bba1879c0df3f2465f95dbf84b37a23b72e8c0c4ca9db2e0cf3643c7bef10c2e

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
Size

1.1MB
MD5

6385c28fde0946a431bd8ed40fe560cf
SHA1

80d21bc59b1a405b3fd75c7b684c00cc59a76321
SHA256

bba1879c0df3f2465f95dbf84b37a23b72e8c0c4ca9db2e0cf3643c7bef10c2e
SHA512

e2d3a9b80ed6832c8ea2115caaf428d3f54d356be6b734aeb6e1ff9c16d92e222c2857016acfe36a1437bd03b8e4328b7e2d0ce672f01630ebc63ea8bd146ce3
SSDEEP

24576:2Si1SoCU5qJSr1eWPSCsP0MugC6eTPSkQ/7Gb8NLEbeZ:mS7PLjeTqkQ/qoLEw

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
212	alg.exe
3208	DiagnosticsHub.StandardCollector.Service.exe
2620	fxssvc.exe
4704	elevation_service.exe
4812	elevation_service.exe
1448	maintenanceservice.exe
3244	msdtc.exe
2520	OSE.EXE
1660	PerceptionSimulationService.exe
4996	perfhost.exe
4560	locator.exe
3828	SensorDataService.exe
4400	snmptrap.exe
4600	spectrum.exe
528	ssh-agent.exe
872	TieringEngineService.exe
1540	AgentService.exe
1924	vds.exe
2748	vssvc.exe
2348	wbengine.exe
4944	WmiApSrv.exe
3732	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\30f7248c3a5208d.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\java.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{125326D0-F6C3-409C-BC6D-35A6D8D3AF5D}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000028ad63a1b9cdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000fbbd3a1b9cdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c28bc1a0b9cdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4c446a4b9cdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc6460a2b9cdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bdf0a4a0b9cdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000de0d66a1b9cdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3208	DiagnosticsHub.StandardCollector.Service.exe
3208	DiagnosticsHub.StandardCollector.Service.exe
3208	DiagnosticsHub.StandardCollector.Service.exe
3208	DiagnosticsHub.StandardCollector.Service.exe
3208	DiagnosticsHub.StandardCollector.Service.exe
3208	DiagnosticsHub.StandardCollector.Service.exe
3208	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3808	2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
Token: SeAuditPrivilege	2620	fxssvc.exe
Token: SeRestorePrivilege	872	TieringEngineService.exe
Token: SeManageVolumePrivilege	872	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1540	AgentService.exe
Token: SeBackupPrivilege	2748	vssvc.exe
Token: SeRestorePrivilege	2748	vssvc.exe
Token: SeAuditPrivilege	2748	vssvc.exe
Token: SeBackupPrivilege	2348	wbengine.exe
Token: SeRestorePrivilege	2348	wbengine.exe
Token: SeSecurityPrivilege	2348	wbengine.exe
Token: 33	3732	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3732	SearchIndexer.exe
Token: SeDebugPrivilege	212	alg.exe
Token: SeDebugPrivilege	212	alg.exe
Token: SeDebugPrivilege	212	alg.exe
Token: SeDebugPrivilege	3208	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3732 wrote to memory of 5224	3732	SearchIndexer.exe	113
PID 3732 wrote to memory of 5224	3732	SearchIndexer.exe	113
PID 3732 wrote to memory of 5248	3732	SearchIndexer.exe	114
PID 3732 wrote to memory of 5248	3732	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-04_6385c28fde0946a431bd8ed40fe560cf_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3808

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3176

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4704

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4812

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1448

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3244

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2520

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1660

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4996

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4560

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3828

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4400

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4600

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1496

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1924

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4944

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3732
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5224
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3976,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4052 /prefetch:8
1⤵
PID:5740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
d5f7359b3354641efadfe6f219b83a55

SHA1
c1a28ac74170bdc7fc4773a165bce1a6021de652

SHA256
b70fe091dc86c273862c18194e085b82bacaef1e8b56b43748bf56616286de6b

SHA512
a29bf588d1a2d40effb5d22f647b98fb06625187c9eec48c8a7c941ef64919bb2e2c35206223697bc6ee679f80ca26382472081a6ab27fa79bcc9967f847d9bb

