2da1d52c351d866bf5a469e6d93b52bfbe9e8cde17cd66c23513ef77a6dd05a4

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
Size

1.1MB
MD5

64effd6b61d2eb1edbad9a9730326de2
SHA1

77fda3100d65a32d73f3ef2c43bf0afe4429b0de
SHA256

2da1d52c351d866bf5a469e6d93b52bfbe9e8cde17cd66c23513ef77a6dd05a4
SHA512

e47e8cdf95f819fbde99e77ac5d49e1c502d7e857a1b77b6b5fa5c682c16d77b159d52bd9f806063f42eb8a2903fbd5f26e914b87abd1872a78bab7f73ddc675
SSDEEP

24576:fSi1SoCU5qJSr1eWPSCsP0MugC6eTVGEOqD5PGs2mru6HOOFlM2rFvrAt1:XS7PLjeTVGWD5/26u6uwvr5rE

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2152	alg.exe
400	DiagnosticsHub.StandardCollector.Service.exe
2096	fxssvc.exe
1908	elevation_service.exe
1572	elevation_service.exe
2740	maintenanceservice.exe
5032	msdtc.exe
1668	OSE.EXE
4040	PerceptionSimulationService.exe
2880	perfhost.exe
2308	locator.exe
2276	SensorDataService.exe
2804	snmptrap.exe
1924	spectrum.exe
3656	ssh-agent.exe
2100	TieringEngineService.exe
3412	AgentService.exe
3316	vds.exe
5096	vssvc.exe
952	wbengine.exe
452	WmiApSrv.exe
3268	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9bdca3704ba38143.bin	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022666fbef4c2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b41af6c2f4c2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000776380c3f4c2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000819f6abef4c2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000805ccfc0f4c2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022b404c0f4c2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
400	DiagnosticsHub.StandardCollector.Service.exe
400	DiagnosticsHub.StandardCollector.Service.exe
400	DiagnosticsHub.StandardCollector.Service.exe
400	DiagnosticsHub.StandardCollector.Service.exe
400	DiagnosticsHub.StandardCollector.Service.exe
400	DiagnosticsHub.StandardCollector.Service.exe
400	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	508	2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
Token: SeAuditPrivilege	2096	fxssvc.exe
Token: SeRestorePrivilege	2100	TieringEngineService.exe
Token: SeManageVolumePrivilege	2100	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3412	AgentService.exe
Token: SeBackupPrivilege	5096	vssvc.exe
Token: SeRestorePrivilege	5096	vssvc.exe
Token: SeAuditPrivilege	5096	vssvc.exe
Token: SeBackupPrivilege	952	wbengine.exe
Token: SeRestorePrivilege	952	wbengine.exe
Token: SeSecurityPrivilege	952	wbengine.exe
Token: 33	3268	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3268	SearchIndexer.exe
Token: SeDebugPrivilege	2152	alg.exe
Token: SeDebugPrivilege	2152	alg.exe
Token: SeDebugPrivilege	2152	alg.exe
Token: SeDebugPrivilege	400	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3268 wrote to memory of 5180	3268	SearchIndexer.exe	117
PID 3268 wrote to memory of 5180	3268	SearchIndexer.exe	117
PID 3268 wrote to memory of 5204	3268	SearchIndexer.exe	118
PID 3268 wrote to memory of 5204	3268	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-20_64effd6b61d2eb1edbad9a9730326de2_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:508

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4888

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1908

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1572

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2740

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5032

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1668

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4040

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2880

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2308

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2276

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2804

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1924

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2796

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3412

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3316

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:452

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3268
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5180
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
eb8394ac12eaf21c1b9969488b1da6b2

SHA1
d943820071fa3b2a59ac3c8104d287d4484b4eda

SHA256
094c8a7e0d24e30747826386b239bc3f886b35d0fb6d7e1622d14bdf53df2354

SHA512
f13655ac1cfa77707e6579e822610d98c93162a90544f1004459dd088d14c949a96951f14550c6deb11b21b54de11ab2ecd5714c8910401b4acc92d377c59bf0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
3e098e27dc8491fb0c0d62a857137e03

