4f3da9997e7c6353fd39f8ad2dfb9329478d7075633617e0c3cef2c72de2094f

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
Size

1.1MB
MD5

09dc41b509137010045d5f136b4a3482
SHA1

78304e9c49c9351ddf3385a1502a77616f2f77e6
SHA256

4f3da9997e7c6353fd39f8ad2dfb9329478d7075633617e0c3cef2c72de2094f
SHA512

56bfd55e92c166893ce995f377b51e979398846d7292cbbda5023a37da8672ec149e929248e0c1763f9c3f11c066c7dd949a5f79322ef4769a10d33c6d26fe81
SSDEEP

24576:zSi1SoCU5qJSr1eWPSCsP0MugC6eTRDscnTL5g4rTeP0j/Viwlx:jS7PLjeTRYcTFBcg/Viwl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5056	alg.exe
3884	DiagnosticsHub.StandardCollector.Service.exe
4116	fxssvc.exe
1260	elevation_service.exe
8	elevation_service.exe
2936	maintenanceservice.exe
3696	msdtc.exe
4444	OSE.EXE
1132	PerceptionSimulationService.exe
4568	perfhost.exe
1848	locator.exe
1452	SensorDataService.exe
816	snmptrap.exe
4884	spectrum.exe
2316	ssh-agent.exe
2364	TieringEngineService.exe
3144	AgentService.exe
4732	vds.exe
1800	vssvc.exe
3912	wbengine.exe
972	WmiApSrv.exe
1344	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f6a7b2114a48edc7.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{72342474-B513-4DE5-9360-4F37AA503DB7}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b3e06809bbbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003e773f809bbbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000041812b819bbbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c98c14809bbbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c6012a809bbbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f1c8f07f9bbbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000037ae97809bbbda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3884	DiagnosticsHub.StandardCollector.Service.exe
3884	DiagnosticsHub.StandardCollector.Service.exe
3884	DiagnosticsHub.StandardCollector.Service.exe
3884	DiagnosticsHub.StandardCollector.Service.exe
3884	DiagnosticsHub.StandardCollector.Service.exe
3884	DiagnosticsHub.StandardCollector.Service.exe
3884	DiagnosticsHub.StandardCollector.Service.exe
1260	elevation_service.exe
1260	elevation_service.exe
1260	elevation_service.exe
1260	elevation_service.exe
1260	elevation_service.exe
1260	elevation_service.exe
1260	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4728	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
Token: SeAuditPrivilege	4116	fxssvc.exe
Token: SeRestorePrivilege	2364	TieringEngineService.exe
Token: SeManageVolumePrivilege	2364	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3144	AgentService.exe
Token: SeBackupPrivilege	1800	vssvc.exe
Token: SeRestorePrivilege	1800	vssvc.exe
Token: SeAuditPrivilege	1800	vssvc.exe
Token: SeBackupPrivilege	3912	wbengine.exe
Token: SeRestorePrivilege	3912	wbengine.exe
Token: SeSecurityPrivilege	3912	wbengine.exe
Token: 33	1344	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeDebugPrivilege	3884	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	1260	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 1012	1344	SearchIndexer.exe	108
PID 1344 wrote to memory of 1012	1344	SearchIndexer.exe	108
PID 1344 wrote to memory of 2964	1344	SearchIndexer.exe	109
PID 1344 wrote to memory of 2964	1344	SearchIndexer.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:5056

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4092

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:8

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2936

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3696

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4444

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1132

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4568

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1848

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1452

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:816

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4884

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1896

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4732

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3912

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:972

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1012
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6e4c879956c253c67f3286480b61a9ba

SHA1
7d043a4147c2879e657506bcda3374c986649090

SHA256
5a82c417f7bfa7378e6bfe33b2e2bffa4212e0bf4b6813436230557d63d74c6d

SHA512
59dcb75748afe9a916040ccafc0631d63359720b65b78ea722a9ed5220fd1e503ea496ca13cbb12cc49e8cb64bbf962212f22c9d2ef509f8daa10a5ef7ce8cbe

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
c302897dc0607b000ca418c42cf3a63f

SHA1
aa5ab92f3cb762cb5d5797c9e718e35a3d8d384e

SHA256
57398fa1b10c16e844955933e5d6286d2fe454a84e0789a4322067b935aee4c1

SHA512
fa86d9c5c61838319dc0c0d4e3cb97f6ede345cd7107ed437fa2fa56e7c136098701aa87479be0a618889a35c61ebfebeada90577891290617a1697eb75a8b7d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
4502af4806d89a229f4175ab421c8dc6

