94851dc8550cf6ea00642ec1b5c8b0831a9ac38950b293dac1ae43eb2ddb8c4f

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
Size

1.1MB
MD5

359104c9e22e34bfeb113e932ce2a532
SHA1

db17c5458a92f1764c3702ff0039c6be2ad92b3d
SHA256

94851dc8550cf6ea00642ec1b5c8b0831a9ac38950b293dac1ae43eb2ddb8c4f
SHA512

38546922c3558560ffc90d680a2560f563c81bb67e0db27680c491d24c3ad1dfb0643ffb05c688ca74f3d2aa07a0fc6b0851d189ac9d31c4e8e8308b96bb1ed0
SSDEEP

24576:1Si1SoCU5qJSr1eWPSCsP0MugC6eTopWZfDd8j6Ye0Tcj3:tS7PLjeTopWTYe0TY

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4136	alg.exe
832	DiagnosticsHub.StandardCollector.Service.exe
1512	fxssvc.exe
5036	elevation_service.exe
3640	elevation_service.exe
3928	maintenanceservice.exe
2872	msdtc.exe
912	OSE.EXE
5040	PerceptionSimulationService.exe
4232	perfhost.exe
4472	locator.exe
4912	SensorDataService.exe
4632	snmptrap.exe
1000	spectrum.exe
3380	ssh-agent.exe
2440	TieringEngineService.exe
4156	AgentService.exe
3444	vds.exe
1908	vssvc.exe
2128	wbengine.exe
4488	WmiApSrv.exe
456	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f63563a77cad7dd2.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000046ddebb4ff20db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af5f47bcff20db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002f8c78bdff20db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d45e66bcff20db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d6571bdff20db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000023264cbcff20db01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
832	DiagnosticsHub.StandardCollector.Service.exe
832	DiagnosticsHub.StandardCollector.Service.exe
832	DiagnosticsHub.StandardCollector.Service.exe
832	DiagnosticsHub.StandardCollector.Service.exe
832	DiagnosticsHub.StandardCollector.Service.exe
832	DiagnosticsHub.StandardCollector.Service.exe
832	DiagnosticsHub.StandardCollector.Service.exe
5036	elevation_service.exe
5036	elevation_service.exe
5036	elevation_service.exe
5036	elevation_service.exe
5036	elevation_service.exe
5036	elevation_service.exe
5036	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2884	2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
Token: SeAuditPrivilege	1512	fxssvc.exe
Token: SeRestorePrivilege	2440	TieringEngineService.exe
Token: SeManageVolumePrivilege	2440	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4156	AgentService.exe
Token: SeBackupPrivilege	1908	vssvc.exe
Token: SeRestorePrivilege	1908	vssvc.exe
Token: SeAuditPrivilege	1908	vssvc.exe
Token: SeBackupPrivilege	2128	wbengine.exe
Token: SeRestorePrivilege	2128	wbengine.exe
Token: SeSecurityPrivilege	2128	wbengine.exe
Token: 33	456	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	456	SearchIndexer.exe
Token: SeDebugPrivilege	832	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	5036	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 4420	456	SearchIndexer.exe	113
PID 456 wrote to memory of 4420	456	SearchIndexer.exe	113
PID 456 wrote to memory of 1808	456	SearchIndexer.exe	114
PID 456 wrote to memory of 1808	456	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-18_359104c9e22e34bfeb113e932ce2a532_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4136

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2276

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3640

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3928

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2872

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:912

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5040

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4232

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4472

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4912

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4632

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1000

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3380

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2624

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4156

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3444

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4488

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:456
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4420
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b0063f01cafd61c19c4359fc85daa3b0

SHA1
9ddd85cf5029469e3696500ac8c1b9ce036adf1a

SHA256
9f14217cf14de4a69496702d5c3803687d16b107332116ee79c27884c7ccd056

SHA512
d8c399900b1aa3d1b59064e7710131e2233cba6ad1bdbb3b36aa23543b1d9ac7969d1938c0a7978c4f55df908c0bdef2f9afb210e1ca696933eff8b6fe10fad2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
bfde35b83dace8d3422aa6ef0efde762