SHA1
3a65c5e0a18c8e2189b8b48f283e59b813ebc769

SHA256
4f4d423baaef3ecbaa3a51e2135ef854361466fb21c6dfa4fdb99491f500f322

SHA512
0ad6153429d8961fe79bdab915057bc604b6500a21681985237737bd5dfdb2cc42559fcd488487a37f3e7be22059ab929210507023573474ae485cfd8fb90de2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
2bf52255d132bb4842caf32df61063ef

SHA1
c29b8eeb4aa8a0f1653948039fd5629c64ceafb1

SHA256
5ff8540cd3ace1df4d5e8a367b3124aa90e6ae0e1e0f34cf0009d6a4d8a436fb

SHA512
422174f98dcc221a5624e2c85059636ea0a24b12fc93c7d4529c1d932dd7bd1664fdad7b205c73e85864829cf077cf8e0ad565a82ab435d6c43f50845116b9be

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
06ecd2d983d6bd08d4eb187ff911b58a

SHA1
a0d4401d126b4a02ca950724986c15e5e3d361a2

SHA256
b449b2d11098aec327632746d3a68bab79359d26de1bd900415e790e1f0de4b4

SHA512
826eb83f71ea245655f73952404c1fdb4eddda34705f22bb83bd20bdabc831289aa1d4da8c97f9f7b73b7cfb52334e06af55f150f60fe12d06f34d29ac96c89f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
244bb9e4070a0e94085c0b2dc1a19807

SHA1
f2745dd6e82a14ae75a5cfcbf707209f31eb57c0

SHA256
05977d345a9dfa5f344fa85841cf17d5d14e64883af8250d3016ef23cbff967f

SHA512
64da6e3a6facf9c774aeabd46015f135dc73280e75156b8b3a267814a8e9787d75632c47a757d9054987bb512f528a64d67e1c05240bbb6abe4a891301729420

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
4f86b802b0f13129d8d18b80540ac30b

SHA1
2d1059fbde0bb394fff115152abdf7810f34e972

SHA256
bb77d1d8566c7167dfa4a0465400cb8de0258872d2b6960bcdb55d0acd5f94bf

SHA512
71e332ace856b822b3d6bf549f666ac2bc75b47e91aa567dee088bb7b2d74cd6a8b5c64a5529c590ff2cf87d839271ab9d3f36409f047dd132a155bd2ebfbe26

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.8MB

MD5
e97ef65876e643dc3e00268391423715

SHA1
6f573fc12b74724c2911ffa57d450165ebc5abfa

SHA256
18c8d6bdff54c9b1a9723f73c432848bd768e5b7518e52029c41fc449a2137b8

SHA512
a17154692a686a26ec6f66545077cb1edc54c5364afc062da0871b63911c0726f09718e620b9cfa11d3ff9ee6262a83d3d4f32fa6cd800a22089f41630a0c5eb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
6624577d3c06fa494168120b0c089e90

SHA1
4c2e7817914c90b959c37dfc3a5fcaba37fc4682

SHA256
085b696ebb98dea50f01d3d6a489d9fba9a94494e2587e0f12d285e1d2437d35

SHA512
7d01b5d1a56b33e695aa0616e6d35b3f949e8ead2f6b6634fc82b039017832c39c47c23d42af4746208ef00232bea83d0400024f1a20251e7d37a78e1ce3ec5b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
557e1c78bbb366a5517de90079d23990

SHA1
51953651124ca9c6cff6c9ddcf8d2673e3ec3e04

SHA256
1bdb3d4c5545b01137fddc2f374c85a0a3ee56345530898018587917d61d293c

SHA512
bd303fc9a88d9dcbceaccbbc0e4d2c44f178260c69f0a50294ef0620421c5a967ddc7e684f7b301c6ca38776621953e1fb85c3672d2a0185d108ba7bc10cb251

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
38e83b1e677558258d83faf0297cd0fa

SHA1
0cbd47a8e86abeb57462c5863fa676b95e93da1c

SHA256
8736fcbecac102ffd9170117b6b5134b220e0cf137faa63d2fb4adc6a5e4994f

SHA512
8bd94ccea65460a67ac91671b393b8e978f4c39482115e4e42b98172dfb33692026ee2644c272eaa01527251fd1843e7cb58bc11aba2885d8c71cc93b81bd852

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
4a637a0aa05dc33ebcdecf284a31cf8d