SHA1
cbe84aa8d6c90d6a36ac845cb4942fb174ed5a74

SHA256
fbdef529a3b3cce99f24db37e47d836f5d063ba86e60caf3edd06623cb79ad50

SHA512
260083646a1505b2188fc8f15d9cb5740b3199e2d668172cc25e84cef98857471d465c89a47db3f994e94638fee2e94ab90a050f8d92107b5c645ea065a2c830

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
88ea84382fc6f3156f15e39c683d00be

SHA1
4fc0ea1c9d8e7d7789148e99e348f8d0fa20c40a

SHA256
ed59317d669d037edfda2bef6b9533d98a9dc4eb2a1b867703f82a012bb314d6

SHA512
2b7021e8aabef4a71d505af3ea00b65b36d134a2a5c044d614917b970066f3ae6cde2b4e2f4a7578b3822340401ea630fb5b22f76d7065550a140ea38cf6cb04

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
cf29bcecfa46eb600a92e3a4e92b5b00

SHA1
0b6d5b1bb0bab4f25f1ede5c0b665ee07243f6b4

SHA256
36913292290baf0d97b644b60884f856e9117f2a10b4b2c53269cb7e28171034

SHA512
0ae76090b8e9611221ea0056347e4ac0c12c8efdf2e11c45bfb3399780c03a8df1fa8c0fee7dae8d47275835974970122374807d8f18e8d4b5eea5bcca9007da

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
23cb5d8d6dfd0a9e89f8b891d618b496

SHA1
b9d3ff833aea2364f685307897ad9a0b9e484cf0

SHA256
9dc4c7ecbf36d1a508c021997bcbe2202d76727e7f001d62ce8d079518db4c74

SHA512
763da41518bebccd047fef517fa9ea4c84e2251eea9f43d4fcd2d0f065527ee572f81d34fb6a3851c1d188001da64d4440b6ac3239d1780aa8681b9e915ba47b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
a2cd7b29ac180f156617621e5785df85

SHA1
1018bdef532f861e696f656fec83bdcfc1867297

SHA256
c56133fa8060ecc3f4843a886fdc0a396da00b039b5c5db1bbed9b8ac533b6ac

SHA512
129d89c466085adf591a3023a5692707bef5fe3846d3cc6494d3c75f1dd8b5fdd35b7042353e08a3362e135c5d08e58e559a4473da27084b146dc24839c5658a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
993df808564adb14cc432c1a20e2f555

SHA1
b3b2da7c0873d6e8093dc33d087e342d20897cef

SHA256
36bb6680627e3b7b4e52b605e02c81beb76bf620e2c62becd0ae06fd1a3afa62

SHA512
154712ce51fd45e0a188ac51ef9bf4c92bfb05ac52e7a2961b2813a6f3856947021704390fff901d3b20c272959d9038e7a2e378534d0a079556378c4a0895df

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
6967b143ac675e82a42073cf4f386f94

SHA1
12050894164e5ee893624bffee2458bf64eceea2

SHA256
8174e45a1830af6894475454b10737459f1e200069324137d69a68f99d9ace85

SHA512
3cadf790c1a03aa0275fdebb98121377a690019a178fe00ceb871d70cd4143c13bdfd78c3fccc0815859bbbfce4dc834f421ca231a76a4c16364b71181543bd0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
7fb3d77008874f97caf3185dea74a3a3

SHA1
d42539aafb53813601222ea612435ec96c76e0aa

SHA256
df4cc89cec8328c52d748f423028e1fd27c0da69b727391d66585cf8ea1d89a9

SHA512
bd319ce623e213aafff374e2329630b7fea5bf86bcf8d69f67191252218c3e585bac33b5244a94d535fa3d7b8b4c7620a8e7d74ccc12c52bbba4cff4ffc14031

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
72cfc97eb8a58db45be90bd505cba2b0

SHA1
6b3f15c9bf86c2c6a6c7d423f3e41988fb332da3

SHA256
437476b1458671f83ac08660a6336b130a376e931c2986ff4c2f61fa47b0683c

SHA512
9f320b865d8ad11165369c0e79e85eb9b75076df5bf470f9bd55e65ba2eaa27c590ceb57ef14e9d4f9a013cefa2e7a38a081fa40de1f10ca535e9e3886736f56