SHA1
32494742ad8b80f8274aef8072a41e9eeafa1b8b

SHA256
ac44b9b4adb0dabc429743f4a3798a0ee2537d40faebb2b028a284a54caa53b7

SHA512
cbff79dc9e1a21ed0d935b5707ed77d5bfdcc5de7aa6539c35d5cb2d1f8f1e7d09ee016c04a4b0c6992ed9524d74c44ad5899ee205a3cd60b791f32cc0b2a42f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
0c9ca62eced3d8e5808fffab616f9267

SHA1
223381d928f918ad42b8bd384363de5903ed31f7

SHA256
38f633cfe1d8a1766964eb6e02016d1e1db555c89abf02cc92b45d60bd58c3bd

SHA512
cab8912e07acceee5297ef359cf335dbc8112a9c4436a99eb26899919127a45ad40581fb73994776e163713ac800029acee5f51fb0eb9d85468856f093316711

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7e0654141d73ebc6001432a23c0a41f1

SHA1
8c66348847211dea363ff868b9cf68c4e53f73a4

SHA256
eaec71f047e70ff5870fb861d23d77b8914f60a875c12c9e79482b59c422dd6c

SHA512
24910ed787d41fb66088050872fe66151bde868879966590bf634733855d9716808517efea9d27b03377742cd9bbea305318cfc36a7ec346d3ebc7775e66080a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
1d067e19038da1713f75c8e22f723a50

SHA1
75710a7b7ec5dbdcd4c9389afbd826770475504a

SHA256
108545bd3ab8852873913ec059fd7b1f47289c7d0905bb9d421f63fa4da418df

SHA512
3839fcf6ba431ee6c6caa9f81f547fc304a43aed4dc1d5d70caba9c89231d4ee3a97ea0bbc26c20f493c2e52dac3385eae4b0794ebf4cb5cd18bd3d82804ca78

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
f5645c744e0ee7d4076247b0b8a2bfc0

SHA1
4cf5878308428850a730301aa55846dd80307cac

SHA256
d56b84aec29cfe9f1b7dccf4dcb7a94c8459f97a118c7ab66ff4c5840e9dd028

SHA512
8236fed05414eb6742c6c52aee31f92071084ade240bf3cff724b3b18e1f9333ee76e447c128cd98ff33885e712d5e0cc637c02f197d0b514decf3b96c4934b0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
ffab53cbf8aeba4f8962cf8690aa0f58

SHA1
2d56625e1eb2d4d310fdc5dbefd8a3212bd07b72

SHA256
351bdcbd00da6eb5ff2854124817a08905dfa271b25bc1c178c10482450c3054

SHA512
82ee74591cc0c848122cc3fd3954d21515da98b019ef581b59dd0399bff8a85f7e23f30be0ff5e33ceb6f280834dd5a7180abc907c37c71fe5fea5c0b0a475ed

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
431c36a0a252c85fdc143e85b08bf887

SHA1
3444807ea997c5882b450f8bea4965f0dd1f9a79

SHA256
b6acb929a18d63b97664685212d6087de430a0f6eaf659bea28675bd27dbfb10

SHA512
b291bbc3f85813f91f55539732d7dd90b29885b530a02bc0f0325d2e5facdfa483a2d38fe2f5fe6a9a345ca3979d0463072adca64cee0cec0868c3c2d0406044

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
2b5b513805c636f3affb1d8b09b1b1ed

SHA1
66e9837a669b614df657590e32ee492b805366d3

SHA256
390c9ec63105fdbe8bced3921b98d06121aa0f81deb3d4d8389526516b8e9175

SHA512
23267420b80c0216437c082008027a53db57cc7a6f35847cb64c63bc6bd34e6af71d1deefac5327ba92ad311f728726c6ade9dc4235b2e29d5e950b569b1a559

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5ca4b4d51880e54b7e6859cbb6ad8143

SHA1
19c877ffd001570ee78c2aa92256f5f3f757de1e

SHA256
37a42f1f11e724b06ce3331ff3b1aaa0541a2e855036e320b51d23d21e6aa06e

SHA512
78d873abc5163578ca62d6e198560e49736664e4145a4fcae05cb1bf64bf010fdb3595ac148f547410c0024a6c1aa070635e289c0b6b8e91b9dd6369106afcef

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
2aad60ed9f1440e2740fc76f3181d4f6

