8fe34c98db9f2333a971b2230c6643a624db7842aa02fdbe20b69f07d5dd3f90

Analysis

max time kernel
134s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
Size

1.1MB
MD5

0b68f18d05dfcf0767fae3f8d03da029
SHA1

584df835e3fba6471c75a7ab1209e99e957c6080
SHA256

8fe34c98db9f2333a971b2230c6643a624db7842aa02fdbe20b69f07d5dd3f90
SHA512

a812dd9eec9a29a56eb7047fa9a0be899f3ac009c70b5d7be9c1802f08b9d4b0c222c7424aafd7b958331ccc2e45e13d266e0d7fb654b2b6fb78068f035e258a
SSDEEP

24576:6Si1SoCU5qJSr1eWPSCsP0MugC6eTOxNeyVwn1jheZ9LMnTfhLRc:CS7PLjeTY5On1j8Z9LerFRc

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3344	alg.exe
2956	DiagnosticsHub.StandardCollector.Service.exe
2916	fxssvc.exe
1560	elevation_service.exe
4580	elevation_service.exe
3440	maintenanceservice.exe
2104	msdtc.exe
4016	OSE.EXE
1096	PerceptionSimulationService.exe
1996	perfhost.exe
2360	locator.exe
1060	SensorDataService.exe
4396	snmptrap.exe
2516	spectrum.exe
1744	ssh-agent.exe
4192	TieringEngineService.exe
4960	AgentService.exe
2140	vds.exe
1256	vssvc.exe
1580	wbengine.exe
1552	WmiApSrv.exe
4796	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7d4203aac3a5208d.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000084ae5d7498cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006860f57598cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a686fc7598cbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007d10067698cbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd4ce27598cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ae81d7698cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fed5457498cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003e5d337698cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f9bb737698cbda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2956	DiagnosticsHub.StandardCollector.Service.exe
2956	DiagnosticsHub.StandardCollector.Service.exe
2956	DiagnosticsHub.StandardCollector.Service.exe
2956	DiagnosticsHub.StandardCollector.Service.exe
2956	DiagnosticsHub.StandardCollector.Service.exe
2956	DiagnosticsHub.StandardCollector.Service.exe
2956	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1376	2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
Token: SeAuditPrivilege	2916	fxssvc.exe
Token: SeRestorePrivilege	4192	TieringEngineService.exe
Token: SeManageVolumePrivilege	4192	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4960	AgentService.exe
Token: SeBackupPrivilege	1256	vssvc.exe
Token: SeRestorePrivilege	1256	vssvc.exe
Token: SeAuditPrivilege	1256	vssvc.exe
Token: SeBackupPrivilege	1580	wbengine.exe
Token: SeRestorePrivilege	1580	wbengine.exe
Token: SeSecurityPrivilege	1580	wbengine.exe
Token: 33	4796	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeDebugPrivilege	3344	alg.exe
Token: SeDebugPrivilege	3344	alg.exe
Token: SeDebugPrivilege	3344	alg.exe
Token: SeDebugPrivilege	2956	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 608	4796	SearchIndexer.exe	113
PID 4796 wrote to memory of 608	4796	SearchIndexer.exe	113
PID 4796 wrote to memory of 3960	4796	SearchIndexer.exe	114
PID 4796 wrote to memory of 3960	4796	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-01_0b68f18d05dfcf0767fae3f8d03da029_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3344

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4320

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1560

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4580

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3440

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2104

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4016

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1096

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1996

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2360

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1060

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4396

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2516

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1492

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4192

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2140

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1552

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:608
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4212,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=1428 /prefetch:8
1⤵
PID:5732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
5ab1c164091c35074752f76b74d41e44

SHA1
fa4ce695567bf52b53eeb35aa757ab4279d3b673

SHA256
bfc8a4cf92cff4d01a938197d85d25d0112965af3562e7338b28ad8309db8b49

SHA512
fa0903cb74684dfbcc02c33365a2f9761a7dc97718288b854fbb456b06defb9de858b1801e7a789f262c033936147eb7f3cfb0a17685fc8b7fc1c769b57cf1bd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
9461500c9771da19bb05d474b1cfaf28

