59341d838ef5d8dbcd42ba3e5adfa11a30c280413a1dd57fa65f9ed9a7b15f93

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
Size

1.1MB
MD5

1f868d0ea8b60e1a21bd45a11bd33c2a
SHA1

ad0ae1ecbe42d8625eb4c9b3630dd0acad653075
SHA256

59341d838ef5d8dbcd42ba3e5adfa11a30c280413a1dd57fa65f9ed9a7b15f93
SHA512

a38660ce977d582d7b23696e7b54540c1089008cfe3c9381972aa87a7b1117428bde1bacb1b8f00cbf14540e4f7d556f93ceabf1e56891a88189cee5082803ea
SSDEEP

24576:ESi1SoCU5qJSr1eWPSCsP0MugC6eTMIZVGV0UUTsW2DnyyNaK+:MS7PLjeTMIZV+0nsW2Oyz+

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1100	alg.exe
2832	DiagnosticsHub.StandardCollector.Service.exe
4604	fxssvc.exe
4664	elevation_service.exe
2840	elevation_service.exe
5112	maintenanceservice.exe
5104	msdtc.exe
2760	OSE.EXE
4776	PerceptionSimulationService.exe
2884	perfhost.exe
4148	locator.exe
1112	SensorDataService.exe
1680	snmptrap.exe
3624	spectrum.exe
2900	ssh-agent.exe
1380	TieringEngineService.exe
2284	AgentService.exe
1972	vds.exe
2676	vssvc.exe
4556	wbengine.exe
4344	WmiApSrv.exe
4896	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5cbb739fc8648821.bin	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d7d14c0574c8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000ee5400574c8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c668e50574c8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aa08a50574c8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000367eba0574c8da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000438f460474c8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004443a00574c8da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2832	DiagnosticsHub.StandardCollector.Service.exe
2832	DiagnosticsHub.StandardCollector.Service.exe
2832	DiagnosticsHub.StandardCollector.Service.exe
2832	DiagnosticsHub.StandardCollector.Service.exe
2832	DiagnosticsHub.StandardCollector.Service.exe
2832	DiagnosticsHub.StandardCollector.Service.exe
2832	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2824	2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
Token: SeAuditPrivilege	4604	fxssvc.exe
Token: SeRestorePrivilege	1380	TieringEngineService.exe
Token: SeManageVolumePrivilege	1380	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2284	AgentService.exe
Token: SeBackupPrivilege	2676	vssvc.exe
Token: SeRestorePrivilege	2676	vssvc.exe
Token: SeAuditPrivilege	2676	vssvc.exe
Token: SeBackupPrivilege	4556	wbengine.exe
Token: SeRestorePrivilege	4556	wbengine.exe
Token: SeSecurityPrivilege	4556	wbengine.exe
Token: 33	4896	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeDebugPrivilege	1100	alg.exe
Token: SeDebugPrivilege	1100	alg.exe
Token: SeDebugPrivilege	1100	alg.exe
Token: SeDebugPrivilege	2832	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 2952	4896	SearchIndexer.exe	106
PID 4896 wrote to memory of 2952	4896	SearchIndexer.exe	106
PID 4896 wrote to memory of 3532	4896	SearchIndexer.exe	107
PID 4896 wrote to memory of 3532	4896	SearchIndexer.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_1f868d0ea8b60e1a21bd45a11bd33c2a_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1020

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4604

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4664

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2840

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5112

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5104

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2760

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4776

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2884

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4148

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1112

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1680

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3624

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5036

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1972

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4344

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2952
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
fa8dfea0e04e2d8c3a2719e81fb1f969

SHA1
ae59c1c371f7d2aa24a4b5fd9d7b43f4684dca25

SHA256
dc1a4cf789ce8f0f5688a6b5c9e80772e29918004fa9208f0e670afb4f4dd6f2

SHA512
608271528f86866e01a4a7cc6273c416efabfca63984510b02cc97a075743e0aa71bbd0ff9a0b1e0e4f076106107a2ceba8d5b176e97e7a186c340e6d50cec8b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
12274563f827a3a0684fa153bf0e4d70