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
f05b0519feb70a8e5e4f71ffd3f5d31b

SHA1
65e86319007e1481aae73682fe1b409efd5c8a86

SHA256
5d76c2a1984348b6f63fcdaeec6ff56f178a34763c988bf099d9805a9df7cbac

SHA512
d3bb8234a9460896fec42c178e4a41d8b8e9404b5045695981f7652ca81f41fa14a8cf838d5df69780a28484149f76d4a10354f9ca7eb44fc85c56da47e6c50a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
0a40159ecb0a929b444ba3aa9919cc27

SHA1
632f70db3fb82d072b1fee161d403a83764d88d3

SHA256
6b100a898f085c2f7144a18369d64eb682918934a45654b0de0c75731200dfa8

SHA512
89245a139fe41438e9c1045d4918ed6c0b7533888b9311afb60dad7a01d0c2474a46957d0d5363b2a921c2ed58157772acb097202ad6feee35391ecda5e81ee3

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
03844b9742f7cf22245c99caa396a652

SHA1
65e53ae86faa2a2192c4add3e73ed0153e532dd9

SHA256
23609bfc44e125a8b5985a929ddc9285d59800e895583652b5c6b3097947533d

SHA512
45de6eb523f9edc9d731329f386b4d6bc193836ce7e5757c4fe632e9ac6cafb518ae8a3abcdbe6a232c8bddc1653597a9b1f995c3224326929b3988e1bfcf73a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
db5e822020215561785453b2af62975e

SHA1
adde3167c0752c732a2fe442a74771372b934798

SHA256
454eb3738bf88b88fb4e3a1014b7af992770998ad28d41ff608fc479a9fc1658

SHA512
11ba2224572ec0de83b874b8f83fef71b2e118f55e2897ba30b10689f89bf43ef4491522eb79e798afaad49e135f5fd9b0d93ad08d23d6b3454bb358efc9b72f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
b5140e08c3e49dbb0721f921616c1851

SHA1
09c8b16c75f7e26df97eb2ea06869959596b3d53

SHA256
93644333d3b0dc31ec48172b9566425cb5bbafe74673ef18ac674a304bf22585

SHA512
ffd11d8482881d7ada00fe3066a7dee41578d5ca188a427f3f9b9e1b4c1ec48cfcde2fd83847f9ced6676e0439d87194209499e3b78e3314aaff192e192a3c5b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
486e85d0ff10efd06724f3b05fdcc071

SHA1
47865c22836bb676d2e5bec41298232e2d2cbca3

SHA256
350f9005b563aa2732d72ae40edbcc3ed0ea62f95dc66957bc1c863a8c2d9f45

SHA512
f09fa0cb8aed4f29350e4d3affee151e208d3265cf899ec4e0d7a11c1dfa413a8f142a6b99d105eb9fc1b8e9c16d35bf7a224a715725bc183c2c7f45713f2b0f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
fa6ed9b04383fd02a962e0f4b189f93d

SHA1
9fbf78ab257fce390a90b16b6025d6d53f3fa5df

SHA256
1928a8653c586ec0ec6e98427c8b50b1fc849640d37049fa8539a2945e85ebec

SHA512
3a9e04421ce19a9f5871a9f674d208c3349ae73e09d31543f3d887839d741fb0f75ed710038297ded6f13d79ac037cb325b22a65531e3d881bb67284b9ac3ef3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
98c6d77aae835ca8c0548495d7c103bf

SHA1
6f85c19ec0ba284be5b01e551b02b9e98925f995

SHA256
e44169d001a26915292cf9f35bbf6244460703ac566b0518e3e5eda83640173b

SHA512
e4958a11eb67633e5616dd0e62bc0a4344a8b7d185ed290489e5e8c30bcbf9deb50e4e5312e28a48139c90ba92491f1a7c530fe2e7c9963b4e5f1f6201c9a016

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
212e594aefd327c08f8b2cd51380266e

SHA1
7fe8b43c0b0cb77c821aec50d03c5ab6d458feb5

SHA256
2b53ab49d582da96b9e95dd9b0f6f16f247c7a146b6d50551bc06d8955b8a2a1

SHA512
2ff670419a18e31af8af5d853933504d358ff7934541248823870c372c6fd6b78a27d1a98bcb43bf03375e6ab11d92afdd3fa24a3fb2a5e08978f2e9c2ac9af1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
755d8867060f198c675c081530176685

