ea0dcdcafb5fcaede3ec255a5c497ebd72cb9a9ec612d55a17ef2693dcdd533b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
Size

1.1MB
MD5

3734f4f04cc3428bb6a5d769563749d6
SHA1

7cfec88d6eb4b0527312d51576b813c9cf7cdea7
SHA256

ea0dcdcafb5fcaede3ec255a5c497ebd72cb9a9ec612d55a17ef2693dcdd533b
SHA512

57f761eef76c31c6196b1a83b529abc5db71697f5fe8a3f6d42b0cf5a67364761f9b5f1a8af1546eb5c83b9ac628866e8a54a0c313474027fcd9ed1ffbfb6740
SSDEEP

24576:NSi1SoCU5qJSr1eWPSCsP0MugC6eThRSkr2dw0tbBFWWCKPlpp1IOn:1S7PLjeTfl50VB2KPDnIOn

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1552	alg.exe
2256	DiagnosticsHub.StandardCollector.Service.exe
1016	fxssvc.exe
2292	elevation_service.exe
5032	elevation_service.exe
3664	maintenanceservice.exe
4440	msdtc.exe
4048	OSE.EXE
3368	PerceptionSimulationService.exe
2272	perfhost.exe
2204	locator.exe
1408	SensorDataService.exe
4720	snmptrap.exe
5060	spectrum.exe
3420	ssh-agent.exe
980	TieringEngineService.exe
2776	AgentService.exe
1808	vds.exe
3184	vssvc.exe
4708	wbengine.exe
2672	WmiApSrv.exe
348	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\603f3a9b1ed82f9f.bin	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e69b71ff19b4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000403c7d021ab4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000978507031ab4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000964bed021ab4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000039ef4f021ab4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c01738021ab4da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000885bd3ff19b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a72c2c021ab4da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000039ef4f021ab4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2256	DiagnosticsHub.StandardCollector.Service.exe
2256	DiagnosticsHub.StandardCollector.Service.exe
2256	DiagnosticsHub.StandardCollector.Service.exe
2256	DiagnosticsHub.StandardCollector.Service.exe
2256	DiagnosticsHub.StandardCollector.Service.exe
2256	DiagnosticsHub.StandardCollector.Service.exe
2256	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2664	2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
Token: SeAuditPrivilege	1016	fxssvc.exe
Token: SeRestorePrivilege	980	TieringEngineService.exe
Token: SeManageVolumePrivilege	980	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2776	AgentService.exe
Token: SeBackupPrivilege	3184	vssvc.exe
Token: SeRestorePrivilege	3184	vssvc.exe
Token: SeAuditPrivilege	3184	vssvc.exe
Token: SeBackupPrivilege	4708	wbengine.exe
Token: SeRestorePrivilege	4708	wbengine.exe
Token: SeSecurityPrivilege	4708	wbengine.exe
Token: 33	348	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeDebugPrivilege	1552	alg.exe
Token: SeDebugPrivilege	1552	alg.exe
Token: SeDebugPrivilege	1552	alg.exe
Token: SeDebugPrivilege	2256	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 348 wrote to memory of 1708	348	SearchIndexer.exe	112
PID 348 wrote to memory of 1708	348	SearchIndexer.exe	112
PID 348 wrote to memory of 1828	348	SearchIndexer.exe	113
PID 348 wrote to memory of 1828	348	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_3734f4f04cc3428bb6a5d769563749d6_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2648

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2292

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5032

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3664

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4440

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4048

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3368

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2272

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2204

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1408

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4720

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5060

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4644

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1808

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3184

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2672

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:348
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1708
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
cab3be8d6e205b460047d13e3551b089

SHA1
564d7b48507a55adba3c03387805698513fc87a3

SHA256
01e0e81e7420fc329c2bd9fbeea56202e9c0c8a83b9c33862bf7a459d03e8490

SHA512
8ef9a0ce04c668186d73168199b8cd2a4aabf3afa599357d427682f9b06b24aef8ca3715cacca6c11732b28c2b7df8a0030d6494a2a7958191747b6385b28791

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
dd0570899918948be186e2e831b7f033