SHA1
1233400c39ea231db8a8e3d930ea138ddc03170e

SHA256
c0e67c08c83c5af6d1304e7900e3ee7da94cecdece5a0451d5ac6e715814f02c

SHA512
372b4a86e02c629b2dc1c08d078a6804681082ee11c1427de54a2cc2f89a26f6e35a1a944ffb5c74cb2a0765d1da568fac751ff4b26848ffcee24cf69180b973

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
919196fc3f8bf6351b65f1f94dcf8541

SHA1
ce6eda1a838aca4469cca267f8d8b749a94538a4

SHA256
9230a61ec235456f66b4f1f72ce236e65020476151fdce0be3b79b394b3a9e1c

SHA512
49352d03e61bd67854bc5240df646a340a5bd5fc879df35418f9f733508b2d0078e6849330ab8c4b62ae70ef1d6f5d45b2130bc61db48585433ab7e06c197d8d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
98367ffce6d17c58423fd1ae292f1788

SHA1
de6901ccbe36b18d00d7b179fae9177c052d8e63

SHA256
d70daabdb608ab028c8c266946c4b6f561c3824b2ff087626cd6cb72e7a15c3e

SHA512
7d9f95fd8c2eb68c23f4a84a34184aaa31355f4273c4135929e75702ec160e8c5e05f66d0b164c42a007a4696fce7c61ff8a6e05b537fdbbee4b68019fdd9eea

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
46dffb98c41f389381092a4fa1f019a5

SHA1
38923b2a6cc7c27ac7a667cf5283a80cda401c53

SHA256
ff9b37c3293afe0ca9b718c226a69643436fef7f3f05bdc7b26b988f4d1b21ba

SHA512
f1621809ae4cb8dd8aed8ac7bc866e1ab19e2681e953d2abfdeb723595717429c93cb67fe9904886d419908b7f267dbba9bd2b23880ecf17154de9c40a68b5ed

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
90fcfee5c38413e9b93dc201d7cadfe9

SHA1
6fed61337de37aabead079ecf228b7679725f8db

SHA256
e4b7df64c5fe5b7d7e98fed6c79f32a4043571c90e1eac50b625d65fccf115f9

SHA512
769e9ba799e553ba282913fed518b0427090f10bd84c1275d13b91308b1860eeab5e6b1551784485106d5207213bd49354453c073396c8146f566c79107a067d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
c94d44c9d272a76d5477c51b3fb2a3d7

SHA1
496dedfc4dad69834e5ec33a7f2ed765f6b87679

SHA256
2b8840efba026c9740a513128ddfb4813db3ace3c2510c3ae11f15888a6b6691

SHA512
5dc30f6817d062fcdcff3922883c5ba261f9920d71542bfd24c18f5c9118659369d18cebc52bd610296d224e92753b3115b29d996d5bb681f52cb31ccfed5ed1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
cd07bbc42009520615aecb939f99cf44

SHA1
d6d996e9fd938cb167fb49e8ce82927b22d0da62

SHA256
027f9b20285a06b5da94acde45c17511907fe3e08b8a22a5a5b5dd9328fc3292

SHA512
6a2de8d9b8a7bdb220eea5060c2a8370ecc43087966fd3f3cdb251c4d0e8adaf820590e10f23f0ad087a73d231d61dd02070800fc86e7fcfd53a6d386ec9e969

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
a47a2cf1ff3b019e23820f200e10fad8

SHA1
8a6264fc1bc47d089db3d288cda5126af64183f0

SHA256
26195248bca7cacba6dc31b700aad6d9a38f7963375e10567c6a044541778e02

SHA512
745e83ec5f50c4e07c46f116586f4b0ae88649db43ee35f543d759aa4e6fe843f2881c82e2beac70766a40d26f777fed36f54853e51a9b7ae9d016456fd2b0d6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c4b89b74ac27feb9702726cb1ea77d54

SHA1
4df2897c2711e3a78003f764768ddedfbf798dcf

SHA256
4872a50acd0a8ab97076814708a50735b11d89928029e1e34728c21c4bac203b

SHA512
31ce26f0e8de361fb599e4471cf5da9ea59d9ca56007fbc3ca00a05b1918246926e74a827387a5fceecd6515a61718935270ef2452f39f3b616061b647cb8037