SHA1
70e7d252f9d12c5e5acbdcd074e082927431fd40

SHA256
22bf683c6ce5df0f412f7ba30960ef1ad7317012a530f3c004d232770002421a

SHA512
e571cd57f4c6cf18cc9a6f335e73618396da4012267dd374c8e484ab793574c900136534a8e12b3827c2f5a78e7e4a1fc23df4c99f7d4352fa4babf00ef97975

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9b2de34b2d20e332a35b2ceeed523657

SHA1
09fc07e62f6a10a6bcba37c6a015f570d3c9e1c0

SHA256
7150fc733d46bcef7f2f3d2a62a79338f35539fcd75a2cd8c137f151648c56d7

SHA512
abb8c8fc66dbecffd56f847680ced8b63a667e312bc1b8b4321071aaf6d93ff0edb8390a769a2626d0c27607d2594a3b694c4e52b2f7f29708547301940ddd26

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
b281bde646a226c88ca42dd5a6642767

SHA1
3e9251f39c88f755249cd8a33068622acc70e106

SHA256
c658dc3cb5ecef3a135fc9c686ee54caaaa4a7a024e2f8f4f993c4f5daed5135

SHA512
345fd5d8b9e08d3a3c63e0e76c0826776e8ff7ecf058bef81e5ca454da99f7363a90f4186833cadce0ae11e2b96ebcb8b9b5eec0e569573d6d12e3a118c0baa6

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
46ac71f52b642edeb49441e0a7ba4654

SHA1
b94a7f880343e084bb69cd4cbc7ebffe61bd0b1b

SHA256
b9b29b7e100e529b55781b03fb7e14486ddff02373645a172295059d7f6739a3

SHA512
33c85dfd29e90c2c57e54a00757909dc71b19734268f5102e56677701c7e8cfd31486e5c78cb480a02f3001324af1172438b61b1422940de0dfd3054ce159dbc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
c49739c948c44dc676f54ae19883c7b6

SHA1
5b49e18c834084d8069d7fa4c3cab31be9fccf67

SHA256
80635d66fe97bc9ded263cfd40dbd4f85976625b38d88b381d4f4867202a47bc

SHA512
3daed91afdfecaa0c136de252fe933ee7d219535d07f5ff5fd8efe0029b4054e2432649edb7bdcfac98cb40f93ba4dbaa3c794364c5ac03282778ee08eeb0e62

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
cf5f06e022a8658e0d8a1aaea4cac301

SHA1
f4fd883893f9632906e1e2a88a0734faa45ed96c

SHA256
dd5d58a93234541041895f15ec28746ef74aeb4417701336ab8e6727ec09aeac

SHA512
d1b7b4b1b5c080a22db1ba6c1c3d96b332da7f7be831b4adefd8bc4de3fc17531dd5d2898b3e3d947d85237c62a1d2bcae1a4a3e39397eb145d1b018fc609c8f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
4ba33b86f862c25c8d740193c01abe54

SHA1
3902c3d69e4d2730300b661f4d36315e74e23e30

SHA256
1837415ff12010f6434ba5ca4fd5607a17c4d9fe7f6fda559aab23e42b0e521e

SHA512
2025825be2bdb8accbc9b7a72ae5757a15a235245efa47804668cd87ebd5d2c437b7abc2ad9bb51e08c6e5d0b837ea7daf5c82a871fe9b97fd3ec46d04b4bf32

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
5e04eff3ab352b56d438dd297fcb2334

SHA1
ae6fabf80bf688bd3e5d88b9a3106ac1da5b3692

SHA256
a4552f81224a2e7515d07e859ea680afd1cafc35f823c9fe5fe6d3cf3615d9c1

SHA512
85507f6780a1c1a21b3a1ef9ff60d82f8715c37fc698c09cc1d7317f094d778741c220c1ad5e93a6964c9706a201bd379eca6ada0df461e4c15e90d0571e31de

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
84861d3b18e89ad7db0017198ac109de

