9cdc884bc126ffde354fc3c625769f4f92cd0b3ac553acce8c1aaa692d5d60ed

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2024, 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-28_61f3dd87071f8aa3cbf0d83cf4c59b40_ryuk.exe
Size

2.2MB
MD5

61f3dd87071f8aa3cbf0d83cf4c59b40
SHA1

964749f663a0071c1556febde7a0fec1944b1948
SHA256

9cdc884bc126ffde354fc3c625769f4f92cd0b3ac553acce8c1aaa692d5d60ed
SHA512

1305850b2281356fba8a09dfcbde20ec2efd4924bf9595f39bf656d5fb78f76c8e787c62cd12979577f5c5795521f7ada6805f4a0192689c8064911546af9edd
SSDEEP

24576:4OObVw4TaN1wdeukCba4oXtgLhU3wEdmh58DL8y9jemwOoUOiN297EKG1SY9:4OOh3aN4euLbegmtGs9RoUSVqSY9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1404	alg.exe
1928	DiagnosticsHub.StandardCollector.Service.exe
4000	elevation_service.exe
2512	fxssvc.exe
3676	elevation_service.exe
372	maintenanceservice.exe
2944	OSE.EXE
208	msdtc.exe
1576	PerceptionSimulationService.exe
4404	perfhost.exe
2996	locator.exe
2136	SensorDataService.exe
2936	snmptrap.exe
4800	spectrum.exe
464	ssh-agent.exe
4772	TieringEngineService.exe
4392	AgentService.exe
4196	vds.exe
4908	vssvc.exe
2832	wbengine.exe
3060	WmiApSrv.exe
3708	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-01-28_61f3dd87071f8aa3cbf0d83cf4c59b40_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-01-28_61f3dd87071f8aa3cbf0d83cf4c59b40_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-01-28_61f3dd87071f8aa3cbf0d83cf4c59b40_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-01-28_61f3dd87071f8aa3cbf0d83cf4c59b40_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-01-28_61f3dd87071f8aa3cbf0d83cf4c59b40_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9f1225234d74bb6b.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85453\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006c00390b1252da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ae50090b1252da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002cd8500b1252da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008bf0e70a1252da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008bf0e70a1252da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000209b740b1252da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000046c8ff0a1252da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e4623b0b1252da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1928	DiagnosticsHub.StandardCollector.Service.exe
1928	DiagnosticsHub.StandardCollector.Service.exe
1928	DiagnosticsHub.StandardCollector.Service.exe
1928	DiagnosticsHub.StandardCollector.Service.exe
1928	DiagnosticsHub.StandardCollector.Service.exe
1928	DiagnosticsHub.StandardCollector.Service.exe
1928	DiagnosticsHub.StandardCollector.Service.exe
4000	elevation_service.exe
4000	elevation_service.exe
4000	elevation_service.exe
4000	elevation_service.exe
4000	elevation_service.exe
4000	elevation_service.exe
4000	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2020	2024-01-28_61f3dd87071f8aa3cbf0d83cf4c59b40_ryuk.exe
Token: SeAuditPrivilege	2512	fxssvc.exe
Token: SeDebugPrivilege	1928	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	4000	elevation_service.exe
Token: SeRestorePrivilege	4772	TieringEngineService.exe
Token: SeManageVolumePrivilege	4772	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4392	AgentService.exe
Token: SeBackupPrivilege	4908	vssvc.exe
Token: SeRestorePrivilege	4908	vssvc.exe
Token: SeAuditPrivilege	4908	vssvc.exe
Token: SeBackupPrivilege	2832	wbengine.exe
Token: SeRestorePrivilege	2832	wbengine.exe
Token: SeSecurityPrivilege	2832	wbengine.exe
Token: 33	3708	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeDebugPrivilege	4000	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3708 wrote to memory of 1812	3708	SearchIndexer.exe	122
PID 3708 wrote to memory of 1812	3708	SearchIndexer.exe	122
PID 3708 wrote to memory of 2028	3708	SearchIndexer.exe	121
PID 3708 wrote to memory of 2028	3708	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-28_61f3dd87071f8aa3cbf0d83cf4c59b40_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-28_61f3dd87071f8aa3cbf0d83cf4c59b40_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1404

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2840

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3676

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2944

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:372

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:208

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1576

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4404

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2996

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2136

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1140

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4772

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4196

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3060

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
1⤵
- Modifies data under HKEY_USERS
PID:2028

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
1⤵
- Modifies data under HKEY_USERS
PID:1812

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:464

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
165KB

MD5
4425c736b48ae6cd31d39fb3ea46aecf

SHA1
0f887fe97dfcf8159823cde964c8e144e287eb0f

SHA256
9c2323f3caa867c57a1e05a123610ed55fd8f5ba1d9c6add1e51a5948f092d2a

SHA512
3be8d3af092d07ec8e9dbbc136d8c1068298a514c5a72b1c4a7c385f12c3243b30214acdd44cc97d7a12de8f694ac5b45e1153bd61973c343adab199fc97989a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
fd2cc89b744e8ea9e026ff9a1235f8a6

