6dec2b472c5111ab79cc251b3d9a0c36e3ee931ee2a6895a3d6c58c17dc405c9b87675da2e5b53

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.4MB

MD5
ccda66e969a157abc08bb08b71141deb

SHA1
7bebff2cfb8db60e0a47b61be67182dd9416c9eb

SHA256
b950341c6ae88f2ba210d0647da4e06744e3cbd41c7f8f8be90be3d6f97de955

SHA512
834a4dcdc20de8a09359e72e1783ca3ca0f9813128f3254df8b3217c6c7690add576b989fc63b3491116c7af55e4eec8c7081e77998e0771dab5ba4ac3209ce2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.4MB

MD5
d6f3a59c8babb9419af136d90a7003ef

SHA1
9e2878ae494ad580fe8c62899a72de0f6599dba7

SHA256
7580857d4fce3046d9bc75fa03a400fa38cb8a11f485f1cd5bae74211897b4c5

SHA512
bc73fc15a835309a20d89acecb3d73c74ccf61715de9cc937db397c4b2ed56d13a2baf7f41ef301635caefdbb8917070e1e377a3274fda021e9389138f59b73b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.7MB

MD5
275ddf2d7fe84aa124ad762b361f8080

SHA1
c6d09f6d0776bb3c0e59cda715b669205651d902

SHA256
84ee6fd3cf92b6b6a3a8cc7659d39abea4533154e37a83a9aac7b5a7117ff7d4

SHA512
4d94651efacc28008c2c8427270395d0d1623dff13274feab45ef86fc98c3a1fc6938552a143731becc6ebbb94cc33d9c6c23e5c29a87fdd4c9d3af8c2e7abe5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.4MB

MD5
da046a3eac6889fada92ccb946342a9a

SHA1
6b94c290373d12a70adc73626280adf89f466c1c

SHA256
d008e02be85aed19936df98d856ece08e91034c45450c4e4bfeff29f4914fb8d

SHA512
26a8b9c12949d3382b99841a767c6a20ad2a1ff7211881baa1ad10649ba54c262f547ba65c6cee8fc71c7696ade4f928149c5a5eed6a7a5330239a7f0e036546

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.4MB

MD5
1e2e1fc2d7cff52edbf7b21e85e8617d

SHA1
b0e69a4f3e95f454223ba63decd3fff4d80ef030

SHA256
186d8425ff71ca95d9f47c177d5b14a10001730a6f8cbade268bd2e6e8d2fc02

SHA512
e60fc2569ae0f6e16027fb250d4e34d9cbd27b6edf2c99172d69cf7d5266fdd452b4a6b9a0881bd5dafe72e688a0f9dfdda6c656b598a8850ad1030ee14962d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.6MB

MD5
e406ca54cb44c8dce994ca269c0169c9

SHA1
e0101964524c65f095e2cf4147830a9554ca1d82

SHA256
215cd86bf7d286fc3256109b105ee2b078ce50b6b7447501250efd7f28f2811d

SHA512
29adae5d4ea5db337372e75b35e52b9f046afac822755aafc9707c0137b70540f6ee77c9654501b77dcd0330e876220d5de6358651f64fb1f011a731ab3a2897

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.4MB

MD5
dc3faf60151029ba550c973ea18ef03f

SHA1
584ec59dea290524f09511efb717066c28d05488

SHA256
b0e6f05f2bd97ee7a01b2fe78c698bba5dac0e14e3d6fb6530bc41ec24a73e3a

SHA512
0b562d3b9361b5b88e9a83013d59523f3e7ce04b1f3dc1cdee97a6720823d25561a22b9baf1811592a2bb41290372f71392f41f1d9505a592388558cb9511b34

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.4MB

MD5
e0dba0f172cbcc6a71f595c8c43372c0

SHA1
8e0503ab3911d6d97e1a0edecbbeb92772589a43

SHA256
78dcbf1d76d01175cae3a3478392c37ca6ab4266a498113208f7c43d1f6d22c8

SHA512
c33033caf8918000b20ad95bcd284376133845a33704984c7cafb15f00a00b516a539f200f6b21fbace5c629a8a0891491878036bde8bf519e80c1dc21bc408f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.6MB

MD5
a1d147779e5901492fffb86cd4a793e7

SHA1
a859da6537080f358139a89fa79edf9ebc5532f9

SHA256
3f40ad9de3a2f1a325e9b234d56ce12599ad01f912ff37083b61ca724ce7c38e

SHA512
c590b463559deef092dbb664085af793ff2080015d0cc75e910bccf9a7418c18377546d7430972e8167fe605131f53d9a8780f2fb3edf4d9ae440b07253d8bc9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.7MB