SHA1
e65797c2148795731a633d51cd4b2a36bed1067b

SHA256
727b209aee16e6d8583ee60058033c4e9ce8f8fec7fb8c77546e52c206d483fa

SHA512
9b12d2f2ddb605fc13a23901e6461f2c263db9a156f53d04bc8dd8aaf263e44a665e7be231c1ec816f160f18c72a9cccbaee57c533eff50e5becee71eb7ddb5b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
c738064d4b707e94c402e9fb6a329c04

SHA1
538bcf75a99d4371c2c7757dbda5f476ad65f039

SHA256
ac891d3619470b5c7bd957ca52f099af5dd3bf87464041024c13b5bfa43035d1

SHA512
4ca777b8792ea7331d288bc10dc68789fe124dcac11548edf049f84850f287718e9a9924ac4133d7d6a3a75d4c25daadbba12c0d8314c6139fecfa35148d1358

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
d0936a2ca7a6abeaa3c10fe635524b41

SHA1
d4fb53822847c57dab98ccc5e15275c90a8e9dba

SHA256
6d13462fc39c2f7292c8f48bd50bb1b131fd071bcad2de6cf86c5dc50daf9242

SHA512
11a643f437c71f1e1163b3b9661bd2b45543113f6779d26365ee98ef88d2fe33df8fdf35f5eb798a7938f298a44dd1c2fd2579e15434890f8a3867c17c8ce5fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
6de4ef9b1262de5d9b71ed636e49e483

SHA1
8785fc95e7da196ae7c25ba47e09c4e20ab3f3bb

SHA256
bae649a85c158a14c65316f5770646c07285f985e934a13042382d378898eba6

SHA512
9b0dff520b83f9c84723be95fb7fb8cf0bb905f86df5177bc969e5e70be2179c06e25f01024084864fed54e53082c4e83c0330bc08347ba857079316ed8d7adc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
0d80d8af3607047286115aee5830ef59

SHA1
2250534f10d6f023812119ba42e9202f9eaa9b2d

SHA256
96287433c99e3d668f33c0622ebe423c05ac901217e1b287eb6dc87bcb41ff8e

SHA512
d82b24c745ac9acf9e03a23592192f85449da0dc22e3e6c9f8fcce72ee20bf6ae649567bedc624031454461de1cfe305e6a5d8bc0b94ef52a52a7d3e8350144e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
88a1a3fa4b7f48865a800a253a9acfab

SHA1
b3884ed62a36df241e7154223e363575fbc46484

SHA256
3ddb94cd64237dfd90cd9349999fb5d98135434032efadf4c409d42388067a1e

SHA512
172a2883fbeec4af7475c7dbd453adaef6af38c0546ceb0a3015d8814fb6995c17f2b122fbd1cc9aaa41d2926751ffd2d635ab5aa0cbe903b2b3c81d99cb0a98

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
c58879b242e3173af5aafc8538d91d30

SHA1
9dcd84fbd4152047298c25d1eb8aa7f7186c75fe

SHA256
0ba6be8eeac1f3b836590d0d41e95eb0b43922c8462c5f3f39e7c394bd925aef

SHA512
9fe999fc7771188a4b9fa167ff6b7fae0758895615bb56a0f2314a5a49442a3b765f7f5d3c84976825a83939d2eb44cdd947d904b19bd2c1fff320e690134386

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
4ae459508890f12fbb3b4506f71f1423

SHA1
2e93f4a810b35ee7ebd45411e66a9fceb1f194a3

SHA256
2fd61600471570a17b1322626c86b0d45cd4297e74bf4d837bcb9a84273cca48

SHA512
2195728ea4191f364973957c08c745dbd7c6c917c46325134146e7205d929f24a34712f9d78d70e9bf42f470a48265e8006334a00c522cd790b56d4d0b96ab92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
57d903c33dd2688cc3a2a562b2234479

SHA1
5ac246db575b2fd17da76b4e40a6a524464adf81

SHA256
3954902712543f0c9446b225be8cac91411ce3ad2fc530dbbdda2986c7c7deb0

SHA512
8b4e011ca2752b84b06076530c46ad3f357b6c21b6db62b6dbfc9526a8b13a81b16abee12e4885bd5adab8e4b6668ad85436cccaec25ccc04f5dc6215a4af80d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
5de4e49a18f23f7c5aa7044db8d6dc58