SHA1
21ad047902659e0f57ebc36770f656b0128226c1

SHA256
19f4527d835c4dc26458a4a1fdc32e1372fcaf864a01f61e9e4eef37eb98a65c

SHA512
44ea2a37e33c80b13f50fc972926d6f1b691b747e53eb8fe1ccd5155fd9bd743d168088bd425045943b6def43531fe573dae14ea2a2b0cb296d196aed47e4468

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
70KB

MD5
42239bc302b3fdfc186903650b7b0f3d

SHA1
685df2eb66dcb0b917e8fea424f28eb93ff3e387

SHA256
df1fa72d3d088951700b274f9afcb648912bc98aaa4a737f4597bd33b12507c6

SHA512
b5ebd3581739347b351d76742cd904b45d82d7666db4ec7e513a924c82193bde78a0b1a8fb19a956b5e43203e4eb2ca9b39218198b5883d233cebc6617437f45

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
190KB

MD5
d600e24f7bed78bc23cec81e14cd98ae

SHA1
bb3c155d692ef0c4f25f29cc7a8fdf83e01f250e

SHA256
f279530a3dc3367451d700d9cbe298390bd6dbd65a2731bedfde2b8d2b6d4207

SHA512
f874bdf750b31266d679228422cefedd27fd1811fe5738c8cde90d7752c2248681d1bdd6e9a754e950ebac1b6371a1afcd4d19a9e30757605141eff652a2ee8e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
119KB

MD5
549a679767fbef389f658844ff75e8e1

SHA1
1792b0951652bc54d026610c8712ea37037b446a

SHA256
00db477e236e49495ca692ab08e84a71250ca13658071583c6ca64416c2c6ae1

SHA512
c4f99367679e2721592b467ff8d0a5fc31871f4d2c0707800b39027d468d016986fc61309c633a81afb320a2d4bad8c8015195a7c2b8a82c6b3bacf00b043056

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
211KB

MD5
6ed4cbe824674fe0076c06d71de60c67

SHA1
ac336a1128a85f6706f5bd7aaf6d986385337986

SHA256
a42c2545b1f8799cfffb1777ef7e156c4acd9cffbdc406a2302edf9fdbdebad0

SHA512
4b17194c60c91e28c51df328c2a01b69dc62fbbe9525f8710df82f6d8f78e70a222d1e7a0d61ae4ac95042c6e18dd8178ef5cac5027ba4281942cd22c5ea12e4

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
226KB

MD5
7d9c7a6477759241661879eb88cd5c98

SHA1
1fb0fe1d12c51bf9b0fca270972d91a2f1a368f5

SHA256
8337eeec981a62a1d89ff6d511f86b5dd4f8ac5f9d6e05dbfbfdfb4758337ca8

SHA512
3a2db1834f92e5663d957692b3c0545090d44840a68877aec1bc6bed1ec9c837c58188dcbccf7d5270be150b32c30ef763b184a679b29ebef0d562fa4aaaa1e7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
279KB

MD5
22de09805112411faf3cffe6cb28f469

SHA1
a672486c1b2533ff8fd96d9d1e90b234e3ef4c0f

SHA256
1806a141a7561c51c3cc4f5d613175abaefe5cb3ccae0c6cec8f13348b121a4f

SHA512
ffd596a6bd5f2863d565f541f4da96ba8e4f73161d550f9895d5d7ad2fee873df0440d408b9dd2e40227710af9df59b61eb1e85ad1efef8041f342106ae12d58

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
204KB

MD5
93fe28b1642268c3f1dfee8665429cb9

SHA1
c32906e5bb2befe6e46f0e5cd9fe696300a8ed29

SHA256
a95730e17456e7ee06bf3700885b30cf55259ef4f30cc2d30f6ca49f96211ce2

SHA512
341804f59d6527db63e7d87f25d0a60757e8fff00a229f3c788b351b6e8e2ca8670d014cecad49b8e9bdf0baeb24c7902c5a3c7c26c2746492ca507c98691ea5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
242KB

MD5
100b0e1dd9d43b007140da6c8029d628

SHA1
ecd5dbb465721515b95fd6ecec2df30e0684d931

SHA256
62eeed4a5496c6ca0bfb8aaeeb97c17b81f61a7842bc386cc84497722f2b6f1e

SHA512
8390c1ce7be0e632979c12b91193b53da81118236fcc7a016425d54a4bd5eea98b2cc03a30c8b1e67f2674c881e6476e1c16728b97cd276ba6e412c7d46d2151

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
185KB

MD5
3bff689e307ee5bddd1571120691240e

SHA1
96f4836ed9e828d699ed66c351932bfabe9f258d

SHA256
8ff196c20f97ae78072bbb8c25627b2630665c71b1952cbd7167d6c861ac01a0

SHA512
1165295c3622feabb59c6faf41b918f98404ba575b46abebdfd3908fde4cb3f3eef92eabf9538b3d4dbf57db48b2c3d8fc7a4b48455d84ec1de50d3468d7e420