SHA1
e99d4f9b8f1a91e35c8c7c8cb71f5152e0b6cd2e

SHA256
fa0de9dbc22d55f14c1e2b580a5d06d879c7b0d0ceeb12814f488af1cc66cd88

SHA512
8e05e1e5cff027a1d838e18c7ae1caff19e4e4989c6eb364ae28bdb007f261516c1b7ed8824f2741a6c6ea365d7ce90a3f68d4145c029df01cd1e41d542aea23

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
bc0329f156c18ede5adfba75c90fe2a4

SHA1
5ccbb6d7cf431891bb0e36d472e04c90c6e78a44

SHA256
62a2f2c10d4d40179ff5d56cb40479ba032e38a424f581ea42b674bdd1d1ad9c

SHA512
3dbf18d7da382941952c9e9f7ace1d1e134cba42c5bcc2adbff4bb0f28c37b726a64c87881dc96a00cb5345085f581b5917c4867cfa9b90aa62c862e69423506

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
3c4f1fbddb8a4b8d19d9d97caadedfd0

SHA1
2148af561cca6083d9647a43478a69c6091aa430

SHA256
a226f648edb9a8d27eab5862279aed5f738552479fb95a362447bab1d83befa8

SHA512
3e8a20e4b228d84b4a5012637db34fab0866033a2effdbb64a29e073be6156ace6e845fe14a6e30e4ba2d41d396b15c69f08803236f832f640f65f291438abe5

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
c4a0e247542b849e74cf336aa438aaf6

SHA1
54b0cfa1f0bd8bd9d11e03547d2d3c99630afcbf

SHA256
e2b1acc60030db2fe6117e2b12034852b7724adcb4c7de6b13ff4e3f76dbf27e

SHA512
403cda0f4f4860fe9e3918882a7930446e5c280713c4ebd51cbbeed0c48a4a5d52d800e2090df7594bdc8842e60c0a6e5f9e3a7deee945ce56b6721297da7018

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
169b0226dc30f0b858db98d04f08234d

SHA1
80be48222af61f74dc2bf4fb75c4c08f2b33890c

SHA256
679f0e417ec76409dfb35530e36ef7e40e3bcc31682bca0d9131bfe6fd9771e1

SHA512
49ef40b160ba7f9f99d2e8e6fdc2b63fa44e436f3ad6ca45376de0ccbf7fafc9959e9a4bc9546e9ceb3c1bece3ea19b7e3bb87b747e9c2b411a11370e5e105a2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
4e38ecd34678c950751e72d8eae93ec7

SHA1
e52ace7129ce3f256108aca32d1dd60ea0e62ba0

SHA256
b38f8326d238e79a49136439b05f11b355a50793c4bd98e633e8fe9cffddbb02

SHA512
b466204339bc84755e73d951764be165681ca51d9309e0b540d36b5c098b0fc6d8bb5032a34953383d14d885d652985eeecd8041d672aa87b3ec6ceaccddf639

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
8b69db1a41d92b4c4f5267b60971a494

SHA1
bc94a4ec548e04d070f13f5d5a11d86b607b0d1e

SHA256
a9fefc4dec91e6fba33e39b6aa5c5e8167fbc24b011b44afbb5b418df36b714a

SHA512
a187aacab4736075094b3b7ceda9ba112327484765a07c80bb4ac52cc81486dbf49118daf5438f19e5cc96be59ea56ee3b5d9557f25afc269c5473dbd953e16b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
0e5b94d7c36ae19533cee9d5ff82cdb3

SHA1
d53b9c1450bde9d191d3627d268e7a2f145bfdec

SHA256
be3f2fad1ad439009260da5bd97558bfdfdc9da5a384f6f8736251721bffb183

SHA512
8ac164c6bb0607a31ca147837cc308b0e04c4cc3431cc857961d8977e4a8a8a082a0164e47fed2589dc365631521d3f894688d31d82dad80bf229c47a01d441c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
555b34e639239f575875296e27fa53a1

SHA1
2f59f113e39f21f84103f36ce76ad9ea5be94094

SHA256
6003bb7c67659200533aff49633bcb0c902ac2f6a725291461a67795515723b2

SHA512
e817f97aaa63ebbd25f59dff118f6a7b988e5a25682900163aa22e41f5c1e6f47b6d6df41ebb0c3c4f21934125971a6cff1e8a42b706efd1cdaaae80ba8c4b4e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
2e7420ae11ead9e2a820e779d483737d