SHA1
f8cf77a069bcf1988c4d30c764badb29a6a7ad39

SHA256
462f41db2f5e50ff30c77e9ac842cb8903a48046b69b02a702ee717ff5f7b385

SHA512
455bfeae0c4c83b503db13534b4828dd6240d64caf342630077bccb29c2e7933b14807a31e9a579b90a5053c0b7f19a97d04372cfa2303c840ea63b3c5bae7f2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
b734aff55f1804be7a02806a4b6fbae2

SHA1
3abaf7155ff297d22b4c49edec38516f42efe3e9

SHA256
3a9b7e4bc92f12151f3cffc0d122db223a31839050fadc83ba262ad0cd72a6ac

SHA512
6096306bb66d0aeb951c19450d36cab624e76d68bf25b799b99bb9f1d5c69d8a4747ffc52de3acac6f73d738819c48109ed4ef06ffb800f2b31449f3bb3ed6d9

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
0a64398fac25f0e3b1d27d0d375a5a88

SHA1
27263a7d9d1deff46521f1d8a554e29290219fc9

SHA256
87816f36e3dae78f5426161ea3a4e43a9fcab37bfc92e5255c12f903fa7308f5

SHA512
47b4ffcc6e1d909438185d7b0669bce0ae1dee9d778af6ef1fc2a04a93ec9da16a757b76e21ef305743f95d78e6af74cd070c497af1eb16ed0574e6ecf466dd6

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8ba00a01c8fd500a868c19d59a38086a

SHA1
9212a53fc1720e303b219aa354458ddaef0a6614

SHA256
d1ffbd1ba77056999771cf5a86ac7c30970b8583c4969fe01e6890ab0c735903

SHA512
0e2db01ad7235631343b11a66c6e70124b13477b4f0e90e97ef0208b605984b38599ac37146d8a3a6976e99ac0c5136125a258ef04de6887706b202bed51bf06

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
655c6304beb2de9af36294bd63e9af84

SHA1
6e51975081e784b863bee332015486fe724f153f

SHA256
0970bc2838f7a5079037c1a726f19b9c054fe8fce3b0234b234fe28e737cf210

SHA512
3427d09f750cb14fb90499cabd5607909e95b4e5a606046816162f2d4a8d9b84de3a6ee7d39fa3b3e52ef372b5f52d166f671f79630e97e5c5bc553e9fe57ebb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
81e64f34b1475b5d13b19915e1eadc23

SHA1
226aa9592df4aadcc1244e8c39ac623e7bfcb87d

SHA256
47160bc5256fd0d38be6a7cce107ad39eb6257017f93f69a8bab9f85a109fac4

SHA512
086889e6c92fadd1627ee7ddc2a48f1ecfcc4b61b41df5de5b1abbad7f3653e59badcf67c6e495127d613aa4df5395baaa450f2a3e3c84890bb5cf08c2aed41e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
dea88e2a5e504db58597320930ccd2ee

SHA1
b6bd7cf5f342e2f85b9e90b5a1a2d30182631faf

SHA256
43b479fbbec0a28763b41e08b63cf4ac237158cffcd6512d6de6c40bddcb8949

SHA512
c08bd800f4111a9e513bbb0d58a7599313aa34edbe32d1be87255a9bc35d05b9789905359aef8caeb9e9159eefd599c1776bd9186c7b2afb8d834a6ed4591642

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
48a1966f485beedfd88ce884a1bcdf4b

SHA1
b0024a2682179f6ac0344b0a91828135a212d3f5

SHA256
e56bc4ba93500d963f6216f2e2fbbd61398e60ccbeceb91caf95f5771ed825b2

SHA512
adedb7f9f83e818cdc8e164616a898aef3c5636169968bb9c8201019ce450aaf23107b71153ad23aba7a0bec3a3f560803461bf028ce6baf97756caeca59baee

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
37913b268d07e05cb0bab8d63af8d4bb

SHA1
77311c05fcf0368f779805a7ff435ac245050f2e

SHA256
21bc613a54aec304fb1e1c77d4b68db3d7c94881d560fc11d7392d3cebb4f540

SHA512
a5885051abfdc0353ddc858a957a07009d61b839f58b216e618023e1949992698becb0bb308e9658e059d294525e9d3b6cbce291499bbd1e347b62304f8c8bed

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
51a7d5e30ae5216e0f361c975ad295e0