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1eb548243d787658f096c627aad168cb

SHA1
d5d61ffbb83980b7c0f33bf72a8b9b662460d245

SHA256
00dc2358fd10a5255c931486b3e7d2f6958b3a3c66cac052c27d345fa06063a2

SHA512
7ab8d657af5b14b59f14ec6767880c3ee858a315a9d28ef84be1db577b8b1125cffa65f004bf8363a2d2f48cf1cc2330af07ab658b892a53f182b13fe6343e22

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
1b226e57b82e072c03933b1f29ece68c

SHA1
87e4a65a217724081f76aeaf4f74837cea402930

SHA256
e430e3d043be3c6c1d819ee715b8d4b836b603c2225236aac8a4507ff5ce1a67

SHA512
0f6fa69024f68e4739cf7c535bad8388c84cd5a39f12c51228b9a7fe55f0c199cdb31cbeef2e9bb24306a19bfccc0dba1e4f976188a78ade2cd75d45e338a76f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.6MB

MD5
3237c37494a6b4d4348597ffbf9acd13

SHA1
bfe53d24667c1f79c20ddb525ee36c7f02ea3c98

SHA256
91e262f5a6f039fe1a6aa929edd8c89dbea9332804bd816bb4014ab3702ea134

SHA512
47d861369bf0d7efa00f62255ca9600ed2f541a11b933889b3d3771f884b2ce8e73abb02a31483941a464af7fbe4d99e4f52f6281cece0ff4a9ced60e926bd0a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
a6a849ac30798776d6187012354dfd8e

SHA1
b4a862c51bb51997d32a59e94c735d3f46a39dd8

SHA256
ce1ebb13a137fcf6adffacdf9a2d145e862a927e13a0f1893c143f09faa9324a

SHA512
fa82b4c04528c65eabbd4d4d563b1262ccf63518b352b28f82fd075dbcd6ad4fbc38db91de81b0ea3327d8fd6bf6d2752b32dcfcedd846b69708af5e38dc0451

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
3c05a6d3943cc6a8180b9148cb20d3c4

SHA1
6c5a9a3acbba1d3b6e1642b6046e9391a1d3d369

SHA256
7180c833cbfe1904ae739bc901a799f52bc9219123afe8b769113d0b6ec63e84

SHA512
075a1c211c07b373fd74d4ec93932438c6a1c28b4db40730d4a1b6adeddb12051149fac0eb2c6c235746521326544811cd5eb46d911865a8fe5073d07b019880

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
f008217a460378c82852ea2aedfb57f4

SHA1
c8e629461fc41e257d489c803d916b0bdc1b030d

SHA256
642b8feaeeefef37113f89c8a7c1128e75d86417dd2db21cbcf6f5a872e35cc7

SHA512
2ec3eff31928cfff58751d1cfdb6727c1fa4f3746216e9c6c68a0a5e67707ed55fb5b0aecf56c6c7d56d0404317fdec08bc140eba6de3d39472185792e9009ab

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
6b725b6883a190f0f1e140b50ff3b500

SHA1
5649b408f3aa16e2455cf827d4cd971c979d1d84

SHA256
7cb0b18d4f518ef04c00018a151402cd636eb94cf8b10e69b1e831c3b45c8224

SHA512
fe2c1f13e189466aa34eccd562e66401dc1d0fcaaa90de7529c9cedcc11512a0fae0e1210361eb0164314de02ab6df542252a9f3e8cc90f469a1a3b8f430e793

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
56910c97e92dbfb7fa9960f0243fe6f1

SHA1
eea6fec9423717122d006e31067064d896f306f5

SHA256
a343796cd155fffbb0a6d1b2a1b40c86ed176342061854474a8cdd47e3a95674

SHA512
b8ae219f068f1911697160cf0db1c98635adf0d43dbce35f1b052798ddafccef014dede8fe3a67c8d2f2e51750940a461aa67468706cd94c8f39ffe3d13a13fd

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
2b563837d1651453d3b27d5a2eb588b6

SHA1
008966c6a413b9c2f4a767f2bd8328a4cd2de175

SHA256
42aaee2129536a24ec8ebfeac25cfa1bd518518cf06d6c94782e3c70773e5dda

SHA512
9e8150facec7c0711fd4fce72ee6337310e5e7ec8ac84824a0c6f2bf71010f5fef57dff3a6d08e06331433697a626353cc20c8bf6796381a58e4dee8cd238d3a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.5MB