SHA1
66504623509cd0a914510e1c7fe657091d7191bd

SHA256
5a2902304eb439367684f219746b6aa3bfae59b91028bacbe0308a4b031db01d

SHA512
dfd99f17c9ffbca6ea6a25352a13e74333686f35d75dd085f7d19c82c9be259b93d1797e6ec7d1060a358a3a78d6067aa4f1841a12aeb6cd0e3aaf54aa8be762

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
fcdd0159301f5a7b702ab02b947e7030

SHA1
ff867122713b4ae1f606ed6551ee1363cdd66708

SHA256
403ab295855629309154383377696509999e1839606345adce2810f0de91bf05

SHA512
e74d6571312b5ae02a5a8c0503c923f7c386210c3e164732645acaadba1502c8eed2a11f731aedb888b96f13237c7632345d69804445e43e09bf46b02591f319

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
600c41d29730501d084bb276cdc67473

SHA1
51650d09d9b55fd448835a09c4a0e8cf69631e96

SHA256
ec56e601e01abf2d697f43a83cce4ab368e0f3beb844f80cf3c01b157448d568

SHA512
25cb4ed483067074e2101f93976c831fbade884e9692c97be024c04bfb079583d2df37f03a937787ab0afba0c884466b4de84acb117d7ace5f58ae0ebab183bc

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ce88741d5f4fb03f8721be87f1090c5f

SHA1
cc2e513e5ac37356dd9c0306ef7fb179e5a7917b

SHA256
60fa9b9d5156bfddc7ef775f7d356467e158a74f2c395baf62dd5fc38f08e050

SHA512
a8b3fdc323efb6f6d8ad077f21b619a766f80b48e511dab9ad5385a059284825de329a69d4759ae2996cfe724dd7fe6cfdf5b0399ec942441aa1e5cfbc1c7039

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
8aa9f9ca14855b0a1d14fc51ec3e6e15

SHA1
4d897d9653e84d1cb7b81313b6e901448795d371

SHA256
b322e590ed47dc209e7c086a8c4db309216b80f1b27ed035e5ac0bb17c84cb8e

SHA512
7199219a8c7d6694a9125869d643dda4ecdbf509edb2b955ca8d8e7d06c0ba5454d5cb7361be51f59115aab9773525a9b078f740aa57f643f093e0d170ad2fc2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
fef1f266b9b7ea61108832a7d9ba29ff

SHA1
83b81acf461256618498a7fbb1038349e9439b22

SHA256
7e8b50430637505f6c2bb9964b6c45603b4df67f8685fda48ed46be04bb20d9b

SHA512
70c94351e4626968ddbf40e406f43d8fb7103bc9b7940be5e25d3cf6615bec124d8f96c37800992ab2e82df4ef204542cc9f99d39b64c292cb014c3b42e61f8d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
bddc6612830823612a6f0a9a6d65dd5c

SHA1
aa16b090349f94944d37355c48a2d00b7640188b

SHA256
c40410eac0362284432b700c199826b92eb7b6e164ed2acf53fe8f34378edaea

SHA512
9e87de1a4cfb712ab2fbb6fd9011b2f5de33f5624ebcb69e8f26315422d4aabbfb5d634e9a7d0222849b41a86be4f9c4cb843de2049fe0e3f2550a62e60c24a9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
75c47ed588a7663abec5ea41e717a9dd

SHA1
f1cebe9d2c8f4c8c84f2667b618b745de18f007b

SHA256
54ef79ef9cc3b72dba17732e69bdfa40d3b95509f4a7ce1b01050f448e546a6d

SHA512
576c3072f743c454dffa60e13ba2189780443e267715bf95270647d855fb3fb55e1834b96fbca3703a272c1652cb5914f1c5e9398bfed03b1262c3740c4c264d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
cddafc0859f72f7f84e9c1060248b8d9

SHA1
f7820a56ef895972e39c455094d3e3754fa51b00

SHA256
76bd9d647aab0945608690dcd761aebc6a954ea4489e489470a2e9aa4d19b80b

SHA512
43a09d0ca5707fde9c9738cab2672147cb1082fa4aa58753a93aaae0cb3ba9ebc5b50ffdeec9f217b2b08609de8ca210f8b26f8e9894998cdfe0ac7955cecffc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
8598e4afada8f616b00dbbb2769ffc17

