2fff4f8519b4269e84a94d0699ebc3fb42d9f34de5f8e192f02ff14857b2ed89

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2024, 17:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-28_bf69cb0732ddb6ed63eef872fb8afe70_ryuk.exe
Size

2.0MB
MD5

bf69cb0732ddb6ed63eef872fb8afe70
SHA1

13ea0262c03ec4964c28987eadc6446d193e49f3
SHA256

2fff4f8519b4269e84a94d0699ebc3fb42d9f34de5f8e192f02ff14857b2ed89
SHA512

cd568be79f64176bbb0c7bdcc35f247a0dac37aca01c723660943846a6dad9a0e8fbc2b9de34ba71cd2a6f5e5193c3c4f5e5cbb760b7dfd293251f53f8aeed5c
SSDEEP

49152:IYwgtggJTiQuirmRbTOdIyLNiXicJFFRGNzj3:wgamiQ9mROSy7wRGpj3

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3600	alg.exe
1288	DiagnosticsHub.StandardCollector.Service.exe
3876	fxssvc.exe
4816	elevation_service.exe
1284	elevation_service.exe
4080	maintenanceservice.exe
2932	OSE.EXE
2196	msdtc.exe
3716	PerceptionSimulationService.exe
3836	perfhost.exe
4904	locator.exe
3232	SensorDataService.exe
3252	snmptrap.exe
3160	spectrum.exe
3728	ssh-agent.exe
5044	TieringEngineService.exe
2804	AgentService.exe
1192	vds.exe
1464	vssvc.exe
4080	wbengine.exe
5064	WmiApSrv.exe
4268	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-01-28_bf69cb0732ddb6ed63eef872fb8afe70_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-01-28_bf69cb0732ddb6ed63eef872fb8afe70_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-01-28_bf69cb0732ddb6ed63eef872fb8afe70_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-01-28_bf69cb0732ddb6ed63eef872fb8afe70_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\84db50906319cddc.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-01-28_bf69cb0732ddb6ed63eef872fb8afe70_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_103406\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_103406\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004bda66d31152da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a82ff6d01152da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000013dc47d31152da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0b75cd11152da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008cd131d11152da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000264228d11152da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1288	DiagnosticsHub.StandardCollector.Service.exe
1288	DiagnosticsHub.StandardCollector.Service.exe
1288	DiagnosticsHub.StandardCollector.Service.exe
1288	DiagnosticsHub.StandardCollector.Service.exe
1288	DiagnosticsHub.StandardCollector.Service.exe
1288	DiagnosticsHub.StandardCollector.Service.exe
4816	elevation_service.exe
4816	elevation_service.exe
4816	elevation_service.exe
4816	elevation_service.exe
4816	elevation_service.exe
4816	elevation_service.exe
4816	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3824	2024-01-28_bf69cb0732ddb6ed63eef872fb8afe70_ryuk.exe
Token: SeAuditPrivilege	3876	fxssvc.exe
Token: SeDebugPrivilege	1288	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	4816	elevation_service.exe
Token: SeRestorePrivilege	5044	TieringEngineService.exe
Token: SeManageVolumePrivilege	5044	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2804	AgentService.exe
Token: SeBackupPrivilege	1464	vssvc.exe
Token: SeRestorePrivilege	1464	vssvc.exe
Token: SeAuditPrivilege	1464	vssvc.exe
Token: SeBackupPrivilege	4080	wbengine.exe
Token: SeRestorePrivilege	4080	wbengine.exe
Token: SeSecurityPrivilege	4080	wbengine.exe
Token: 33	4268	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeDebugPrivilege	4816	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4268 wrote to memory of 1864	4268	SearchIndexer.exe	119
PID 4268 wrote to memory of 1864	4268	SearchIndexer.exe	119
PID 4268 wrote to memory of 3220	4268	SearchIndexer.exe	120
PID 4268 wrote to memory of 3220	4268	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-28_bf69cb0732ddb6ed63eef872fb8afe70_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-28_bf69cb0732ddb6ed63eef872fb8afe70_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3824

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3600

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3944

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3876

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1284

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4080

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2932

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2196

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3716

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3836

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4904

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3232

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3252

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3160

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1972

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1192

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5064

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1864
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
1.1MB

MD5
36a526f3e6e268d699c94cc8915980bf

SHA1
3aa87f9f0d6af2fc2022e89def2cfdde44cc6b8f

SHA256
2817c2408160dc303c0d63eaff59bcaf8f512419cd1a563af1285cad15ada542

SHA512
3694bf5ffe98c3407661f27a1f14dc414ef01d81267b8dc68c722ab6597c25a77b6e8b2c49fd30136b646975f2ecc5a0456010fa7ac5b4b06f812b0bf7c36710

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
69ec5b37f19145d688a440f921f2c76b