MD5
536a1619f8b9915bc2d8d271f2e1cebf

SHA1
e7794e8e5089c61c603da07446ae320d10091712

SHA256
6ac5868efadd601e115d582420938a4699c7b6768915bcd7cc60ac28a157dab0

SHA512
04509b3b05f6199f29077d7b5b96430ba4e21e463b68a1507e8d8bbfbc5d08373372d4b1b40155eceebd1cb71abc36bb7b04e36b3aaa068ef15b009b6f7ee09a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.5MB

MD5
9e0ebd7bb36fcecf6de08e3b5c804a56

SHA1
32069a75fc13bbedcdcbdbecc90e4a28fbe268d7

SHA256
4e88fef4d448e1f19fabd675fa7c359813e0061f69553f918ea45803eb9dc114

SHA512
81b518fc850ee07e06a362f4ceadb8ccff16e59d54e2b100d249992f80f5ccda3636a76b0b063d553502c8c9d43fcb90e91923eda276e4a8dd60d3a5ddd0badb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.5MB

MD5
c47dde1b903022c238ae3430d145d2aa

SHA1
1c4b664e99dd93ff9e0ef9e893cc64d094219b74

SHA256
c285ce25fc6c7b89415474d073e34432ce3be79013965b3b79580ab83adab31d

SHA512
33cea425bf619db017c3a9cfaea84b0465642686d0062acbdbbf3fc244b0450ef813aba7c560230f313a53b9a78adf412fd156ed5baeea0ddd47c6ac13466d48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
071f4268259eb3e2d2d4a44881b78ff7

SHA1
64895aa574c61739b6740acaeca969c6a07808da

SHA256
05ce580226605896f6d13549790c7544d0e453ae3557fdd7cfb62626d6453682

SHA512
fee3054f28d0da959fe5cea531999a4ff4615081eca8f7d018ccc9d9be9b2896409e1bd7a6c4853cda68cee23a7df5f5d838b1ec301fe469b9f6ee03cd6e6f82

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.5MB

MD5
551907378a0d1df72c2fe071f75bdec8

SHA1
00981cd6ef1b53b466dd825c2fa61b1791c9fb22

SHA256
c4c49cb1dc024ce601b0225e68022a3db1381b95e1e97c00c3e76d56096b8c6a

SHA512
94d3359e1b3531d52add6a92f54f2734c1a6f9f374647622f39c47bf715e602fb05daba912e8dfdeb39aeaecb1fdc2a887225dd604839469cb394c7577ab502e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.5MB

MD5
51cafe859f7acaae80fe37bfbb134b3a

SHA1
63bc45ec30783333b19a63e3435e8879d7a6bdf8

SHA256
eed22e805cc95d0f1f69e886a0601280e47ae55f0cc85ca526df46ac2e142e36

SHA512
83159d4c6ac0466487e23806e6ef4a8f797d90290561eb3ba6c8268547117cae078c184acbd92a10414259b8ede3ff9e4e8f98504c6a2370193b7361fd64ea8f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.5MB

MD5
649d528d42aaef6adaf1840b7644ef8d

SHA1
f1cd79a568299fe5ddd33947301b932a77682470

SHA256
7280805fde3ce7999f21cd852f1ed70eda3142e2ac955d34e9babba60698b7b7

SHA512
12602fffbadf707e5cf443088a9cc8d89034af2fc020c4acb4bcd325c7679c25253ce9d5ac82c04aa230aa8c673a1b9c2b75190abe47258b4b04ae011f80989c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
25888b8c19bc6d18845aff87eba5cf09

SHA1
157828bfa17d33a984a53aebb76de8e600bcaad2

SHA256
8b2388ad976291803c153c8397f4d6c84502e3c96787ca9cec61c6010f04ced7

SHA512
25d472a24d96cd9987010e7958b1ef58ae75bf9bc2be72a16d60fed55f8a1f3c6469bee45304484fe6a948a8cb46e9a59dc5be2fc4b9096d6468ae3570f3e8cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.5MB

MD5
800f9b9f315f8ba5d1032e63fbba63f4

SHA1
40f67896e5f9f509050449982193089b6aabcde2

SHA256
403ed7543d7133e5162a0d0b9bbb5ef68c00ae9c6353f9ae80aa66b89f567781

SHA512
efc023be06c27448463491a170464664de3ba1d12c3382ec1bf85cc4fd433349a935fbec800c34015ab86fc902e6fa8976640f9587b0a6d2962a3cef14b9e129