SHA1
e6bd20e3600debdc36e3a8d10b03ca8b1dc6e621

SHA256
cbf7efd6464fb56e752275a41174e6c0fdeb5f9a4089e3590ac8f8c4f5585154

SHA512
29a8aff2fe4c6f60a8830ae15487aaaeed0d84ea559ad4b9e2982cb47f2bdbecc1e8b8f20b7982ced0c6389962b1103900220fc2fdfc842284d10b90c2f9dac8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
b508929b02ec62e836e6b6ae981dce19

SHA1
571b519e986804ab69c4f76dbd31572090a3f2ef

SHA256
f8f5847c6bf7d51ef047f52fc97c49a566a057eb270ab1d3c80ef9cc23acac7e

SHA512
1f954c07dc5cecb1bddec07024d623817bc5159f25846fcdbf1ec9ab357d83d48951c006c32bddf4ba5a80b4e6645209695a8bf5ad99ebc374661ecf399ec41e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
79a7e2bd03104bc09838e66895fbc9a6

SHA1
a1d7d892bea49137565c1f0f0888fe9c6559825a

SHA256
77b79146cb578acd1b16c444cf7b78709164b8d25a67f8d6ee729c442cbff362

SHA512
023144816b88e42d9f83e0b44abb4c532935aeb685c8e090e56b9f1d510819fb55aedfeb832378eff7cdcd0e6595d5147c882449f3844c340821ccbe59f80a28

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
da2f6d9f1405d64a680062073a0b2b96

SHA1
1f8ad302774f3a57e156a3f7313871a5aba0d4be

SHA256
b6efadded38e6cd03329c9fd8b2c6ea292b7e9f92f009eae65839224626bb595

SHA512
10645927d1cc5115b3e838d3957f562ebd24873fa71bdac94ec9e1d586f68d1fb4a8319ad6cacdc1b44fdb66cd734166b5338a5a88fcee6caac2b68fee635feb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
101b976c93f3f7d6838602658a8b4841

SHA1
7d674807fca56b74b656edb5b5c7e4f90c7f91dd

SHA256
e0d1edf7ab3e055daff6f688f045890129267edac1d33780409a19318ab0c0b2

SHA512
69f6c92eabcc058fd1070cb6af56794179ab4874ce312c062429934d2d13b81e74ca46bc08ea2028d513203423be5818555c2f4432d41c9fd7e086c370cdf398

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
24e7f5f42b548228a4fd9aff8b1f809c

SHA1
c001b153d6b768fa61e254ebeb696d65a10b391b

SHA256
6930b229f99218eed081e572842b9bf2fd63fe037ea2b484a31d33a186650c52

SHA512
c04538fa6adedf7f4fffedfbee9376be8364acb9d5065a9dea2b14e2701773fd36060120b2dfd0fbd5403a115becee5666ef824ad55b9037080b07a0be13d49d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
85da4e07efc9c33d106e86b039f9afc2

SHA1
1f5a98d8afcd2783a5983b6bb511e5f23dc38d1f

SHA256
814399ab7e4e9d026644ae838bbdaf1ac5ce7ec1ddb06971716d5e74b9837f0d

SHA512
85fe12b78e639b6cbe071df43deb4d9dbe57605c51636475b1c2ac19da6845de515c58f396c863deb5975dcd9f7312f50c7a346a018fd734a8a9a8c5c8211503

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
331a65366d9f998bc1999c0ed57aca37

SHA1
46ece6b5c06886cec53c34a62f12c6eeaa2fd5d1

SHA256
1865c750f64302c1dce23ca477d76c3931c7b8a28f1f6aad6e9ac61fe8846711

SHA512
6167feef868f80a2ad5b8dab5410ba890fde3d11ce463a4f05bfd3f97e3dd058c0b0b23138815699bb1f11b0534419d7ae2c4c9fb4dfdbd98ab5012fb62994bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
18d82848f243d13ff5cae1bba95fb4ed