SHA1
2a7dc72b3b3da4b7a50070cbf73a065cf7cbc73b

SHA256
412e3bac580d4e00b4dd7ad01c195507798f45c57276ff6c508d12b4410c48b9

SHA512
972ef7d430f60dfd7d41b70d5e487d400e8d018dab0de04b3048001066243d18e8ba575a04d88f8d1b3204ddaa5c93e6e4b7580d5757a84003fca49b5e6bfa54

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.2MB

MD5
721810c1b8f9a52c33e7d784c4d8f6c5

SHA1
a7b752973678122ccfa8d64e87314e1702e0b1d1

SHA256
271ce7ea82b620786df7f02315c2bb6db940b1330c600a812cde446731a80ce2

SHA512
5cd52b87c62424d7cccdb354a5a048a35f15b4f7dd8aff41b59b2fb235babc9ba3006f4c9be742e3eac92fcba659d414cff1b86e2ce764f96033ba4ba4699a20

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
577KB

MD5
143c9c8ec28ae80c6a0a8db6875d1bea

SHA1
f2344f1041bc9ad998ac76e73021cfaeff9a788e

SHA256
3c563a203c6641349be52adaeae97b6994e70aa9dfa132dcab3388c99d3bea23

SHA512
59dc922bfa074f096aa2c644d3f52199108bb8f28e2dbbbe91d4e6c22b338498bb077a10eec56099ebba89a3f3528d11c1351e2ecf685aa3ba0f013b56f9cc5f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
350KB

MD5
46018d03e534cc10d0a4364fe4f4493c

SHA1
270598712670387b5eb05d65df875b91b5b60f5e

SHA256
d2063475fc7f0ab24d084be7980d30799fd30e9ef958d94c45149cd650f8aea6

SHA512
522d9d8343a01a3bb558995c9e43e21a67ad8918a92d83f808bc1707f407e1fa60d2b54bd2f55136a9bf937242532e07935ff77d0a66f1d36e0fc177f99409f3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
457KB

MD5
a20321a0b17666beef679da367585ad2

SHA1
ba1cd72efcbb9e6dde3be1c50ae6807224752981

SHA256
31ea89b05cd257b17eb15da4ce1e781c1cc6236fbeed38eff48e3c02152c3b66

SHA512
c51da4427c4452281735bcba98ae3efd61d27d5b755ab1f6a75f73107b7b7389ee2cea7fe92557201c2bafb60874aeaf11a6ec77f9fe6de0188f7d320658fb1d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
315KB

MD5
6cd9f7c9821e10987ff96605d80dacd5

SHA1
36566f79861f68af392fbeae3798115cef76553d

SHA256
2934db7e161289f74a2470378d6330f35bedd26e4ca9323bce54ae508b8816e4

SHA512
ed420f11f5b830a960ca89ed375b5520b941b03a9717225b9704ff693b4ab0efcd75f0b98ad0526461a14f6bd59aae845b9f8429eebc8e5d25a73637eaa88a7a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
468KB

MD5
c68ed0a5942385049b2ce5fb674376b7

SHA1
78ef6cbd2591b31313370d8061debf3f376cc3ff

SHA256
3af8f76a3f61864cb4b8329cf50fa472ae07395d91bec8553090bf2c153d7c0b

SHA512
4787d95b332ae6e4c24a2d833c42d192c676b7a9a6fbbf239091533d8bc9004433f50fdd8d93bd33d0bc5a721797e9ee5028ff69f8cc178f853fcec5256f67d3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
85KB

MD5
ff7600db1f1646b0f53117a2dbfac0bc

SHA1
c60534b75fe0a20164567ffd0cca084da787c508

SHA256
b199c01b6b817c802890e69507502ce2c78131461f3276560ab0067cba5b332e

SHA512
f437b7174afa48b6533ca1243616733a98415fbd302c3ecaa92798e8f2f7fc2ec17ac8926836b2729deeaa3571b0c5520009a9ccb0ac09a398dff19e0aef9b2e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
330KB

MD5
cf795fd26b0190b08ca158be2a7fdaf1

SHA1
0cc6f9d8730d54c069138caa73eaf75409970e1b

SHA256
0efbdf8d232611a96212914e97f421b9d47868c11714c7038c98de4ec60d04b0

SHA512
f7e88c1761ae5d580cc61e8fa439dd0849a5b252ad73bfd04f13d80fb098e6d6e6a47a5e36aba0fa78c3d18bc7c87cc77e02b3d36cc78ff156c63bc50c782799

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
431KB

MD5
55ab8b6c7b1790dbdef104276990c53d

SHA1
9c78f628893812f33f329bf429d4fb31cb517ce0

SHA256
3941ff58d3363e3c74bcc0fe97a70331d2e60de6f060c64f23cbc58bd115375a

SHA512
277d22c118fa64903539a30aa33c076e551d03c49b06eb35346e523c884eaaa910d7f62946ab81da8b8b9484f68b350bc294e8420c7a60fd51c44d8a579e5770