SHA1
73b0dfe3cb318d14bf9e74440d73a86e4ebede08

SHA256
5000bc3647546253f6d742ea3a6cb6da7eb264083124b971564b5df1c72a137a

SHA512
dbfd6f4d5db05445eaf63006935fad5207d4b602c030816190ec12fdeec3907e7b8666972746954161369231f47c6977466135fb6b2313ca8cb81eca277c58df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
33f8ec3856033b795f222c23fd4f9bb6

SHA1
e8ab700bc4a568df68a89fc165a237265236ea81

SHA256
ca257b3842671834122d40ee195c356c3d1d0f2e0a863a8f1baaee2d846e1450

SHA512
31220aae40815844cd73c23950db17553ae0badcac200fa4c31eb720e75084581ab585dfedbfee3fecd6a9257ac0d3009d776f8ff632f835470207e921b8bf26

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
ba60276b683f476625deac91df83827d

SHA1
2e3c75342405382728cdf5d612bd7f54726112cd

SHA256
a1190e0bb8db42fa119616fc4484431385b44f7f941f7834fe131f26a1459f34

SHA512
cadea004abd5c05c1533e20523be6fe449db3049261388e0d37f56afc223cd00ed22a6fb07d385b9f3bb41da94f1dec3110c2a3b2d374f8209b47e686d2d6ee9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
1dbc64da8d932fe4adfbc7fbc226513c

SHA1
431e238f65228883ddb5ca37937716a09235cc04

SHA256
522583a078c9ebdab0c6672ec402e4d19881dd3107704619ffdedcb67116b8f3

SHA512
f2e72767c0025da9cc5d4def18aebd07284a06ef0e8b00e489cde465b2c0a6e07c5d3a34ff48e72d4b5088f6b0e016ba869370302c0754233233b1c77cb91504

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
f3344c0d9910936743199293c247b6a4

SHA1
c62c484c42dff3ed993b20d84ee43fc59095010f

SHA256
bc07941f63ab70da45852b1400ddf36d4ff2e06380ed9b41fc766d53ce33b41c

SHA512
335a4623e4db41709f9c44e81b0bff9e6b519d29b099cf05cd843ab6af465ef5e470950f65c91cc0d62990e9dbc612c23d778e49c7da116b37ec6728979a12de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
9248eebad6cfef539856125629b56d41

SHA1
75d1f912813960a436723f47a552af86d1888ea1

SHA256
970ca372eed24480a40a1f45559e2120ac16d9a6d480e12dcbb7eb83c1f5eef8

SHA512
57eb758731e8d52e0f0f8292c5b4012ac79d2f73920be7b724f57584572e400e0411d777fdca256ed9bdf173ef817ad0d5b4bbbfbfcc3741671691b994e715ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
13333d37c5408ea47d6c28a0ff690301

SHA1
e12b2b1da0f0413fe5132d74e492c001865c8b83

SHA256
25b472c23ae88d25f6853e9f78e206d9831ffe7b58c46d5143955efa06fbcf7c

SHA512
30edfff20981000973906dc32e87881a15f2bf3af07e8cbd084f37def0ccb6e5dfd9fca582eefd2448dda5a5b3c181f89a91460768e33ee04e2acde38ec6e2f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
f80bc087fe51d537f9bbba8fdd63c9d4

SHA1
a43da9a541e280a8d8f5ab113226fcccead2c0e4

SHA256
987ed66ec8f0b555992e76a80624357f8889f4a85053ea6efa5b59609dbe5119

SHA512
a823a26a5cdf482962fcdb498b3061ca225a93e8dbdfa9c8fc8b61774c2c83c103adbd9094bc0882b3c25edf3dbb3353c575d8c1ae2a13b74110292ec06ad7ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
f85ec1eed0c9675f79024740bf30de54

SHA1
53a9a198c690a645ff7496eaec3ccf7a5b1dbcfd

SHA256
cbf671e7d83c9c49a021b61f24f41ab2303c4afed277019db13c6128bea06b66

SHA512
bf28e5e5f19d5b0837cbe9436ed7260cb36e9a7b77188fbb6f60f46b01877fe40aea19966a8380273e396c87ad9919a4406c67b1b82a1af8caacbb034f5aedbc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
fb728dac6945684189520868bbd973e8