SHA1
0ac66235d979a96e9eba2763fc5556d88ae9f457

SHA256
3933e5f78b7fd0f9a6eebd776dcd903362241b754579eb1aacd2abd0d370b9d5

SHA512
61b3a66fbacb7713a2f24878ecac856af25419f753e32b32d2fa86288a9099c488499ffcccbf77cf92eea24386229fd6f9eed7e85efc08aecdf764ed7b8567e7

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b382f1ce53085798cc5fdee8cf9b81e4

SHA1
c12f81146932ce9a1e499c2099fb06c1fb914d77

SHA256
5f6e0e07341dc9ea4de4927206dd129b62837e9053bad6d2c22dcd8761ffcf1d

SHA512
0fd4f4ff3475ad79746f6c3b352bd53b8152cd24d8c8c1046a960287150028084ea864253460baea3cbaf35bb45fea4ce1e500ea1d57f3d36627f7414db28dee

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
97dc20a7e609473d00fee9c2cdd7dbcc

SHA1
78ff3753ae0a235cf760245e5e5702eed3779cc5

SHA256
f18065e639305e637b1ffdb04961f051e48fd772e5f825da09ecd51da50d4c20

SHA512
57921f5e0c4a3cf2cf8f38f411e2a8200a5fd40678c0d70378bf7944948489fd8061a6c3a15398ae28475ae61820e84d70d96d44a44a0b32091a941de8cbadde

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
04ff6fdb1d2ae20628e2e89757ed5b07

SHA1
ac2542522cf7d633bd90a91c6c20961b1b069ebe

SHA256
8631bea5dba8fac767905f5fb6b5c492caa0b712396a59953d83cedc7d2e6674

SHA512
a6eb94860a47b00e3e33deb049e05be7e3a1e89f151f57d383717453bdbb6daa4437f858e4484c1832fd09828e6581ea331254d9b797b813e0673b2a08681af4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
7b6de5aaa9ae2259be60f34fce7f8ace

SHA1
e1a700fbb86f1a24c002fc1d59353dc629240d23

SHA256
fce2c581eb88d61a648c2d2e1ccf4ca2659c0b8b11fbeafc9ca3a25e48cc80df

SHA512
b6150f7394e2664d4df4fce7277c6646d89de8f5c79e28b51c540d2b7deb3f086043dbbcf16a1b7ddecb6526efebd97a37f7ac71baddcad4f9dc25e117d94968

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
ece8e0eaf735a213b842aaf55d066399

SHA1
0d3e6eb521579d675c37048b49343ddf1644c40d

SHA256
64ed8862594709be68577245bbcae3952578c5f4d7076f446c3bee03d5081db7

SHA512
ec1b9eba0686b1a1e6ad405db295c49c8dddb21820da4af9091cca871af39d8de32f81feaa0aab91f1d3e4247e0fa1855c74b362a31eb1f801563a3ae2b8fad2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
1d90e2145f63beaf0e7e160aea2aac16

SHA1
f146ac683caf4bc8bd2140bb31200806ed30d38e

SHA256
df5e71a79673e8be835ad34307e7bbaa6562ec2327149feb76d969bfff6212aa

SHA512
99837c30c15e06fbce6ed7f7551ca9cb7c909c2e4bb8ec0c61e2b1579a2ce457f00043f828a15507d6b7dc445dc635fa190a6818e2cb8efe18d8f56999658162

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
d4372f3e8681bc9621b2040fa7e07897

SHA1
3cff91d92ae35e72e6bed5a94c95f5a00e1fbb63

SHA256
7fe7f909760b69b277f6fa49dc2eb76a8d080ffd17cca6eced296d5e515da826

SHA512
e962a0b4a5cdc3b5913f8e346eabdaafbbfe0251929f56c712e9de1f6dc23e82844d280c83dd26aabd555abef6bc987f96107f9413a7d44a562f8032eb9c8192

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
cd1564d9fb24e787cbdb2519495a1765

SHA1
cdb8c691461bbbf40e980e4418ce241f59336bd4

SHA256
747aad74328275e39cd1d39207943d77f410657b7690c5d6dc5bdc73c7e1bbe2

SHA512
6e1417ca902e426cdfd4510ac08b3150f5d860066642c155453a1aecd037e66540f9aecbf8bc24600418998ebee4444aa4adf6ce8dd827da7fffcce95bb1ab3e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
28c1e4af21c3f92f4ee27eeef6b00433