SHA1
e2882eac0ddcdb6dffe70d23ea767024d29a09e5

SHA256
552997aa4578f6dcfbbb465402d55523bf1607a3a58fb229c4ab407edf09126c

SHA512
dc7411280d9b2142d96e7c93f8937f162b8d9bd73cf49ed94480385b9410997d519d4085aaa77ad0811eb12850c92138fb57bc32a954b3e6f16ead3fcedbbc81

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b9fbd34909427496e3f95be849edbd84

SHA1
0f7806744cdf0cb1b0df816fbaa5ba34bff7b855

SHA256
a003a1ff792fc9d42c83e68d7a999120b45780c43a8748598b160280c4bb19f8

SHA512
3c9127042ffb86260b6d17ebe3bda6cd027902cde1b596c26aa8a3ca3528e9ef39975745f857f9ceeeba1fd64db882e442ce5c4ee3d9b18f5e6e12b4187f885a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
b581886d03cbf75db895d0421146cbac

SHA1
05ca63cfd5964882b5b99b26e3beecb9d28b054b

SHA256
a3540d529474204513d819f9c5b91127eda849ab4a01ba6101ff16ffeca3eef9

SHA512
f54ef5b90a9d5379163656cf05bec263e820355b13bc9f06717162b809f6a8b0a81bd49e02b757a095d1fb5b13f67c79a755f61cdeea52de28069a4f5134e6bd

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.6MB

MD5
343df0f5b1179a0a6ca0c46bd6a3a8e0

SHA1
98f2f4699cbfdcb18a0c31677c424944e66c4022

SHA256
d278ee8c0c58427121d1e6e257439e90930f14f85ee3b60c5d6618a6ffeb84fd

SHA512
2008a2feeb0b1b560d6070a26e2630615c83bf223486f391c5205c2bfe9e9e2af8f21a5ecd2101d0bb7205fff635706fc44eff2ce427e647fac6fee728a69265

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
b4d30004d0d9255f54e3813a6f149208

SHA1
0a499caa06d9c58062bc9f0e163faca9207dbc94

SHA256
6b0c27da57ed4894a0db679fd7db5e7ded2f818bb1c9faac9543df2fa047ab27

SHA512
1689c3fc8dff19c5b924691d5dad755ce5aecc324b6593bbbbc7efebf4921db7eb18f88bd39f34e4820e5d4828fcebc9bba412f52baf0ffe9e23cfa554f1fe6f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
2a6532f60576ceb357f3263f4f6295be

SHA1
e7cc2e6e197b550bc59f83044247c3fc9ff3401d

SHA256
8085975679be87905c3871dfd50e44ce7ad1e6b33554b9f9723abf5e75257361

SHA512
a62b0d6f11c6cd3aa65ab65304562bf88a6686506a1949752376c574c5cf2ea1c17449788f3a790ae3d15369106b4f3485248acfe3b8fe9f402217dc6611fd86

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
9336d2bb4f3485ef1b621f2f826dbf59

SHA1
12cdf5b732bc5205ddd5b73ee58fd1978aafadff

SHA256
97e5644a2b6b1d14ffd96a87daefcfdbadd1c70a3eb3036a2dca176a20f22aab

SHA512
6c2cfb879e66530bc4cff2486ad313e3cf61037fd92edec2cfdc9547b48949488fc9cd3715327a5c7a26ac412443b9dc8df40f8b8c2a70bbeb51bd81c8438018

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
0e8c0cf95c5dc07580c2cf0ca3caee80

SHA1
e8ce528ba11d3d902e5b386b460801ecef5c932e

SHA256
2faa68c28949df96f4738be23d75465bee1cba7f7df5d6b99334bef5b4565261

SHA512
1e34e8b2ecb380a4e8338bbd1d535e0675546712852d0f73e27bb8e4e836b5099537e02ca319a60a7c26c6ecc0ebf7ae7081a7f33343de515579be22a548dd39

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
facd1c80f1fc09a9942a5f605db1fd99

SHA1
f182384e7ab5ec6cbfcf6704d6f6b87962904fca

SHA256
20d4b6877f4062de655445721e65f6fa272dad6f3d199da6c016332f2b39afa9

SHA512
a15afd378b40a556bc5c64881c9ac5506dccac80ed45adee35d726a527454ebaa8a7e34277a914fa76505614471f3be5f9d095083e97fd54fb584391e6acb9b2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
dd44ddb4c9c60145b5fa5041b057dff3