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.5MB

MD5
a261082784a4e6a49f405dd9844deb73

SHA1
60f0daf2f2182c400c8659375d40c1395258beb2

SHA256
c988a7a413056fcf8a61381f3fc787c753eca46fa9b3adcb9fd93d943fe49e8c

SHA512
61b106ccb1c797d5fc4bb0fa876bb1264e248874134487ba72ce102712896c93c198be858c075277827e4890326c91b905c84b78feb340b29706146123691b36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
6022ca488a6ed9b9e1720bb7c19b0550

SHA1
16ea411f0fcbe82a8459991d7df31b1781d9de0a

SHA256
39cf1f36317b0b465ec178b86b4b0cd52d1b0ca079582a6d204157f2b6482720

SHA512
b319c979bdd5c9b626acae3ce3ea95017da36776eb171946c747a1ae763679682dea1e6906ae179bc2cbe52199dad5e4e5ebf8fde8fa56fe3df2fb9179285e2d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.5MB

MD5
c60bd3eadca42b517581bb225327a4f4

SHA1
658a68f46c6792be280ca620a6eefc402c1a39e4

SHA256
83a956a7e5923ee92cef0ec0ad41f47c41ae7a3e7338bb0c73099b4ead71ab53

SHA512
440eb78bc7a810f7caf513ebd9310590cad999a4620c88645de2d73b5554535357c4208778922d7c2a0da3cef10b10cf7765d0d31402a916a997e47c4c48688d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.5MB

MD5
c14350f35bea1b795ee0c45f6c9cc56e

SHA1
a3a342fc2167f1fa70925399f3fb302f5f90fe6f

SHA256
5f8d0c3529a219bb91573c150926a896d1383b05023d33f00d26536132ab076e

SHA512
39b01fae89bb8c57a70aded929f691b48ffe450c820f39a552d818d90e1a44d3f5ede0a9d25e35726fef5ce79db472cacaebd8ede334f88a3d7b5cb2392d1fa6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
fb3961e2cecbdd000b45a1be40790d58

SHA1
76289ce6fd607c60af520d289e141a303c566f50

SHA256
3d291abe8fca31e6e8e5acadeaa6309b6d0c858742e4575cb8c42690f2298cf2

SHA512
6b1c98b10375554e86bc1fbf38b1f5963e112fbfee558c90dc405c41022c85b09f19c870592ae1b7f14b971452987296b3f8a4832ca23e0ba913dac97d3e3dac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
388654f730f7482032f97a274d2af1f9

SHA1
c5ae7921c24d974601ba0b88d489cb7aced0d735

SHA256
31df75c2fdbd945f290704c294633db6a18e9e5bcecc9547bf483d407a776be7

SHA512
5e4a103df23652871ae564fd93395fcfc74a7be419ec3e4d8e78e71880eb0565999746b9bde54ba512a8fed10aa1b1b95461c71519bfa126c98cfd2872cc6a85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
597fae51f67cc49d4eeb4de01af4a6fb

SHA1
80f19c6c0b09597039f134c3d6f7d8abeccd9324

SHA256
c59619ee5f5c41474171e7bef7cc84051a0e8b8445d44ae11b15cf14bdeb55a1

SHA512
f222ac8c0e99d2ff31f4e344fb658226aa76935945b704f10b91be10a0893d987efccfc2775fb2edeba2070bd5c263d3bc38bf728255ccc543749cfe7dafb746

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.5MB

MD5
55b50b70329c271ce93129b7e8af22f0

SHA1
1ea72fb202cc2d57f038958ce1bf9e555740869a

SHA256
5b8a029ba3571670ec0cd9396ffcc470aae63cdf0a06d5f5024eb2acca29537a

SHA512
bf85c3a81aff0a58086edbf88fb102a09ba3eb719c36b21a4812cbe322da25d22a5ae2743c4f88742122882ed13e023539d37040603572661465df0d14512df7

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
d6d66231333b1bdf1663fcdff5029e59

SHA1
2ebe99650501e0d07891863db2afb470506e2536

SHA256
0fbc83f1d89f3d22eecf5b0e5476e18d14650dd0e088672e2b55229b29ff1b0b

SHA512
932551e533adc13a160732fcf4556460593285275f5c274c243fc01233cbf5bb2e9f18001aca1bd9355733ecc26bb20aa7222a42b6588c817dda011a6f389faf

