f9d67635ab20564a803c9b169cca65d274d68b53492d9ede248af7e730d70517

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2024, 11:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-01_a429cd3475cd84bde75716f7b6688c81_ryuk.exe
Size

2.2MB
MD5

a429cd3475cd84bde75716f7b6688c81
SHA1

87c4495e6e8f22be0b5ce424fe6dc91bba5a6205
SHA256

f9d67635ab20564a803c9b169cca65d274d68b53492d9ede248af7e730d70517
SHA512

161bd05f4f0e750dfb02be02a0163335966594a96359758d206166f9ef6a86ee862598c6c50765a204e1132b3d8e16b9bd6bad7de9268cf7b929ad2e68c9c84a
SSDEEP

24576:GOObVw4TaN1wdkukCba4oXtgLhU3wEdmh586Vg9N9JMlDlfjRiVuVsWt5MJMs:GOOh3aN4kuLbegmtGfgFIDRRAubt5M

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4888	alg.exe
3276	DiagnosticsHub.StandardCollector.Service.exe
2016	fxssvc.exe
3972	elevation_service.exe
3132	elevation_service.exe
1516	maintenanceservice.exe
4488	OSE.EXE
2736	msdtc.exe
3256	PerceptionSimulationService.exe
1564	perfhost.exe
1104	locator.exe
2444	SensorDataService.exe
2268	snmptrap.exe
3460	spectrum.exe
968	ssh-agent.exe
4544	TieringEngineService.exe
2232	AgentService.exe
2936	vds.exe
1516	vssvc.exe
4328	wbengine.exe
2564	WmiApSrv.exe
1684	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-02-01_a429cd3475cd84bde75716f7b6688c81_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-02-01_a429cd3475cd84bde75716f7b6688c81_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\32337fac8ed1090.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-02-01_a429cd3475cd84bde75716f7b6688c81_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-02-01_a429cd3475cd84bde75716f7b6688c81_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-02-01_a429cd3475cd84bde75716f7b6688c81_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000048d967b4ff54da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b355e2b3ff54da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dceb7ab4ff54da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cf7927b4ff54da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4a12eb4ff54da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000038f11db4ff54da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3276	DiagnosticsHub.StandardCollector.Service.exe
3276	DiagnosticsHub.StandardCollector.Service.exe
3276	DiagnosticsHub.StandardCollector.Service.exe
3276	DiagnosticsHub.StandardCollector.Service.exe
3276	DiagnosticsHub.StandardCollector.Service.exe
3276	DiagnosticsHub.StandardCollector.Service.exe
3972	elevation_service.exe
3972	elevation_service.exe
3972	elevation_service.exe
3972	elevation_service.exe
3972	elevation_service.exe
3972	elevation_service.exe
3972	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2244	2024-02-01_a429cd3475cd84bde75716f7b6688c81_ryuk.exe
Token: SeAuditPrivilege	2016	fxssvc.exe
Token: SeDebugPrivilege	3276	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	3972	elevation_service.exe
Token: SeRestorePrivilege	4544	TieringEngineService.exe
Token: SeManageVolumePrivilege	4544	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2232	AgentService.exe
Token: SeBackupPrivilege	1516	vssvc.exe
Token: SeRestorePrivilege	1516	vssvc.exe
Token: SeAuditPrivilege	1516	vssvc.exe
Token: SeBackupPrivilege	4328	wbengine.exe
Token: SeRestorePrivilege	4328	wbengine.exe
Token: SeSecurityPrivilege	4328	wbengine.exe
Token: 33	1684	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1684	SearchIndexer.exe
Token: SeDebugPrivilege	3972	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 1036	1684	SearchIndexer.exe	118
PID 1684 wrote to memory of 1036	1684	SearchIndexer.exe	118
PID 1684 wrote to memory of 1204	1684	SearchIndexer.exe	117
PID 1684 wrote to memory of 1204	1684	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-01_a429cd3475cd84bde75716f7b6688c81_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-01_a429cd3475cd84bde75716f7b6688c81_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4888

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1272

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3132

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1516

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4488

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2736

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3256

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1564

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1104

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2444

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3460

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3336

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2564

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2936

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
1⤵
- Modifies data under HKEY_USERS
PID:1204

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
1⤵
- Modifies data under HKEY_USERS
PID:1036

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
22KB

MD5
a969a15c8b098fe12e795464c7a87f61

SHA1
fe415b61f80c373870ab65ceda8999cd411327d4

SHA256
bf6d875a88810955f6f04ef4c18a8ddc3e61a475afdf932798d334b0df76895b

SHA512
7066a587044c6ae2e0747aa85a024edbac495e2a3262047a2134157442e2321949e6856e514e3b3ed27885882c5347c16170c8f33a8b6f97861a2faea5c0f7ac