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
fb549c8a20de156ed733d2ebdf87407d

SHA1
fefa0d935b21daf4121624d58cec216c818ada8e

SHA256
111ada3f37a9fe54a5e0d77b933aa83f206eadf3f5b628d5a9ce372b8182dcca

SHA512
783063432214af88b8be5901235ddb1c8ddd519c1c939fe2ff455742171b91904707fa0d5788313055a065aa7993d2a2f4aa2378c1858d48dfced181421af58b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f98177d14ae3a72c9d3c3557563afdd4

SHA1
5ce4696814542f7fbea2414c44111122e24c1ce4

SHA256
725931037229667e54e2c4966ac55bc03119a925eacc3a9a8bc63191b88eca0f

SHA512
3f176e7ae007c53b38d8d3e0d62c058cabb433c44190baff1aa246a65f959b7c33fe9079c3d9957fdf0d1673ceb69dd9b7542188b2c48bff2449fb7ad441831b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
3cfb40a85a0b75181dc35d9b9d604b38

SHA1
d4dd689f70f4124421aa02f022f737926be9375f

SHA256
9af8c8a6afa460f9098727153caf24203a876b9871233cfb1dea0ae27b09678c

SHA512
445851a366178d43d547758eafa280e23a9ee874ca6119871ae1ba07b99fc0976a019c71d10d371820066d85d32f26d4874e1ea547bd18551f46ce54ca44f158

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
0e8de208f320999045423252e39bafae

SHA1
7c69fd6ce0c0869cc65bcdb1b4ec35a29b6d6f8e

SHA256
c59b2a7dcdb7ab65b86802ae92f139eea99c78cbef1c997a77d137131a0f9e05

SHA512
87325898c2b9ca96991782f564468720169e40b9babde551ffc469be53cd4bf0aa284360cc9ee87a0f25f7e10ba4e47372e13e701a031474feac96836af91aef

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
8798311fd00746cc32690b6fdc606189

SHA1
554b00234538cc0cdf8211f6fa64326a6492641d

SHA256
dfbbef9f97ca3f4d81e8dc5b8bc62184d949d1115c666028ef13c0dc8ba01959

SHA512
6b6aefdce16a1f7e60c1bab5d6aa217b8c62ed3be006e885abf11c33cd00567c92f22ed1133dbd2a178638321e185d9969b7e100d9a48d7ea07dca9a68921506

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
5770c317d32bafbb8555b8a282df445f

SHA1
90f0fedb81a88c78623cfd107bf27704c81ea24d

SHA256
3f80fad7275af516a6d8651df29e0a860bddc8e143298088dc115fe8914bb7a9

SHA512
4a759b439bba65afb1856aabaafdad4218401775a631506c919d853b0ee2698ca9a98dd6aef5fe7ffc8f67486f50922bd6989d021256e20512f900a50d14bf8c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
6c77371bfb331c4159dabd4fd513b3c0

SHA1
8be4d2214fbe7738f779ec0a679c17759a06773f

SHA256
6bff7bd9f8ed8a77839892399a1f8366c1d06a171e4d8c10e50cd0f99d5c1bf8

SHA512
72ff1be946f40a6e34a670519d17876f6e158a8efaf34829381f30934965e0a2cc71553649ba3b3c0f911d6ec8f8279e8aa95e9e241c43bbde1ec12616dcab11

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
89cd2782f5098ba1196988861e70b9e5

SHA1
9e2e3909b1a52a93be3c28ca771f71907eae1d70

SHA256
51c2dbf1b4eb2a78d53661645a968d574cd1cfa00925548abccf4048be841bd4

SHA512
3d87e89ee6010f56207743ddd7cf054cc6ce4918be4b26297f780f1562886e93be9e0357e90ac7cc60bc66f3b4a7bfd95ae53d796b3deb3dbb8c4855fd3c9fdc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
3996c37fb7c08128ea43b2828c62c5a5

SHA1
f23747ef9fff2387b9e2148b703f03210aba8a5f

SHA256
6745663d3e5cd2c748888b299630a321095ca610ea1ce4edfb97495254fc8043

SHA512
b2e56a5de932f6610e54590dfb952a036dacffe749e49f9cf9518e2fcbaaa52a168bb85c5e43313a0067188a23d354354daf0486e3872428e51887efb5b118ce