SHA1
f78f846a69e01268ff113bc1a78fcdc6921fc7cb

SHA256
af96a9af0d5010b13bd5a6da5bdda787dfa4d5b44e7d9d27eaf3f0bc05ca00db

SHA512
758b395114fd19633181d056fd7e7bc5bfc61af5621ad8e9e56b3de03a2fc4ea790a3280b7fca7901874dd82416ad24d8a376e081f1d86a2b8ac7cb00f7a7690

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
ac4fd215186617987f14e17ca0b00392

SHA1
c59c635861a7acf316f38b7dab557ce1685bce56

SHA256
823b764918a6934e91ade54b244608bfeebc529cce5323837425295fd8bd6e5f

SHA512
b43f49aee5303ff2fdd637ee70f955c3cc928da0ff6db7d53e87ee714170db7dc6aa9776ea8cbc02bd3b0221cc73011215d540520473ec23c1b330dec94fe32c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
f202eaf1451c35d324998c0ea557a38a

SHA1
0a8350abcb13f803ae135b4b73af1c937b54e86a

SHA256
73c5a459606280ba0702a2064fad2828b0f752ef11f5b680bdb02632ffbed9b9

SHA512
fb97c43f09b5f363af0c264f3aaf0820ce7eb8e1bdffdcb1ab88761bf7791ed6fdbace0574221eca13b3af563bfc10db34e52379bab4bb617429c1a8cc592c85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
325e49a414c8f5a740a776af225d2cb2

SHA1
e0367b463a65816e985b6aca985bafdb2f091676

SHA256
55be384e86159793e12be1e44f64c4a021d7cb388ef2d275a406d320aadd7077

SHA512
61b2ad498d44596be897a53fb7ed9b846568d983b5944ef71669dad3928eba61e9edec8d06b9b54c680eb59304a238fabfa8a0c1c206679952356b77d21eac0b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
26036851fe8fc85908b4cd290495314e

SHA1
91712a1586788fc48543c6aecfedc388cd747ef0

SHA256
a6bcbc0c3a208291a7aba2b2681b0ee2cdbfe1a73c43076a0161c3ac3b16d29e

SHA512
c4cd3a6a49c6e0e86b31aaf961493a4835ab6125e3f7833ec6022e28ac1389d1968a6dd9e60d118dd51a149dda553177b579f85e43b20eb6bfe7f7ac5c0d82a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
86fed66a6b1091a25209aa9ed43334e6

SHA1
20e6cc7a129b31b9e753d35c8fa5d742692b14e6

SHA256
d18ea8ef79290e176bda22d6a485fd6365ef5a360f4a5d4931f288f1d1e7542c

SHA512
dc0171b04839caf0a515ddbd556fd357ef26a62732a74f4a8d1db6be9d5c8f06faedcb9cd04b8db84075947fa93ad554b3b08d5e9f95665e8e7501d4f5a919d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
bebc7dfa35f6ea9367611cafceab6393

SHA1
5ecd204c83621d288a468842970ca8fccf175ed6

SHA256
edb0efec07d6e27d1c21e21675d046cb364271baa9c6e1db2d3acf258fc563c1

SHA512
0ae92e4a91f630bd703cb5ff31e84ab8906994c6ed32fbc5b39304560f24df2b6757c662cc35395fd0fa1b3ef2bfb7b1ede4beefc6cbca651c24239ad887b5a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
bdd2e632eeb21b1ab5ce5d42a4bde230

SHA1
77633616388d8e3bf9affa6e5b77ab58aef12e84

SHA256
a64a80fb93343eb27e8b045f85af5a66c5cebff7e0db57a84b7e41470ec72fa7

SHA512
302fe3bfe9d1b06c6f9c09ab1b5ff78de579080a5e1f7c7f430b3e7e73113b6e8c43559bbcbfd0caeb05474ca7dbde12e318f460e48f36a56792170afed5f758

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
77c491c1e0a2476a9767db2d484bf2d2

SHA1
3425ea7e9a36b30301e7dc30e3226dcb55abd073

SHA256
c8fc2716a47dfa9ba6746db656b454f489c5eb7f3a0036e0a415352177e26c01

SHA512
4696a8d6fef15d842edfeb4298cd4c3f37b6d8330a68dc2eb915a8c1745fe49e75eb06ae475d931f7bead4e505ab30d02904c5591e20e18902a21c9be57cd5fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
e5dce5fc9fbba1e325dee0cbdcd107dd