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
63KB

MD5
38aa21bced5a87655f3fa76d5ee3a7c6

SHA1
5f1cb39bece30952c0fd693b8b16bafae2ea2262

SHA256
b1cbd28967a9cabfd6eca7386b261ddb3cf7134f024f1572e7b1236a5c98b5c7

SHA512
4802cfb8986db7b1a5ffbf61ad37a237d918ab6257734491e01ea7ed0013be31bf809dc8be18242358cded6999c2424440a2da11f87783c129bfbe49dde0272e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
92KB

MD5
6915100dcb966665d37f977c6d4e34e8

SHA1
fbb25f25355886101a8c2d743d9ea6221c0a84ad

SHA256
44155fa849113018d4fe128fb0c97479fbbc88dd93e89239a31c8604c950a72c

SHA512
fec4e745fd6b3c5c193fac4fbeb05d36887d952d00dca03f389cde70f0230cd0b01ff49bc1464fc5b93cce3dc3d6d9c7b65e7aa62844636371784961fc76eeef

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
67KB

MD5
6b2a00c1c130882558e42dd2a68ca074

SHA1
1b181a48c48a3e41df21203e76bab4d02ba6065a

SHA256
d7feccc4f1d515a1e7957fb608f0cc8f64d3d17bdc369e38b32fb6462fe6729f

SHA512
79cb2a55ba6542dd8fa405fd7ba7f7bf5a859718266e1ee501cd17faa32062991180b3dcf639a5d3b8819106dbf162760bbaa7cb1ee134c1f6f1de650125c765

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
247KB

MD5
f30e33372308ed9829f0c3320c6b5a26

SHA1
f2535d35416c656c08ea533d711e949b644cb0ea

SHA256
c2e4189c90afd536c23f5b8b4eb0861d8c7b4fdbb3282676143b9277108ba9a9

SHA512
7149e46077b9b56d82db74fb421807e328198126616937a5f503c1a7ee04c3267bc6bab0e811f670f62b5518e8e29123a4eec40992dcfad6e7587f05f089f0c8

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
92KB

MD5
164f4032fb64251b26967a4ecb71fb81

SHA1
4bfdc16f34405e81e9703f0c1fe50f49866dc4b5

SHA256
2f8167f5cefa829494ca62e7b39665fa2b57b33170dff89409f618efe8aeb5e2

SHA512
90be1bf087d5c95eae7a8000e5360f0fd96c3d5a319dd50f7eb4051d0e5e05ab9128290acd52a6f8f2d60b3f3e6e77c8b2cf104f7823279bfe86c2e6e6707f44

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
149KB

MD5
1d48f1f856a548ea8060b8e06fde32d7

SHA1
968315d1b530c74b46949fc73e6ed85a7d1f1f83

SHA256
978ac028c2993f1c1d8886d65583d64b23e22cb7e917d7dd8ad10367530fc15b

SHA512
51b6fcdcd92e3ba71dae383d98761ebc3f42a4a5b6611650d221fc3bb4a6b2e8956e7d260fa8716c38974d92b49342b59e4f4f3e1499a42b5a5a51378a4d02f6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
159KB

MD5
7aa59660ff513171a148f634f729c05b

SHA1
728d2c0a09d88f8832d2e7f3b54f4d689f8b8e61

SHA256
10b10cf96882d7bbef422172af3778af6fc417240771580cb5c2a006795b5b16

SHA512
89f0c3cf031b128a9b67109bbe2bbc1002d321a81b825de1567fc4bf3cac85f2b28c3134ab3224c8d1be1d7b6a32431c70b3a07def0f776f0d72a00882985aa3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
87KB

MD5
331932b51c85d67d22da9821a5d9ebda

SHA1
4333205cbd87205a4eccab0428daeb465ff32de8

SHA256
a2a1742c39e99334b87e80809d8e2d7fd58604bf88808e065130be0f22234d67

SHA512
972e0c7a6f3ea4a5ca601cb6cf7901d3e2953282e764e3c2a1b9e384fcb981fc06a9aea32666e6dff136606e07519549aa50c4d183d6d013ab1d22b203198a9e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
290KB

MD5
2ee6fb1c7a8e51288530a9132b2db08a

SHA1
09f38947e55aaea3c10b9b5d1f136af8ce7196b2

SHA256
4ca4d55be9e8f120dc608be1d9303c2dfb324f8053968af13faf21bae786fae3

SHA512
d3d46704d8be164aa8f29948d04668aee627133db980bbd51aa255aaf0097cfa6bc3260713cd85fe39f4d91a093784c9e4d6ff26a771a33bc69fba0bb897e210

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
163KB

MD5
4a5d24a1410288e665dc46477f499f75

SHA1
be9c80937f002ffabc60b29eae91af77450063b8

SHA256
cac3cd7ac57c6189bf2e82d8be3b10f374e2f35cc22c779852e10c04aa0e7c6c

SHA512
7afb7b2b7bdd58cc7a78ce55053006f28fece3f63c2aa1a4eacb4aa2ce325e3e29950fcd150bb9a3de742bb87e1002422226fa16face97547cd75ba00ebcd751