SHA1
5f0625263d98c7323d4ee05721b9deeb1e0a3d95

SHA256
1eb21dbd7dd2dcba706edb2a30917ca48d1859196c4f0b9980ea98ca499ed167

SHA512
e43b1d42ec899b5ef7ca336a63cc621fc03893bbc8e97138152232fa8ae52361f599a7d3e755c3a995d0885299632beb9e87e8f914f2ff2d3815df2f1ea6d232

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b0fcf52662bb89198e522f27675c0bb9

SHA1
00a2667048b80a8344ef62adc0305e8d07903fcb

SHA256
df6d48166b45e617fb600bce0723d984fc5ed96ac2b3f34293176ee3253af816

SHA512
f1b63879f1d33e39669d773c0d86b984fd2eb50bec52e3b493981100b178f4d923ce4d209844425ae52b7f5f6be5e5ba2377518b22b62b8a4b77f41c73fd0245

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
2a207454a579a6ef4336b406fc37e1cd

SHA1
4ebf6bc9cf92f2c5ead979148bdcdf5ee0a54132

SHA256
d1706ec7820cf9eaae1951d1ef8223245ddf2abc21173a76e4adf2ee2890ffac

SHA512
686bfb1da2b0f5c423693057ed8cc98dd854ad48ecff24082579c9dff064ecbc9e32ce8132a7234c5deafa4a0158848bb034b59648a0bcb6d1300b1adfe8a580

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
258d6b50f7a09e6f356651e94f4a4cdc

SHA1
c6a79472fe896e664b7efcbb5694b02a48f2c94e

SHA256
e4300c29c97380d1ab714300a3edbf8b8e4ba428b09eae100bf769604acd8c2e

SHA512
8fbb677a59f32e5245bf352d4840447e8b1010856efebca0b0ec2dcc0f55c45d10477259d902e1fb873d63531b8308a2702e76797a68452be15ce4ff872b3b74

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
45dec67e0241d22d8e1269c96b18e6d1

SHA1
6bcbce3eb6f68a2390804220e442f75e4cca089b

SHA256
122e4fe216cf427886893d6ce5b93d69b7d926b3882fdd4914ff977ec708ab21

SHA512
fe16e9b2b85a020a464c63003159b8079ff1d72dd096f2fbfe2ba72bab6cd1f38689d305bf993c53ed3b2aab0e6efe96f7731c53430fd8167277100d283d4458

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
8ac3d84103c58575079b61ebaa8feb23

SHA1
9b3fbc47a1483f6fde53554f302200dbcac898bb

SHA256
a9cd8566867358c237a63c08b2332a1e3a81fba05baf0304b24947c08c1ad786

SHA512
3c1cb8836aed7c1a6cd187dc7922d545c51ef9794c224b4a1acf0e563dd31e116782fc74ea2c7cf5a2175be2b95f81da3e1204623424cf87b59c0df235279c62

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
a8555215fec1535f2311abc9812144c6

SHA1
f114122a59bf20b209f4827696ae09ce3ae86e64

SHA256
47bfa0883ee436dc0839fa492d5c96cf9cdfe6333f5acb01e9688eb741bab861

SHA512
ba668c03a5163a4a844a4fde95ae1ee2f6a10296bad818ea1bf887c9b40109e436cd478a5dce002acea0b8a99a717a30d3e1ce4dbe79a796c38c24b2ee74f3cb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
96ac8bfb6bb6af019f795180c8d6811a

SHA1
5b0cc825a48439bf62565c8adec01841b77a70ab

SHA256
ad8afe14ced2b28deed226779f04c11c3b9d5f4da249156c1ba156336e5efec2

SHA512
3a650df9d719a3a9d6cbc835fc82ef7309875b1f814600a0955fb38e529f7ead6f3cd6f19a9a40aec184c21e3adb0257e5c864e4052ebed3fa62474b595c93a0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
3ad9e360895aa8ab866e0cec93919890