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
444KB

MD5
9a0e380247f3e3a3654eacf22623f5eb

SHA1
6c9906de1620b81332d3eac8b1a0628442073dde

SHA256
fb2491045a5c35e9f57b09c01f02b6a4f2ebac9f49be0dac1dbf2eb037d923f6

SHA512
0fe514a9b7567bd9f463a8bd491811e0f386cf07804999ede85de102c2a0265254e22c3a7f23ad59aa02f146959ebdd26b3f0e0c5aba71cb8a64b02f31a7784a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
419KB

MD5
b52dccb5e8272a1773e11789a0be7642

SHA1
24071131b47f6f24eb64fd27d65d0c79ba460b6a

SHA256
68c70903c7be91e74d3a20fa57a83b3228cb31a5be394f1a41e28f7f9a3c3969

SHA512
e09205d1a4cba418635188d7cec478807f0da4d355c94651d23ac4affacd7a2393627975edd79ddab32b11895a9db1776b36adf0cbaa447f4cde4e154b38989d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
707KB

MD5
860fdc1ee66cd46968343f5306781d50

SHA1
7f1e7f03f6b9979d248f225003afc5af44176cbb

SHA256
4cb833472b5069c5e559394645e78bed9411cbccad3f82f942bf9ae835acae65

SHA512
af31eb3688ee99d66f7162cb49c5e82b9ba0c1937dc986a1f414b3b6bc9f24723849f8e5dadd720fd08896c93cf8270d705ca686f67e29caa459b8c61f4e8531

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
16KB

MD5
2458601169cb7ac03acda7c799c971b8

SHA1
d83559bf098f84712c87708fb09ff919ca5b45cc

SHA256
185cb20a08ca884344c5d6a76d705210b0e85b276e347f5d7eadadad874569f1

SHA512
7aea973a67860f051d6d851fe2be1ad48b2901c4cde4207eff15e2edf4ac520c073ef374dad2b05e9009eacf33a8e00c4f49af14b14f8f88551a06ba754c9b15

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
68KB

MD5
c1e992fbc89038097e8f0cf649bcd6ca

SHA1
426f703253c5fe2fa4096022c2df5b029f4231c9

SHA256
60b8b37865b0c70929685184843157599ca31616c1c81f9dfac67913f298905c

SHA512
1796759b7b5e00b842d87c93f26d80dc7e3d2ca08c4ec4b5cee5f60707095e7e98fef55e5e62aee38bddc50e9e8a23860b02e4a6d79723f4ae9c15cd187cf7be

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
654KB

MD5
04654be31fdb9fbff3bc2129e85396f0

SHA1
0a187dfb08ada8935c1821cbaa3da706da0426cb

SHA256
94517acbad9f6f553fe433ee307e9ff211dc26222a1dfa508e83a875d62c75c8

SHA512
a6dd84b359e948c2c99e156e5f8c6793b6959a13883ddb238e7858df4931563d928fcdc3b63abb4bd3d54a56f52dd31025bb5a5085cbb66e1bac7f841bf24d80

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
668KB

MD5
0ad8f1332f511d9059b1b097149c871a

SHA1
d1685b839807571abd761d6a2a1f0455c6cbfab7

SHA256
2e4784528416a3b17519e3917dbc6dc80106976d527d7d848a29befed1e7d689

SHA512
400c4a6c344af3c885b116bbd4f196768a08bc8e0f42d81e5206b82fa7dd9652a625dd4b8990516fc607e918989d145ba5ab6c72be01200c79f481ac451ba1a0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.4MB

MD5
f1d91705c6cac36ef57c4a50a6980317

SHA1
3b9b6aec919b0c24f91209f0711e3d7ff73bb0c1

SHA256
bf8b7c47a5a5b1e50583ffe995ce74c745da15a921d284c144fb1e8349ed998b

SHA512
ed63e9ec1a2cdc21ddba8c30ef160c6b1e5d1c4f57cf6bdc8bf0963cc253ac6044a272af11a40184eeced6ee5d3fc1073e0a6c187e5874860cccb76ed6ab96fc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
418KB

MD5
c46213b1bbfabac9bac0cd774b6e9181

SHA1
63e1bcdaaa4a8e77e65020dee1b5a90c35b238a8

SHA256
24feeb5f7e5761252cdde90085f77a3a44df31836bf1b364e6c72ba2f0da4ec7

SHA512
16d9674420cdc8d074ef9ceaf6a0b7bca569c1646cdadd9c935fb61a84081e5b987c4a1bd7de57db2e29e4ca2d7b5ac09dd47f89adcc688d88fa7de2bfba5c20