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
217KB

MD5
81d74501ee161c1c3915dd0041b0f72f

SHA1
9159416fb9272aae6060d56c910237292a828bdf

SHA256
c2d95edf0c07f9ded059ee026bba7a3667f6b848522773b12c8f648ffe46d259

SHA512
27c1e1a99288512532cccfad71f526cff91e819d5f0e9859865675ae617c1ca89b764bad134c1806fe5e111ee6e0cc7991f3ce1d09ba4c5527c60d90f59c6b67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
163KB

MD5
991d68e5a747cbaac3c58c096138be19

SHA1
7c100144336a32ce93d1cf9f10058ed2a0ba0759

SHA256
8a7f7de40712b8db9b1d997041b1d373c2cf6aad0d14408e473fb6740487d908

SHA512
3c2842da4d81a525c10c7b02a22ecda3588999aa688f566653c00e7aced9270bfc3ea060faab63b8a0c2742be0ecedcacf47186ffa6106d8d8974ac902abc39e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
125KB

MD5
68bc18a9fbb51bdfca0f2f907d7adafe

SHA1
8e203a4738c8ce1f8bb832a8a85a8f3da8a0aa69

SHA256
47f66473dcfc47a77fad33c9d2fe36ff4a8b494d9105fc42419c116815e872ec

SHA512
c195a22106cbeca13b9e887030525b3b8aaa0dbbe1a87e1d0696567df6de755b6a77815a0ceec95b356bd3fdd328dd078a2b0a0faab60578761f7df3fb8f6e4b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
79KB

MD5
935a3f6bae675c3e641b09c0be3cf0e0

SHA1
ff0848cea230ce4dcd835343c20d19e1dbfcef22

SHA256
603a6556e6cf342c05ae5f861ec9a6f612295d9270217153bcbad1071c027d09

SHA512
92038c4d145551cd1d4faa533a3f325642ae56fdc31ed15b1d72480853fa3a3f28cf282d1805d98227c76f2381251b6252df0aa262cf58d415bd711fcd07ae7a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
192KB

MD5
1983ba29f876a8f373ee12b7afb268a6

SHA1
094491223d3ac63fa72ae9e19e92f4c2bc90dd8d

SHA256
1551ca39a42ba15c056009fa8197c431ae0aa0d442848419ea0e233643a11029

SHA512
6711b3e8263d4d9df518669c454f8beb62b42c91ff75fed90f740c0c90bc3d952dd4354348a98843443c3584fc523c98a9cb2356a7b9d93285b55da7537baf24

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
95KB

MD5
fa5cf7171781c787d1f38df62c2c24ee

SHA1
01b2dfa0ba1e7cfdf26ea5fad0bf77a53af7cb31

SHA256
c5b6a5f4136a1fb6b953ce7c59815b3050eaf1b72b1d7cd7d5fb9be996c97b9d

SHA512
47f3afd27ec5fc82699b5c811930d107fb94353c32c059e7ea675630d94eeb79cb954e551669ee7c96a5239b46834772df5ea5ab75e5354109a3f4f17889e7b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
56KB

MD5
48f14ddbc157a561cb4555facb229bc4

SHA1
b636851ad7a43f426f1296f10d276656086ca123

SHA256
8366b3e2ba68c66034956dd69858354600aa347694dc53bd8f8bdc6411a42244

SHA512
1f00320a31503bc3c66df151e10708ee06986a2aeb41662050396d296b96a93313b9ac7cc46ed467fa6a26d73115009821cb5dfbeb5338e443007f8fe8cfd7f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
65KB

MD5
c889240bf3f579eca7408e6b9c2e7c43

SHA1
88470d5d426c7cb3f6d8c0415a55f6514a425ede

SHA256
7caaafb2a51ac9e66e303610b787be7089f5884dcc60c5514148261e0143ecb3

SHA512
0e23e9b986a5abb00c483e68edb3aef3e964c005a487d6d79a8658ec37a3468d7a02aa6b8d4c8910ff6f3a8a64a69c0ace01da7805af6167be00b62726f36d5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
173KB

MD5
2667da0325a8203a6d4d2e0ef8d4787f

SHA1
8c2f7f3d93e1869ebd4a537ce735f5dbe61b1921

SHA256
6b77bf7902c8e1a269c1abb4783f3da89441d2ad2566e67e4acaa57d766d136e

SHA512
ea681a573f88007c36e687a15cea1c99625c21b3b5856eb1243f3ffb62eaac5654a8344097ff5bdd75670d22328df09e77b26503224a5bbfeb50a19e58a0805d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
119KB

MD5
da59d719d7b2735ce99d34af93d1c5ba

SHA1
12c102f45084b6c7db1baa7547b9f34fba85c5b8

SHA256
afc46f65fa2fadf9eee31b9276ccd813c0674f3da1e293c1d17fb2adf21ee455

SHA512
6e89ae09232ab355eab91c75c785b47c3064f2e57ee87467e487602bd0bc9836487a0363927fd9b0a3f1a0fd0e187222fc41c972298d0d054635fe7045a4fba5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
15KB