SHA1
8dc175b176fc32cbf0417760f949e875e8c6e583

SHA256
26b001a6aa7de933f5cb409baa27052687e9819d949edf010658b055ce6a3faf

SHA512
eef58d7cf44fc5695ea578cae13d4f5c1d0b69d10c3fc7b050828ea123d136e3a784cacc1af5fac1bccb90093f10028a668dd7b91941f0a54b6089dd8f3703e4

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
d79ec38e1e04d62b284c59ed3973a56d

SHA1
b212db95160bc47cfebec97504338d1539e1416b

SHA256
89ec3faccf92558d381ef58b90c501f21b8d68aa7e61e75edfbdd018892de776

SHA512
2c7d9ba098b9b4dc305c8cbe04b60f68dd7a0891f07358ae2a6e047314112e814b4f91b9c318ce8bcdb55594449ad1ca7ee6a156aaf002d780a14e973aba0994

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
0207f16ecd465a36007b57a4fbf59fae

SHA1
20089b0527cfafea29c0bffa786d74736a82e69a

SHA256
0781f627718a648186c2e60693ee96fd6fffae6ed0a579329666be208692f2c8

SHA512
530a0256c829760ecb5e903f9aeeab2f4b52b5a1ea1aefda3723b2be9fad22458661fe32a9058a79a9a671c3c2a7a1afc738ed28e3152b6b58d0de3c82441d86

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
2b65bff94b172c384887f984cb0138d8

SHA1
8f1a6619ffa6b4b9f1c97626399ab69769a49379

SHA256
7fa746cb30237fe40bce00acd4d25cfda5ff25843f2ad1fcc76c5ea566abb4d7

SHA512
f3438b3a03959166e6a35720d14b17146e68f7c25b1c08476ace280008bacec341ecdcdd1aead41ab3e3bb3b1aa4e05bb77c4116fb7889284c6264098a9ef864

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
a016dbcca5e6993a43f0dbdf266d3111

SHA1
1bfe97d49a147dbb939314dbef214b2943e95af9

SHA256
e2f2a30871cec66d0368490948cba9d36a1f4c6565338357f0bf449587bf4a12

SHA512
253315e0718b4a0503287f35ebff1cf41ebcd325b95cbe9df6b087b3b8e4c943c729fa184dcbebb22c76fdd464c67aa1251e432a8950f6d985e64f682459d8fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
3610b87565e665c20d42d7085d592603

SHA1
76d7e263f007f015401cd89b62e2de51f88ecca1

SHA256
b469fe7eb39ef5b517acbad97945374d3bc6d95c3bc9d20c28bdb5d0e4ff64f2

SHA512
e89e93044f969e0fe255aacba3f57e05d1825dc5a32f9b629d806f397bbcfea71e6242dc2f2beb3cab86723736f891946e9f600076befa0b927596ce18d0470f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
dedeb7431c411a7984ba8af7fdb90c42

SHA1
5ae1153fdb4554366025d07fa82b053990225537

SHA256
7c485cfea4ff7a2efd5354c8d3523323d3db256a189d0808832ff32225ca411d

SHA512
dc2eeb1ca1e63c2e6b9fd30f7465104cc0a3472d5bd25d17da47d354e8229a1978987fca52e36ce76e3a229e2f09cabfb63a581aeb0919435ed88b044a572079

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
c474b3dd050fefd289cff8861e26694b

SHA1
bfe036cc5c6747074dfb506ce01aa3a3f8669e87

SHA256
9ce82c297e4add9ff546f57630f2c216805be44329460241628479e4d2261560

SHA512
4385708880bd92b74303b406399311725432c84cd2c4da5ed16980e37d1b2b200c4180eec0de5fe08b531f6a6cfc08f216dd666612007d6c2270edadecaa2f9c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
0d9bde45cfad13bfc6cf585116f22e53

SHA1
99baba98da852bde737ef4d3e5bc12c0dda6f9a3

SHA256
6d85c529303b2385c39a9aeee4829486bb22e4e25032548cc17f755d8c9d79f0

SHA512
cfbc5dda17014dd77aa30dadfbed1e19d50a10d0c3a9b955b1b69008d0a2fe58184f1aa8dcb5e608924b61a8ee7de51b87d724ad961290da3d7786cdeeadcfb0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
d9693f1612595f2d241a5527a02f5546