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
1176903a2ef376c8bf0b6c73fd085450

SHA1
0f0c3a94ed4880f2f707b6e2e0b29bad865708b9

SHA256
3182f12cd2b7c131b70e681fe868d162799870b29a62c8508933522e3cde8015

SHA512
b564eb8a1b38c8da0b0977d8ff4ce35efca74c3461261a29254bf7289351f45a88550d855a956defac249d511e0cb256faaa5ec4c93a4320e2d6785fe4eea83b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
2f2ffddbdc2c21655c69f6db3ae29fe2

SHA1
bfaa4fc82add80f0b316f5e9523f18bd5c464f47

SHA256
ec6b2c52ad1675678cf7f9f127aef25dd0a41e4230bd7313ae202d9c8b776386

SHA512
9efb8493d1970003bd2e28a5e86325f3b7c712f684529c8a28f8a14a88670fdfe042ee7b1e5a1d22d5030bfc0d0fbad496d5d83524fea52add74dbf476836fcf

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d5dfb601c249f37d64821828131f8f05

SHA1
e1bef0a4a98860eadf56338d29f3222cb93400df

SHA256
332e4bad0af241584aba2c26575ab66ce5a1e3640ab56656759fa53aa8f88691

SHA512
c3a6a8465582c4ec28b155d84e9ad1344f68985b27afc3fc46d58ce017e194a50f805021edc430e041b8c58d6c87476fd82e118cc7cfa524e1dfbb0b11e221d5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.6MB

MD5
2f4f0c638cfa458742d928d77c8f5e59

SHA1
0807bf3d7091d9ccc53ec9a0599013fadb64c007

SHA256
65fb7f47fefe297248d3fb577c91101b9900783bf344008f7966bb14426352f7

SHA512
ee197f0a6eefca070c7cb671d9ebb758f7b04d281d97e288eb84ec933c4fd9a173cbdb154771a8d349d771758fd01ea9860bf54ff796ea40e3f0a6fba8fde621

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ca2046e9d0bc2a3fdbce2383bc785771

SHA1
00df31a2bec1e01b6e2bc90fdc52a1bbe3711281

SHA256
5ab1521cc8ec716765d0254bd5be1d4705551483add5d56605b32350d99242b3

SHA512
95f61349e9214c96c3c8244acf36b8105b85c9c0a21a83d8239d7bf6930aa801ca735d6f602adf1a95c46fcc6cdb5b5e5a95142eb345c8deb4e06cd542df9be5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
32a5552e7cbbd68023f81b8848f373ef

SHA1
a519db592c0088478f707419c61d14b4ce4ce818

SHA256
ce63157fda12bf0445909a9edd9813ea15e90e72fd1f3cc10267b40ae88fc356

SHA512
5c039cb2f9ba549cd077623a5ef6b5b697e6b39395523db62067ae5d0cb605d98e2ccccdc3c510f7fd346190edab13220024d8f198e9bf2fd69a73d5a2e8b7e1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
78d1810d9b71ba539d79c461e9992946

SHA1
120e24379eec8d9e52db4b56fa6f5d8ba364dc5e

SHA256
3373aa21cff509cb548c249f9a29dba6f9203bab1c4ac24f910c5d98089b4c0a

SHA512
a45bf270e977d7f2abbf842f585ad3f6e3bcaf432da36b69bcdf76ab531367a8c9575e3f77c7b6e42e25d5bd0934bb4978d74a7a546d89700d6f0d41b990b1b1

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
cec06923804b22818bc4b1cc64d493c6

SHA1
af99c4d16679f718d46085a7c87df75fbe8cc376

SHA256
c771a3a238945956f377eed8c55a88d893320c23a5078091a65e50deea522c8b

SHA512
e7e0cf409b6ad779672f97f24a518aa9a2f116010f7c4b77c73908b593eff15ef7c7b920e460421b213c9f6c849ce955a0b283648ad0b4cfdba4e7cd85fa05e3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9d52025d0ee31b0c300547446ecb994d

SHA1
33a92f59b30777b5f446191f2b8ac0554514ee10

SHA256
c1fc3d43bce3ef1a397a47af30c9dbdd93573338d5c40d11d24866ffc55f3a9e

SHA512
6c7e12e7470c3357a386f9119c1446f7945dd475fb0ae2e3775e2533c4afd9d2e12e68306f0f357859e4c4c2aa5237a60d8fc79d57fb9b3aa90214c35a9eec04