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
685KB

MD5
e71806ce5fa50f008424f5f4e72d95a8

SHA1
5435686e9e30531d3e66803c909d23368f1759c0

SHA256
ff8cda1e32e6afbbfaff9f8b0d7d4b0501c190cbff288772ffdb65044497d526

SHA512
b99de02b7e814dead2674b5963166c03fc896186ba38fbc1619e1c9e581ac344e1c6d5ccd57003dbbf40799541b08101783cd3f5ac21a4b4d4072e12e37164c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
424KB

MD5
9e2bcb23419fee5270309272f1fda2dd

SHA1
ad0925cf2c5f9b58d99b05384926c08d7d92323b

SHA256
f9dc647810887f4a06d1cd97125b51be76116f22f0664019875e5699aa025044

SHA512
351e6227c46cd5fb2b4fedf1eedd88b5b29da2dd88e35a1f5186ba905abd62d90a45c4d435f33527434bc2365f45784d972cb4c47a8e2cd3d6962df7cc8e7f7c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
409KB

MD5
1f09b480d1487f6b47e0288ef2052661

SHA1
4276d76355c6be846a8bad54415061903a0025c4

SHA256
41154865962664e2b6412530391a5552f79db8ced565a612b084b74bbff55985

SHA512
26b796318a0da15fe2dd7ae4b39b8c1897d1ee84f4fb119b2e042ef50d45257aa1253192923d7cb893c949c9226c04308e2f6809d159024cd51f9636882709e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
411KB

MD5
b7d570b92fdacc01059fe0b4e350985e

SHA1
cb6f2e2c24c83690e7d53fdbf1e9ab96194da971

SHA256
b0770bdeb8172a13bb4844543dadc7a31c8e15988a378287828633391ea0bc4d

SHA512
1b48296005703d82956e1b5e43481ff2b579c6c2f6f62d743ca33af262d1c31b131d571eb45f98502668107c94169b0325c17118c4ae42e40999e8a8d597de66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
468KB

MD5
fc8bb57889dedf241f7a98315721bc27

SHA1
e9e8e6dc56fcbec41453a6ca670c4b634bf8d45a

SHA256
6ab9beaf55293d12ea093db9efe10313ff40b8bcfba4ecf71ee5645b25153e04

SHA512
5664b7fb08cfd1b747e1f568a196f121adbe622c99fa5a740e562138836d9f74f47ab75d165bed0783e6bd772c232b5e54a91e25d12466610c2041932d80dd02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
206KB

MD5
b69ea6583e8e3b68421c4616e71905b2

SHA1
328ac6de0a79c0dc8a99b7057c01c23f0ffffdad

SHA256
386ae8c567158dd1aa5c8948e6ad9bc2715138d566d507f540337b3e6175a391

SHA512
0da7503a8704eeda6f7f747975712868e8f4f30f091445e75e0aea21fea8ac06762068f8752ef08bef044062125bf6af9185c541ffeb32718d0c72937f9d6226

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
411KB

MD5
6f903d7cf239a11c4f59328b51dd2a6a

SHA1
d7511b3b5c9e1704c63cdc04af1e71ab214eda0c

SHA256
b4bd8262a2947b7c4c56b915aa2222dda788b83eb75ba5cddd2961541bccb98a

SHA512
ebaaa89b533fa8fd29230977dd320875ddb6ad45b766fe7a7ae1c7f6f53d50d3b5fd24933b2e1a1302411cc3eb0ec1757a12bb1e4c391332eede54ea80b83d1e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
326KB

MD5
2c008e8e7d7fc1fe8d8180c720619921

SHA1
05819d10ca498a66d6fd0afa397b870e66db76d1

SHA256
137db0c05e73970e3ff4459eba43a83f4eb3a9312a1c031fa7d84e97f66c1a19

SHA512
d102daa0c52b8dd8422d9dfafb40f270ee9471f8e8ea7c44fc23d0aa42c658b22c4905befc6c868bae97303ce126de739c7bcd5575215d566285927664e2c6e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
534KB

MD5
002e9b2f54dab80c53336d1aa769e4d2

SHA1
99fbaf1b38d6e900a2541b001916974c071a2b5a

SHA256
95716b9327b94e262bd047ab1488fa725135900d75166748fa23fe8fbc996c90

SHA512
ff93aae44bb4caa2572cf36098abaf48e6010181308f964e5a5b4e08f0d77e65117232e987d4fbafb6e90f3fe7b18c2d9eb3e6265c806b86eff9f765dcc46a31

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
460KB

MD5
9e27bbb07ffe9fd8490f58612d1a6bd8

SHA1
704b4528bfce8076f1888d6aa5e227b4a79b6284

SHA256
21db318695b44adc2b4645b686b5d5f200733f5e61215193fbdf004a3f494d4a

SHA512
0241a66f6415675d25195ec333e964ac7c040d97af0e988879a79feef331cf0b0a8006d3769631111f1909ea2297cd3b584106ac5992d6c42e41dd52f63e8144