MD5
805a9ab6797e8be3778b8fbb91e3f31b

SHA1
a1f826d684c127167dde17611370e8c0a5b9cf9b

SHA256
8b5cf70c51310a6d7b692f39bbcbed67e9eea22901d3ef2c1951386b1f264c7f

SHA512
191d8f4d7dfb9af4809878cd955f8a889ff28de160a79446a9b275b6593dea7bdcbc429fe3b67e73c8885f70f00017fcb0d744cb97f29e3fdb669fbb2f406896

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
86KB

MD5
185c4674c7b1f1692fb6e4c9b060edac

SHA1
c953f6f37011f1d382bbe9553b8670d9642cdab6

SHA256
70d1b653fb20b522892c3363878ad437d0b4a1f9138d8eff87a182789c7843e0

SHA512
506055daa7ea6ebe9633a6fd0d90e662157e248c493db317bec07e2ae20e72155faa77529ce6ce45073aabce2f9b702e60b77dfc5f1168dd6d43375f190cdd54

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
108KB

MD5
507db047d95998f25bd050f5e6490d65

SHA1
84977d1ab2d7694cf6d824acd4a69ad0c77aa54c

SHA256
604f0ff6bc547c66401dd5364006487cfa8dbef97c0af1dea3242fa51eeb0614

SHA512
e9bc32d174878325ce490fbdd886fe44d21a25a00a731e0d2ea7d0051fe7e863c3efb22b890c88691d88fbd78188160305bbcd3eeff009b7f99ccfd8de1f2a53

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
132KB

MD5
0f4e5da4d95946ec21a60282ff1d24c6

SHA1
53af3e26cfddfd5d5d57f7ad017a300b538d0a94

SHA256
ad1bd733071e7d015be7f984fb850bef22f790c7e7fa9d6a0f49edc1951ff974

SHA512
30660c1dc29d34669f3a76b2e39f272a78ece97b0a8bde3a48ef7c532cb076500ae2d8ba3fb093f9f41d7b8b1106ffb85e84350912b75f375b1fac349479c814

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
36KB

MD5
1ad8bf1fd78c12f43f296e168ad6e651

SHA1
28ea2632f6272ef38ace206b450ab09e08e2d490

SHA256
c74c0553cac5499cd16e55e3776abc6d9ec2063cdb76071018965b5c22993d4d

SHA512
8bec7ae5aa489585ffe61275a383bed10f7380cb2e85dafe75b3ca0ed6d5a99239ef8537b7265a9b7fd53ada7fbc67521ede794d14a046c14afc1ede9fea6730

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
175KB

MD5
f1c28241673372f47c4dbc6116151942

SHA1
0acd9727de2b181b5303d5c21f76000ef2512bfb

SHA256
c8bfd8a7facc1d1ba4dc70a3c295c0cfa8df7d46c274b243b85ca73f89a681b5

SHA512
309beadde815b67bab02ad9b2ee6f0b36f0a5e060bbb7cc85e18475fa60b82648a9a3976cf7beaf19fffc946883ef59f194d59425ffecf516e185aec9ec6ee35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
100KB

MD5
abd4d330ff0d924f7f79947a53ae2130

SHA1
e012ad4cdcbd4077746a639158fb9fa88e0afcfc

SHA256
9acc4c589e4394bd3a04e0c4c53fcbc3816a88af66337e2e5bdbfeb419211e00

SHA512
31c8eb6c5a07c492b7a7f5e0fc28a503de19c2f81d4a84c31200364c7d2818d75892d7129a5c76dfee3047b369944b3f9bda41bf5ee6efc578035379ed8bd25f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
89KB

MD5
70aa326daf1efe718ad12058aab24275

SHA1
1fc39bcbfd4e2e5068105b723a4be7439dbde42f

SHA256
921996c3ae8eba15b9abd197e6927a8128c491027314b679b7a17c6700739431

SHA512
786bc0e4da99ef01f0bfd0843197e7a086933541a7d98d6e90fd22318128cec54ac6563df4f1eda0a6ab65f337809714f76b5ea9115bb475171f35dc72ce8dca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
84KB

MD5
bbe76ac8fa3a56f43ca7b8cf746f1e8f

SHA1
76999bab9b04741007c06d63f01d330e8050e2f7

SHA256
00d2c1563de275a7beda35ebf802e7eb00c80fe6ac28a618fe09f529e623e020

SHA512
7731f8a2226c721a8231c808ac2e15f04d46d6aaa26bf417ac8e117fef7a5c5cdba8de8b9f57914a5e4c16f48c1e5e212d028da4b1f09357296144df144209ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
59KB