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
536KB

MD5
9665f44009c0d652c71d4b4086c89387

SHA1
c278c719d8e2eec6e3e12759a870afc1de27c7c9

SHA256
b75c69abc1bbd4707e37f747d15848eaeb1cb681a7d16c8e28d90b2a1f016168

SHA512
75c0352ec70c33a8b3a5bdad22377286e060d0ddc42d2359b980e214e6a20a457e0cc103d2755eb3918bc9853915b1422198201ca5bc55134b1b26741db8f896

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
325KB

MD5
ce567d0e849ee3daa25ae5dafd8960f8

SHA1
9aa5fecd7ecbab72f839df85f7e23dd22a0a809c

SHA256
adf17a41d58c13a50d8c214eab5837182e3e725ca3a0b2a07b33486811ef1958

SHA512
17008ef408f887647fa53562ce2ef965c6452791a6c8d4d4b3c279099419c41e10b97ff125e37abfd8aac2bf8b512f016c9a13e0d5ae9096cc3408d018913867

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
223KB

MD5
43a507af5b4a4e890ccc802ed11b1648

SHA1
bfcb5598175b716090fe45bf1d9402c87d11c115

SHA256
0a71ad3f38d9aef33c5fcf4833c3fbf7f6fce01cc73a5a0239c5b14d2aaaee91

SHA512
6aef30458740973eed368df91c59a1860fae35084d48e25db10418f9125f9177bddce9008b03b3c6a71b3ebd49df2c70d0bb49ef7440af8d363421f8cd446d18

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
82KB

MD5
192395f54b6451dc6aff65787110aba6

SHA1
c90416ae033044890dcafa67f0d8f636408ef655

SHA256
c8a22fad82e96f858f0796ebb444aee6342f2652a27ca214b384adb1ec529caf

SHA512
a65a6176cf0c12ca2718ad29b5c84b59ff75e65f58c9ea41f2c92e7b5d30d4e530d14051ea3d76f8307a42254d34a768d166d1ee755cdebaf042c393cfbf61e4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
284KB

MD5
6358376974b87e10b8a109e5e0ee67ba

SHA1
066d047a0445712b309768af93a403744cea5d50

SHA256
0dab71b590d827f45193bb0dd7e82f250513b15284d2d848e641a5e701b79fae

SHA512
998a554a8c24abf9fdadb071319be0606a6ac608a801a939c709ec55198eac06df8712e1395335849585343f24db0fa0daeaeefd09bd9d2495d5010ef2bf0957

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
144KB

MD5
2c68c24f6714223bad32b2fd816fb58b

SHA1
de4d11b73fd8fdab738a7730048c93dc8b8a3e54

SHA256
40fac651a71ef6e0600daf46ce0862ebf2df8976c57203c2444e35a19ce37ae9

SHA512
e38bd00e7a11ecc6a9a7797e59610f3de9ecf6675499018d6ed98e18396141c9429b75763ccf53622e78ae71b5d5957b14c75a1ebd11c55f54cb5450fef602e0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
267KB

MD5
d286e06399c3a6df74eeca73f003f693

SHA1
079db91ca3e4e25a01f7fc963f23611e7d21a4a7

SHA256
aa5f468da2739bcac07ecbc2594c89eb02beb1119d05bcaad47e8ba2d58ac1dc

SHA512
fb7a5c731c9467dd7baaf80596973ae755da48f783fed52fcd8be6553aa4f5e1038edb93d666568e522724722bd9e5737a768399b8f2c36f6ecf4990a244e237

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
139KB

MD5
bdb0347f662eaef7ca96b774c0bcd9eb

SHA1
9b5f9c1a4d90a8a4449cd2fead142bfe91569582

SHA256
16be5b31593424ef9f86f9be5b498a29f2228b98dabd39cfcd0b1220a5d6a27b

SHA512
8601fee9a083b092434b7034d36abc5e14356787ab0160f314d8322c363b7b0d9487f509ac70f251e9d95c4de970b843ab0f3b6e94ae329746084e45ad23568e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
68KB

MD5
1eebc8075855c0b1947eb5088d962aae

SHA1
6b1c7fe4e0491fad4398eef135c5f9a39d27baa8

SHA256
54d9e99c3b1688d5c2be668d60f4f41efc5d841a8d1cdc31777b3ba933b96d2d

SHA512
b000cfe0f110079588dd37dceeefbc7cbfb6f6c0614e37395f9c9d27df947700343b9b5afc4346c34e5a06a98490b11f7da8466aa9c3ebc3ddec679c630e9352

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
110KB

MD5
57c3222c0f39a31cdcc06398aed56c03

SHA1
cd6c9282ebd2d6ed531bade8748adb0b05eff4eb

SHA256
004bf207e708800a3893e5f76e3bca84d2c7590d081c25b937bdf06ef7f9eee3

SHA512
184b5a1fd5c12abe514b79009a06adecae99db7713353dd266898b7fd217beec71c598d3d4bd7f61214a4104b6f29f2d310867bb87b342db1d8d04ec5a7a0437