SHA1
f91346d212478cb5022c062c295cbd0a3e1b0c17

SHA256
540bdc89ccaaf758fc2ece71f6c095c92ed4b1020ffca19e3125bc02730abc8b

SHA512
c7e0b4d0cae6431f0d9cc129523aa62af17f82f8eac3e791ffc528d9ea10715b83b7612cf5f80a2cc942e1e759aa263ce2af52e03cfaff6a624ee0765c8485f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
a648eb8a68692627f1b7c51a0c1ef8b1

SHA1
62c52a8c977f6e25cbc0de722692d43a01e6fecd

SHA256
375c8e183fee724f58dafa9b41381e2f46d5904bd7c5199915ea07e8db86d37e

SHA512
28762ec92824c49c2f93abe7eed04abd077bec9b8e37ad73ebfb6c56987f0ad6c434680002e95ed28ca688a40ff106bdc36766bdcae36c658b538e3ab54c7848

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
79f006c3109bffc53856123ff38dd116

SHA1
f0e36c2e264f1c1c6e3b92484b3ec2a46a531fb2

SHA256
80fbcf858172bbb28c808047b4b1f7b9cfb634f7ac50f7eb9dc665bf607f8298

SHA512
c5cc5afed6d1949fd3cf71732ad295feef7cfc065da332bf11f382a9b1f5693cffb719bd6636b27d782b8311cc88c12d81344595b42811c9070e5b6d8bce8ba3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
48a142f29197b33be12f5a779715238d

SHA1
58e3718288b45265eef528d5bea82e5b69f061c1

SHA256
1c6a8c417c66954f44cb46b7b5261c4372da5f59d783d9caa5f5f041ccb5ca22

SHA512
0075b345d1516f3feffd05c7307eaa4234c526cc33f3af1a555d6a09c305e58e5f796230181f9118dbb4726825e7a33c4fd705f3fa80592709ddc44252b61b35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
4d6ae9aba48967e4e4d9845547366dd6

SHA1
8dcbf3f345dbe54e3ec01af82f0c0346d3dca7b9

SHA256
8d37aff5b3166ab2a15ccb8630d04c8477d5872dee1b25378e0494bbd281b81b

SHA512
2154cc13873c379648795a407a992bb41dd94fa5b7bc8d3d5dbe7e8bd9297d87bc401fc96f0a7be0e876c634679f09f4d8f0ad380a2fb927bcfb23366e6ec6f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
61a2e218f7b10fb3e52ddaba13994577

SHA1
30978a60b33caf1e6b499d11ebc7ff7cf63c7935

SHA256
3e6d5758afa59f308d9a202285bad81b91586fdbdc38ddb607b5796fd4319f29

SHA512
ee999cda5a99e3af075ae1b9efe84a879441c93f447fe6883a8bbf46e3204135d6f94a74b1d86dff78e2fe8255691d41969e50d9132ada0279d02ba019fc5272

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
d809c5a66e3cf6c6a6ed42c9c3180b7a

SHA1
4734813cf5ac40b16621bf39732a36bc66e3f1cc

SHA256
5cc1cab926f29133b7a01398da0e8e268dee9f94461e3ad80d6269f6ccd93cb7

SHA512
057e9db01b9ea7d1cccdf31b24ad61261f7ee972f2478dd4386fffaa49bbee55c80b7e52b91444c88e5f2e3f38669206d4965c42e865dde122500fc4b421406c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
199c1040af85ef41c0a9ea4491b268b7

SHA1
e7deca83c8a2a3fffe745aed446d6b7a79b395f4

SHA256
8e406e99753a534176020597862557532a9a92851ced31235929454268332432

SHA512
4fd2af11dbf7aae706c0128b66ffc837e5efe33a8074c59eefb72c33cd6c35293d14b056f1b16155f82bdbf23914cd3de1b2f719297764ea0ed7c0e8bfbd4001

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
b109a8e7acda7d3d82c985629b4f4eef