MD5
e41554da952b6e102b8d6608985fb279

SHA1
cb28dec5f5a00c6afd697b286878520844ff3718

SHA256
7060fce85e67036b69fc938e3433bf1b2cf5ee8404bdb711f9212c2d64a055d3

SHA512
be0451cd033bf602e9e15382d0e02dc8a645bec8bf64e4626a7f78d4af6fd4cb453c1baf1359d5e6d4ad014f590e8ed987e1c3e36434184b9ddd20e68de8b1c6

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
80KB

MD5
f81c31ac663c8324c672e520fb60096c

SHA1
e21eb48dfa4fb1e9800c118768d891cc9b75dd50

SHA256
6cf2d32981a1a4b21eba571ecba2269e5fc686006ef9b5793e92c7c024059e14

SHA512
0bb2c69b93488f06e7af5b771cd77e9092020fb51547e3d75bf49a2043c770a1d3ef4e1e8d18c264be88b185984cb56a1b3e2b7b844cc605f4d7cd951b607b2a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
b982526baf9bd71326d00ae64f934818

SHA1
355e93b547a3edb1d3d629ee479d95721af47bb7

SHA256
7a36f443af56f08152889c59397372b7a2c60f67831d289aaf76836819e5d8ab

SHA512
e660fe7664b22671c4d4e5c627e450904f88f1543d312262d3f04245765a42e4d640314ef9836caaeda6f25e9b7df19a8df17bae2f4133e108e5b5da162d42b4

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
417KB

MD5
84bf4d8bec78fa8d344fc1e079186ba4

SHA1
1fb7f6ccf0147f6140b41a9569b429c6077d1c77

SHA256
561dce3386d88b2cefe0bb053f3b9b6b08f6eb20fbaba1f4902b4e249ed1deaf

SHA512
5ffaddfedcb33e0058bbde1144f2fe925695f76656619ffb23ee7b324771adc19410b7bb0f6959d4acee971850f7c0388a7dd8d8531643e4e07ef3ac1bae8d35

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
125KB

MD5
d7cceb92755e6c6a77dc82805e7f7885

SHA1
bfaf433adaf00b634482b488889f106ccc304df5

SHA256
3b24a1f539e35c3935c36d34b5505c2f5c2d4982b086ffac62214330ec00f9df

SHA512
51f5f958596c98f4cbb09e88f6080aa73de62c3f81a8e74eeabd08c74c2eedc928ff5a46ee79d77155caf7e7690ba9fe111df35d79b870331dd02eb72ac16d20

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
250KB

MD5
3058ac1abe8cdab6a631c92f233869e9

SHA1
f653a6b8848727728217afe6228c74b13781ee0c

SHA256
bce0375c0093364d2566cf1cca87002e37a886ccd35d8c69053b07574917babf

SHA512
8d0084e523b785673fee2d3b524027f31c97318357f0b33cc8c8bd392194eb088dffd4424e23600fb580122a169ebb0ccc1647e4ba295e82da8c143cdef15b7c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
489KB

MD5
b49e10069161981b6c9e6e18a1b1f1b0

SHA1
236ac37fc7e04250f0bb7f1fbd9353ecaba68762

SHA256
8c38b9f9d70839ebbc4e72062893e12fcfea4ae62bb366867659f92d3e7ae47a

SHA512
1fafdccea9dcdede976ec2dd6a47e0c12e1679979bec3411de3f1ebe91bcda21f7c7e6105e8da117e16e24e57cecfd85f6382df90e836a26e08f5e6cfe254d1c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
222KB

MD5
518f768a9cc92a68e1b5ea6ec9089953

SHA1
01668188ba86ff853ff7cacf9269cdc218d10af3

SHA256
dbd44041e6de8e572028296fd32a8d7d17efa7e121eda1144d2f115d05f2cf64

SHA512
2fbc77ef769b3086962d67eeb200d0218c0628a8e3edd433325df78ef49bcc175b0fc0d6689eb2502ef4a16dea18441a8427dd8c327b509367fa4ee8b2d2d5c5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
372KB

MD5
d4558ca97d900e12ebdf6a123bf8a6e0

SHA1
7caab808ed965ce32faf346ef5c84457e8cfde43

SHA256
f58576941e233ab1fc6ab510c9acce6f1b65f06b403b0ee03571417ea5aa25f7

SHA512
a4c3bd74267455b2ed236bc8811dad7909ef1294a056bd07b229b45cbde08d9b3e6b84ee14a1282b2e7ebd77bd971115f6551303ced7defc9b23902a217f0081

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
cbb2dfc715cd3d16c552471523c85a7d

SHA1
f65a05381f87ec786b8115a969cef62e6cdd492d

SHA256
6b31e746b80c1f205ebb34d68689593f3054bf3f30008d7c400ed271783e4727

SHA512
8254f83675b37bfe280ea4969b8ead71db1e9d16b280e2c16801b26348b72d94674b2e90033d74451ddd93f16a53f3335eb7276e6dc860f772e690cbaf68c47e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
285KB