SHA1
af729c1bb8426736c52e32bf9b9c5cdf69269f58

SHA256
eb47e7a943ea3c2dee6fd10c3be084ff46ce6bf05ce08ce4d7cb879244249f28

SHA512
4352f7e352ccd0e224d64a03b81a7d162f9d66b74dfac3c41df8b2fac4e25ff2692a93ec1b69575262683532d990f968b2a481c1fc1937d2d3cea823e8feb4ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.5MB

MD5
4f301a8706ed215df7655e2c43cbeec7

SHA1
0f1ccd861b1906ba0c8b121db904ed191cf12bdf

SHA256
43b77b3630cea213c506f63c7fd37bf20d8c61bdcab70d405b2334f1805e6d29

SHA512
7109310015b68a1734122ec80848b28ebcd627b01e9ba8972a11ecee46c1208d4c0c7becf5d193d22026f7eb23f7506d91425c082e21ebc0bc13222faca50e5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.5MB

MD5
8736bd62dbc5e98cf96ea3c53be64528

SHA1
6e7ac4005e5e5dac116d2168eba7bdfc66096177

SHA256
fa795171a26f00b833412eca4926acd2ce5a369537d66f49686e8ff2490cd48b

SHA512
cc2e723893353be6b70ff222869b1816407e9003d1e12ca598909cc453b06346de2a6cc402f622fd4423fd166b90504fe57110a64f2bd63a33798ddeb304c992

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.5MB

MD5
5ec201dbf58de4d87163d661cf89d20b

SHA1
e1661e6ae9bf197557053d16af34d9878bc2d0ca

SHA256
b0df295e963ccac080aca61a33b55fb895130c71733ace7221764f18838d5f6d

SHA512
32b395dd4683fe2c7a867ff18244fc69682f9ce805961cd96f4fa935529f223ddf37c9c9332951080370e9b5774d969488cd85944ca6af9affd9361e035e1e7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
83ba9d5312df4cc932829df4c108fce9

SHA1
27d3c06aa178861eeee2b78c9414f2effccd334e

SHA256
5bcf7b54ca299e675535f5c76e982352306aeb2b1d1ed2c054d5342cf47ab7a1

SHA512
23fb7932213bf4cd3476da04f3aebe7bc3f73e2a6fbaefe5b58d0199f0738b4ab5cbd37ff00887841bc7803569987cbaaa523bb67c94775cb6bf106723a202dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.5MB

MD5
bb2be56270f55c3f27cf06a138cd68c7

SHA1
d0a28e5bfc589f66c70baed5ff02a31a7c616c29

SHA256
36e11d08c1f111c24cd16d4bde622cef42595ed52460c49c8c4b382e00f8ac99

SHA512
d89e665e89695e3b8baaac5394ec924462bbff25cbc112ff115b7694f3033ae2de7a59045b121d9cccee8eba0a7fa82dae06a0e660c7e0ee855896c1e15f63c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.5MB

MD5
ab8d49b42a11d0e1b7be0fd89022a1ee

SHA1
9db1b42052e30f628abbef0bb2e62b3ad66b8b99

SHA256
a2f50493c14ad8634cdb4e6172b5376fce3e38e2b78937d0895f5ffae3a022b6

SHA512
456e304da4b3540e46091f71f9cc20a0275499ec70928e92dd1efef3daf85c04dfc091f630c672bee466c388bc73efbbdf71048157be61248b554672b99b18d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.5MB

MD5
e9e3db7b6111f43ab285de3749bdfc62

SHA1
b5310a4dcbc48ee8e81f3f44b7df40f0b5f2d61f

SHA256
3caeb5bdf2938c8066073ec029bcc653d41575abceb5befb34cceab5ef0cef90

SHA512
2859c52b6c14cc324beee113ec2bdd8fac9989fbf23df51f5a1d804dddf007014ca100d704b606c3115d8342bb9a7c113942d8e549de888cace818b1ab07e829

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.8MB

MD5
aaa3948f5c131e3c273d2f7f4b34fc42

SHA1
828c990066a341f647d4881fef418bd5f121b266

SHA256
917346453460237f818681bd912fdd4fccbd754ae6b1d6483cf7c74cde4f16a0

SHA512
98c9d477e1d41d1c8a24ae7ad47c2355d05db52431a6767967f9adfc7e52831e53d74a62987f5b6bb5ab6e9c081fc819d3a21e0c1afc844d0261b2aac2208763