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
227KB

MD5
9130a844fb3f44617a692d3c94f168ae

SHA1
0d043b327d6bde5aeca4f0b52ed1a65eed7ead93

SHA256
b10359d66a916899d686e9b408007e19bfef97b2029a80d77af7450131e9418b

SHA512
002791b66e303b80d01aa618c2b24306e11a27258c118ac3e8b3ddeba827698c5203e24d30271f6962128fb8e17c122c13bdd597a2c628342846e8f80dc19947

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
199KB

MD5
09e688d84ffd4bfa57bf085f8ff6e24a

SHA1
534cd876a00936da4231d5551a3ca6564428e1a4

SHA256
75b3b4b9c3121cbf54050d5a33a1039a2d1e09cb616394935921dc8efe5c0568

SHA512
af396bb6f6581c5db7642501d8692be011141f481dafee02c826f2ecf6fcec7d149aef096b42d80e91f0b2750c5a0a5807273cdf62a5fe1aad57059d382407df

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
266KB

MD5
5773af588f5eeb6b8e6354ea6b8521cb

SHA1
5b76742047bb7f1b235d110eafbc35fe7dd471aa

SHA256
17dbed3f0ce4751390b4e0b8bff59764405b96671a6d8d8a0c49dca07542dfa2

SHA512
52556b5217c2e9365a9bb0a6ec527894d9c0e2d029439d09d729987a5201b1f934e06405caef2eb5c71bda28dcda0db9520773b1b50cdccdda2edab9557550d9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
192KB

MD5
11dce6a5a1e0aabaf99002b26c6567cd

SHA1
19848e688a476afe3e5e563e0456846f6a2cedf5

SHA256
9a201e7ac328055f2bfba7b277a557e1cba41f3b081ee89965c168d0ea657d57

SHA512
b8f7cdb39e64bc23969323470de9ee65381efe650bd246a9171c4d412ce96cf7cd5b34c4ea313c5ac76e9155819c20586ec0e5adaa987a8bd45c3e9b00962b8b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
200KB

MD5
f96e77c41560beffabbc89dd14517eda

SHA1
f2c94eada98cfe59c210bc4798bbff41efe07bb1

SHA256
158d41b137764d2297b9bf29d6406754ad69c259f8ea47a4655c528e669fe110

SHA512
abcc33b1882f60ae672f09506515cf65ee4a5513dc4f79a0906be5302fda9aa2a8f49ebd9389f9a2b6ca0c5eb6682ba848bffc53e340690f4c33ecaa136672ce

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
59KB

MD5
b2dd2335a639d86251109a855e3b50f7

SHA1
3e49493028fedee04659d4d5079a0e44241204a8

SHA256
5fa88d5a5cbdf151ced552eb55721776fb2c5624b514192a888ea1f272e40dd3

SHA512
2c47a4d17457762d4fe4ac4ebdde528db2efe2e6d67fb504b2b718ec6123729517d14b9e292551d58c812e066241f29d4dcb15860d9e518ca7251d5fc33b335f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
108KB

MD5
abd4ccb16a5225d229d6711c2a9d0b49

SHA1
4db57296c9153ea97083e2657567945b33ef9364

SHA256
41b6dfeba2abd2e10bdfa9ddef913515dadea34230cd3c1f3800d842b191288c

SHA512
f918be220241dbb01cd7639f66f376996f4a70f9b249659a2504bbc9876a6bcb59c8bc8d91a7cce2914125004ad31772b620ec3161b9d568329d9ea68dbeefe3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
112KB

MD5
a69c67a34ee603dba28a1b3bb6f22187

SHA1
9460977a3103b73b429adb8d5e66364a98a42fe5

SHA256
c99326158a434aed9c1b17a7dc03f76b347e7a485b27e6ac59203fc89b19391b

SHA512
a26df537f171833a8009e4506290d85e7e2511770d017e7f7bb1541107296616a7e512aef9265fb80fb3e70501f4dbba65b2f50e022ae74ef0c48a2550f3ea36

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
437KB

MD5
56858b81ed81e02cd2c28cf61289a899

SHA1
f434080c70b354a31df926f52dceea28e15f8a9d

SHA256
c4e860f3cc6fadbbafa02a78274f75e2abd8b7c964338da8f213fd389979c78b

SHA512
aeb3ce4cafa570afd8ec6ce91a403523b178bafa021ea717a367babcd7c77598d77a2a3b076ad95592dd9c833b8741371ca9767b32fe1156a3f6d2b9599aca9f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
105KB

MD5
94949bff7e0516ce4bc260302ec70b66

SHA1
59a93c3a78bf68e86dbd06fc4ef845990399386f

SHA256
4a3653c32f282bf83736cd2081ec2a89ebded5aacaf5fc9744868bef60003bbc

SHA512
de52390d90056f1126082a50dd38d58d968bceaa2f7c4195c442c983770995728e57f4e2bad15813bf93eab0a26fa9dc4a20ca2528ca7a651fc9148ae8992992