MD5
225565ec8255f00ba98dbdfc5cae6f23

SHA1
1c2002fc9f65d1ba15927ba48447ccbdc19577cd

SHA256
5f0bd59e6b69387def9fb239fc10def01e3d5b1e80a39bd619dc2a314e0f2da3

SHA512
8080eef12e6069583e2b1fbf1b27a13bc6e5151578cc60afde7c5abbaf41fdb593a3d0ee14105b7aa445c0dcb8f0adb4e615f4304969b31363a3bacfef206d4a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
704KB

MD5
bdce35990ce56eab71b1d82f3e84a66b

SHA1
bec5333c3f09ffc21db7d6f710a7c6debb66b973

SHA256
9086cce1cf341eb3612a87a2908657ce7d4f500905a42e07436664a3af0d3cbb

SHA512
6e19d660bd5e37595aaa5c3589a70d49ba77e4fcc95327ea97f2e632dad06208154019089b112e7b352bce1e2ef13686545f425f43c40f72cf8a49b11edb4dec

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
424KB

MD5
5af1356c3afa5521226ef74481ba6430

SHA1
ec9e54f9d77b8837d8da7e947f69a15c64793e5a

SHA256
4c9350f42128f6afe5dabb470d134da4ac5931fc29966f69b08bd019d8652f2f

SHA512
9b02d3c1e9c084a1d095fb553396547896c7471cb64bd5c76e5c5d1a50b223fb2369c9e5344cf19f6c433a13c6c18eda6d88ac4c39113665a54266d1f452d4ca

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
446KB

MD5
e8257840e040c2fc26a649d6bd8ee64f

SHA1
246af2269546631f73236af6629e583e6f1ef524

SHA256
77afd736ed3c6d9b89ace84b9dd01f729c4d25bba71aec1ab990232c015917a3

SHA512
927cb1be561729a57e278d18433eb30fbd8f7fd5a3819de3273f86896403d7ae03dc74f6678f61b7fe1f60beeb912f08a1d8334d05e09a6d4fbeeb818d0ffca3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
224KB

MD5
cc6ac7f18be4f34bfb248cd29e770fa7

SHA1
9bd929ce0d45aed32ba7d6646e84bb32a0c4414a

SHA256
f0ba5414801f168b3c0fa12cfbb4ab9f1d383cc8daf957d611206c5dc2d5555e

SHA512
da42a12f31da58886fe6b91c09a57539d7ff6694cdcdf5f1502653fcfe549debc5af8aae9a84a65af5a147b8eec142ac0e7f4ad18b51385b0f70a421c8263a03

Download Submit
C:\Windows\System32\alg.exe

Filesize
149KB

MD5
5fcbe4f9845293fd78a83b2879758f59

SHA1
b6275be90642fbe1f7b0d2717e6503e843bf748e

SHA256
40982937b438e5f242e408474e3ef5b61e04d47df4217a1f5e9592d888f4949c

SHA512
1e6347de1fc869b8d7e9772e4ccefe958823b9f5f94f712a4c34867962bd92d5c25954c59feeb2b971f380fed0f95ced119a9fc0f6577364c7a8419fd2f8330a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
dc82c47b19585371961808aa527852ba

SHA1
2c63815957fa5df3c03dc13f2a768c650bde4f05

SHA256
0a7c0ad40f38c7a82cf82b21b80357cd6906265aca6821bdd6c501bda281ca18

SHA512
7dbb9a0aaa59b49c7ac27eb882e659f14963f2826349bbc714332fbabd46f51880c3e196f45b682f63529db7c98a3500829104fcdd794a3f3bacfcdf526f7b09

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
448KB

MD5
c953e61f51c9d628672c1e2a9737a0d4

SHA1
126def2f48ae87898545b860bd513a3f5d6291e3

SHA256
e6ad64f357cc75efc03c5855353a3e5ad65d63908a19df6d1c8335e0c6241ee8

SHA512
675db364170198f1e5a45cbada9db4ec957583424763787182b47d113cf39ece65632de981051fff4cbfadd9a4e54d9b09108d6c3af92b8efb1edc8697654f22

Download Submit
C:\Windows\System32\vds.exe

Filesize
252KB

MD5
2eb91e77ba153e9579b90b0d2508e783

SHA1
1dfc6c55ea8744c35951b9136abd0641ab2c1f3f

SHA256
c8790e7f7e5f395a647c9be0b3cacaf4cb8f6f4f9f5f8a7b98f7f5144b2ec6cd

SHA512
e0ee5859a74e203c449b9d6bbf74222f1b749f1f7937ee4f225f9f1c33cf6b5d7fd94f7351f4010496b465870a1ead13d33d770983f6f87bcd04d9f8a504271c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
249KB

MD5
a4e2e6d75a72d1c141a7a407cccc6064

SHA1
eceb83796287c5f1845033a588d24d62cab70418

SHA256
57bd5ae7a1c6dea42c12315f136aa57c99f359bfe5d826e968cd266d61df0737

SHA512
45a6e09ff634039bb470a6202c35e42e8247cbf330b8b478cdaee80e74f05171e640fc70750dc641e72fb21f34c3e3b1727aa48f215ad1d472c57a738565fded