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
351f0978340c9ca67e744c81f5e698ce

SHA1
826e9d563a0c93038f4d2b2a5e74e926f564169e

SHA256
ae26bfd5708ffd2b2a190e1ac500887bdf77dee0c836a776c4eb45b5e39c858a

SHA512
41de365d211f9f7259ea71ac979f6d0d56f47cb002941984db5e6e4f4c8d895743c4ab6f890c7b2528c89417ac92badf0cc4d251873d350ee7955df379304382

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
da7af8ed409b1db0be72edcc15f7e778

SHA1
8ddd529b42b850562e8bc5e03e395614b304859e

SHA256
308bae6d2d245ac2d5df9676c3968cfe84dbabfc975559b60432c694641cb086

SHA512
541d9a41c317adeccc9f11cae48fbd95fd0291d5c452e8f013860222326477458b85cfc054d5429a71e6ab314f86257c3e4a3f4f13f9b27d38f412dcc551e171

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
473ecae1c731583e19f7d09412d66f05

SHA1
c79f42cdf526af6e96ebdf6d30f9f6c026b4a211

SHA256
755a2550d96455568a08e331fd897808da06bfb992a5947556ba8d4f267d2923

SHA512
1256add3cca5403e3ad3c2540916dfc8c66985c2269f58acebc637c500b75b13ce4f63f7650850a7d61defa2ee784c378b6c30671fba1ffd55ea227ef0708a0b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ba692665cbf8388ca5b63b04673cecaf

SHA1
930ec162a9f27252e38e9b8d676b1536291fe7bf

SHA256
7344cd2233556e834f066c84f6ef19d7e4cca30cd26fdf28bf96ba7088787ba3

SHA512
bf864d1559a3a66a6605c17eab06961011ab1a0c27c560d98e9c7bf7291690bcb14ca770cff288a66449e5c9d0d707a2654bbd9379752976010e5394dca59e6d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.6MB

MD5
a261221254885b1903a5a17ade040db2

SHA1
a6d103aad9604fce26ef2a6b920d044e9494170a

SHA256
283d69788292d6ae46ed8db4dede08dbc489410cb4265b9bd72011f39a1f603b

SHA512
ec7c999a221a197b37f9bc40f34289729aa1f74bbfcc3c001c23f846966a91e385df6ae2a4db67555cfb30601826fec8a32ec1f9d76c4713880e041b25b65c17

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
5e7b4cacad1130a9a8c147340de0b91a

SHA1
97fdf5a0fa8d80c363f8e68afdeed2ee6300d71c

SHA256
130ff5666bc807e017958a9f914ea160f999f6aea23a6aafaf858c881a316b14

SHA512
1a701320ff4d056acb33c6a9722c0b27618a4ce58dad9569c47e7e8f22095ef1f7ae4414cb1061593ce58fd9e9443c1321f976113a3a8da810d2b90921d0fa07

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
e8450b30202f158f90de6a58977ee96b

SHA1
e2ee5e8cb9d1474cae4e3d1bda698dc50df30d4c

SHA256
182cec6eb2edea082cd320f32668b35460ae2a6aa99c3401a1d86168b88bd5e0

SHA512
6169c2b57b9c6ae30d10cd7ff9365bce7c739043a2c46a8035f0087777e38ed8a81970a5987b40ebcec7422ee220b38f038e4b58fc9a409b3ade3694582e5d01

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ac19433e67c90ebe723a598a5e06fd66

SHA1
33799a2740d4ba1d68c16adffb5fb4944abd95a1

SHA256
04ba28a18eae64f205ce36261cd2fbcfce6d5d3b967b71250a6b4d06c7e80c61

SHA512
3b9e68b3289adfc79d1b3fb77094046ba87068fda090bbd181867757895ac2b5f44b31cc6e3e3ef764f14df12ddb8bcd6e38e6f2f90f3ffad1b7be9e8f53f68c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
6217a4c1443c8a6dab7e7e1cd618ceaa

SHA1
94c0a31b59fb2989221223241813bb9ce68f9518

SHA256
bef70af5667de90c3a6550877a67c7eae16332e1e687d43aec721f4fb55447e3

SHA512
23d64cb57ff5e4acaedea4965f011781d38cccc975d206c8d33ba347030e0db10787812c34e8dead92811fae4862f65613b6b313084c81d1a60a2a5347fc1d06