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
8d7d4fe8e6f173265a3eebabb04b63d6

SHA1
4a99bdbf9e8951210c019562c1a66dbb19ca3bd0

SHA256
889092b033273840ee402164f5607eceec275b9718395a387f95f3f3c233db62

SHA512
6861ec9a5034026bf16f7fe67593d63863849868f9b9ef77c432436e68644e4bbae1c974b3b37bccac6b682ab6c8dd8232fd3bcd3f778dbaaaedb40a91612370

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
eecf4324b186a787263cc20b8d133f13

SHA1
78121929cf463d4618419d805c3603456594ff3c

SHA256
543c438efe24aa4818258f0c68c2c0ab957f83f30fb847f05ea2414804a4ba38

SHA512
18d8b01939c12f309badb577b8e1ff1f86c7fdd012c2e7db6c20df8558ebf71754951acebd651a57c4a640e0df8cf1dd6868f6defeee6f72722322d584b2fb01

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
f3685544ea126379748dba95b304bcf2

SHA1
3d87f5a607e1bd21280e9bcb897856e842a46bfd

SHA256
c8ec1896cbb83567cf2ab6d705d9a80a6223ac6e009458edae07e4fd02ee800a

SHA512
e368aefd566167216b6eeece6883a2ddd2b369a287a5cf1259d09d3ea63f8b9de38a380db60fcde5318f70f0af06bdf4e79898f22d44ef908a7a1df9a9f10f1c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
071ad2501eff2ce0f5983689822de97a

SHA1
32b1351d2093e4876991ac2bd78aceae98ac54e7

SHA256
5416878a0e75c0a4ff66a205461e957c249675c2e4f3019e35241acb924ff1b2

SHA512
23abc52ebee170a47da68a5d7049f558ba36351c3301a0e465ae99bf9cd364ae2bfb8cf655a80201a34d028d0b3128eebec935af26fa1d940412fb7ade4de19c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
c20657e383594916e7cd9602bea65469

SHA1
e27105b721bb189254ed93261598665bbb3457cb

SHA256
1fd90631e5c555a15f09d4ca6f404a9ea54dd0535edfc7d86a1579afbcc4c2b8

SHA512
09af5022557a107fc73d092f29b24661bf7c86df1b9ff0f7d1526f62191c9aedee4dc768cc106ce8591870ff61a33316438d4ff3bb1c5b9ed40bdcc8958c8764

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
82641907bdbb248520d8ecbf21eb28ff

SHA1
1900019ceeb2057e7cb834352d831135876b0efd

SHA256
8c7dd879cca147193697400feabce5a0693076e52fae4889242b824e856a9535

SHA512
db0b7a08e456b40091f6778ec691b84732c442242b76e28d7ac1bc8e91b719cf6caced6d1eef631966ed9ca287407869ef1c408598e24e58e53018bfd7b251d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
d6644c1b0c10caccd9c0482a0cce16b9

SHA1
f911bcd1ba142afe370cf9fe7d5318f2936a885f

SHA256
1bf928fb2179ff937482faf62be38b9e189b951c80da44ddb8963ff17129a3f6

SHA512
56cd08b8842789e04fb27fb4252f264d99001fb3e6fbdf703a40f78ba19c1f0bdc94399ba42deef46be8518a7b10b4d508f64fc3ba0f7e3ae49b9269018a966a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
df6474a27dfeb4062469b76063563a75

SHA1
214ddf7f6761cf76745380ba88cf1268ea6786eb

SHA256
906019b39d62a6c97a2d49e60ea45dccb13b082dd3a00effba8b6a41375918ab

SHA512
ae52f34ad3c0a6c04a0924801d874acdb0ec248ff22be1a9537e947c68b487cfadf27ecd9e429553e0ad0192384ac56a0cbae79ce13e2b90bdda56bc680e8548

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
3a0a0322b5870d1a539ce68f64443f09