MD5
8775e47139adb5a362fbf2aee8dfba2d

SHA1
d02dd979ced06a4d061ffc886c459084345d2a77

SHA256
ddd18ef58142b9e5a4698cd1bb22ec925ae980f47b8460bd49d4fc7c2f3529ba

SHA512
91d52f69b633b5973638f2b760203316aa045358188a13b5dc10b55ffade8a25d1edc8ab623f357fa108edc3a7b97637fdd1d4ef4b61cc8f076c6b7b46446dd2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.9MB

MD5
be67de074275b4adec90126e08a19774

SHA1
8345f87eb3e59c9323bb14be061b284d96c008ca

SHA256
a83e4145b1713a1a82b61366dcfce5cf0d336aa97f18882b14da9180676a6a80

SHA512
04b87ccb46376e7e8f3a7bbef999a5992e313f169abfe504d9b60829bdde3dca6098af693a47227a89dac74be44c1fff9e086ed9f3d82e75a97e461ff38a6e8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.4MB

MD5
798cd12c301b412b90b5d2c9a306d849

SHA1
43ef1dcc32d5d9e83ece8073adab209d7c4759e9

SHA256
f09d0687c40eec67a997471ddae5b8e9f1ea5b64f4015cc523be2a33f80f0008

SHA512
be6fc684bbdedae6f5efab96cdf90a8818868f6113963f92154b0b0eba6955e557f1a94c8c7eded2bc118d9c4036f161f3da0591d8583b272ff307f1029128b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
1.4MB

MD5
0aae806245df4f53e285b35cec06d1a3

SHA1
8455061141f1f3327c65cdb07a4f86c74cf7c146

SHA256
78315ea474ca9ab0814f4123c5f48951ec932e2e25c6b896b2ce89152eb7f135

SHA512
c76bc91ec3ae7e60d224b99c619fcc4d6ef6974b1deee4c19f994ef622e1f00316713154a77850520102b74413941f4d375177f6ab88ee2ed975dcb4eed8aea3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
1.4MB

MD5
74707d76eb87a74b1e082a9c561a41fc

SHA1
f89a769b8a471532d1a546d6a0dc1af02e65d1bb

SHA256
373570c35fb118163d3f3cce785b06dbbbb3f7de08409d2f4d340f59998e34eb

SHA512
c82f6171d15a64a4687b48002aa705baf53c7c483c64f19f5e136a39f004b578cc2dada7e7a4baba4fe2ab7a33b71302a5d79a8d558f07fb10ee8420676d20dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
1.4MB

MD5
b9431a95251a9ec89be687605621fe27

SHA1
e4b3449ff01b1b9cf0cfc3bae864a607bf0da02c

SHA256
1ecef503cae2de2e65b5d8a157a4d51a7a95616a3d455b2045dfa37b0ec8e35d

SHA512
960c9856d1729378952ab06925cbd50d2013f4d6971442bd1572f76b4be56a0587dd702bbc2ea5b59a54190f6aee23c73c5fddf54db6c3601f33bd4e72076546

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
78506c896039ff1863a0d1537c4b4b44

SHA1
40db37fda3134ee92f25bf353cdb650fe2517211

SHA256
8fe1f0a22c7c19a86dd58b0e4cc41c79951b14a96c0cd1f5bdce0affdce3c49b

SHA512
9af57e734db7c335b304ba01f3a8693bdf6a5afabd58022eb1c3efad4c537279aaffba7039e522dceb2132935407fde1418a2c04b1ba2764d4b3a8b04258a291

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
a3de26405bc3d5a172041dd0e27926a9

SHA1
d954016b0122ef7a0c0abdae602af59282d8fa01

SHA256
98c7df4b6cdf0481f443dd9a1421a62d6d9eb8b73446979686bc7353b002312e

SHA512
5fe72289dc613938dd3dcad42560c48856cf775b539f6e71eafe6677833df9d6261ce55c97df21c487a1fdc9531b87af2d1b57c7474d8c61e0ac68486cd36b56

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
8320fb5032d5e61499925a46d85f92fc

SHA1
6793574103439d318ba45ba72c09adc87a626dd4

SHA256
d3e7a5d2a30b5a7bfa8246004906ae4ccdfb82f5c2d8f2d4f95e65aef559c59a

SHA512
f73210e2342e38f3da8c3291439abd6de132b698c4336e140b925bf710f4fa057e165dcafc1a8c82005c282dc8eb30839e343392a7ec63d80ae5ef2a539d414f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
330cb4d4ba513cb9eb11838469f6e009