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
350KB

MD5
c96bf44bb29fe171988282e1234e7254

SHA1
ccd79510f2a6615035c08f4e02b6679f94524c43

SHA256
200d35f26ded76cfbc1c32a857a882b95a50d750b8cc5a6ff9d9e77435d2c288

SHA512
de83cd426c9ab49b8314caa71b7701c8c1ed038dcd1eb4401a2f8798c7e27c643ed86a4b9aa2f71653ae005b34a9594259dc5f6eba3e73c13d6ebc86eebecee5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
447KB

MD5
a739d03b399b00535afd454bd46ea2ec

SHA1
600590f4a482fbf2c2e89d805504196bcb3a6539

SHA256
9d8de079a548b1d56df8993c915523008cf58488f1293a0f933d656506aa8474

SHA512
697de54ca00f36df1c9da97f3a5092fbe8075cf8f4fb8dcf89f2fa7d27e3c6fa626040cba501ed03c2d7d3323f4af022e85c29f37834e251a235b74226a05418

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
426KB

MD5
19c140d01025fb55399a30c6baac60f9

SHA1
a4ba95fa56156eb7ca4cc7469da2e4fd7f296558

SHA256
769b8b39c97b20e99fec131d17de76549c00ce17326243b3b6e0469312f124c9

SHA512
e2f9f23d866c59d53a3249da69bea141110f5e0c86a8ca26cb2f7dc98fed42da6c27f070bc8145fff83c52365adad9490b8dea5fbe3e16fd86a91137be8af2e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
698KB

MD5
fe91681aee0030c846e6cde4fa5fdae2

SHA1
4ddc1df2f7ce4ece35f84495d9d665e9f11b8323

SHA256
e0985c74fa09f37e1b87dd55c30a9911fafbf36ef6d92fe311d0d7466d233081

SHA512
88d209c638ba2bee017ea84e9cdad42d05d22be981ab1878742f139335a02fd61811886cd1100fff5e2ebe8ccb2f9719a24914daaa65d6cc5a1f63e63f8880db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
274KB

MD5
fe36c8f39940f86ac7c6b99c4ab27f51

SHA1
8f3e8a3c1514cceee4669ed40243a67d870ea584

SHA256
3f51f234a06aee167853992b0d527a8be9a2d726e8dac217ecaa27af2b89bb36

SHA512
67430e661a9790e1ece0671248e1ff1dab539c8a4ee6ce9ac7b4ed20a47dfb7781ec118b289d687260020af88510db3d14ba68556c1252866dbd2d23bb8f080c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
942KB

MD5
3a1b0f8448e64c667c7c5c1789aee6c1

SHA1
e7403fc178aa2237d64035afce25b71b1ce968fe

SHA256
95fad475937971eab5282c181ba3add15595802841a6f791215a9987bdca1299

SHA512
5d9c18598a8c04a829302727e99bc1bfb9e4beb08790ba78f13c858f8edce76b6aa454ab5abfb73a330b0c0cfb2ed20d4fbfb68fbc423ccccf99fd8a819a26b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
544KB

MD5
0202121d4f59f2f206e35a8d03f4bbc6

SHA1
4156de107128f17ab23b0c107fbe5990cf03c359

SHA256
658d3f227de4528e40c183a36e0bdf5d8b231b96f55a84e58df0403c226b9a90

SHA512
45100749871eec044b8803cd17959f6343b5e233d96699601506d3277c731f750dd810092dddc4a4e130ecfbc51d8855031d33a9c03523ba3fd2e56663369e0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
148KB

MD5
dbb5ce6b8d2067cdf418039e056e1f51

SHA1
59f5c255f9a049f2b65a6751c5a675772958c9a5

SHA256
36e1f964a1487f9ed779bdc64f39cb2e28646f28c0f20746ecdb20718d8adee0

SHA512
7699cdd79751967c503ae88d7d4d8945cb85f1302a6d32c200d5c8750e7ad80218b8ba9b0903b1296ee4bdae3214828bf8bd0a768ecebc3bc560c5a3bb76c2b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
92KB

MD5
cfe516f0cc321623095fe048d0215835

SHA1
ca1cffcb0155c8e1ae6c33b6b0cea369823f913f

SHA256
9b4742ad18e192129abf09c52d592c8f87d936f5c6a2d2894053183b6872dd9f

SHA512
f8567032641ccef7491fcd323dc73b9e1989eda22b5fa6bb6b854f04f677bc33a87842040ab7bcd7cab9e93a6d2ef45af85194255441779bb5ca53f29740c02b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
18KB