SHA1
731c82ffac70d5881582a4cf7f6c3274380ed3a1

SHA256
d41987dd99266b5726d94c8c0d4d7d1c3f6604e3d4dbaa37eaf0d24cb17b2ae6

SHA512
a266cd08ee008d323a36bc909c5a9c4eb71c6b96c13a58a9a7dd8e4a16dc4e3803794cd31bdaa8eb75c769505f7039e8f7293af4466ab7906d0c4f2eb0fad604

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
ef99b7c5d1220df0e705044d8f77dc86

SHA1
b282c35713153ab93d9f2414af9076ab2a6a41b1

SHA256
e339bdb662963cc36de58ab84708477ff22694f6607ac2d53aa375530e6188a8

SHA512
2b3f5c3bfc56335104b240f0421954db3dde2734037f55be496bd638653ff0dc59abe2ca126e930f61863877c628245081a133d8524bf0e4c77cd3bd60c29057

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
08b9fccf2c61fe95ad530fc7ea62b48e

SHA1
8d00db187f07d68eee9d2faa6b70401f748b4e99

SHA256
c88d093966c2696e7e284f35bd6150ddf48a8d4004d054f49ae9dda5222a4854

SHA512
3db186ea60ff478dc9841f062837e8d8145dc74a3abf7c3cd7c28db8b0252fcdc6c81ea59f634000d95a0c88d091a025bca56367a9bfd80f536b8c92259ad924

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
588685e1b66be02690dcd769170985cc

SHA1
002f018f53763d7378f62cb3efa435212c2ea79e

SHA256
a5113f72a4935e191c402fbc3a21b6270bc41eab34289b429233814d8cb55950

SHA512
8d4b493c9159a96058233842f0dd1ba011fdd07cfc5e204b911056167f1219ed537821f8a8668ac79671df19fd3e05c5fadc84e28594e177f875db97442d1e4d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
26847a4a94da41111e92725f392ad80a

SHA1
815a58cce5262cf78e711950a3fda71876f454ce

SHA256
8e37fc2dbc4f381dce6d135bdec7a3c6008d96675642c0107655c3d47106edce

SHA512
b9cfc77c5e496c142f062d0daee6a308418bfd80648901c5a84e49d35a504295df47a35b3d39ed620e3bd2126af333b71fc5f4ac9975c4df7dcba1f2ccc8cd8a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
86ceec56853afa44f036a5d7404fe5b7

SHA1
eca8098e6451860f4a3460b1aee71ed3e83d99d6

SHA256
3074ad379448d67c7b7f666eb3d64d2a26eab063626ba703385ca25048610fcc

SHA512
ba58e98409fa015419181992224128f22a6d9130e527c966e4af83ff9bf3fae1100509cbe6790cc67f3c3ff7f3fbdf2dfd4cf57140bd98b9544537b2ff02109b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ac1f1b2118a3823253aa1b302c621b81

SHA1
7ae8b179c793aec5597ad8c64657f165a47796d8

SHA256
594ca846662cfd7d59b5020fda27408c45b4b7facb90c0e15beba96bd3fd310e

SHA512
b056d0356af6707f26b921f877f69573873004afad81f00a07885241b0795cd2333dc46178ca9a475d5abef216d9006ab498022d8c423ed9f0a632881071fe05

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
e9f3d8089f70dc78d56ac0d2f597fe12

SHA1
50a0cd4d28723441ff4c1413c49e9b8841044f8e

SHA256
145bc20af86161a33b1d5102134d2c7f010a7f108dfd5561a42fd98174024508

SHA512
0ce6683d578a22e6707b58536544e85ee567c201eee2c4f41eb802b6224f9028009a69f8396251176c91ff1f01902e7bf3775386a9f0b1e2ea061ec28ef1ce64

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
44c2d77b1783119968c591300dc095e6

SHA1
8b6448239462969c2a2e499d5e11230ecf37668f

SHA256
8abe61e8a989175c0fa1e9d9b6dea61ed814e6855d3af82710dd8feb6892bf73

SHA512
7a67244d5c81792cf2dd4546b90d9a980b233c727dfd80758b71da13058497212c15405d589a345bbfce8f9b6e68ae2ef4f37a8200cb8c39c98b98970a4bd5a5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
54fe41b592c0552274116397b97055c5

