06b2a0c6fb78e93accb706126cfecb227e5fcbace09de89204f0e1b6ed00da02

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
Size

1.1MB
MD5

cab0abb57bab8b5f4be100762df18463
SHA1

bf76275ae43513be81d6ee0fad5e1875fce20f30
SHA256

06b2a0c6fb78e93accb706126cfecb227e5fcbace09de89204f0e1b6ed00da02
SHA512

de05ac0ed4b71c76030996429debb7767adea9c991957a39df4aa4f42bd11a62d3b1bc9c5a756857506346a676875c015b904efa560d3bbb0a932b96a75022f5
SSDEEP

24576:ASi1SoCU5qJSr1eWPSCsP0MugC6eThSkQ/7Gb8NLEbeZ:wS7PLjeT0kQ/qoLEw

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4868	alg.exe
4408	DiagnosticsHub.StandardCollector.Service.exe
3016	fxssvc.exe
3576	elevation_service.exe
1368	elevation_service.exe
1148	maintenanceservice.exe
2732	msdtc.exe
1708	OSE.EXE
1468	PerceptionSimulationService.exe
3292	perfhost.exe
4104	locator.exe
2544	SensorDataService.exe
4756	snmptrap.exe
4232	spectrum.exe
3748	ssh-agent.exe
4392	TieringEngineService.exe
2908	AgentService.exe
2748	vds.exe
3892	vssvc.exe
1672	wbengine.exe
3972	WmiApSrv.exe
2684	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d8c888612dbdc151.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_81359\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{4896B57A-BA2E-425E-ACC6-3260D1FD1C27}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000093c0ad6d490adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f0aad86d490adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c7d3666f490adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000093e1f56f490adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000078e6d36d490adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b983d16d490adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c7d3666f490adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4408	DiagnosticsHub.StandardCollector.Service.exe
4408	DiagnosticsHub.StandardCollector.Service.exe
4408	DiagnosticsHub.StandardCollector.Service.exe
4408	DiagnosticsHub.StandardCollector.Service.exe
4408	DiagnosticsHub.StandardCollector.Service.exe
4408	DiagnosticsHub.StandardCollector.Service.exe
4408	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3240	2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
Token: SeAuditPrivilege	3016	fxssvc.exe
Token: SeRestorePrivilege	4392	TieringEngineService.exe
Token: SeManageVolumePrivilege	4392	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2908	AgentService.exe
Token: SeBackupPrivilege	3892	vssvc.exe
Token: SeRestorePrivilege	3892	vssvc.exe
Token: SeAuditPrivilege	3892	vssvc.exe
Token: SeBackupPrivilege	1672	wbengine.exe
Token: SeRestorePrivilege	1672	wbengine.exe
Token: SeSecurityPrivilege	1672	wbengine.exe
Token: 33	2684	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeDebugPrivilege	4868	alg.exe
Token: SeDebugPrivilege	4868	alg.exe
Token: SeDebugPrivilege	4868	alg.exe
Token: SeDebugPrivilege	4408	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 3068	2684	SearchIndexer.exe	110
PID 2684 wrote to memory of 3068	2684	SearchIndexer.exe	110
PID 2684 wrote to memory of 860	2684	SearchIndexer.exe	112
PID 2684 wrote to memory of 860	2684	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_cab0abb57bab8b5f4be100762df18463_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3240

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4080

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3576

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1368

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1148

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2732

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1708

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1468

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3292

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4104

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2544

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4756

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4232

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1136

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2748

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3892

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3972

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3068
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ec166a68f8d223d98c64a4dce2cb0fd9

SHA1
b4ca86b02360b64835e8c8c650fe425abbc9a313

SHA256
6b83391cbf0d2f947f1cc64dc674a7eee00241c36dde6da8e51013b0ba741941

SHA512
689520564dd605c27e243f62b1d35b130d250ac4294b97d36ea9c1623c44c023768563e5365f251d2bbede1b06a21479d957137adb42f14df98daf97477ccb24

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
355ac9ef5dc8e89e54d4291c9aeadd5f

SHA1
b6d9c1198d02baa59b3e39fd486f40d2be181716

SHA256
3a9b3a82ccaec7c91e9892a857290b67d7e258b7f12ec61ce18e7cad38c9eaa3

SHA512
c4e519b76e63246272c9016e5ae902483348b648e734740532e834a77741c558db85884ff0f175a545d2e14eb01a20ed5f9e3603362620559f543a2d9f1c7d81