MD5
11b8e6eb72706a4e1ca804ce7cf74929

SHA1
17a814b4a2a880417b956387156d33a0aec0d4d6

SHA256
06cb43bdbe045a68b08c366cbec66c746dfc12a34d9156f036dc07896622af12

SHA512
5533586467a164a474c8169ac24b6b2b23c7db4ee6d3f08dd71d1197938f3b34f1d1ae36e6dc42a211d8287db1d54888257d8bd0ef23927c188c2e6e1dc26da6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
58KB

MD5
1e63260d9f2afe9b14f23e9b2e66c2f6

SHA1
9a38126ea3f21ce4f316b7a3ab775704a47aab35

SHA256
a5497e03f9d9b4076e6fe2d585f708badd0acc7dc036b0598a623cca7e3580ff

SHA512
fc768bbefc744259d3af828fccd5c43cfd56ca762fbfdac0558a00443773586c4ebcbf21ab8e35e3c8d5a653a4b321d9880ba35474778cbe7a0bba96c814ca2b

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
368KB

MD5
34524590d105f5357065064e7a786093

SHA1
5bfda77843fcb997e3cb4837b0df72d6e7c95b14

SHA256
d33deae265f95412bb2c23e5ef49c1276f51ff76dacee2a7b67fff75ffed3a69

SHA512
e28c051b306a37b0fca9211a622a920b6e747fc9533f81b188b9b11bf43a82ef1ad461ea3feb321bb8b511c565e7b99c1bd5ab90ababd83a909ad7495dfe88b3

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
66e43f84c504c904033a86245c66b405

SHA1
0323de9876ea78e74fcdc5d8d67de25b879884f0

SHA256
4dd0558ef34f41edff1225eb673ea693161ee64ba7336edd532064a6b1adb004

SHA512
2086aab4f1e22433575bed057af0d685c7ee158d055b99cd1348aa5d3d475de8aca72d6b5c8707fcc79abbe2d213dfede093ef197f7461103c3e3fc9ef355af1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1KB

MD5
48abae455a0b41a604ac9aaebe1dfc71

SHA1
8b59cdbb606746245891214583a7a91c2625ffad

SHA256
6facda5d4b974e520e72b650e812491225e3146931fc3286738abb2615a06d89

SHA512
734236a7703518ce22f3425964b8a72bdefa08a3a1e128d4082d125a02d45744a9c35d486b4b115e7ba05ff3e9bc8ee429b6f1350948db886225481656e11d8b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
b9fbecf41a7ec2d21ce7eee23bb48003

SHA1
032e459f2f928f28a17a612ca18eaec71c63740c

SHA256
c2f58050b9203923202a67c83edf872226ed47ec0bbcc776fd4f27605cfbc038

SHA512
2a359115c07f8030424a86bdf8a56efdecb68075a93a55a358cdd0167c88f1a12657c6244a35d0eea30c3b5faf3b326c798f1a8e08a3aa5f148f582a57e12a34

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
71e4eaa82238663c5b2d7387007fa70b

SHA1
76e7c16027896bb34372b03c8e3b06614b3ad0ea

SHA256
71ee09c1b8838fff39151f386cded5d39e4811043ec7c7a8d364900f28314363

SHA512
758f9258fe5ec70291b777b195db9861a3b39a0e184425e8369a104b88d13c925a9545d91470c9ac95aa7a2bf54069d67910106dfedff665077d07396264c2d2

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
5ca1e12aaac93bfecd40f64300294dc7

SHA1
9594ed53a59bdb077700063b4d1bd2ac8f9a4461

SHA256
d95b25c1abcb7da32fa90cf2015ac3f7c10cd1752d2840c98c4d5e22595b8e4f

SHA512
87c336df9148e2b304b4aef5c8243bb89905b67fe9671633643f80be3d0dca66c412445aa4d9c918eedd6a384ad53b730966f674197ba0de16de82656017a87c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.1MB

MD5
ac0508a884e85971813468ec5d5257ff

SHA1
e9d2f37a9b76864ccc9a8e48bb31f077d4e0745b

SHA256
0e99a201b57f919ea9e238df28c391fb3202c709bf2577620edae852ae7ba3ce

SHA512
771a25bb23769392a3a8d441d3d933dea23b8bbfb292079c8d2ac5e688ec28a36802d754db76b13ba33de9174690cd7316b3638aeb9c90f6f0e29f3ff81415bf

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
1ced1177f99d8b8da2e928c3012e7f37

SHA1
37f474a86f68ca66e719d12ae91b3775e9a7f96a

SHA256
bd41a1e594ff71c20205ea4d7fa8eb3956392fac00224af959501474bcfc1b8f

SHA512
866d5345173b5fe7ef3a70ff9cc96d7aec6f2ca2ecf0852712b4a5aa37a1f8fb943a1aea104445d97fd15694c50d308d6b39b35b32391908f76d5195e92d6a6f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
7b63856664dab766b54908357463a564