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
235KB

MD5
d4664f9ab181782cc913ebac27e85c69

SHA1
36a84f7327c612fa45663e420588c44c4e1ab64f

SHA256
d03c1af0757cd6d4b0bd8f1b7bc49e6a12528a14de631452efb33c68a7102c49

SHA512
afd5a38a2ac3b3eba3adbe95a20f7659de20f652ad3536dc412fd4b56dfd99d0a90a3e01ebca0607a785c6ceefb48b3ec5cf045dd14710e50502e9edaefcf83d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
155KB

MD5
13b6a1079bd6f0c47919f680c955cc53

SHA1
50626912e6fd20133a205263342ec2b27dd69771

SHA256
429a681cbcdfd5e8141960a98b62954f53a017830a7c92da974c8616c42250d4

SHA512
6e1b846d7a54d327e68086456d15769a37f352d7409585686691d1916c7fcb4bf13acf8834ac02f93a376c669b7909353c111725a96108aa6c5e291a4e72b8db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
97KB

MD5
4c4d66a7cbaef9d71da9f32fe42205c7

SHA1
11da01a550a90cece727cbdee88d67770a316917

SHA256
7ba9210978667a547be2afbd39aa0d82344050f169ebe681892b6372e52d6005

SHA512
7431c05210b2f4daa5a9405560478777069df731f850a0e7a51d302e2fd16cbe5c3c5a90c2e7fd37cecc22b0137b2417e9f3eaf0a3f1c0ac9cb386e519e2b9ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
430KB

MD5
8cfed0404466b54e0f1fed21ef531021

SHA1
8e5a17742ec171f8ae174aa43fd69388a90d544d

SHA256
c26e708033b5be0417434b659dfbd37974e871628dcb0ae0be5b7856ccf06e03

SHA512
6963805906976a9f2c6e865a0a22be484c020395e0e1eb06a10080a075845c23e5a3dfe4a96e7c57caf246fcc372e547e53c4d299933ad7dba681c439758dd73

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
162KB

MD5
d4b7c16dcd262fdc7193742d8e093f8a

SHA1
60f40290a57667f8efee54f633f0fc9ec65c8394

SHA256
ddb33b6663734ecf67a787ec8105f468689bcc8c97e15a5d90907e8034147188

SHA512
6c2d071378b4e42500114ab49ac3a0bb4422854c28815bdaff2d5c492071342d965a514c5c858238adb70b243bf02b7b92ac38346a122ad0bc5260469dbfe5f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
242KB

MD5
7803a9fbff4d09369be1406f09e920b1

SHA1
7c97f4348801518d690ab757355fa01c90679611

SHA256
1b24812d4876085048eaa81819caf295ab1b9bc6eeefc2b1bc7fee4c3a3d5842

SHA512
ecdcfd0da83a5822eac9f69889f55cf179fe7e545cfb2b67c6087aacb3c781c1d28bd09756666980840b3fe0201b4b9d5256754d70c7a23f92c55c635f50a052

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
160KB

MD5
a1b35f64516a25120639b081888cfc11

SHA1
38f8f531208fd4e01ab67290055e81cbe0ffd366

SHA256
5ef595d8b968c3ca4bf84c450b481dd297d9d186b3e6103726d7eaa30ba39cc2

SHA512
2d863b23b6d7c22f680033d1e0d3f6cb34bd3dd353d2743e27e8f19eab0527f8d83498027bc66a440f643c1333b737bfa8700f7fd3c9fdd1278f1d53c070d51c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
92KB

MD5
ce5efa3d8d61e3d9a1d642be667c8998

SHA1
cf4498cacc44f4de1cafa1d70fb17ed39313ee1d

SHA256
908c12cb4b79a4ac39792ac9507f5de582be60f59a943861e6524bc56fd59ce9

SHA512
13fa50bd4c88fbf86c46acb14c4bab9c19a5ea76635c27851f1b05d535fb6a87b1c24703f430e10a320a1bd4a6cd0f8b492dfa2fb0660f9891695352ac20b762

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
191KB

MD5
481bf342e1c3a4e7ebd5b529ce9b769b

SHA1
07deae08c2e0def9260c6a6d104f5877e81cb104

SHA256
73ed2ccad2874ab74465e6fd63e2c35b473a18b85c90ad8dadb9ad1c317d26e5

SHA512
b07d3f58c5081114f3513ac489fb33822776f51cf85aeb7f0c1ec2ba027b4c0e0d20cdcca435675e3a24955de040080a270a9284138c2b7df2dd2d51b9610af6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
148KB

MD5
63fc56c6a91cbc511a1b4d122037f530

SHA1
4997abcac0f6b0511124c0e031967f0dd9057205

SHA256
cf20e11632893a8f9c742b5838933fd226fea813268052d5306312554e8064ed

SHA512
2d70ab2d4f7a7947159a24c2ebf2ecf04d02991696560077b39d1cbb7c1b381d4413f8b8baa900c4014d3201f3db03bd7e3557f1f08e3d0fbb53cca448402fa7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
85KB