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.5MB

MD5
ab46fcd8dc19226ef82c8fb18f462f0a

SHA1
096efd921d7c346cf24431a5b0ef49777ac9566c

SHA256
79a200893121de572d3c298f76ca6aa08a24fb428a7db8ea1d4a67fa2afa6425

SHA512
8387d171bd201238d09bfe5fd9393496119039a44a92daf8c50294357b9e17f34a66ccb8218d118763540230fa0ebebd62d56409449877f94944120e47554864

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.5MB

MD5
2b499b1ce3c1b44d6823ed565a9bfd7e

SHA1
93280a0dcfa3229e47f2d642c6316419e8bb6cf9

SHA256
46d20639fc875e9e87e06d8ac7d9505bd4d980a3cc1363bb7d8da830485d9793

SHA512
1dc8afb92df0e1bcfb7213247945afc8b0977447d956eacac5c45c915a5bd77ad336776546d5e76d1d4c84c07271a11d61a4de43818ed8c0105579bbdad18783

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
27872ea0702142a7bc0f0fedb80fbc4d

SHA1
273c9435d90370d2dbbc02f0c5b69b612dd375e0

SHA256
435bd2a05e13f0b7f175355f4e8f361fc37821b159b244b8bf1d389bf8c42b71

SHA512
a1eae3d51cfb05843b32f5902c879ccadf244dbcf10f733b5288bd23c22971ecd8dfaa9ff42ee271280b99bb64d873e6a49330cb3e47052f81a7e1855ecbcf2b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.5MB

MD5
959391fc1603620dddff8db59a1c4026

SHA1
95325ed99a2604246fb17bf830e3c3863575f3b4

SHA256
be032a2739846db094d11ff04149ba9c2c6f5a72ac1846085f7b4f2f0dc2802c

SHA512
becb7799bef184b437f3b7a691ac8667b9c98c4ed515aec3f7a5abad87a5e3ea21e3a4cedb471f4cdd87c8d633b430b0a10c7c6f3ac26aa4fa5e8669b186d8fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.5MB

MD5
db92ce2d3cfbb0319964ae186d1d968a

SHA1
7e291120d26a6b352666c34d271fe5c818d9e9cb

SHA256
5b9d7787316a90873f9693bc622788acab391e21d828f7b0471c727158d17c3c

SHA512
9d9f33e6b60ce50c8de6e6f164898391ab5f945e8b455beae456778622ac2a1baf7d2fb054fc4a06339e177207f012759768efcfd008f4eabe78ff7dbe86eb0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
112b43edd77977cdbf28e0388fe1bda6

SHA1
5fc6d421ac5327127282d007f01f15e085b51660

SHA256
aa6d1e9fc0a1890cde823ebf359946949179cfc54ea217aedf3ccda7cac884c6

SHA512
74b7ae909e50af2e74ac0a44a72ebfac371a3f5da7e198553ec0f59971f83527e68a3563c1f7da937251a12d9267ae8f2074114247df856d7d481d81d37cad40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.8MB

MD5
dee9586607e225bcae9e2dbda374e901

SHA1
2fda812f13a386dbeef12f17ccf56663eebbd1e7

SHA256
59ba46b02a5b2bc961cbe7699560f943445b60493c8954ae7c6079eb1dde2c65

SHA512
03a23302126a7fe356da8153612def016b71fa9021764ff7c68b46cb726c201ca00d0fe900ba45c9ca0fa7f80fe45f37136345db317301b86c8643bbc33238c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
0d8fd289001fbc97e045962a6bc317b5

SHA1
d4fac0b49269c952c3c3ce08291bb2efcf2b5ed3

SHA256
479a14490a8bc72a0d84bd85ce0f35e4d788ee32ae3c027b66541adad0251ac0

SHA512
948c16f52109be48baf56eb200f7456a7d1b5900b9274d48a1bbba4fd470886b3f936c157d949b6c70c40edbe5ce0d06eafc0e512050c5d40d0e8c9e5e134e6d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
32b30004d8ab9d231258578eed9fb6a7

SHA1
73c6f073e0ab3a141a41e59dcfc8fc1fbaf4bf13

SHA256
ba3562eee5ceb22f83174c916e5b45ff97cb4e7857aeb940683d2a956b8a9c18

SHA512
6ff13cd75d953bdd261b0ac58bb3adb149c23d1e2dc196342ae86ecf830348728e43757c5e488afe912a274618b34f036e7a82f536e62188fb3300bcaef056c1