SHA1
9db55e20d51785170017ad68450845635060fdd1

SHA256
71b2cf546022e3e78629ad2eb1eebec5d40c9f63ae14b53f2232980cbcb59170

SHA512
f9eef626174c4167630ed0eced1107bc126f2237cabeabbec6b5fd20d95d6efd8bc34ac77bafb2bd23a68e335e64016c0bd562fef84d0d79e25485fc3ffd961f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
3a0cfedcfbaebcd2a91b5dbc3726de85

SHA1
7116356941206357cd6accdf04c6f9e26150419c

SHA256
e01015746329b1606468be813b1dd260a9dc064937a2c6071c78738100994e63

SHA512
7fb287e5e5b3e655652a4412ab9ec986dcbb511bfd82d69c7b21396c37bb6cfc3af1d1b0ffd04674f93e6bb7a9197d468752be1857edd0103e38b54aa1f15fb0

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
7cd4115ce8a971ff25c9ad211804c1ee

SHA1
bc76e287f3b9317163b7f4b917bbd064a41a8bd1

SHA256
e3f15803d75b247896f65cb61e7c7d6bf6829b5e4edd97d176e5d37cdda994fa

SHA512
c616ac1e532c7e2ade06c2a17d7690d2e54c279eef9878d385d24cd473daa11a481318c76e2e421370d96d2600b9e82323768739f859c0d6fda624e8cf7cb4b7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
48ecb8727555cd3d12bb0b4542365a83

SHA1
47f6f922c0e31c8eb837adfe5b67ac0fca0f2824

SHA256
fd3a6bc0ae07c093f2d2cefa00bd075f7b02efb0a69cef15f1c472931074fbc4

SHA512
3006e2fc2889d8ec71f7a4071b9146ec3399b35d9d3e3cca2cead6a671365f7d49baa7632d92204442f3d87e289827c85d313a9febbf2dd4f882c04a373c4747

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
41b9e66f949c1800ec6c60e758f0e9f0

SHA1
d7f97c2c27694f3acaf2bde63d21c58b40b407d6

SHA256
53e932f89990d8ef6019a51e268419cdb51bda540da192c9c61ee9253b570908

SHA512
5f8dbdd95c85f3b9cd6ecd2dbd82ee38acc83961d6ff59da6b2c936be0732939204ff52ad87d44027a10236bb6cd161ee741a66a4e1f220fe2583fd8d3330bfd

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
d487e8a3826283b74fd04e300b901912

SHA1
5fb4a230575bfb9884afa968a3cae0852109b449

SHA256
5b4a41e57a5f9957cf805f039f35872c4e84e521478ad188afd6d0822b90cd20

SHA512
e2712ef96a4ed99df5b0d0e6f71d1320383585bfa803e5d03aa110e5931785560adc80faa4b47e41ca5f9ff0f79b99b25cb0f03f1851bd0ee34218f0a16d250b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e988ae1091a5adc3d87170e3f5f1dc10

SHA1
5c23a7dd8129c635264766e2f12cd9b5ff240331

SHA256
038ebae583894be8374b1cdbc88bee7b7cea3a91c31006462ef7a553aa92daf0

SHA512
2277bb37a8ee69dd7e2fe2e0cc6d87c237e55517bc5214fea4e693077cb64efdda131d9368ed5a5d522a2012adda4f0dbf9ab3cd6d55972f9e29e8ca4e70710e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
6e196097de3f47db896f0e01ea05c23a

SHA1
57eb70b006ea04497637ef3e1388e0d95d5fafe3

SHA256
fa937ae7b6dcbc6149a03ee4524cd9e08a5c1f9fdff41b2f252d020e9b186fc5

SHA512
46983e0cc1e992777f934bcd4387d97e9cf83038b136869b14f09620bf7971b32313f7a07d0f62287eaf34d119d6f9fb56945dcf5b20c81fa98dba77ecb3c946

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
63549dba511ae714bf76d4819d6f25c1

SHA1
6863d633507c1a3fd14f8fa424025b321e9415df

SHA256
9268d28b7bc57428d07fd3b223492f91eb7923cc6840de8ef9f771270afa408b

SHA512
d38330a5730ef03a6e5e8bc35f5e23a2726a9a1aded0b2a9ebfbba1505ba938221329c88bc42007bd54b4b01dd983798b1af41f6b7f9fd9010bc317bba50d4ea