SHA1
684ed0d122b5556bc339ac8b187d94130e931d02

SHA256
994fe21de68c7260cb769047a3fbb343885b31eaf2812a3aa41cc1fa56890c42

SHA512
f1c16d90d681da83f887ef0cfda04904f8fa9cc95b1b2762c541014aa0a73c3aafef02dd5317716104be11abd3eb0b7215dd1ff92f9385c83d9d22343f7e1b60

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
d2346d87ce59ba9c5c819cb8bd5f3268

SHA1
c209cd89a60e1037950cf028a09ff92109640999

SHA256
4bf8d878265cfe1d2cfd09aa8ae9da771563b9299ab5e32de3a8e741b79fbf55

SHA512
f2a8640b249f23eeca4b6e2f01ad3f50c0864473538c12bcd7b2cde10457e7bee8c25bed21cef1c84b18cfb6bc566bb279d3eb8bb1b2459d9a0641a872d90b35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
1c815f84d0b1e05358a24bd6c11a6841

SHA1
aabd7b3552b47e1a78f430a5a1b05d26b52b1d1d

SHA256
ccb8b47b5f4d2875a61125a98522a9e7601006e875723f3f144b9d740763ae6b

SHA512
2632c0ef436b6dda1a36cafacc50a627aaff27cfb4c9f3ca953cf5ce2dfc97b02e901725cc1bc995ed72ae52a3d555edca30127defbd548b337babbb73ecf3f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
9676532a28ae674c032268ee506c07e1

SHA1
c0ad4de7c144411b848ed1da876803be73f8dc8d

SHA256
c6f40086ea21a41683257bc330e87994452f3e8f9a616e8c5879eea750cb17cf

SHA512
83f3969dd2673955b7ea7548e1e12ae3ae5c74c470c08430c7caeb6bb2518582bf27ad647ead89444fd5fc56b5436931e43367101168a6104301ab505fb56eb7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
b22f90c1209f5a9c6db2de438dd2fb03

SHA1
3e3c9efe7baa52cb843d998f0b337ab732327792

SHA256
bf724e9b2fe3c8a0cc3750724472e3590efe6326d86256a5578f9ef83d95289c

SHA512
99e075ccfa847cf3b56774ba323ee92f2752cdcc41e6a16d7cc118006c14d5d0b1fcabc4348d433993853a2ad759bfdcd6a1ecaf350e6a6507edc6aa408635c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
11237dd2208691bb6941bf13e03ff9ac

SHA1
d154c80c233108142aeaca2f01bbf2396692bd2d

SHA256
088f24206b1f26ee04d51ccd91dc9c88abee96cc2a737e8d5687445c5977c6e9

SHA512
25ed5acedcbbf8e53e051768ff87bde9dfe1041678864ce40d2dbbbc9ecc0fe3a568de96aefdab280694155028523af1aee57279fc3a39e5a8439d372e3d97b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
3116ab471d39f59695f5c51f65f1b58a

SHA1
a680c19aa806e3795fcb247e342a6fac9b1fdc71

SHA256
86e523108a2a745b2e27d07d0cf232dd07942651341350d5dcbd736dea7d4d01

SHA512
529ed6353a1529a32230c56ceb6dfa11e71c5bd779477934c8a8cf3917058c6b739c9e07b69d426edc9d6003c1481be2ed9a88336b89b67d74402debede86e9c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
34050c8bc9c6c09ab587895e46688819

SHA1
04cf4c5866f53aca2c7b9ee6f7ed1967cfc99260

SHA256
5d3f2a3a7d2533093bb8eeece897a3f1643772973d26a30d674c3f7d198f7d7a

SHA512
a0fc4793cef3edef899a8cac8f4b551f9335b1c63e706fd8d16f05164efe7c693ec3aa1078dd9276190c4d3ce0d764e003be82b68d69c14d0623522951624cf9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
cc5a5e31b6f0f5351be1a82b6c2ac39e

SHA1
1bda381e2bb262c5bb9d9c516f3d1d8891effda8

SHA256
270bccf3cbb0911fcd30fda32b96c64212c1a51951fd2d972af102e73cfc500c

SHA512
3c988cdd3ae73fc99503d152a19d6cbbd0f717565257821e523255d52fd18d09609f01ecd7ebc7770dd61db854ccdc7d99deb09e2d67078d5fa04d775f123556