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
183283a2751fbdbe3f6050e255962240

SHA1
8ffc2abe8fc3d9a92d5cc7d93d211b63fe77d56f

SHA256
cd9cab3dc546a7c7c57431074cdfbd45a70f41724cc73aec94334215a6cf0ebc

SHA512
2a08546680cd21fa46d23e9b43eff6521a2355f1d4dbd301b685a04a48ebdb3962e9c9e3931c17c060ba6ee509492a7f8cf74f8d7ce403db93f1da732c1e751f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
8c760fc070f60fc31e6363a733007ea3

SHA1
256a4aa04fb03e9e198b8f63c2b4f091aa3a284e

SHA256
cbe561f81842b8acca491b75ebd8e9fba8ca59e70f7c6958990fd5a4a1a300d2

SHA512
9bf80d0afdf4bde7434cda6bbcda391464eaad4babc4516357654f3a3940a12a3671775b0fae1ef4bd4a71f9d53859ae40937ea4ced062f9cc1a9d1652af6ded

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
16abcfe1fef6529cd9bc7ca7fdc74330

SHA1
ae57d0ac805933a3c6a7aec68b896b36be1811cd

SHA256
2712f0493f8a3cc9e229ef36f455528332befe2c10e10fa826d0c81d0a8c22fc

SHA512
c5c34d2f22124d4d3f682022c5217015b1a88adb432016fa9854fd2fb053dacbfb7179d67f6e183d11e35fe9167847131cccbdae0655c54819d7693d21a7e863

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.6MB

MD5
a0d0df68a83dae0dfa7a43a050f0703e

SHA1
0906a3b5648d227ce381ee48d091f4d3f394286e

SHA256
57e3a67a84122b8f7f60a94c79431c73738c12c097781255e222e3d7c44ba39e

SHA512
09c3fa4909c586432c5684e3b7282902ff21d3abe2b383aeb34d7e0701da9bd443927a3e4026bb13a5534b656008391131136ee2377194f33ccd6cdc44350c6c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e97891555db50d74de5874fcc1000a15

SHA1
ccad929b883b465af7acf695c6e44c7cb8145f6c

SHA256
156772ff4d87693a24a80e096fb2e112753786f90ff01c4657526890d99b5256

SHA512
8c2c356550177e50768b3d52eebac48f10e4c2992cd1e8ead1ffa626e30916ee7f7d1012af6b3c3b811e4497b21e6d2470cfc222c058d20c3bdd811d67abec0e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
76c12ecdda1c1706991250fb458a9099

SHA1
9f52be481a6ac1c93e0fa580ed8e93383791a879

SHA256
15cc210bca5b5807a9109827900cd95e09027dd6c4f0a613372f67aa1af7e67a

SHA512
56be137e9053f676dfb1196b04e62015566c2a8213c62d21b9c188d4db68f9259ca15b602ee9f01f1d1d14013801d23acf08967fb31859564ed6d773114bdd51

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.9MB

MD5
c5576799fa9c68c38fb606f6668c092b

SHA1
01339c0fde9e7b6eeb1b5ab8c2e4be09e4684077

SHA256
6129c437620107afee8c9a2dec7c4d911940a8e2b8075b767a2e853711056f46

SHA512
c6f0e8d0b6a09947c3a395cde59b89c1afc1b41baac7b0d413d4f01decb3f77b4cac8b3434cbf5ab7c8c068c698281c6521f703114757ad1bc41f0696d5f7eac

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
7dbf6bf6a0973eb0a6f5c148768701e4

SHA1
6080961b3ab6ca6a5e2d02451496f3d159e8ea9c

SHA256
f2b2843e59b249f5dc75027a88ffdd75a308caec59689942cb5f8607da8ad732

SHA512
1fe5e2fc6abb8520ff4003fb1122ee23fbac5190f06431ef5c099f91c5f04130972a4a864a915e0cbd524e056b5ba84323d53eb9ebd60cb0c095cbd60313973b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
82c1a86ae04838e319648240885379ff