SHA1
d24b79ad2ee8cb99c06b475ed667a22dd8d870d9

SHA256
7c3ce1802c99e3fad450461a50b3611124a29175aa2a085f6a2c355b9107f3e6

SHA512
407eea332e9fe09a64ca2490facb303abbf3f4ffa57498d36d4d30252359e8db91696e605f2a63b3e6480351608bc57c4b5f2179854e50d29290b15a0385136a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
a16abe264a9a4c9f476863147bdc698d

SHA1
e9d229a047cbc99a9b152d4446091d1b38e602e9

SHA256
f979d8cbfdcb45cd9eb09973b7d811be42069d7cbefb9f9c06bb3608fec3003a

SHA512
f208f0303b86f12ab74abe7be88943073948336e884c028d3f23eceff76cbbebf3e2f02f0b34a1fedb489caee893b1455b8386992b7f5dab51610a93c4b54916

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
ca9f961ef78652bdd1a38e88ba9915d0

SHA1
f1b352d72e000db78749483dd5c97b990e1ef620

SHA256
8058da9568fbb9ce10f5ac983037715621cfbdd1cfd3786c428a10f93b7f1ef7

SHA512
cf7e0c40c1ee025d14ac0502582965f09c6cbeebd002aff93abe95be76cac1fb2c4a0702e7a5b731c2a5d014d019accfd8d49171fc6b3d3c72f88c67799a3aef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
188c691d9580f7a16a5e74d1136a9226

SHA1
2446e7c92eb78d3d1692336505dbd9e0686e1d33

SHA256
ad5a880bed09f409550b7ca844a2ed656104bfe9eda38ccd0e1c954e05877537

SHA512
5b1f38ea96879dc21184efb39bbd2eb40dde5197982d0ff45c1956cac7fd31f1ddde80cec4eab14eaaa86fffe7b80de89e892bfed08fece765386ba43ee4f6c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
359b88eb5ce733ba8d1956f6df6e27ee

SHA1
7b64c331ce5eb95c9c0d4c779c7e6a848d6d0fea

SHA256
90cdf6e00c8b4eb10945e52051531736041bb34a3e3f69924367ce532a9de375

SHA512
2fc8e43f0c6ff265f9bdb348f1e79fab3143c1d24ba6d50b9d479d148494346fa9177e55ff8e66e510e33788a6e4aea8ab5445f7b64e985514a04b9caee54ce6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
0e326c740dad482651e3ea666b0fbd46

SHA1
381369bce50dd0c7f4e1f17e65a257ea0300842e

SHA256
08505e403c5869b94766999eaf2b398d8f75aca50bb89f3182cc05e8f8666ca3

SHA512
fcd74e6d15cff839c130a58701882f6179b542e434a7ffbd6513f9889181e3cb001d31add28d55f4e6e46f16862f4cf068e4859672b2d105d11a24a902f043bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
8634ca5c1ec2d3500b4269fab5af7aab

SHA1
fa82824c6bc76ea74580fa1ae112672387d9ec50

SHA256
dae0a8c8d548f70d20317661e3b72abf6f67c04f4d0560f2059f17eef7ca53b4

SHA512
c6a14d55b09d422c10a2c1d8e7abb3f6c83391283b14d65786f52b2b5ad5abfe8401e44e04a6daa41f7ed239c5db7ac7c944bf658076e0b4ae19531bbd9ab487

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
bc354b8201108ee10fbd6be55f9e4beb

SHA1
49faaab2357e03372565e5966cd4aba485fbca33

SHA256
3460c3f509f698a5a11011c25f92de82b6ea01e9ddc1b76f39306c845d818337

SHA512
6cc677883b060f25774a087385a868659335e3fdef3926bfb201b42f467cac3f39d94079ea171d833b8b5a9a3b079e03e15498704a061471a8be20539d368f9e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
3760ae38d81b86e8cbefda5aacf3cb63

SHA1
d47f7d34b259997b9c05de1ab2aa3253613db429

SHA256
c3e95d00f97d4411ed7691bb7afa9a244dc85af640c30759c336b1f47a0277d7

SHA512
d1beb528bea1c4ac4f22b80a526aa34a1d4218bf1afd58dc29a208e9b2f1667286481822e70967c0ca1d3c41e44bf80b5a87d155883240985ff053c5b0336dd4