MD5
20de0ec130fce2ab0fd05fcd77655059

SHA1
2170954cd0202431a167da104836cc65fe21f9d8

SHA256
11c01fcf6e6b165da98d78643438e84242cc227a05cbaad83e091ef3faff1d3c

SHA512
e51d1e8031a729ba4df1efa194a19da5997d4becc4c4b79479cace9954294638ee3c064a0f0035749d8a77b00cad277f00b9be72a843d5ac17a2e97bda1fffbe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
190KB

MD5
3a6a4aee024d490fba5617912647e86e

SHA1
831b10f18e27071766fd46fe87b585642c31ab8f

SHA256
36bdc9abaa5563c302a4780fc96aacfe87e52473b489ce2e789fc234772bcb48

SHA512
3b20f098bad45deb6517c5fae9117720899cb923491a0fee8d3a5ecf6421b5fa6541c6f8fda97d18aa4a83133c751ab2cd3b834b53741387025a959194905871

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
86KB

MD5
8a2cfc5e66597e655ea03334b3319f3e

SHA1
7c98874448d302452ca36edf05d3b6da95101e16

SHA256
bf0e4bf9698a9622547c1d8e97c40317556cc9ba630bb44d02c1efa056ea5f52

SHA512
ee4a8c6e5f82423c97771d317b0a1af53d189249f46ebd44a130f7c2a6182320fe64f5bbb12ffb056e6bd58d1636a59a851dd76e1b9c3101b0622685566d1014

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
85KB

MD5
ecf11ae664f8290a921369d6bb9e3e1f

SHA1
ff595974dbda7df1d2a603db0003c1b762befe5a

SHA256
96c4953f23d338d1d4b64be24f86f413e24054642d73647d9c6de8e910cba634

SHA512
3eb8c8c896ac849d5c1e16c3a5d9ea7884f32429a8015e2522e445ec8a2ea67bd800db37c6568d8e30c2b139cc92403f0cd39891aa97f24a0b53a70a49425521

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
82KB

MD5
1b637cb78506164f1926b3b82669cb89

SHA1
167e8052175521a97ccd12d7d56386ae03a02843

SHA256
9f9024c777fb2dbebe54b0b20e8e347886b85fe9d3fea6ef96b5ccfa59b06d7a

SHA512
e58747fb84e3a5c962242928505680b210cec3141dab1934aebe974a0db8fcfcba7d770faff77d8db8cc288b33b3ba57040fb03235bd34a6d1a4d18cb5200c2f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
170KB

MD5
c4ff7dc839ec95027d7ecba16a85f816

SHA1
b5322c057ec26f469deea1cfa836fdf1fe05b61b

SHA256
f2b28917e4712155a21d84af2b73c4ca63547e703c49d7009bebdff9a7d3fca8

SHA512
60158b76feb7e0c2b2cb2e3523e0491598207b8d59a751202505726afcac44d213d5a757accf1479b182a7f05f90ceb455779ff8a8b6e2aa3c576db9cbe0e45d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
269KB

MD5
8cdadb996a3a26e728b8cbcd60586cff

SHA1
0e311478c1c9ecdc373fe639544adf5421b11113

SHA256
02be54f329975011fa7698401485fe4eaae2bb952aed420f4865636af05b7ca1

SHA512
1f309d7727388233aa8143b3928e3194901643e6d0909bf80aa924697e29a90a3b38a3d349db0527aa1755a696d8871caab82a2ce733152cb0ec0e82147f956d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
8KB

MD5
8485ea5dd061f58a5d0b01e84fad973f

SHA1
d94967680528a686dfde68644e7147f2ce46eab7

SHA256
d8d260aac1f7c53a1fe76e39e4e648dc114fd3bc0b935fd8f4eda4ac8b625751

SHA512
5af096ea0a7fc386f6e83e92339ea78a37ba9271b03fccdb3f0170c775405bedc7eca82de561f28f43b489303faadfb9c3dba966def528e9b274651df3c7a297

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
42KB

MD5
c7fac065bfa65b06aff4318c80559ca1

SHA1
d8a050b1672a2bea75589e0aa30bedc2bd586969

SHA256
e9e70ad53cce09b16a9f42ea84da2a5a8c6cec3c118b2f3684321541e7a4265c

SHA512
e3bd46714966e313af72d312146d6b4c55a283acfd0ee2eec1b4986f99118e58885fdd9b3a18e4dc7364f97f418b8ee05fd1739a8bfe302ad21d0f9b69635314

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
48KB

MD5
4fdb7157eb2acee087e2d7d6621247e1

SHA1
51e26ea3fcbebb710e1ffaf6b329923d5dae18ff

SHA256
62e85fa248274a40e6ab6737a22391ffba4f28654c5324e4466c4cfe987c6a90

SHA512
8572a2f762ca551fd311b2432bde8f30911ffcc31cc88e1481d5be84eb2f27213bb00b2e8e4b39ad62ca3ca175a3f7766f621f4f9e09e7c27e1ad6bf2f5de9e3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
171KB