SHA1
12c7a2f3d1eabcf2c7caa42a79e2d7092c83d376

SHA256
487cf7e465caeea2a79e8654214a16004fb50c5cd3c51a4930cfd72f5d9e5cd4

SHA512
65f195baabe183b063f7e8d2e2e24875916e52ae9c0b973b1ef16d345491e0702e7c4922d90ff3dc3065f1fc7d94a0f072e37cc90ac3014023ef50e3332c8b94

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
77c0014a4f77685b76d07e22ddb0d42a

SHA1
d1680fcfeced17ac309e7d7d2f4e201d33879f06

SHA256
3ae600cf4a26a6a5269bcc050eff3ffd0c5704fa05f538a3fe665aaca4d86844

SHA512
7dcf98f8055c27512df472bdae8aeb934aeeecd459d5b0d6a4df9798f5fe7a9b97911601e4bd81f8e8383301c9670c73d4e47a16b125c12b2449d9b3ca623c0a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c412bf50dfcfe509f941216fb17b8bb5

SHA1
c8d78a43752afe8b0f19d0811dbb3af2e6349128

SHA256
477ac774197b44f1b0c91d51a447151be400129a4445ef158d79c1e2a511e80c

SHA512
cabbca079160c1766dd8cb85f6b34044c019c758e53c39c2b78c11a4cc0b9c45da9c98921b9cdce21af1ec8c1dab68419be71660386ffaa1a747619a9a061eb5

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
f1a1d58d5cb3da803bda1e287e415a09

SHA1
eaed8207697b332d557983b568d17ac1d615f125

SHA256
40b460338258003c8b92541edff9bb3cd998783e5a4bb562b01e58f23af22372

SHA512
980d71813616e4b0ae6a2984de960b23a12ee41a78e626b3853eb83d83fb9633b3e7ad31ce641fe99c7060e4093853e3c390dd83a60ceac5573c2d5b47ed5c3f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2fbdd68c717bd9819c46d845b7a0ce22

SHA1
c12cf92aa3ed327f84654bf997cdefb47896f28e

SHA256
35d333727d5db7f70eda952f65e68564a31e2f360c25b3ce79795e63eee22006

SHA512
bd2114204f80d779fad1231bf9aa06a120be10de438c48e4ba01f4c0ef9abf3266e994e54736214be9bcba1751dfb80d667135d2f08b824e499edde219cd3814

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.6MB

MD5
f2d100c24c47f51752dd9d2879435c19

SHA1
f1d518b2f919936b7f8e4fd8e7f7773ac33d277d

SHA256
7f7043266c622bda555f9cc6653757d20eba37511d216de81e034a46c21f4402

SHA512
93653901dd9945058eada8cd1a4a52f9c8a7a38709ddaa07dc9eeea644c7e065e5b20603dddb475ee87ffdaf2576f7b0dcea06c5683fb833c848cae93d39dcdf

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
26fcde5af5305296f9f8b2d1e22d9129

SHA1
ccf8a419d3d813e21dc06ecf74a784059ca7a0b5

SHA256
425f32f43afc20afbad483ee5e7cdf1060cdacb9543b433a00e6061c17a848dc

SHA512
0add598a2c9d55182f5456e2d3dd7eee9c6dc5f5565a6356928786c9ba455c2dd7b9180bc1d9e8b6aae6854cd00e4e5ec966825321032cc0c427aea3f89a3408

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
194c3daa82b9ded343029748ef53dd50

SHA1
bddb637ee15edb1f11b8ce86aba84520fad0f8a1

SHA256
a83e96a5c7c4e9063715342f275d6dbb3945e717244950c6602a093f1d02ae65

SHA512
26e96a4438e8572e48dd56d7b1bd4e9c6b76b469660fa9bfba8473bba461c8b62b1f297e36e099ffc63cd27a47bf81029c14df4461ca4f84ef4f91b12820c0fa

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7081e4b8cc228700fcab9733c7fc293e

SHA1
6f355b40f8e0c8369dcbebe2915648343cd8ecef

SHA256
33a4de96f1c486bff0bc0ba3e7e1fd067bfbc5b93c17b9952d1ae4b30cf2549b

SHA512
a257c80286ec2aeae204f3fc205e96ca2e8e6022f81615ba0624474ac01366010062d084f33fc21d215ba493dea786eda9274a6793e36ac46e17b4eb6578ccf4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
bdddddb2d88c40685eedba413a5328cc