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
44feb6a9ad7798710bd419b9c73a07bc

SHA1
90ed38b02c071e432920496617783b5cae30f064

SHA256
8d20f3f17c93fd11c9c34d8bc894304b84d7f36505e24b4c832efc48066598fe

SHA512
3df28e7a4ac142368461ee9da39b5275d7049cbd64cbbd0f87960ba16a8efef6f4214c6de27750aed71728b5149e923829ee6dfffc944332097f1ac903b21256

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
b0ff609785f2326e970f0a8374c4a571

SHA1
2fbd70989bbf88890779c78954c7bc3a3fa98941

SHA256
439d864c8b80d0db4a33f7f3f809355da6a34bf5304d984a6549aa037ffaf685

SHA512
3f60de64ae22d32a27f0db8cb5820b7239b46409f403559d945883284adec995bc2d948052168e46d2d01b585db696f8391cf6861e13fce441bfa8218cf29131

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb.jcp

Filesize
8KB

MD5
d1f9bc582f6df6921f901aad75c8fe2e

SHA1
aa0ce9570cb5e078a01ba1735395756d16f1f7a4

SHA256
822235218475010b3021ce482b7362ab6e64f2c6144099d80ea06983b6a4eff5

SHA512
057572523ffa9bedb52fa7e81ca6f2b2d9b2cbb931adc7813a3957fec4df8b209a5e71e4bcf6b49117b388b7ceb2895315089fae581c0fe29762c5c184a85d7a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
cbf2e783c1a0effe297477068124c9e6

SHA1
ee0cf2d53c97a8254c124c95d6e745201c344f4e

SHA256
5af23b44c956ad916ff9d5ec17d8f87e08168431c80bf97c8b878f6b53b19876

SHA512
be94721de143ed085428e6ef7cff893acc27c8798e26c6226219ffa50aa34b7c98fa008045a095435fb8941837e48d1a1809f072e9c53454ce744538a5b947bb

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
de0d3f753c5d70415940960436047065

SHA1
048c06752828283f3f4192ea9544afd4d56bb1ec

SHA256
6e130a7cc118e1a473ee541ad2c2046d5c55b537af31d4e194da3623c0e9f926

SHA512
7e4328813e07b8502d91154fb6c5746f4f2aa8032d310088be7bfeb9eeea947462a884ca3ef4a9961ef7a16e37f2c0b47029f973fedd53fb115e4ccd45ce02b4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
3e4401c17c3ec3602d76a0de4bbc2312

SHA1
b9dab5d74ce3aba18c3b9ef679fb845e5d20a4b8

SHA256
9ad2da96161cae81b5457e95091f579fa17a525c893e7e75d6cbafbfd359fa8e

SHA512
f74e8881d7b91b52800f5dc30dc600bc83874670cce8d9b67c8279deaf5018958e098c862894a4873638c717bc1325e55004db2f2757419b4e862966e8049c0b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
74cbabc509dbd0e3ecfb4f7eb1218113

SHA1
cd1e86b60966f97c775cbbcf15739347ef36237b

SHA256
aa7ffac2109acfe1fb24f37327e3e9ce5448218dacd6d2b6908542583a8540ec

SHA512
4c14dd4f0b72c276e0ca7614e514aef2faebb0451211025d0941c85aff9b7cc2bc53f8b5691767697990fca563dba14c3b3efb50791c8cf97dfd4d5a40a6550d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
fca69a452ba944b1330ae4554053d323

SHA1
adaa04b6ab04f12c7aed55c1e57465fb1e2b4a80

SHA256
1c4e94ba3337c6c02a6e533695e189a5f3d471e32cf4805932610871afc3dbbc

SHA512
bee2153c6e5051f978625fff60585a2b83f64ff18960c6f2185107a3960b6c8c20f64d3aee12fad7339c9d26cf96e39e8fba8fae832fb447fa3fc55c6f40119e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
c0b42954429775832d329752cedfbf8b