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
71cd26d268aa5660ae390161f91b7846

SHA1
4b9d74dadb564065f8be634d14ba735b4d4f1ebc

SHA256
460d4eda55438a316ad7b2241d3ae1f64417eb0bb83a1a282055ecdf05f18483

SHA512
be28124002a70c0cca0747be43821ac685e64c15a11b41c5cab8e387c89e83ebcd712c4b0127a4efc1cbffb811c8d149462c19b263401bd4e684db21f9ceebb5

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
99ff09bf9dbbc4449e5d2ed3e8c8863f

SHA1
f20d602708969e125c1a118ec52dffee1d462a3f

SHA256
81e0f0d27505028dd7f0374818fb570eda31695617965e971394f0128137a684

SHA512
b4994397e5e8822c31d765011018c33a7eda8026fbdb66e8a5e14b01b0152a9afcf3e20e38dea9d67de06bf9c25650aa76dd12b67811255e0fb7752ceaf96cf2

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
646407f7d29c2426546eba9e988064e4

SHA1
953cb86da5d10eb995eb6d756a7299b1327fffc6

SHA256
f116cc31220f49c6aa2b8d1c7025d857f5e43faff5cfe20aff7ccbc9dca061d8

SHA512
b075d5aaa28be09d0c0647f99ed3e26fbff01e94c383f161210fa058650ee770dfc7867d25dcc9ea5218f56259a1e7ef5c619940dae7bb0ebb10907e7ec75348

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
b9b6fb7bb5990c9e50a42dc1014ad419

SHA1
0b4f8c41afd83f8105588d0525c95063fa155bf0

SHA256
5c973f4f90464965170d8ace8c360596e74b034cfbcde52541ab20c1f7ddd70c

SHA512
682c00a8bd1c3090f2f873d52cb79b9e75f94ba5a1dbf675630e53a728fd0de065ab2cb48d49616ebe6e464fe76e1683d932ef18af8568043a8ee3aacdc2a0dc

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ea385f63d70ea881c8046674dc531a6a

SHA1
2ffbca18f65768f66fd0cf774593ca6879315be9

SHA256
505e422a0b010cd73b404e5d1dac06d2d36a6b3b9970a7b71bc4f5cc33d9f8a0

SHA512
d5821b8059c3d67362e2a4e4b94dea75e4802ff0d4950896b115a397d28039ae514513e559852f40c95c3c1b8c1c42cddfb0008ac6c7268807de4ce7352bed27

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
abddf8cb41a214ef94462622e1cfaa58

SHA1
62cee25cf65f85002d75522d3bec10674b4b21ca

SHA256
c3782de9476d8e6a21c40afa5e52fe0b82bd024e84b2a979a59582ff7368101f

SHA512
6152dd52457235001ba1195cc3cb66e50f817e06ceca5a302ac8be0e37df7762501ed8bf0fac073041c67314f440f5a99a2ab331ba06b4484939688eb8fb7469

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
23da8b9bd3fb42b415d066046d18aff8

SHA1
fb53c723d267addb7bf01c86d2cd34fc28a74ae6

SHA256
e5a532f4c8abe970250e4f066ea0b6cec757bebda7c37cbb56e888a0165ee149

SHA512
7e70c35af2d92629fd748cc1e035840ac2a06826635a7e1f1c5e53820c8dae421461f4a5d073ad4adf1826a89edefaffb42e3f8ee39f0635018db998984bb540

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
68e0f251fdee5e4a91220cac6f6d81ee

SHA1
1f5f93d0e6de229a743e14b7d898bfa4ae0ecd10

SHA256
15c9a511fec9cb1df5061923aab7ea14006ab7204360fc7580ef90f389fc9017

SHA512
abbe1304d831fc36f709b971c1cbbb2728a61a04e769cd9029f9ed046cd835486f25148d65686f8e7e712d6412679899e89d65c156972fe0920807d0711fbeb8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
9df745756b3ea2dde9c18aae2f23dde1

SHA1
cd29f3915ced5dc5f716fe752227a3cc5f7d9d1e

SHA256
1e058b9992e7ff394ea3beaa15e90f2ac708f901d55ed4e73561f583694ad369

SHA512
57ed48e6e22c73ef8ac8f3cdd84b6ed51dc5fd5c29c2a79c724fa35a001fee4b5298f012f57d214a490e3cb8fab1b39bdb86b1d91b3eff82bc0580b303bde062