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
149KB

MD5
e524cd4a5ff73613e4ec0442b117bbbe

SHA1
d2fe199bd7853a282bb160b1e48fda0f75c7fdc4

SHA256
ec3b79f22e5bb33f0d08a096692fe93d1df53465e06ad9e1f0375cdabc00d3c9

SHA512
1b558e2e583f10450cc55fae89e5a17d5020c3208acfd07bf00be50da2208cb36fb68cd80676c18fadff5fe0f7710d83f858a5c96dacb50377d172e8af3f1939

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
99KB

MD5
6c076eb8575762ade8bfe9188304beaa

SHA1
c997492c09389e494796533abdf6452628accf92

SHA256
ac3b7e8411fe09fe7ab563894d941263656c23fc5ebbf1b8fd188ff63d9d16e5

SHA512
79e3cca1fc316885b38a4b0708813d283ee08015f61538d838f656e8d051607ef937a045b4ce5b43ea117ce550ccb9754d4ba642d702f06d88a73e8d554af095

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
120KB

MD5
ef3023c4d1d07091d5c343fda73e00c6

SHA1
199758e2742eca769b2fc97ac160399652ebf41f

SHA256
1c97cb947741fcd2ab9229e336405971857b5a7dc59de7c89e9e0122a26de8df

SHA512
106811f690c642ebf97aabd44b7ecd19b6bac8a912fcce262be6927af663814c3d57d441ef5db6a26622f3fa267aed17d439c1219dfbe0053cc5e24906624a03

Download Submit
C:\odt\office2016setup.exe

Filesize
77KB

MD5
062506caa04f1e7bee0715810c3b7429

SHA1
06a8bdb20677e566eacdf8f563fc2632a8eaed3c

SHA256
9b2a5c09adffe06d93d7266da9022e46b91afb461877805d17965d43a17f80a7

SHA512
69cb5fa2f17031a36b427077ad76fb0ef65dd2889e2341b6ef02b1e2f38daa577ac4eafec7abfa4a195a2245c89f34f27836f23b5a7e24da193c69e0ae8470cf

Download Submit
memory/208-257-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/208-309-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/372-63-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/372-73-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/372-62-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/372-76-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/372-69-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/464-444-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/464-320-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/464-310-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1404-78-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1404-14-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1576-318-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1576-265-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/1576-264-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1576-271-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/1928-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1928-17-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1928-18-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1928-87-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2020-33-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/2020-7-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/2020-0-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/2020-1-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/2020-8-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/2028-464-0x0000018BFBD10000-0x0000018BFBD20000-memory.dmp

Filesize
64KB

Download
memory/2028-442-0x0000018BFBE60000-0x0000018BFBE70000-memory.dmp

Filesize
64KB

Download
memory/2028-465-0x0000018BFC220000-0x0000018BFC230000-memory.dmp

Filesize
64KB

Download
memory/2028-466-0x0000018BFC220000-0x0000018BFC230000-memory.dmp

Filesize
64KB

Download
memory/2028-440-0x0000018BFBD10000-0x0000018BFBD20000-memory.dmp

Filesize
64KB

Download
memory/2028-452-0x0000018BFC220000-0x0000018BFC230000-memory.dmp

Filesize
64KB

Download
memory/2028-474-0x0000018BFBD10000-0x0000018BFBD20000-memory.dmp

Filesize
64KB

Download
memory/2028-475-0x0000018BFC220000-0x0000018BFC230000-memory.dmp

Filesize
64KB

Download
memory/2028-441-0x0000018BFBD40000-0x0000018BFBD41000-memory.dmp

Filesize
4KB

Download
memory/2028-486-0x0000018BFBD10000-0x0000018BFBD20000-memory.dmp

Filesize
64KB

Download
memory/2028-451-0x0000018BFBD10000-0x0000018BFBD20000-memory.dmp

Filesize
64KB

Download
memory/2028-493-0x0000018BFBD10000-0x0000018BFBD20000-memory.dmp

Filesize
64KB

Download
memory/2028-443-0x0000018BFBE60000-0x0000018BFBE70000-memory.dmp

Filesize
64KB

Download
memory/2028-487-0x0000018BFC220000-0x0000018BFC230000-memory.dmp

Filesize
64KB

Download
memory/2136-337-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2136-291-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2512-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2512-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2832-492-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2832-338-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2936-342-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2936-293-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2944-77-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2944-85-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2944-80-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2944-251-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2996-286-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2996-333-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3060-344-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3676-248-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3676-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3676-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3676-58-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3708-348-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4000-44-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4000-247-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4000-37-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4000-36-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4196-330-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4196-476-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4392-473-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4392-328-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4404-326-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4404-275-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4404-284-0x0000000000630000-0x0000000000697000-memory.dmp

Filesize
412KB

Download
memory/4404-276-0x0000000000630000-0x0000000000697000-memory.dmp

Filesize
412KB

Download
memory/4772-323-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4772-463-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4800-346-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4800-296-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4800-305-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4908-485-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4908-334-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download