SHA1
a116bca9c8c4c89f577e2751af453cac2e49e663

SHA256
59d955cd4faa73c012346fc62d4a27a69abac11b668ec043f9c7a8008974dea4

SHA512
2b778c11f4681a959b91444f53e5e6545ab90842c48b9574cd94f60b7a9be15442f8efee6a95b9b74983f3d73025254edd8a42e0b1a19f19b087a20e6d5dafb9

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
e7533376d63392585bfccdba4adf97a0

SHA1
84678929c9a319641c96757b334536450d094c29

SHA256
7a184206d8b5344bbe79bf27cb3c1856c6329b70c6bb50fb0153415c81973757

SHA512
bded2255f9eb2b6506684c3daef61a7804dabb2b4820132c52ac7c3f84addd21b4f3e644715f86eb3729cbd38905fde690f5ea29a9499a515bdcc18bf83a6b51

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
aa81c6d1fb700766700f8227fb611243

SHA1
be8b630a9a98cffec4e65eeb8f3d459db13199bf

SHA256
2af5c59bb7d05fb2e98512c6ca14cfbef8864ff6e96f74b3d04531fbcc16de04

SHA512
69a74a34e87444afe6a3f64f58cdd342df557317067daa1b54be664b8f2324c8d40762f157aef078bff125b75ebc97cf4f0a8656b0833589906c46db9069b301

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
67a7feac4df5e3dac8762d6207f5b42a

SHA1
d7b6d35914338ab297ec6345542c8b9b9100a9b5

SHA256
32ba7b2f10ed2280966572cf37cd6300e4ee53c17bf18811d2f95000e516821b

SHA512
49197d93a82aa175041578fae64be032d293db417cc55d35ac140ac8511c2bb2a17cb2e2996a5af4c6ec733f317e4f3d97a0fa683644a2e1dc28a95799205f83

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
bd27021db5f2cc02d278c63680aef3ae

SHA1
f643f110689948d7ee9f3a95a948676a03414421

SHA256
a5708a5f512627e43e6859bdcb0f1dfa176f713c2b53e6ea30555cadf1930ba5

SHA512
a6928582e194f08afe7f88c66d399ab4e53fc95f98c328b95f12b1af7846666819312e0f7461a525cc1a4364adc2da610398617dd37c0bd01313c1774328a1fb

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
af9b53b6d6eedcfe68d3c13506640063

SHA1
9be12d03b6ecdbdf06e83e7ee8da95ad6d96e6b6

SHA256
3079cddeb53de5b2580fb2256cab9b9b9a946400dc0597288e84dab9ebf72a23

SHA512
491236def2f6f559aa8de046dea57c3ff874738c400b9bdc7a5d9823dc5a980a2b63368040141d5e93eacdbce862d9a5e366fc8cbb094c188ee804d447bf7a62

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
79657a61eda268ca9c05d2ad94c5fce2

SHA1
2c4129dd1d22a4c0d41e5b5a32dd6225ec359466

SHA256
a9337b4f919585af58c92861a3271703a1a73a9ce66442c0fd0dc87318453a20

SHA512
6d50c2f530cda9871a469fe16249b91307f569e7a303ea3a5bffdcac013d53ac0f34cbee9231508176f248045d83258a57ac3e4c1589158af0cf1551ed991889

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
a397c03b71844b570797f2f2060cd42e

SHA1
9f4394c4d751bad3367388c1b70e5cc9980a1c6d

SHA256
e3e38237a28a6e63a0e503eb2355654a771ef2e46f4114c95080f9dd7d2c583e

SHA512
80206a46e1833af53a99e93c4c083a2a1fe44d548e9430aa07bec30d639a46842c8736356c6af0cc38e8a35b6d7ffa3a290a0ebd1fee1c514ac96b62fa8d5efe

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
2f4a8944919e4088e0028961347aea79

SHA1
a200f510ad4cad7c449ab7a2c3ccff16fa11249b

SHA256
22b479d0ceb8d0d94ba4777fc7c910191a6b25f9d58853130efb1ef8d50dd358

SHA512
7e627fbb4693fe62776b0f4b6dac0427b12cf3dfa026532f936fe2de477ee68485ad4155488e74065c96e3f0f1fd340a26cbd55f969521db9b68489a54205267

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
e4b1819b9b0f28e32d6b45495819844c