MD5
e444ebd2b9f56a08a2d9652b5cb1ffb2

SHA1
f3697f382190732ea3f5dfda22c6cee49ccf0298

SHA256
5b29ae4f933d56957598e787496854b3c2a5a2e2a16cb7f88248cc8908d345a4

SHA512
4b9555edbd975b42333bd9c57ec573fc382a7f4fbf4423324565f6cc31278a6de87bee898f9af2d398243a00846699ed819419551659a768d330cf07d70d4e81

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
509KB

MD5
89616b07c31cd4b5f8ccd2ee15df3ae8

SHA1
eedbad397c69f717d32d0d72f92399dd83e61f9f

SHA256
b36cd2d0445828dd246d4d6fe889040005c52ed00dddf6081e3af5821bff2eba

SHA512
caba11fdf3a5af10d23bd466e8832645e8ce8ecd9df320906ef18ad6e299c8c2c2195bab39b0b3e48ab94fd0a64b5195280dd0ff84cbff0863f585dcbb8b03bb

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
443KB

MD5
b77167040e3b51e6b1dfd84eed5810c8

SHA1
22e4b389c21943268ba5a2246a3dd706cc0dc214

SHA256
f40288ea2d4005cc3faabdc8c7fa3640fb95c5e747c42d3ed1103b4b2de7a857

SHA512
a3015f2900417d87f26e32fbdd4a86c5d086e1b8c4d6386b89bd1984c23d9be1d2475f2fae7edb9879445485e66751b4485988adb1bdd5ef68643937e0a9f5d1

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
224KB

MD5
f3b6193570642e21dc4e9378a5820e7e

SHA1
4962f79cd37881706a22c397df4086ea17ddadce

SHA256
e7f221834224627a5a8ff5a77d1e1d77d561561c76146f3e63e13f312e6d8999

SHA512
ccf555874de8fb1ecf12b0d98481311b9d6cf5a3b52dfb07388781eb425c42721d3b8469a7193aa07a1e5526f6686c77a561b3b540fcbdfaf1b419ab4b52dea4

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
170KB

MD5
1bfb861bee1323a381337501acc9cf65

SHA1
e5a6a353e2007277f048fe7044495bdf8bdc7150

SHA256
c4057ceaae52ff5d2093005ba7dbed59b84ab8044cd81a8ca29a7473ffc382eb

SHA512
587c2fc623634642c4bd08988e78a99aaba24cff2867d038c98ef27789d4825dc32f4e6882e0e53a3cf61ad23b9acc1dd45a59c986e18b4a5a0bc5eefe111c14

Download Submit
C:\Windows\System32\Locator.exe

Filesize
275KB

MD5
1a419db5ee07fdd4c6b7c2c27f97514b

SHA1
77421683bcae7f857533ed35af22e217c97eee52

SHA256
076032e2ec75634f750684cefb84bcef220f90a59387612eadffc67ac9c5186a

SHA512
7fad6c02fa64fcffeca587b40605915712daf21047ecfdba34784fc61e3fa16a8d871e5f30609ca34ef59bb88f12a6b9bb8b7f2ec79f3ef4dacd621fd5d11818

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
383KB

MD5
87b79670ebf50906604fb41469833cf5

SHA1
2c29500807694937e2159e6fddf9bcfc0f2fc7a6

SHA256
1ae460f28160ab3c7fdcea0f3da6c9fc1f77d718cd75883c0f7025424770df34

SHA512
24feeff0ad54368384a2e2d003e0b09af79c5b1c06fe3a42f14d67090b6cfce450759409e4b3ce309f1020d72139fd9b208b7d6f3d0a4ff5440c2df27002e225

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
211KB

MD5
8a1917933c3051d2b7adac3dd04b99c3

SHA1
9e95102d2b1dd492580781c7e6202407e5021f99

SHA256
c6ce909bf45a946b7d8f2f13132ca6b4d7e52198fb20205a09c9b48d02f72799

SHA512
2ca77c82a497d8e6956558dbb0b61cf19069f25093c890b857990f70b473113c1860aa9b07fec78a47b985b57c5e50d82ff084b58fde66d04fddde2a4c6b505b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
465KB

MD5
cb75d948d1451c16aa9effd9198d8f23

SHA1
99c35f2e0d56d067f313d6bfedd0833c331fc358

SHA256
748f3ec5a531d74f7b08c08ffd08c21cfe12b3d2b3ac31c3b08373e38b63240e

SHA512
eb33ce2833ab2c0126750d02bd846918cfe57d808c0922e5ec72219016087257785db03466146d7f080edd580767681ac0ac14f86f3e2a4d854b79118089ec02

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
222KB

MD5
1d8adb32cef882001546405f6a1a9380

SHA1
2064006708cdfbd256424de8209d70056c42fa8e

SHA256
7dce4ff01786153369d16d4a266ea33d0c8dee1d4711707b13f2a683c057edf4

SHA512
1ec0eda94479587ff099ce4d8a5c462a7b7ca8a6e9c9b2ee9c303e71eced404b767006a11c96052f47691704a25e37b4091578c63edfbdb448da6719b446edeb