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
68fa351eeddb167434a8b7dc1c3f4ce5

SHA1
adf42b214e14c08a0a096990d3355195736a672e

SHA256
95733411ab31364a6f863ce56fc347b06235803c960d4ba56886c27f244a29b5

SHA512
a382e4e06e9ce29f3d6ef2bd13c81b55b4a7811c7fa553d236fcf6de36feec970f2235e39ffc58e0c3cc75433ff5b3e91994d495c12f66cb019e222d978b8c0f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
5cc91bc135d1cb82f148144c4ef5214f

SHA1
bde5623adbfc43b591810f6761f0bacca202e9b7

SHA256
9f486d2e0afa42d534c307f6caf75bdbd3802cdd8931c3439b6de23ad176328b

SHA512
6fdab387c8a047818a690c5bf1f64f10c6420a5535dbc202312b0c798b2cf65fd3a420640b38f04c2b614873190f68e0b05176a069374b8126451102cad53eea

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.8MB

MD5
53e7329a1ad8dcf85f91480a20fbdf9a

SHA1
7f05ba15970b97da41d1049d3bc029ba26e24062

SHA256
7a1bc743c5d318ea81124314a581a5c3962cdd6745e3e8f3df8f4a49446d85e5

SHA512
719c8d376aaecac51d31b1ed44ef68db58e01c96ab32933168f5a68ef87a2ea96a332939628923a22d9ff8598953f751b097d62b5cfd5ef75f54a3bc299eca39

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
60da16dd5e3c5b13f4d6f7e287e8b31f

SHA1
31962867a21da65f6f3c769a3b226172493d6c86

SHA256
a93a943d09198d4d36618256c601687f6a68be3a9cafaac843ec20646e23e838

SHA512
b8c05e82f429a9a43e40fd689aba48470a92d39033a40e41c5d3cb7212a20fe84fc0536560b3ecf64fa79bb64855f253c68d5dfc67308827353330b8ee475cd0

Download Submit
memory/8-141-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/8-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/8-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/8-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/816-339-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/816-117-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/972-467-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/972-166-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1132-95-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/1132-85-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1132-157-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1132-89-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/1260-38-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1260-120-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1260-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1260-32-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1344-169-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1344-468-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1452-115-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1452-427-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1800-158-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1800-465-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1848-111-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/2316-142-0x0000000140000000-0x00000001401EB000-memory.dmp

Filesize
1.9MB

Download
memory/2316-460-0x0000000140000000-0x00000001401EB000-memory.dmp

Filesize
1.9MB

Download
memory/2364-145-0x0000000140000000-0x00000001401CB000-memory.dmp

Filesize
1.8MB

Download
memory/2364-461-0x0000000140000000-0x00000001401CB000-memory.dmp

Filesize
1.8MB

Download
memory/2936-66-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2936-56-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2936-55-0x0000000140000000-0x00000001401B8000-memory.dmp

Filesize
1.7MB

Download
memory/2936-68-0x0000000140000000-0x00000001401B8000-memory.dmp

Filesize
1.7MB

Download
memory/2936-62-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3144-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3144-149-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3696-148-0x0000000140000000-0x00000001401A2000-memory.dmp

Filesize
1.6MB

Download
memory/3696-70-0x0000000140000000-0x00000001401A2000-memory.dmp

Filesize
1.6MB

Download
memory/3884-16-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3884-25-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/3884-26-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3912-162-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3912-466-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4116-42-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4116-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4444-82-0x0000000140000000-0x00000001401B8000-memory.dmp

Filesize
1.7MB

Download
memory/4444-80-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4444-153-0x0000000140000000-0x00000001401B8000-memory.dmp

Filesize
1.7MB

Download
memory/4568-161-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/4568-105-0x0000000000890000-0x00000000008F6000-memory.dmp

Filesize
408KB

Download
memory/4568-100-0x0000000000890000-0x00000000008F6000-memory.dmp

Filesize
408KB

Download
memory/4568-99-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/4728-6-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4728-351-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/4728-10-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/4728-0-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4728-352-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4732-462-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4732-154-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4884-426-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4884-129-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5056-109-0x0000000140000000-0x0000000140193000-memory.dmp

Filesize
1.6MB

Download
memory/5056-14-0x0000000140000000-0x0000000140193000-memory.dmp

Filesize
1.6MB

Download