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
6e8d18df476b972f976474bd7e09eb78

SHA1
54383a4ee440aefc7999954b730e1fef069e56cb

SHA256
2851b3b040ba1890c1b00540d2b9ab43c664e4fb8adcd463fc14ed28545bdcd5

SHA512
a35faecc9ebb362b16aaf7e5b0d7d6f39e882fee236cb8f73b2c71f730e8612e983f3da955f3b59ca85e69d3409172f36b55a7600d18f5e77090c950d10b5d9c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f06717805d1ba7a581f0c0eae6f0edfe

SHA1
54293df3c8171af755b49c5d0f08e257449c3566

SHA256
dfcff95a78138f7f6ff31787714683b4c7cdf12f9dcbf329c0fc5a1fdd40fcc6

SHA512
4d158264f8c84aff3d34682385e6102e00fc69d62a94b404328943caaab37c8023b00d0db3376ac0e3ae7fd84eae30d7379a1fa83e8aa8f6e3b1d65bc7da24c3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f45542f9483a9a89b154453bbf17d4cf

SHA1
0b5913869be74480358617c4cec30a6b60e951a4

SHA256
d3be3dba69180793c3be5f4fafc8315a0b09ce7eaecf374286a13980ecc80598

SHA512
676e3b6eae981e1e9112ca961e5c28805f913e13cbebbe018a767fa2b412f463a28ceec2cdc9accf4aefc5303bffbaa0f4af930a1cd5450055cb20530c5cdf0e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d81deaf036af40bda00da3f22638bf04

SHA1
e5927bc8bec2be8c5d16bd03e1d7c31511f760d7

SHA256
c70bb3b5a1a64a0efb102e8a7278c30084c3db92782b4941162b341f12839584

SHA512
3b3914cd87c446af0c673d4e4d57382328057d04a758fa6bfb3c1673dabbe26a08d46f68181e62679833a8309273245231814eb074e4bf6f6d286796c39cffc8

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
cabb993327246981e25f230741292c22

SHA1
28a0f80e6e75619bdf986102875fb3941fb6ed75

SHA256
908621555a6ab8107abf38552f4a758188ec00547541ca71fec3da58c456cfc8

SHA512
9a0a23899ba4b43885b40c40c71d596b2fa1d4c78a4a26ce6b4268de2aceb4cf49750ea63965805bd8fdd53af26ab2493acba514e59c25f58ad90805a20b6746

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
20d362b016f13c4bb015d7651aad8f44

SHA1
28dbe950826e132cd28be9681cbc1b3255740b7d

SHA256
cbcce87be0f1752e718ea6b4fb954091e0e62e178cb46cb70c794ef91c3a1598

SHA512
0f9d947fb0e41eb7f9e1979e86ba2bc05b7f56b9abcdb249abb2bc5e26f94e3d65fd550f645ffdd48149e83558bf70478dd71bd68acf760274d3869adacbea5a

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
6402bfed302fee53f9fb042e091bf384

SHA1
827b4a1ff36f162ac5ac273a323a79a47b55291b

SHA256
e4d4e845a0b94f044638533d8a0d191b1770efc7ebe006ccf7d626c6eb5c5382

SHA512
dee2626d8925eec3d4ef23ff5d54334c07a0b8228cba7b92870653e57b00198718935c3836c2d02e66b119f7db14876a9c6ebc50342bbf60d5150c0e8c3f1a37

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
a951a853f33acbba644790dd05593e0c

SHA1
748e45cde4e10030734666f759a048db2b3b0a14

SHA256
01787bb27af5f5165fc5ec4cd8b2d005d6373fea172d01b61b3a12375e025b0c

SHA512
6b25102c5bb2490a3a826d79e6ecf107373879f8c1c0d987e5ac8b9048e18e34671bc48db91e5975ae3c7152f569715ebc5aecaf684b74d1a38775c477149619

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
4148ba39e1d69a2e0f0e4ee7039d3a29