SHA1
6ce32a394fb7d33f4a9eaa7a783b46bc85d873e0

SHA256
509472e3c6aa46b40d7ecd5194b1eacbe13ecd52529c1cdbf4ced38525672598

SHA512
08f7a409552dc4891e59aac0e03f9d953b9ac32dc05188aecedd7b6eaabd5ce7720a9c96561e5daab56d0bc6e6a0331b476fe22520bab6dfb901c80a38e7e92a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a6549f753bb90f1738f3398ce188efac

SHA1
2191cf4e52a53172f54e40632877c2d67a57f3d3

SHA256
51afdedf88a9393f52b9166c4fe1341fee36569b2c0d4c63bbf1ce830e4c1d43

SHA512
7b168a5e6a2707331645f4d736678aba994acd5a7cdbbc67388f7073167e3c71a8574c99c754de2f5e0f5446a786eee2a93645a4aba3afb4bcdf22155b562082

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cdae2c0b2a30fe4514d80c94d9442734

SHA1
555f20c127990f6c9334106b1108793c66909b75

SHA256
a8c3fb00f132c7c57374d3ca0600ee184f8e7caa097b4580cdc5c6a11893b463

SHA512
2cd485afc5981d2b87a2a9a2e0339e7d78d3731c838f2e34c7721a775a3f543320199d30d9bdd144d63e34f3c28889adac45c9c942ae69b00427264916fdad13

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
88511f245ba6cde1b2dd3fccd52421fb

SHA1
2544e4777b727c53b2c5e73118410bc353ceb994

SHA256
65cb70835bdb433a9695cca14a0b9e935df099fbab6a62fe9bfd41bb03b1f4b0

SHA512
73cea72da789079e73cf05079f0cc691b25a52ed0613cf6cc86ec91645f43faa803b4e29832dfb4134de52153929aa187114966e41c8c0c23e6f25ea8606c2c4

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
11ac35ffdb9d12b171d2b2785024e32a

SHA1
edf82e7037a5c528a59ce0dcf6593c200c9ed1f7

SHA256
4a9fc743872e7947a94abcb5ab81b03417c62675aeca850dc91f66833a9c4206

SHA512
d1df9486ea462bd78b7623dfb6d8300790c1403bd2ec6b3f8225564306d68e700e70115734f3912730e4332c0d20a80097e364fe08f2cab4f5b1b13c593acba8

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
6bfba494cadc56a0ce79c4fa5cba85fa

SHA1
aaf47e89b3aca6568c56b7c83ffd8f30c954df4f

SHA256
4f62c38a24bd2ea1efe1363daff290ea99862e405fa24947bb3953fcac32f839

SHA512
3b196672857c6e6b707d2cfdea093c9171014288e658f7f9b641df7f0dd3a952340f4b4d49535431b8f7126aaeb71868c517376d4b8586dda047f0379663c317

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
3d0e513a973bce19087a28b5cf123b53

SHA1
0c5b0205ac4b5a5fcd8721ed41ca5b7ec64fcbfd

SHA256
39d50a777a4ea195be2f00ff64d4fd7a5098b70bfc1fc99d51e6adee440d6980

SHA512
445b53e35ed3b5d62398087f465d0b51f5bfb3a60b64a21a931af21015be1650a4e6e2be778a09d1f8b65ff532cafe510d8d8b9e3f80e7efea36536a5ad919cb

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
4872def5687ab96d73ef367010194365

SHA1
e4b8965bb65c860af3efe7016a9c10d4acb81e84

SHA256
5e96b26c9d3e66f616bacf377e78d2869739cdeaf07f8a3f99933b956420d365

SHA512
f45b411bb92b8e1f79115500bf315594fb413aa211fbaf1c6c3e8abfeefd707d0d7fdad40cba1e87cabd3bbbd46e1554f1cce493b68b13c2126e520bbece1a65

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
d929d3560f9005c3ac43349fa0fb0769