SHA1
d25572498f3a469a135a93088f3de81d534a7cfe

SHA256
d29a8372fa23be7c0703f3c7ed5f0be3bfa0c156eb4450607d30af1a7ed4e7c8

SHA512
44705652200f5a7c6ffcfcdc9728b870cb4eb9a1f49dbfa2cf439b48eb5f69f7afd72653ac9589fb4f173d653534e4252ee246bab03041bd81ce95d975e6bf46

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
e07e59ed66669d8145882140025d57c9

SHA1
adb9bd925e5bcf084821163527d94c411c1bea67

SHA256
f54864fb8c63c1ef68d79f833dcc332ad932ebe2ca8e8019f75853ca3928f868

SHA512
75b4b811620742a91820b2effe91826a54cb0db186fbdfc5099f1a5530626dbb1fa1290a75b623b022b3b0dc75ac000548394e9f6fa3e8bee1c8340cc74b540d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
0d5a2dae472c36ce987a3c07f410f30c

SHA1
ecc5161edc3209df9b4a7a60a59b2f3c943c1ef4

SHA256
5a0a23f28a93b53689c15c31db5ed41c19c2275c2afdb65e4adb8c795173090f

SHA512
e459a0705f45f1ea13ddf248b11c783303e749f10659d80819edff5b1061bd8dae58f85c9efbff33276d2167fe466dab3b32552dbc243351e6e0b8f15d0d6e7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
e8ac5cd0febe447b48d4872aa8ac3dda

SHA1
ab745625a3aea28a2820693055d725e10d103354

SHA256
ddc71111da4d5a4d4cba3ca5dc52a18b90ee132c7fd58b76ad59175cb3c2e8c2

SHA512
ad652176b1225a319ca5381a08f39b91d4d0a1bf37bddd2e2ecab5613895161a0712e50cf17dfd1b38a71fa49894dae1425acda16eb1d8634f50fdecd8a44344

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
7445f6ef7db1e15bc68a087a6ff216f3

SHA1
3e6b2bd85185a9a5365123aaeb689f3127e51366

SHA256
ce561ef9ad45230d409f1e7fbc868f5ea732ea6ba239f064f0757113ea73e2c9

SHA512
434b18f01e1fb0ff07db4aa7f3b18e7ba52de74caf7985dd6f883830ab8f2743d44a9d4a1986538adb4972564124864d50fa39f4849b2b4e1e735fa56c8b9ab9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
e708ecce86cffb69e304e95c8013f2f6

SHA1
21406f03cb2224666bbcff524d4fe4c1d65fb3e2

SHA256
92f69595d8712e67cbe6228b07be83f87337847b38907519599787c9ad883f0b

SHA512
fa29612f0b8e3bdef3edd2fa9ef9a5766b7929cf083ba50ca3ce5ef0d0d1279df16e4d6743c1e651cd81d82c318b098336285167a6cabdf6cd5472d4851a48fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
5c75f2058f5a26ac40640606224c50b2

SHA1
e1dcfddc1cb25dd341d1300f7143b418025242d0

SHA256
95ee2e5e726ae6ed266618b7cafaeb03f3e9c7702297557d5d5f084689c8d4d5

SHA512
fe3651a7b20d3373820dd2acb63c24af8782ea3bb65124e8406db4888d5b7ca7a4ad97179383eef88fb6ed85e56b50ef0680e28017236a97e2a636b0000d3bdb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
5613bcdb904a65b47ffc8df81afb71e2

SHA1
ddace06e0da711b97576a07826a6947cb2d3917e

SHA256
5e68cb93dca3d7dd68a21308d718c970665b793527a84c327d633a12ecce9fe2

SHA512
dd110aeb401e271e066450478d4841e42f3a2abebc3a6100ea7b15eed4420b6715fc4b4f0525ad357a6f499515a6c0ddd89259a910a8cc2bdb5940fd9451222b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
575eebfdc2513b94f3c528abe703644b

SHA1
6e745578734b90f119d2c33a2c1bc71af007dfe9

SHA256
d99061b36996d644d77738ef23b22a1be7a6490206480e6960fff6e275546fe7

SHA512
e334300d1dc1966eaff6e513543c366e9373965e4e1f31461c55604434e8cd4343bea57c8c36adce7feedb7b843f9fcfced22319bd0cbd489dc79228cc988ec5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
e86eba02103db6b5758261a14d4b545e