SHA1
122ce6e5c08df8bdc3b00065d5ff4e68b94c5b40

SHA256
c71aa336d9a67f8c789cd23259436252d00588fe117dad24a591078a4a639048

SHA512
532fb4934174594ca1ab64173d1dc25ef56736b81b10f9e80e03d23ac80b7b9c1d79864a1a4a4ef9491a45f67fe4a8996a3bc6b65346f72c63aa0136a2336117

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
916e42259762691cd84d20d5e973b747

SHA1
f96366e6571a7e7eb1d8bb4a29aeef460466ea71

SHA256
c37e1d14495dfcb011781d0ef0e6cf0253f2405451e16ae2acde0dbd3205370a

SHA512
684b4c0a75c3801d4e7692d6bfb1fe45f165533ff5d9577ca6f84ead822de67cdafad9ced762f303be878b553bae02bc37ba01cc6b49878d3830aed6afa60480

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
571ddae744fef99c86e9cd27398561cb

SHA1
3e1cb24a8777b3210db55aa0f7bec0bc4525111d

SHA256
b9825f7cca3f234721449668b83c629ccff43e5b5e6baad46c2ef3fc967faab8

SHA512
89d2007307ae7fac4aee47da24ad6f043f83b8749d5db267f8df0c3de8441da3aefe9bacd34b297c8fe007b0cd0ccdc1827a2e01c86765cd6a5a4677338caab2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
1f17c3954df9b000ea2016e17e172d20

SHA1
69f1115f0b4efbad20e9501d2ac1c4d1b9df7387

SHA256
c7ed25277009b3e12cb6cd7ecc2e3033b291c685d8cfebbbe0293dc72fc844cd

SHA512
128fadd2fd65f5f895c7d3341bea9ef28b9d4bf0d055ed553a646669030294fb4721be9e58c30444705421c578a8dfc9981d4ca16cbd0056142f73027e1d20a9

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
df35a38a372ba10f01db64764fea847c

SHA1
84a4df1913a4d4128ad1d179a9a8dbdb09c2df24

SHA256
00ce902ef06b5c930daa7fdaae3a42f0c62ff611b09304f1292793c0a666c7d3

SHA512
9bbc7828760eab0cd9553360bcf4f23d9ad4119099b4e0d1c3f24815cb5a1d32d48f08996aad20e1eb3e06db270db624e09daf99d413c98602c15d240cf2efc3

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
3c9afdb38cd0287b5edf59442ebeb4b7

SHA1
afecd1b15201966b4ba93831ba7ec0219e64813e

SHA256
a5ef7f377a026cdf8ac3d396354dc380fd234d3a9230c5e66fc1d231821b8d4b

SHA512
4b3cdcb0d4da2e0978b7eac00c21add7f0122a59c7431c8a4db925faed206076df46536600de6ae4d99fd9bb3c862a21f9c114e5564e40c10d15ef946a898aad

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
71a93c1ad383893da7879340650667be

SHA1
ca4f3db8902056ad5d2fbbe702fc896872bd9f75

SHA256
76b9cf4b1b455e78421f8903fe0157734f0aeaabe85f119210fc76ba15538998

SHA512
d67cd5e89823fc69668644be7bd8758de325e205b03b6e16830cc075e42f9898701800378ff32ca45408b692c8b37f3b50b36aacdd2965f77c4cf1a3fd993e2b

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
8ab471c313d837a0fb8cd20ca50a2eed

SHA1
ae49ce9498250db47a9d59c71923365d016d30ee

SHA256
75d79d7039f02cabd391466285204364b68ab3e479b0b3ddaf6c5d8e98ae6a12

SHA512
ef8a3d0375bf8bda175f51faa15296b7a699f6ab6015008237dbd0ea49935cd0bfa6269556489ff07a6b7085bad8244d283b663cb4a9bcdd8a8cf14d00974b0a

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
c61fe14d73293f52ece931b663bb790d

SHA1
50bd6062069cb0db62857b9cd4362bb1fde59d1a

SHA256
66b205f76782dea325cb407bacf53746fcb5ad93543364a627b64e4585db1d50

SHA512
4ff9b756e65eb16e72cc7e25a3b7256287c6fd663d86f26816e76b97efabe4638b97053a3d2ccb9c6eba6e7ca761fbc38b54378af23b780ae43c6396cd44f788

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
9dc5fb3d8b0f6019b46f8cc2a7f182e8

SHA1
378e0adc790fda1142509f29d2c629c11c823c1d

SHA256
be61590f405184ade0784cdeb55ff83f0b9163de2cd8ba76cb9f22eb7b9657bb

SHA512
3b3e897f56b474fce3b464ab79bd473976eb5c81f2a05c39905a83bb1d92c48ed823baf76501e98e99e4ace07d69b7d58babd20ca82d1c8c0c7c589a2a4ce1d2