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
224KB

MD5
f03a5043b13d2be4915ef87ea000360d

SHA1
d27e8db7dfcec09cc2773e219aba283febd07d3d

SHA256
27c6c1198f67e31f3bcd4bdbbb348473d0558d9378ecc56c4bd8b569a99c26c6

SHA512
2593e692a1fdd39fef464d215fda07cb3b7a8d93461fa172c0b367c5d52044fe5b3dc2fc518899e3f4d1d69934ffeebed7f6be0a42fdc4fc0d54d8939f235e36

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
305KB

MD5
d36dfd505ee21a9371fd27fbd232b2f9

SHA1
6a2f067a69110071b72a31cb89edae0e136f465c

SHA256
0a34a12690425a211edd21cfb021609873f604d14004869ebc3e913ea70a895d

SHA512
de43b693a2afbbbab5eeaec1b1453ea134e6f7a7c43e14e06124ccc51ffb2a46fcef0259089bf331ca380e70975080a80175d6fbab345d615e55de00a8485a98

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
133KB

MD5
98fa86eb0121f019b0f79cc5aeaf9f1e

SHA1
fe3f23fa72cbbd7dd26db794d725c2e9c513abd2

SHA256
f8bf33322b37ed1300e4e79ab3b49345f3a1091e9d38f964bcfa1ee0014a7dac

SHA512
7bc355b724a28b23c9382045ffdda043b2c80d10a6f0c7fdd05d03f185f8284670ca26497ad86648ebc03e18116e315fea968ef99685b7d4c03cabdcc53a8850

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
181KB

MD5
a8883a09b1650f821e9adb62cc347958

SHA1
956eecab7b44660a892c7746d844ba9e48ac6849

SHA256
36a230a79cf8d4aa1b050d17cb1da073e51eb6cc2ebaaa2e00a9ec43944272c6

SHA512
03eff07c1eff9302360e0ef4ca8af3b02db009dae35b53fc24d03921c5770d5b0d9f90f7c42bb4c45e46b6230ea53f31c385e9cf8d610930195a678abc5128cd

Download Submit
C:\Windows\System32\alg.exe

Filesize
340KB

MD5
7850d229cf2fcf10beee0c3c5d6a2f6e

SHA1
d3dea1120438d14dd3cb291760b7e455aa085763

SHA256
7a0740299187e2641314e6af02bcc973dd45e646dd1ced5b1e51c983de156f5f

SHA512
2aa2035114c109f88fd846cfb6eaebc58e799b3f84d3336ad0515ff92fa5744206ef0524ebe9e09c3ebbca852822e157aaeb549e25a0afbd521d807c6fa64685

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
401KB

MD5
e44d56ff9030cb66f0a89fbf180ef5e8

SHA1
37682e772e8bf5550d10e871c17c243cb8248211

SHA256
6953e223cb76f2e538463ddb691e8627ff190b12b9705b9cb92261726a28ad89

SHA512
223cc401779ab6be477a77133a96077559a32a795fa1527d128b9bf418300bbb187b32d6eda596a3e1c84f1fc25efaa57270075eb6fdcbc408f46675c341cb43

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
144KB

MD5
2e1bc24d8bccbdda44d13cd09b6903ef

SHA1
a9e95655b13886e197456abaefaa7b3a58cacc3d

SHA256
5b0cd00612638cdff8d17b0fa885d33c8e66974fd40ce9908fad824331c7300b

SHA512
5b44e8f9e781076f5316388bfd69737c4114e94b81709b613872f072aa193081c137e26b7961b72c3ec7542b7f03f5db79bf5e403a40b35bf36f488cf41e786a

Download Submit
C:\Windows\System32\vds.exe

Filesize
102KB

MD5
cc319a3e3b89de12ee3ed025029ccffa

SHA1
624febec0d4c5c01e9690a20d8ca700cc6d52415

SHA256
f50e30657d81dd4c7d3a0a353867efe9e747fc394348095a673dd99182f7b02f

SHA512
992b419e3adcef58927b819b23a92c9a085c68d15d2c38490b65116c27a76eccd6a1308f4e5423ef781d4db25528c7ae50f1cb37078a443970b1e7902633da6c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
143KB

MD5
a85484a5557cfa2900562a5b366e81e0

SHA1
1e271f7c5e970c42c08b0277e66d3ebe30bec53a

SHA256
1338bb19c8b7e6036b9ff79c0f554d2e590f3beb74db708148c78505588b1e8b

SHA512
2eee0d502b5a143cd94dea9c17181811ad29abecf1a549476c114e9d52c8f8863fe4e8bf1efa34b70709471c33079a2bb137d3254f3097e99e453467c4c8e798