SHA1
77f7e4d535816d5439403479990c1f4c9dbbb6f1

SHA256
cb8514e51c1f9b0951bd84c825ddf1a6f356466eedfa12fc2bbb2deb7d6c6beb

SHA512
0a755065b1c46b2d3907853df848eab15398a0e99460a220487130439ce47189f7a83e3304e1a425ec6647e723d6d1a9ef660a413b5d515d3772042aea3c7f7d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
90e2e641c720cf56097b2a2a2a1cd1cd

SHA1
7ba4c22e9fcea23c310779d1283598fbffdacc71

SHA256
2d6c399ed4e9abb870df6a75a14c1bd91e84434a886f4c183d934e4e20788529

SHA512
0086056775a60b806f5509e90fb34f6bc9c534dea29b1480b43bed5b3323e206fd6f6417618cf01fffb105be3347adf2234390945fdc291f9a0135c8a3872b2d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
6cb1cdb9299a88bfa78527ea4faedee2

SHA1
d7a68984ff6472cc538388b8045e4b3098f73928

SHA256
b49c6ee262ba259583e06e8082bcb01b1ef7ff1174fc59f7b903df04cd9cb56a

SHA512
fe4b2439f49e33f288bb0168caadb55687f51356910f1225946218c09c718c2543ba647b90271f2b34af31ac941a6dd086e153e75de37d527d24597bc4b0d1b9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
32ab90c86ebef02555f607e91c260022

SHA1
3551cb0ea983a16f01d7dcd1fb6eb7532f18d41e

SHA256
8b199676040161f24c00ba4f4e66e4f2bd0e3072198bc48fe267ab33c0dda073

SHA512
41c99761ec8be4151c0053e43b2d5807d366f3dfac4be8fd62877b74048cacf62af72a6fe63df96f85eb8c9c099ec9bf43ae429a1f258bfb2bb5f14e7e744238

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0219ff5d4fed191adb14c03e14ebeb83

SHA1
52fc50736109101b84448a4d84c6d6823ec51145

SHA256
8bf9ef03a090f19bca52e57c35dc77f4c576417124a99ed7ab4d1b59c267b16b

SHA512
a0229d866c88d73f0a02b10d9f7c70c6f1cf1514f9e97ff6c5962f1aa515aa4cf78d44bea7972646d0a4f9263efb2564d33b450a6470bd6771903c182787e5e7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
ba0afa2cde392187e600693a850f26cf

SHA1
6296ae5c43b192b81a5d29f8a30344e73c03a84f

SHA256
b110ca9f7c9065a349e5bfde48a26390d6209f07c4a2242d4fb21923d9c33003

SHA512
54afd4f23bf8033e05db463563c83b18f78e8ab279dab7e868477b6a8e5f488e6f8794798469418fa3ba26d7be8ec352d333c02d1f63bd64b587b19c85f9670b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b29a8a7c31555cc07f9f565d802ba6b2

SHA1
1cb6924f4e508c29e3206097d3cec06d2d808b15

SHA256
c13e32556195fbaa553499be9a5d56971d2605dee958f056b9e8eecb58d363fc

SHA512
36c2aa438863c5a32f1f1189178a444c70aab03be547f5182b9e385d23e1347005b46db3bb866153dfd8df130b4fdb34bf87e91c432c2de04254947fda577967

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
7631fcf03aa880931a51d84000ac773a

SHA1
36bc294c00465ef3b84d04846ea3168ebe18c2e9

SHA256
d956a89e5abbf4c79ae39d7422e51ee0426fa5c9da0f3185b309a742f38317f2

SHA512
27571e60580001e1a567ffc4a3745238c4fc216717d6ab444f1a0eac9ba79f38a22757d6874c7a936053c3f6bbc92f6c43e624e416cd3dbb1d9bc321b336e7a1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
ca2382f6fbf7dcd35a16ae8279d8ddae

SHA1
c2268ada17ccd049ae752d5e2cc081530a311f36

SHA256
b396547ed0d6d3a0e8a90a1e6eb190e2a5056c54ccff295b04dba98febb6176e

SHA512
a8afae1f6f1b29a05f2c92ccbb9ae7a4bd1bf1233dab39f1b20f0e2fb49aecf643e6b7b84457ae9eadc8386ded1fb95e7724b25378310ed6c1175427b675a559