SHA1
9777d13074034965b576f2c6642977f073a9aa6a

SHA256
8ce53af3a0aa6d14369d9f99791a9db0a74eb5ec45346a62f73cd468c9059b2c

SHA512
505c663e094b060c89b4a0144a11b6f3eabbe8d77dec71c4ce48853b4d873de0736afc350b80c245002832578aef9a9615e3796e25749debe9276b4b3034be03

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
137KB

MD5
08b384513bcc6b81538801f01b5e6d01

SHA1
3e81a76b20c47591de58dba32ad6353c236098d6

SHA256
a7670d8f5760bfc3e00a0255865694f0329aa1b5445053a36368a24925c432a3

SHA512
260c8e386fc1ad06a56d3da7afd552715a5e89ad821c055d76d0edc4a443c0ae7b39de1ecce822953957a6243a23e63b47fab22d3affb82c2f145a27e061a8de

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
de7f8dc797aad872f8e92f01b299f8a4

SHA1
8c9281489a1a0033a5fdbbdb51e3dc091bf27fb1

SHA256
2fb37991d9ce479e1fe6520a519e0138b61b9a01419fb3930616c960f40b9b4c

SHA512
ff019ac0b1d5db6e074ca1bdc40b143a54409f4ea9a348353a5f5945663e94ca4c1f100ad936bb6878747177cf6bf4d86f0cc395868b7e2b826810518bae9ed2

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b464af111632cc9c010fa9f79200d177

SHA1
d4184b18ca098367855bba0a86f682473511400e

SHA256
662ae821746269cb5ecf0fdfd8bf6e9c0d67d1935075351efd6afcac01c368f2

SHA512
dbada879d21ee5c62c00155c98dcc58ab9f206e5fce1c086d6777153a3bbe17c25c851f1a2ef40ba194d68aaa31a3ce945e9e832b76a346c4ef842756b73acb2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
320KB

MD5
64b51af2a70b5c70789b0f65d9695d10

SHA1
7432ffcab3bdf6e670a34586fca7bb46fdc5a702

SHA256
97677699a65269f56900dbc77880d711135b58c7ff42163ed3134aa135dd244f

SHA512
b9fdc8c6ebde5e7efabe0c9c38c651905eebc8667ca55e61cfb5857000d68dd410a0554e2bf7b792c44e4fc0d2742fde6259f927a9ee58deed2df3f3eea42263

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
302KB

MD5
a0fef0efa7f7b58594cfc1f8ce0e81c0

SHA1
efe9bdbc2fe770792cec0f9e1c5cd606db582011

SHA256
cedb8b79aebc7a6ed11df3cfcc796edba9574016c2db7794b1f4b589bd973677

SHA512
19ebfe190a55cb3a0bbbc04e2d3a84303e4fd14fe1a9fecb7a781f49227c3bd732aab56cdf9368f386867dfc2b7453108181284a12b14918895ec08a0f1fe09c

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
e2e295e7a43a7e732271661d4383f610

SHA1
9b12131c2c8c5d27353c99a5abb0a2a2388ec612

SHA256
d682dbb56ce560d074e8c09a186714c9badead4f94357e474cddb734920d09ac

SHA512
c0fccd566206794d2479331a63992298ea4c9fd8f9aa3da163df1125276ec97044dce730fb3adb9736a105a9acf2470d33ea9377fcb5af2ef1c0c0bebfecf405

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
a1ff7fd4e3d6413a4f066e593e64b1ab

SHA1
b875840f8afe5eb1abbb5093360cd6a304affa14

SHA256
784d8134e4e7f2b098d364e9d835db0743f31051b6e12cfa1f84ebf2a73f1397

SHA512
40a62dab479bffd7e75922bd498af7c0af3a3a987b4e289d5100f4e67705beaeb44b1de68fe684c456ae6c490fc74fff69395ab2523f62f5bbb3c68d19394f6a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
5d07423d5a981997d61a2c9ed11cad73

SHA1
d47db5a8f01f53de0d04e964c202229dc39b2728

SHA256
031c7b3ec37287e245e65230a212fbae222cccc61556bdaa8823ac7a205c9293

SHA512
5c9d613d093443a91d6a6ed1d267c54e911edd5211ac70682e263ae577a5c160be5280b4c3b9347b3827c52be6245762adaeb5018f1bb79dcf5f781e962791a1

Download Submit
C:\Windows\System32\vds.exe

Filesize
64KB

MD5
2942fc5d75dbcce0ed55cfa765a8b36d

SHA1
f4cceccd9d839310d172f8bc68816ad7213e2157

SHA256
2dceb314a26a21e60d0465ceec4af117ec76ae790e7217be709b72f495895b6d

SHA512
94be56f1e548cc752650f7d961b7573837ba7e1f27fa62cdcd1b3dd9e41791256112de8aa36b60f5847d40cf3dd9bf2637abfb28103d51a2d4e040862bff8167