SHA1
ee92d9bc0740a28aeab0805dc67b19650c1221a9

SHA256
5c2e094163955da2e8d9b52a63c7402eea64734fa6fbe30d2622caff08105bf5

SHA512
1ab71dc2c5a5730539a7057e8942ff22756f3c90921a7fa521087f11fca6c05dc1c15089e11f94c799afe1c5484a4d30c2fc9597f53a6db36aa7c14267f0884f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
9d21bdc667e5a7d42583f9063e900343

SHA1
f70a98f764dda8b10ed1fadf8ed3b725e74c7ac6

SHA256
64fcd0e1dbf0feac0d4022286f14b29381d2d66e617b496cca1a7637a322717b

SHA512
d585b2e1a27438c55bd85610df1fb66f44f52c2a0bd46b29632270b6057a33630ed396766e6afbc4852d8d646b11f70da8cbe5c25aa733303e4ea164d201a064

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
e2af934933e2c4c792b58067c2f8286c

SHA1
3679ca5cb469b603aa4fcf45efbea450fc648e05

SHA256
a97c1684dce5c716215d1d8c5ae4f32133b1079cab80d5bf2bfa5689147a2cd5

SHA512
8297ba973bcb5e1d7686bc151ec2933bbb9b59388a108adfac453ad0dcba35d0b12309925588e40687f6dd60ffbe18d846eb9ea65e346c40cc5413bce526eee1

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6884f99ff74eb9e9b1ca27a847c4ffb3

SHA1
df697bf606f654db4fc4a50f21e75fc8aad33c45

SHA256
1040c594ad08d35197a717b0350f3dd786ad8817df955fecd90ea00a30a5d4c5

SHA512
c0c3d082f6173a51167106f64a82e87f822674d3909672fe1b2d72d4bd74f2bf8e7bcfa747c21c88b4c02f053bae088f482914bf2c87cb7bf1668a0d145364f3

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
d511692538a76b800b8bfd422660d12f

SHA1
ee4ed24a1e6d829a7f99a80463ac56a3cd3aed62

SHA256
89ed50c8b363ec141428df58779bb606a0822e03e038ea4acbc042d011afc593

SHA512
67a581ea9edc5224803a73588f3ae5806bed98b5769e03366a16c2e3b39d3935433827515adb5acf0b77587b02cd83a2273d4090a2f594ecb450ae733a4a27fd

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
0a24c84078500c2f1cd3fffd4ed1e2bd

SHA1
a095d3e0036cbe7e1556d813371a92ac0d726244

SHA256
4905da02de02ac54937904c7a7ed37f78af08e8c3e34e0b161c675e85ee2081d

SHA512
c86c2bce012d0bd7a7df1ed098bee6967bca3f01fc6d9c789119df677d838240fa4e263ef7462aa41ea987b46cb3d273a8bb2191cb7e32efc4522ae48468f455

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
d89e5b8e912baa00740ffe7f0ff6a721

SHA1
aca18f8286da4208d6f03178731ebc31227d25bb

SHA256
47d373aceb347e5b98dd1972734ef5e5d916aaba66d8685b14e7d5c5534d5320

SHA512
f5fa7d1202db56baa5f1fa0c47220c9205717b47918bd7420cf3033fc4bbf28323ee2803fe7341d2a5ab89d0222cc026786507997de3fb317b0f4d92411bcb30

Download Submit
memory/212-91-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/212-21-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/212-18-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/212-12-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/528-640-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/528-196-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/872-641-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/872-207-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1448-82-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/1448-84-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1448-88-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/1448-90-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1448-75-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/1540-223-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1540-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1660-237-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1660-126-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1924-234-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1924-642-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2348-646-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2348-250-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2520-104-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2520-233-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2620-39-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2620-60-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2620-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2620-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2620-47-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2748-238-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2748-645-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3208-35-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3208-26-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3208-27-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3208-129-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3244-210-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/3244-93-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/3244-92-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/3732-648-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3732-283-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3808-81-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/3808-549-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/3808-550-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/3808-1-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/3808-0-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/3808-7-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/3828-159-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3828-282-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3828-606-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4400-163-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4400-522-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4560-148-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4560-261-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4600-183-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4600-639-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4704-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4704-174-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4704-50-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4704-56-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4812-195-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/4812-70-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/4812-64-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/4812-72-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/4944-262-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4944-647-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4996-249-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4996-130-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download