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
c3e2372a67e1d3ba51ce43d08fbb73c2

SHA1
86ea45a4dd0d93f81d15a5399d4c3168998d9159

SHA256
dbcc705b1fbe5065d3939ef38ce82a0be8519e24153175f41a01bcae3e4f40ff

SHA512
6c59fcef66bff03ca3e91bc8ff5224197db8731da1c81af26a32bb55abe6a5bb16fb009bd696810f318555b010c7d396c7e1a7ce40128256c14a0909b4d17e7f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
2ae838c3c9c5f3f37f04095fa2c02a07

SHA1
a5c5fa2613e26565020cb283c45d1f9445855d28

SHA256
be799da084cd2fa1ff912891fccc7ab5c0f331a4347e212596519cb719651671

SHA512
5c689f89822ff7ec6d107c8c4ca1633a11ac4c13fd0a4af69d7ce8924dd7adfdaa7495dbc954d7812d7567c0e4b1a7650d79b8c5fdfce85ac4e36723e0674872

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3c3ba46702af7b0363a867c89d940025

SHA1
0a60aa96eff40241a837dd8be932b7b85202b24f

SHA256
33b6e915d2223f1e34a246faf6b57fadf510c417fb9d17a733868f0da14632e5

SHA512
9ad3cc4242b3760dc1c2f503d7c5eb89c91bb726613a6b5376e934662e3b95d6a3643e63d898b48159ef4d3560bcaa0889d379e98fcca62f144e04778b8d2e77

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
69bbbd3fbb47544eb55d934ba03846f4

SHA1
80f155e97e4edeee951a4f60dfa546147e269b7e

SHA256
0ec6eca8ddfd88b6d0605190da15e86bfc26c9ae12519bfc6c8c6dd26b0792f8

SHA512
798d78b95ac49dbaac3eb99622d26fdd04dfaf60f32156e1875715c8845cad9123176bc69767bddf5572614e0214f52bf41380e2300d9ca6b49f031770af795d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
51a19dbd81d34128c5408c0d0e5137ee

SHA1
a274d167b1a1d29aa0b16e1df6268a347744d365

SHA256
e8cfd999e599e4693bb4eb1d8319c8b627ca9be9fd49654bf4c2de230652d9b9

SHA512
f14c22b952fbadd4ee083c8af8761d2fec05f50666b06acb0bfe91d702c6cddfe684db323801450f4bdc16e5e4d67aec4cf445709afc6d5359ae15e3340eda79

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c1a650051bddcd7a652fd9cff3c63045

SHA1
08f91889e1f064cd7a49382b2cb3dd077e0dcd1a

SHA256
6e4d009efb2c346043715788ae00dc21263a9b2f2f08feb9d74935da239b63d9

SHA512
0f98924c1e5db5f375f58edc76313a3773d6bc198d512b4e628f54525b79e51700b5700e276080457a879595f6e6ecc04f612ddc47d33031f12ac9f12f9414ef

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
2d153cec6c936fcb232d71ea369291f7

SHA1
c092ecfb46f806f1436ae45ec6fc11d70f2135fb

SHA256
287ea9f54cf1af9fa4dc18e8e937b6d5a135d34de82af0843f7272363b4c2b1f

SHA512
b7c5518117ab0e077692a49dd6916aa5833785b44965f1714fd6a636fc09cfab3f336828278582be12beb463e86d291e26a91162886824b53754eb78dbcc6df5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
b80716a439fd91ca398878d1c4d6f7c6

SHA1
9c92e946c75e6a16996883354cfe4314d339fcab

SHA256
e8e4815cd92824c3d22f7d4a06b8d5f973480787b63fa9d778175786ad8c5f76

SHA512
b2c23a026c8068661107f36aa1c533fa728d05355e6043c2bf50d80e2ac6e487741152633f7c05b6e204df0fb5f65e64bca48928f985116f3c31053276350687

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
01de811c6a12775f33016983debacacb