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
174KB

MD5
9d85b51f3d4cf2ddfd61a63bf6b0eca1

SHA1
7c79dcc1fc78d8bcef748a400eebdf2bc98cf7f6

SHA256
51297b52dc7f5778b4f8a810953dc430887d1f52a3c83688007a04356319f6c1

SHA512
0323de4e2f7b7e843c746a6e9b805afd3c33cf2d8d1c11f1466800d89e4e66cc10c9cb01982ad62c99e9ca81fbd33762459402fa1c0c93fb30662a12f554d99b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
62KB

MD5
75cf1cbaf6145b3b40535aacf8f3292d

SHA1
318093aac49795d8f12049c504a0b1a94b641056

SHA256
696dfcd32d99a835335ab272a37fa0be76269b3f82d13649fdd504ef55529058

SHA512
614738106735f66c4941731a73d8bfa598d06883b400c05b2897dc74d787a7edb7b5c95b0677785f77a32dff90d16c0b298f22670c4cdd380422ac17b6fa81e0

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
574d5dd8999d369e2f15dcd56a5bb27d

SHA1
18fc0a800b0813ea67ff75cefed877df3bdbc02f

SHA256
3f3f1dae0dfb87176b6f95551db2a03cfbb18880df6f24452407c1ef3409058a

SHA512
55fba1c8ba425444ed5bfa7bfab71fcc074b70c032f6fb9a8d3953f6dcccadfa0080e2323e64276800da8a5a8130edebb105aa5c8d99eb1214a43a9704c0f6eb

Download Submit
C:\odt\office2016setup.exe

Filesize
880KB

MD5
d4dabb5a70052e84cdefffb45909f161

SHA1
be67ed44841cfa4567065c641f3a3a8846853280

SHA256
89be69762d6140527f24bab6575f548039e9505b01335226e4259f76a8dbd9b8

SHA512
f86a5adf16fdbc2e7cc8031f36f8cbd13d0efcee56fc643e6807ec10794f51dcacb448ed6c5fd0964337b6cc38877dbaf78fc1469f97ff089bd0cda6a142373b

Download Submit
memory/1192-453-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1192-333-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1284-56-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1284-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1284-247-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1284-57-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1284-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1288-17-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1288-18-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1288-85-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1288-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1464-454-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1464-337-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2196-257-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/2196-310-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/2804-330-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2804-328-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2932-79-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2932-77-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2932-84-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2932-250-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3160-297-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3160-306-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/3160-349-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3220-445-0x000001FE24470000-0x000001FE24480000-memory.dmp

Filesize
64KB

Download
memory/3220-450-0x000001FE24460000-0x000001FE24470000-memory.dmp

Filesize
64KB

Download
memory/3220-464-0x000001FE24460000-0x000001FE24470000-memory.dmp

Filesize
64KB

Download
memory/3220-446-0x000001FE24460000-0x000001FE24470000-memory.dmp

Filesize
64KB

Download
memory/3220-447-0x000001FE245C0000-0x000001FE245D0000-memory.dmp

Filesize
64KB

Download
memory/3220-449-0x000001FE24460000-0x000001FE24470000-memory.dmp

Filesize
64KB

Download
memory/3220-459-0x000001FE24460000-0x000001FE24470000-memory.dmp

Filesize
64KB

Download
memory/3220-452-0x000001FE24460000-0x000001FE24470000-memory.dmp

Filesize
64KB

Download
memory/3220-442-0x000001FE24460000-0x000001FE24470000-memory.dmp

Filesize
64KB

Download
memory/3232-290-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3232-340-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3232-426-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3252-294-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3252-344-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3600-13-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3600-76-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3716-264-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/3716-265-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3716-320-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3716-272-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/3728-425-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3728-321-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3728-313-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3824-1-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/3824-34-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/3824-8-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/3824-7-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/3824-0-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/3836-276-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3836-282-0x00000000006C0000-0x0000000000726000-memory.dmp

Filesize
408KB

Download
memory/3836-277-0x00000000006C0000-0x0000000000726000-memory.dmp

Filesize
408KB

Download
memory/3836-327-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3836-332-0x00000000006C0000-0x0000000000726000-memory.dmp

Filesize
408KB

Download
memory/3876-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3876-33-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4080-71-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4080-61-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4080-455-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4080-68-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4080-62-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4080-74-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4080-342-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4268-350-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4268-465-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4816-242-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4816-39-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4816-37-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4816-45-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4904-287-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4904-336-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/5044-324-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/5044-435-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/5064-345-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/5064-463-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download