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
2c58fe9930ca6658f48f2a83e7907597

SHA1
6d974069b8f04e6708865523d55b794ff165193c

SHA256
41cb9b560d73c2c6548a0d3fd5e98bb7afef4c9e3bf0a8b68bdd907b4e6a3d59

SHA512
e2b0c984a32eab942d86969ac5a737ba6add699d8efa734db0d0205e17cbf16e259f5767af59e03174245ce73b343d3db696fb564a020c050268afe136109ae9

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
f94a43bf9bebbd6a81b17ea2ee0aa52d

SHA1
e9589772fe7c46e14b52ccf13491f1284c8ce661

SHA256
34f4ccacbc4b3362837ad2de67a68315c6865712768a533d08fcc40a522eef33

SHA512
c3fb142ba55fbe066247e50c645d293f2b4ec11c7837f785b5e2ad4e17ff955ba363217f699d6ce3a835feefb282e48f7ed9934a36a9bf469a679146100d2407

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
bfec358c8875296448c6f63d800e12f0

SHA1
e4f3eeaf0d5b6f9a9507df0aa8da917a30b7db67

SHA256
e63a2b3f855c841a41e0113706434590526a61b016a1ab01e19cc05a4f60a0d6

SHA512
96bcb75e5940c90b0aa899abcf9ca678200cf5bc776328a63a97bb8d14ca554e297021e51f1025c0699d6b09d4b5621d2dc8e3335e25c1b30fc8ea756262c7b8

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
43e7a252353673e75456f604e11b67ba

SHA1
7348fee79c24ebeb892a25b8efff175430f93765

SHA256
692ac7399cef2661f899318e5b52aeb2725c36e191d6f51d7b1ebda2a181023c

SHA512
044880f8d0732e724c7699449a5b3ab6ebacf99e73501afd400f97530865a3dd1b9cbfd57c10d820d0b7e5e6dc63b3e6a84f38237232eebe9fc2ee7dfbbaa69d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
28c416aea95e765c6ac417449c13b24a

SHA1
683f9bb2fc1aada0447ba6dc1c67ca969f1908e6

SHA256
64cc45801eec72a3f12249a894bd0c0062bf6219d522675ea856dc2bf2474e7d

SHA512
2c769bb19c6ee8f308b5571c95bf105a64aa2383bc9a4fc1a1542cec04e7ba635c4e5cfaf95602a4154907474a29045103aafdc8bf51fcee76a0cfa0cd8b11b9

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
f1ba18bdb93a5fe321eacc4945f7daeb

SHA1
aaede9b5eb44c7d4ca7289f5d122ae5008da2105

SHA256
cc02ea54160842ebf0b0f8270e252add5eb0337e5c233b23d638776234c37211

SHA512
5ff2fcdf8f8819f5c3bbb4c837f3a900c1263baa961171d6c4b03d4ee16d436a85622c2ecb91c21d778109ff7cc203387c72c081e78327e7e437b8e8f82880f1

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
fb22f2ca81b441624b71046afc9a7572

SHA1
4766f013ef4bacffd0000b6e748afcacf8dc8c82

SHA256
cf13da64d531c8f4ef9d6dcf4b63ca425f19edabf8d840b6fd50747df8d07c16

SHA512
0d7dca41f15ef866256cabe3422b316eba031773b4d4c83a2378c37f20639a8112d2d8461ae842d347caa55678d634fa97b8c9dacf74ac461cc5f6f2ece97da9

Download Submit
memory/976-292-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/976-495-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1452-41-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/1452-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1452-34-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/1452-247-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1772-272-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/1772-273-0x0000000000940000-0x00000000009A7000-memory.dmp

Filesize
412KB

Download
memory/1772-330-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/1812-335-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/1812-504-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/2156-56-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2156-58-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2156-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2156-248-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2272-244-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/2272-26-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2272-17-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2272-25-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/2532-76-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2532-84-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/2532-82-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2580-258-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/2580-266-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/2580-264-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/2580-326-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/2644-290-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/3492-320-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3492-318-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3596-74-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/3596-67-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3596-61-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3596-69-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/3596-71-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3808-322-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/3808-254-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/3848-503-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3848-331-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3888-31-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3888-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3940-243-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/3940-13-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/4272-282-0x0000000140000000-0x0000000140254000-memory.dmp

Filesize
2.3MB

Download
memory/4316-315-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/4316-498-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/4592-339-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4592-505-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4744-502-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4744-327-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4856-304-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/4856-497-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/4880-48-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/4880-0-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/4880-8-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/4880-9-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/4940-501-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4940-323-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4968-496-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4968-286-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4968-338-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download