SHA1
2c1c1a7b799e86ccb04e662f0d2990da722a686a

SHA256
e0b3a206e0ec21d5395bab1ee606be3325f76a33fe5ed47f3b884b68e69eabcb

SHA512
fd469c159af973a5fe6913900ca3d6a5f825c2601e29d0bc62c79ee636db8f6a1b772861c0138dcd148e2d011fdcb276041fda70d553bfa80975cb57b31b796e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
13dd9bf237467d7b15bad3d7b59c5bb0

SHA1
f30e269128cd8a800528d2cef3b0eb7eca8973e6

SHA256
430c83a5de91524f768590115a6c797eb286ac71e5c3ce0602cef0c46664cd69

SHA512
4b415dde33c7d682ce8096f36f5f079ca167b97d07b1eb310b39675bbc1612bf01acb0816d709254313c1978c6e574a263be8937515534bcc1412d947aad015e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
486ab3b05847a95307a3a758bf825877

SHA1
d51dd50015bc588c7aa9b0b014a75d40ef9c7243

SHA256
64c72ebc4faabd494bc3b7ce2487e32d98471dbd4a09e189c482b76cacdc2435

SHA512
5b9f8423aa5b3318b7bd21e056c6c92aa6a85ad571b5e36724237e8a6a4ea4bf94b03cb55c699c50015292bcb6491fa9df32a83e3b6169a4b7d8762815c8285e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
eb0ce24f7ea3ca37c7f1d4b665832de4

SHA1
650dba39563e68988936892e5e04647def7d283f

SHA256
504257666296987c5330a7b02ce902bf9c0fde5ad80ce9c74df646b38412b6e2

SHA512
66c41655fa5eb79385782c8b68238795f60e30c241fcb888e496e6e59a6d749feb88cb4ad1b83ff7d6d82903348b6a57011f1ec14e9ff0710b9e5c32aff7c3d2

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
05860f11bb37e01233843cc4b9608708

SHA1
5123344fe91bfec07e4e2f19e56fe3550a9d194e

SHA256
a99a7c1f7768bd2ab9a3fbcbcf9b67850af9b21f47614fa76047efc36e0d4fec

SHA512
be78a3c9551bc6b871715781e33ce6b18a13360116c55ae4cfc9d6eada4521d7028f4409d83bb78673e43bf0ab269ccad9ef748213941d26b0d4b2a946c25120

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
b6173020e1951c730093948515deb618

SHA1
3621af1c5775dc323b23f38ac6513d904f2f7fab

SHA256
ed15c2a50903566cd9e61fdb76900178e57e17f0f2240503779041d350f44bde

SHA512
51267e8cfdfd86f1689e835339ee7d92d24ac07a963d315c46e83bc019c2d5633e70af618fb0b0079a1fef56cf1d574a85f2628cc1ed649400406acbdfb02f22

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
7c4cb9eb8aa434c4aa752fea768cc7ee

SHA1
681f2d50cbcd49a5befe681c4a5f007d32df6496

SHA256
c076cc7a1e23e502e478dc2863741badb5cb64bf66839b424242d34735a39338

SHA512
186687a69c753b0ab359585a07a7a6b71a4c37a367a4160237367263fd14d761356724952f38b7568f862d9a4e66a1e904b34dde888e1e8186b4342064219c0e

Download Submit
memory/348-275-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/348-602-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/980-268-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1016-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1016-40-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1016-48-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1016-60-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1016-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1408-509-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1408-154-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1552-13-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1552-22-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1552-21-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1552-96-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1808-269-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2204-152-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2256-126-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2256-34-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2256-35-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2256-33-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2256-27-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2272-130-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2272-598-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2292-51-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2292-57-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2292-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2292-438-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2664-0-0x0000000002070000-0x00000000020D0000-memory.dmp

Filesize
384KB

Download
memory/2664-465-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2664-466-0x0000000002070000-0x00000000020D0000-memory.dmp

Filesize
384KB

Download
memory/2664-8-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2664-9-0x0000000002070000-0x00000000020D0000-memory.dmp

Filesize
384KB

Download
memory/2672-274-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2672-601-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2776-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3184-600-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3184-272-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3368-127-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3368-595-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3420-267-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3664-76-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/3664-85-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3664-101-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3664-82-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4048-115-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4048-594-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4440-97-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4440-87-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/4708-273-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4720-174-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5032-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5032-542-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5032-73-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5032-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5060-599-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5060-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download