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
a945e3957a00254e853663ba37127193

SHA1
87748150a3b5bb54991d2ad704375a69bd8a5f31

SHA256
cd469e07edb6a3bbd39984f6492060b66fc26101e16beebdb6d56da04043e5d4

SHA512
866303b8654e92fcef6a9787eef5a87fe8fac677aa6827828ccfd0d2061f1e6527ec31b0f1ae9076b0b8ffcac64cf583d4ff5d3b76fc10cfc3084b3fe23a9b8e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6247d1ea98729380785f1a2561fe2230

SHA1
cb8bd412769cb10582f1db2c1a20443ac2c7b521

SHA256
c767f2dbc37be7e988dd160db53e3f1af35b421867decaf98743350a65c6b0ce

SHA512
7266e1706100665e256b66f7d3feb3118f87201a93e02bd06d633e79aab1037214c5754dc1e1bf9aa7668c85c1bea2c7231dce70ca2022c5e906b550296f0b8b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
28fec9f6dfb784fa261519073f0547a3

SHA1
32372c5b60b7600731bc5c13ff9e99d5c72e66ef

SHA256
c49dce307557180cf762bfefc4a43fb0312ccddc98caddfad5b7546d90dd40a2

SHA512
a250cdbe1cf7c87bc53cc07a83f1ef4b705336a4eb3c53ec94b8afaeffb1306a3c8e96f7f176c074580cee544f1e9fe2dc4f83990651a51537fbae3f12e35607

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e2a2709480da9e0c635e43afa7586230

SHA1
622f7ad99ed903901f08a6fba8829100d110f60e

SHA256
a7235792b82ae6462c34dfbf28a4454b1cd32c19f3f23af94f18ad45fc0b34ba

SHA512
d177b572f11fa5ae048438efecc40a7bcff2dcdc5dc71ff7e1d0b41a36ab55df6abea317be65ba59b6667c933794868f4ffd4b33b1ed413064fd14d8a0439c99

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
c3f8e599d99636523f681acfd0a93170

SHA1
90404ea902c8865e09325c55983c8b8065fb1811

SHA256
cd92b6661cfe6fcc1eeb79cb27a9a31326af018ec4423da318afc9d378eaba74

SHA512
6e8762d21dadb923fdaaede09e489949f8537b3444910deb01a9a2e63d8807c3da17e38cfb3042c4f5dc249210b57dfd5bd99917c49aad35fcd4e8b7921e3445

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
838b2670b468ae113e04d6f16fda3848

SHA1
9cb9e651d1c8f89432fd05500be84f21608564b7

SHA256
12435fa1aecaf614e03347608d954a4a1b60698d06b2b7f46b7ffdb07054951e

SHA512
48e61b0dc1fed40e2be2d1fe3da291d5c3b798418987d5082d713530f09e30848ea9587e050994484760ab2c96debb745644d05bc819dcc1e8a0a49a4abefaa0

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
2fec56a3bd75d7d1ab523b3963e5c605

SHA1
4c6ec0164d79176aa1bf26160197d856076f24ee

SHA256
cd64a172b20550589bc4c70fe595c3488add9ecd18f83ad7329f437b3e47d797

SHA512
6c2092e3579129f5c5448a74832adc3e22b7eca837d8223c51999bb66052d2ff5dedaf9577f8a840d699a7bebc33a8ed825f52279f31184418a0344fab4dc590

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
1be13976e9ccf06da9a1bbd894d90f00

SHA1
d2b33515ab47244a2617cda780c58affa7f05a47

SHA256
e453c54607ce3e3003fef0156c90603c9de91add3c0b1428f93f4ead479ba18f

SHA512
b6f2ab5b1b126a7dead9f912ad875c8b3c2a6868a51a34a45da8a346ddb9b6da244c2fc634a33d3cdc5796dda2efe51fc0d1c75c0c1bedfab0efa1fae6819723

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
f563459310206231d34a2f6c83f06325