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
97KB

MD5
113bb84dd6c60e628ee4a26931879e6d

SHA1
bb38cf3c164b576808cb3c92f8ad2dfca458be5c

SHA256
de5a2cfab841a15290d6cb1eba8eb3009b278af2dbfb32295b279cc376e4edcc

SHA512
f7a553c6b499ed942ef6eb79369603ab49a46f64d435195467eb9ffb13b123b233440b655dbdd19b9810a40ecdbb96fb18ee932ce87b92b1b45f910743d8d7be

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
121KB

MD5
f8ca34e8268257120e15ad1218e52593

SHA1
5b3e09ac154cf422fdeeebe6695f9352d6940ddf

SHA256
f0d8a2e8ad2b1d69891728b10a7560db13f7a944399b01395406d37d1b18acc3

SHA512
f1792b4cefb084056495dc4e24391cba05d9ef7c0ffab4243a170aeb5ee7baf8a231caffb506a2820ce2f5a11b220747d81a38e12b9318e46d2ab24fe3cf9be7

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.1MB

MD5
a94f418416fc8045323ec8ec05e054d8

SHA1
0d478af0278003526b3f714744cd0b4afa426a7e

SHA256
5219ad2130deb27c52951b58738917b144e0e8c0fd7afbfb0b2badd95e7eac01

SHA512
30d5659027ad7a45695717f48ca0c9d110ca988ed25453cb7cabcc145983c35dbcfa958a97702570ae40966bdc38c39c7f2ce7c9ed1250409210428fc0b48b71

Download Submit
C:\odt\office2016setup.exe

Filesize
142KB

MD5
5616e6819a22a6c3a493cf00c00b8c8c

SHA1
815174c3e95a8519aa100c01c06c1321227d7882

SHA256
6fe41dcf3cdf076913375d38e68c2ba2355bec6595f0046d2b5ffdc8db3f5c8d

SHA512
af682f85fddc6f20f194c6e04acb27be64a91d4b10d111bf498d568a013693ba13051c801882e651a799f8540f84de7f39ef5865f1865efc010a209978458fc1

Download Submit
memory/968-430-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/968-310-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/968-319-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1104-284-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1104-332-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1204-472-0x0000023464BA0000-0x0000023464BB0000-memory.dmp

Filesize
64KB

Download
memory/1204-490-0x0000023464BA0000-0x0000023464BB0000-memory.dmp

Filesize
64KB

Download
memory/1204-467-0x0000023464E10000-0x0000023464E20000-memory.dmp

Filesize
64KB

Download
memory/1204-431-0x0000023464BA0000-0x0000023464BB0000-memory.dmp

Filesize
64KB

Download
memory/1204-427-0x0000023464BB0000-0x0000023464BC0000-memory.dmp

Filesize
64KB

Download
memory/1204-432-0x0000023464BD0000-0x0000023464BE0000-memory.dmp

Filesize
64KB

Download
memory/1204-426-0x0000023464BA0000-0x0000023464BB0000-memory.dmp

Filesize
64KB

Download
memory/1204-445-0x0000023464BE0000-0x0000023464BF0000-memory.dmp

Filesize
64KB

Download
memory/1204-466-0x0000023464BA0000-0x0000023464BB0000-memory.dmp

Filesize
64KB

Download
memory/1204-462-0x0000023464E10000-0x0000023464E20000-memory.dmp

Filesize
64KB

Download
memory/1204-444-0x0000023464BA0000-0x0000023464BB0000-memory.dmp

Filesize
64KB

Download
memory/1204-461-0x0000023464E10000-0x0000023464E20000-memory.dmp

Filesize
64KB

Download
memory/1204-446-0x0000023464BE0000-0x0000023464BF0000-memory.dmp

Filesize
64KB

Download
memory/1204-460-0x0000023464BA0000-0x0000023464BB0000-memory.dmp

Filesize
64KB

Download
memory/1204-459-0x0000023464BA0000-0x0000023464BB0000-memory.dmp

Filesize
64KB

Download
memory/1516-333-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1516-471-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1516-59-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/1516-66-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/1516-70-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/1516-60-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1516-72-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1564-324-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1564-273-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1564-274-0x0000000000810000-0x0000000000877000-memory.dmp

Filesize
412KB

Download
memory/1564-281-0x0000000000810000-0x0000000000877000-memory.dmp

Filesize
412KB

Download
memory/1684-346-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1684-488-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2016-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2016-32-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2232-325-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2232-327-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2244-1-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/2244-7-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2244-31-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/2244-0-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2268-292-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/2444-288-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2444-336-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2564-479-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/2564-341-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/2736-255-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2736-308-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2936-447-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2936-329-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3132-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3132-245-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3132-55-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3132-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3256-262-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3256-261-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/3256-317-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/3256-269-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3276-17-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3276-16-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3276-84-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3276-23-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3460-294-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3460-344-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3460-302-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/3972-35-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3972-44-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3972-38-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3972-244-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4328-465-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4328-337-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4488-248-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4488-75-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4488-76-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4488-82-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4544-441-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/4544-322-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/4888-74-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/4888-14-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download