SHA1
13c5dfc82192d2dedd53d963767b342164378405

SHA256
d4fee6ad582be4585b4610aae2768ce0ec0808093d72c857d939e15f0e368154

SHA512
338cabc67448fef04af029a5c5c96f06f64b9b0717804017946c487df3f1f970bbeed447e7ee627cc7cda76dfb4b3fdb71f86b15c97187ceb9e3c467b81768f9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5fd1d224e29387d81d749c71592b54d0

SHA1
ee5fac70d39f392161293e4b56200502131ce274

SHA256
2c3f3618e1ccefd631c5e0c9dd28850b68bf8cce1d740eab01d428d2cb804990

SHA512
d805008ce25c6da42583b84c12d9ef3a50ff6713e3621ba526ec0b36c262448a6fe1fc3d7d93134b2d1ea196c4bbc5dfab63546c7eb1b3f31cd3373e17f6ae71

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
df13ed23517b558b1c8258c15396034a

SHA1
1a945fe9ba0bf4886f44cdfe87a308caee26bd63

SHA256
9b4a0a38df1d32e747befba8c5e5e3a12c8e43b240b0ab20c6724e61e898e38c

SHA512
96808cc5c1406ee45bc14a0e4bed74fbccf0fa11bd292bfe35c884262bda3583c5eea86d88b04c0158fc7d669017abfd9e627c4be5b45283e0ddff4fb814b0d4

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
508a431a3885dd6867c4f7080b3edffd

SHA1
92c4df1372b3e4efb610698ffdba34ec70896153

SHA256
42aee3c3681e65b92086c13d86a5bd199eaa7bce755abafb4549c676f548eeea

SHA512
a7ba51c446005193e4a1320ce06f54626ae24bbad6cc2e72eeb4309ab576e28b22136acd5a7274531831f1bffe4c599cc3219c137fe698cced9c2d049fe81e89

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
bab5f086fa5ca6a7c64aff382178cf7f

SHA1
004412716d8ed2e9574f13edad002054d5a5f756

SHA256
e738575dc20eaeee2ca271761846cc02abf1a8142b7fb85a19ed1880893ce437

SHA512
b08d141a39834653d193d3450f64fcc45db8ecb789b69f7c0d49f84edef2588042ad433783f65d591ebbe55945223647174a23d53a5c6fbe42ae73f93be626e3

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
c1defa1ffa8d111f0a36b4b122df50aa

SHA1
5a722289c40bc803ff799a9e129943e87b2a819e

SHA256
9db6cfc86344a32b8dafbd1c8b2a44e0281bf2ec85e50df3093a59e206efc4b4

SHA512
b9aad9f1facc5bbb81cb7866520eddbf6d0faeb6802d7c7691d7f89d0f245142fca694de48e8ca5bf17d1d6acf049a20c7565af15ee5162d8b1eb662699ffbb2

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
a98c43617b721f88236d882039e181fa

SHA1
e6623bc94a18992b283af4a2581a34b0dbe50892

SHA256
152fba651cf5f5d2d1341afb565a68d64d95a8d7e400e3d0409ae319868a5049

SHA512
5f5b4b050de8c50fe1099d41ce4e5928d9e157bdc85f84f6ce3bbeef583cf6f2cb2ba9231b8b016f4956860c0e7988ffcd8579fe0d149b6875685983ebc13144

Download Submit
memory/1060-144-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1060-583-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1060-274-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1096-229-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1096-126-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1256-590-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1256-230-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1376-59-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/1376-477-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/1376-8-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/1376-9-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1376-474-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1376-0-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1552-254-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1552-593-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1560-60-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1560-173-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1560-56-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1560-50-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1580-591-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1580-242-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1744-584-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1744-189-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1996-130-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1996-241-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2104-100-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2140-218-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2140-587-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2360-253-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2360-141-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2516-176-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2516-548-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2916-71-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/2916-86-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2916-40-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/2916-46-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/2916-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2956-129-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2956-36-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2956-27-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2956-35-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3344-22-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/3344-14-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/3344-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3344-106-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3440-75-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3440-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3440-89-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3440-87-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3440-81-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4016-107-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4016-217-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4192-586-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4192-200-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4396-156-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4396-468-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4580-188-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/4580-68-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4580-70-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/4580-62-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4796-275-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4796-594-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4960-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4960-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download