SHA1
b1cf3d2db8f8fb5d6a6c86461fff3b71b0089ab2

SHA256
c801c039550d24ff0ccb62d0b1156ffc2f67ddb92f9fe698a85399d5536619c9

SHA512
6fa2528eb68fd66217b1ec2a6ebd7a6702f84029bba17f552ef47a2b9b25f54db578c3d4240e4e80ab43aa0700c53a4a28a8fa1050ae44c24e5500cd25be77e9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3800094d5597aa4dacf2b40e72e8beb6

SHA1
d2291fdb98c24bb304e63e25dc1ec34d0d530ad5

SHA256
e7c1baae63bf7c4cdf88a69e29ea10a1c144dc584cf796dd319c244ec94f9531

SHA512
6848132f229e36905401a06378d5a7742c05dd92fb5946c5d054d7aac246d55709e51a7ae716feeeaf7929adbc6ca73ce59bfb70cd304866975473e472fbdd85

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
d05528f19e869f4fbd417985ebe82f8d

SHA1
c055909ee4db79c3fae5cfb0dfd337fd58a5ce42

SHA256
2e2d78f7affc839d16dac3be5342eefe2cb30f2be8f6c2bfbcbbdd09db86d317

SHA512
5c1ace7fa5a3a57d465da5dd7bfa268ad7c310ca600a1f1978ad0cc85d5a0780f9a40bf8fc04da63ad5b881416e9c21c42a37ff11a573ade21f1a1ba8976d1f7

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
164f383e3c1e41475b342352c5060834

SHA1
d834857763711e93230245b9faaca929d96eb275

SHA256
b7fe8f9ef8e8b32c0cede602568774a4cba0d2a0fb52de9c1bc1720b027231c4

SHA512
dca8ea845050e221c3a53751e9a573e03264d02ca52d150e0eb6a32779be1267c0d101e9971d53b9675d4cd4ee10403da1bed22858706e1a075c3601245bd7b3

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
c471802696e8e1db01f1da4f17bdcb8d

SHA1
eddd20b4c333b85ca8f1489b83ba597f765e4511

SHA256
9f1f7cae03f519fc8bb23cbcd1f469314c054cef9e98c1627fba925abe0b7afe

SHA512
134b698b3782065fbffdd4743afd4e544300d26be30cbe64681fa728d62810ce3020f5114f3105be90eff36c73a77f7915de98d396ecb91b00712d5403bcad83

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
0a225a4eb1eced5e8aad7d3bb333b237

SHA1
1954c1cd1f666b138755197488bb86603781fd96

SHA256
7312b5df19990abb4309761ad8b7c07ab98bdabf816764a9796e63bea9ea7e0a

SHA512
d55e37f9307ef7a40d9d61c62b2fe79bce8c61b3cf4cc8ab11a7c96475095f75d2b79bf7008c473010f2c635b98c129eb1fc38f42df5138790545649c863d292

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
31d8de7ac3fe6ed2f018986b6f4ed2f7

SHA1
877e78a2938d3c009eafa4361e93ef51f9a663c3

SHA256
5ae2f9fb9fbae643741e03109cf1a89b177fd8d02fbee379da59b7efbf12e75d

SHA512
725c0d743893f42d551007fc272028682c771c315ee555cfcd09dc3da4574649d8f50d92c6eb854269a0d3797584c2b727821aca2982263b6f5bf47831fe22ac

Download Submit
memory/1100-14-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1100-20-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1100-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1100-219-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1112-223-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1112-664-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1380-227-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1680-224-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1972-228-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1972-671-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2284-208-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2676-277-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2760-102-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2760-669-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2824-620-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/2824-7-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2824-9-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/2824-622-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2824-0-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/2824-72-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2832-27-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2832-35-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2832-472-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2832-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2840-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2840-666-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2840-73-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2840-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2884-221-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2900-226-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3624-670-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3624-225-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4148-222-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4344-279-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4344-672-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4556-278-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4604-58-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4604-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4604-40-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4604-45-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4604-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4664-55-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4664-665-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4664-49-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4664-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4776-220-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4896-280-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4896-673-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5104-90-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/5104-101-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5112-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5112-86-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/5112-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5112-82-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/5112-75-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download