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
bb0a9e0b43cf21822128c22578713c5e

SHA1
1cf911294113e0ae121300f2c8314f73b5404e37

SHA256
4a04b07c787bd1d4cd21d5b16aaac2f6c949be39eef290977714fafe2d5a94e1

SHA512
893756090c0d1495ac9d9c1bcd9f7821f8d2fd7ca823e0aa03af661de1cdb69d74139256233af5d314e7a199fac981a6895d1cbabc3b25468f194f379267a026

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
68f848d5678048dfb015ea80c6fd8d69

SHA1
1b698d695057ccb5ef1b926b55c903e66193eba8

SHA256
8171d2e9c26a231c4605a4deaac7cce7d0fda249b7cfa179c99fcc282a6bab6f

SHA512
d358c4db5c7ff5e2f52bc370de701b7d566950ea78ac00603ef8a23135f9488de0456392c9f7598cecc384af525a46d621339fe7c8a31b1b6a11ec6f488d7a56

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
87a43447e94af4bcb04b126b5e6e76ec

SHA1
e9b026fe169cf304be531ac8776313bfecff1d6e

SHA256
414a10cfcbaaaf76b5ac927a2facad138b844381a4dd4ce58510efaf9a33592d

SHA512
e4eb786e0476f9b833811d0c976b8ec47b77ed14611a38612d0297507d359fdd9934ffe3b8fc18ad5e3992b292b6e8bdb1be2475c446376077904a9e526a67e5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
e6c14af28309946888817708592a490f

SHA1
05e61b707d5739e3dbfef844e48bcdf94d732787

SHA256
38f4b3f14a07ef2e0d05a690b247fbfc692bca95a9f4456e8ec91858af1bd8f7

SHA512
9ee4486274b5dc765bec2df1594083fb9c6ddabc4609d60d6989b7cfe1dbbccd2e915bf981cf4fc29a38eafe638b295bfc79100c07ea61e12b95d0152dc3748b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
e6a570d34423c5b80dfa3067b4969ac1

SHA1
b971f7fb24777fabd107406ba08c632a88aaf105

SHA256
3649546bbaa2dd2bcd85186be060b7d848f4f414be6776b708a5469a4f24c654

SHA512
83adeaab31f47590abe467cb8f05eebd61c4d53096793817a8dcb4040272f51945a349e652e801bc163d79a8f902d42d8fe1ad893a868c47013ec9c06b51ddff

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
4e3f1e89bef59f1fe981040f7012d59d

SHA1
3a2bda17071b0217a05a5e40b64ec096b3e977f6

SHA256
2ea162660da688b56b3144f3cd12b3c6789b4c2c4687e88a766e1fd7ab2778e8

SHA512
8611eec03d74620c03f62870c9a2115fe0bb1e8b35cea71054c019406a7bcda6596f47fcaccdc04f7ff9db9b74f96363306b8936b288e4bc0f690955110d52f1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
5258e19a43f1cb1a4dde6b8acf137ec8

SHA1
00c83cbd971791d6dfbd82dd869cc20d97b09371

SHA256
55cd264cfb3e5c50294cb0b53fe4a207c073b714bf1eaf16c4ce0cc795bab5f8

SHA512
f2af2456c20c68e156cab5dc420ffa19b4b4f2d8ad2074d99f964523c139609f44bf5cc53b2708d198965b714d696bd552d50cbd8d55727ea1a12679cbd50ef9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
955d9707c305f702989c427f4772c79f

SHA1
72014144efa89b4af0ceef34909f653a4073a10d

SHA256
af9c5d0376aace7a6e6d7cd8321e152f67aa9d1d78abe2c2945fcc4b0bdd3d8d

SHA512
30381d95135461b9b2e6713ba8cd5b0bab3957953b79a035142fbe11950a2508cdc3db894d065d807d5dbf42ffc6718d547a169dbb0fd36d1c8b714445d0098c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
9d16bfbea91b89c08382bbc3dc45ac95

SHA1
6b3378ba66de99a763865cbcb079747b61eaa1bc

SHA256
1b14c610d7d24985f340ffa612257f32d1388587002508d242dac655cec3ad45

SHA512
096a6cf7ff6e1bed4b1952748346f00edae577293f22f0986be91eb1031a69dd3412732e5ad341b2a99e0764085dc5f8261d43334262cea1b6c172e573c3dad7