SHA1
6fee623b28a6ad44535c096551c2a5ed6a8b10c8

SHA256
1d6887fa31379a856b26a1413b4eaa875f4f84c1e5ed34e19afa2f221caebbcd

SHA512
c473b327f62ba6f4ea38869cfb40471cf955d4bea87b06c9056ad8a847838dce2c4ce1fca74904c66be020c521d4b90acb075eb0a13b222c05421efb7ccacdd3

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
cd4c9464e39b1f2ec4edc058df0a130a

SHA1
7698377afff24b0aa36cb4d1a10c486150504ff4

SHA256
70444ae73b6f4be8c8bcc07fa4955237185ee5c5f6e6c69bc487d5e1adcdf88e

SHA512
cbdfca986dcf5757d7f9efa12fb9d6683c0e1b80f84969737b7fab6aca94c55c131d71045f12b5f7cedbb4dbf785713bc4f8bc4c991fd84c23e5a3a393a20cce

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a34332abf205489f135fa3f70fdb3a1f

SHA1
680ac0fd14b667dfe9576e3196a06a95cc1f8e67

SHA256
646ff46bcc66926edc13ff49a7f571a8fb0db4256236166f9b4f6e84c74dd91e

SHA512
fde145f03af31f756cb87655bb17d6b33bab82ae627f09f2a48959ef2cc7b46f48acedeae0812ce37ea3d0484535ff123380568aaf87f0649ad4bb47a279c1ca

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.8MB

MD5
4cefa02193f1bc8320a3edccf961669c

SHA1
543bb36b42933905769f9fdac373c2a6ceb95f0d

SHA256
ef8164ebd41abf5c992d5fea8ee2e26931b287445d2d1c7a7fd2fa162a3536fd

SHA512
2ddd16cd10871f7928cf4943c825ee63a15c552f3c8c7ba7e11cd26a62fef661d9567945ebf5cc0de5ac6573ea2b6d83ae89ef6660fb8b8852da18603e2dfb44

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.6MB

MD5
5cba9bea756b9d0f5494b78a44968ddd

SHA1
ff11258fca31a346e3e28f1ae8ba1e1c89a90aa6

SHA256
11701e55dd89a4200f7a0c17c1881922fef8358bfdb2ae5bb3a7fdd104d53a3f

SHA512
eb6e0ed2ecfbbe0c38bf1d7b8df0af1c59ab17df6ee04736ac5e4cec57c8c8b03062d765dba1d49c9a6932f700ce704648d324f1b9093cf86925a3d24018b869

Download Submit
memory/400-34-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/400-28-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/400-129-0x0000000140000000-0x000000014019B000-memory.dmp

Filesize
1.6MB

Download
memory/400-27-0x0000000140000000-0x000000014019B000-memory.dmp

Filesize
1.6MB

Download
memory/452-653-0x0000000140000000-0x00000001401B8000-memory.dmp

Filesize
1.7MB

Download
memory/452-262-0x0000000140000000-0x00000001401B8000-memory.dmp

Filesize
1.7MB

Download
memory/508-75-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/508-349-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/508-9-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/508-8-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/508-0-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/508-352-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/952-251-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/952-652-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1572-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1572-180-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1572-64-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1572-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1668-114-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1668-217-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1908-50-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/1908-56-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/1908-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1908-167-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1924-547-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1924-176-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2096-39-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/2096-60-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/2096-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2096-47-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/2096-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2100-192-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2100-567-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2152-117-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/2152-21-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/2152-13-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2152-22-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2276-482-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2276-152-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2276-266-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2308-259-0x0000000140000000-0x0000000140187000-memory.dmp

Filesize
1.5MB

Download
memory/2308-139-0x0000000140000000-0x0000000140187000-memory.dmp

Filesize
1.5MB

Download
memory/2740-84-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/2740-87-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/2740-101-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/2740-76-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/2740-82-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/2804-490-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/2804-156-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/2880-131-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2880-250-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/3268-267-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3268-654-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3316-218-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3316-648-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3412-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3412-203-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3656-566-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3656-189-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/4040-229-0x0000000140000000-0x000000014019D000-memory.dmp

Filesize
1.6MB

Download
memory/4040-122-0x0000000140000000-0x000000014019D000-memory.dmp

Filesize
1.6MB

Download
memory/5032-100-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/5096-649-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5096-230-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download