SHA1
d2b6473edd7131fbf9359f50ebd8459c9c107b3f

SHA256
0acd28881f7c71dd94cdc714939fd988e5acd83bb290e349c9a877633b8196ca

SHA512
12d1f5a860e77259ea3c92e4cfbd01e656106a117894cb8fd17fb8d78235f9fe3c59d85e7fd17088a97b94b52901311c936c974c652fa27c8bc8c410f0164a30

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f1f3a3689318f7668b76146db26d8f45

SHA1
64170519b872d221bcf00f22c86c53af21c71414

SHA256
f85326f7d1d831d32f8e953a54e6b648238fd9df62a16e7efb58fed5bd2ae7ca

SHA512
331df3a497d5c7ddbc0fef90e520d08efb2638d408bcd5e2d85afebaca09f3fd276de88c6d8e0724feca18e3d70d1a66dc0e94d3f364827feac3c66ef20633bd

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
107de8ab5b6586dfff95ab1dce9ca70e

SHA1
be9be40e384c17bb4f27427cc7d7e6de13b546a0

SHA256
7377df02dcb897509571b2ccaddc790f67f2f3fdf494a873d1beb0bda79dd1d4

SHA512
2433bb932672db730a46e66615297fc997691da53e0a43b09bd3aff1341cc2ef1e124a6804552ed66b6badaf135e75485a5ef2bec0cdf0397b1da98ed35965a4

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
cfdeb934653eb00ab1365ad245f44a3f

SHA1
269add0a5f1e12a8824506a83dc7e0c361cd08e4

SHA256
1bcf0a05ba32338bc8225d5e7c86d4fd7b643372e14c5589c5af25cf873d74b1

SHA512
69e4d447f98759a62e171b283dfa09a8d50ece3acd4d177222f374430e14b1399a1cce7f2f723c772e4a9ca98f46cc9f473c3465e9fbd5eaceb15cd566965653

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
807ce1afe4f44bca9a83ee26ab086aaf

SHA1
8ef3542078136205c8329a9ad76d647365449293

SHA256
ce113ebf4580b1677a31d256753d06445ec9c5107b0ec5679d8407d82595f505

SHA512
7668847508e951701807310e654c48f30dc979f437f689f39321c50c5e4d64b249058685945a4cb199c42cba7d74b9379ff7f1d920e1075ec805af15f0f62206

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
55b8e0229b33d32b07a8e8558b37d98c

SHA1
a4892e8d516144bd0b7c15714098b4e60c5d7941

SHA256
4db04aca9d23ede1ff94708516fa6adf793219a84cd10e6a8ae6fde32d14c9bb

SHA512
323db731589eddfa0eed09062d768e77e8a3fc4f5b80952cb0e848b74f2e74901299fd0fe159ecf1a885a59f2a7fd529da9c569bafabd62e06e508e5892655e0

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
06e3fa85d969b5f5cfb8a8fa248f0040

SHA1
52394b98d897f172e94a6b7266698b44506e5940

SHA256
b018185fcf3f91dc8cd8f69d9a0a5b232256325a44f37c4dc7bdc01efeff0457

SHA512
72955e145aa405b3508497595850c2eda0110e930331fe2f74e52a1f6f4f7e2122fdf395a93d18b9d8d884d5de669609dc6b905d45cf9d7ce8c73a1cd6075302

Download Submit
memory/456-409-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/456-167-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/832-17-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/832-26-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/832-16-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/832-204-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/912-74-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/912-83-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/912-81-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/912-404-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1000-160-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1512-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1512-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1908-164-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1908-407-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2128-165-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2440-162-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2872-400-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2872-73-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2884-0-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2884-327-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2884-328-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/2884-1-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/2884-7-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/2884-80-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/3380-161-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3444-163-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3640-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3640-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3640-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3640-368-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3928-55-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/3928-64-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3928-61-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/3928-66-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/3928-68-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4136-13-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4136-168-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4156-139-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4232-99-0x0000000000960000-0x00000000009C7000-memory.dmp

Filesize
412KB

Download
memory/4232-169-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4232-104-0x0000000000960000-0x00000000009C7000-memory.dmp

Filesize
412KB

Download
memory/4472-155-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4488-166-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4488-408-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4632-159-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4912-158-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4912-401-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5036-40-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5036-32-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5036-343-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5036-38-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5040-86-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/5040-405-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/5040-92-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/5040-154-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download