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
5c40904445d42469cc15cb05a65af6e3

SHA1
112a8fd8ad62f3497d7256871d45d8b92d66e48b

SHA256
8780ebbb009118835f45fb8c8e8db1b76176b472a053949dd43c4d1d85088e86

SHA512
cd7dff77a43898e6331a9434ba4275765383dab503734052c7b0f708129928f7757601c0b6c0d5176775ab4384ec80d1d6262b28aec40f484014ceaabbcdd48b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
f44d25c419d0837acf3d51835f78f42c

SHA1
5bfd546b33fd4542f107c23b2487bc434901f810

SHA256
3bef34f4a75097e291c83e2e9649947a4a66074ded4d21138ba350a82efa19fb

SHA512
7b67d75d78de2921f57b3bfd480e15db81714916ede8f33a7df5397037eb9b7a7ebffe29dee0ac9983eacf9a6663db5f05fba78abecc681848cfa39a87cd56c1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
62f61fbf679db529513208626deecea1

SHA1
d4b8a5b06f83b607d63a6c65745a0bceb07ea06f

SHA256
348cd082e957181560686503f6950787f07b658b868101d46fb11311487dbe8f

SHA512
8a161a8dad6f3c0ccf510176a65089a86cfe938ec364378709b4f27e4ba9308785ba3392731378bbeb6522b72cb015d217a635f44cb373ba2b71564105332f70

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
36aa26d686505536f2b731d77d9787c5

SHA1
c5dfc57827922986b57b2693ce3a077699ebaa98

SHA256
3fed5d57961fe222ef0af468b4919e45763976fbb02735d65e1368c8db5cb140

SHA512
58259deb47b0ec0db379e4ffa5d31e16b46d4cc72d30c2d6b9654dbb3e6f493241b5d0f3e5cafd9757c176f7bbbec6f915c7839965a3898e95e38ab101bb253d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
3eeb67918f198f58e080d5d8e6e4e847

SHA1
f4522164441df524e9c08932175d65c4f1e8f38a

SHA256
4c10a6266921a70129e59e878147a89cd1ffb18903657ab9f060876a44a927b3

SHA512
49c2e3af4fbd6965bc1d430b28fe345979b0adaf4da0036f3601477d30115bd72a5506bffb18b1c40708097ecde24542027e0adaa01c01d1e626bc5161283748

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
9adce0ed5182bbf59a11320dafaf6b3b

SHA1
cc5cfab4d5d3be0a211277b62e9d3525531a6c00

SHA256
d33994da44244431586d1e0742b4c0ce6b8e8fcf0c8d92023b36fa3978600505

SHA512
ee97a6379f97ca28c2d4a23753f28498dcea3791152418e3ca6cbfb33a69b3a00a6fbaa20871dec403dfd6b2ec4ec94340766b9965b9b29c7a22e03da53e7928

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
b698f831862c765af4375f3f9a0e77a2

SHA1
df1d5c7ad1bb20c2f8117c8cc5e82951df80a0cc

SHA256
cb921ac1d1a9cb81a0aefbbf5db3f9a03622638d6ba9ca7ae7866853ce435191

SHA512
8ddecc730ec684d41e064d507ef269d4e7a3d826a1a8a5a048d8bce3cf138789669f634f475ca9d0d061ae17c8a655d787af8eef993fc8a36d668b8acdec1407

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
4f6465c000a53e9ea2ea1ba2266d5396

SHA1
e11b6c6b44b0b6a447f12378213ede1b5aece438

SHA256
54a882da20c66f4420d337d8d2e20e9beaeb1b267024f543e845852402c14a54

SHA512
8a060719c25917fcc2574e22e22d6085964c50955597d34fca4bd232dfffe3b092ce8ab33a0c8ae239e3290e81149c96864a1200fd780be07cae8cf3127b6f86

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
88b96ef92364df59f378f1a2ed58b997

SHA1
05b6409f24374445eea91387228cc262ccd2b59a

SHA256
bab6d48851a3f492289598b7fea7e0c1bee7f75fe3983d0cf3f4326d6def7e98

SHA512
ef5ba129c06fa81897cbfffb7cf0e79e680e9ae5ad0a70b47a6506fac0bfc6f8ad02c106e308f60681a80cf42d96998cfad1992b852f3238c2b7c66360d6934e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
b902edfc8e1d3143489ebda1f2694502

SHA1
c4cbce6131dfa5bbdf511a1ec8761d3037a15b42

SHA256
0ab690cc64e11c9b0b139431949066e3fc52bf43a107cdd838c32bff2f79d87c

SHA512
96ef1d0bbdf9cb5011a9758608cc9b1dba4028cfab50407b23e1d45162268af8db6b1962eb23790cd8fdf8601a21cc1d823dc4ba24c6429afb39fe1e02f840ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
d5ca78f9a4ba2f634d2fa85dccd6f19d

SHA1
482066a1b0a6c450c279ed056968083db40f5c46

SHA256
9e6e77b11b2e68f220feddc3ff17034085490a1bee1f07323a5447cc15d29802

SHA512
3d6b52d268137ceae2980aa45c1efa0d9b4829385ea9e65f73bdea7cc4f275766d71b3ea98a36d6d066975225beaee89f414bbaa7beaee08d0e2a19654254d6f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
a9f0524aff3c62030689839454ec825b

SHA1
2b24e65b2427a83166e13410a2055a29462757b8

SHA256
f5186e8e802daebc2ea856a942d7949a11d575959cd81f027957b23d1f84a957

SHA512
eee4ff941a376a2286f7f9250f28d6c3b5138de50d4ba0db43fad54dce2929a16372b43790962ee414610c26173c5c9c1c406ea91a52906c116a9a555d426cad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
3e8f1252f26fa997628f6de63af7e1da

SHA1
998f2a039ec3f0c7e5f915f4e2fd6b6afa04d9ef

SHA256
7bc79931942d3abb98a32a5966efacbb0e3da773ea6c37b7eeade933745af03c

SHA512
7007234d4b8d7ceefbde5fc3e3e680ae19adb38e0702851d4143433ff5123b0358358e88a10bf1d3f6b7e2037d022972519d428999fd2812d088302b58d230f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
c393a0f77ac6db5727b8b3d8c479b79e

SHA1
65638d06059af4a49322b22a26fac0ea8ba47f15

SHA256
0b59640103d30221c2d0c5ec174c843958b494f24546abfc2a1562f33cd10e50

SHA512
54b018c7452e00131edee6d08d428a94158c98a8e5309a04c6afb101b5b3dc5799aa6233ac74a4c81f06e5efc8c0d894c5eadeeebc9a958b57657ea3d7791082

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
b1f45129fad550df5532da590436e7c3

SHA1
5f32d9e01153fd0d01e8aa060703d71e049723b3

SHA256
3d2f568fc7cbced82eb026fbf79abb50bb249233c55df21c0f4f89709c9883f0

SHA512
7099628bdd3b9f2330f551939c89878cd52aee57ff194017499141e3bac001b23573adbfb7570904c4ed431afa263776740c84723d89290b5bf51606b01a3ef0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
e7f0d1ac33376013c885970b0d55e6d6

SHA1
597003dd6bb8f7dd705bcdf53427e7e025311134

SHA256
92e0dd37fcac3af0fb1eb3c97dad5c1727aaef2be0bbe64baab393b0b8723cd5

SHA512
3c4d503c26eae9979438cd93c664ff7fe7cf5e2bf969bd78b4f2b46981604cade931d6734d2de0ee4e0b4227b4e3cd5f6dfed34e840e91b0e466117f7499d195

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
081e697e34d1b3edbbfecab463735cf2

SHA1
5651474e5b80568e246beae4ad26da1a4fed39c8

SHA256
ac635a3c8beb5d0eb24e3c9f20de255907c59a1c6ddcc8f7f6fa2f11b14f2924

SHA512
fb25993372cdbe0fdf97d1f46aae63c7fa95a52a04949c6294898bdcafde4ee977cb265a6587a7adab3733c1ec35aa4949ac98f1499951535c912a3aa3bc8a47

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
8aaed6ebc60fd720abfdf0d1185f5e21

SHA1
324fe855e9e8c2f52e298f9001ccc1184be3086a

SHA256
ed9c1ddc3e67f83434a63342a8818c212d84ea764133371fef93367d744e1841

SHA512
2ba6260e21f33cc8a4644dfc707dd4631209bcd3de6f86422c1beb25239cdc1bbd37a26c5fb14bee0c9600d2fbf15697be0fb228e00adc53e5a6755570807d6e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
7b3a8940a3b7a8b219247737fd320084

SHA1
46ccbab61204d6ed843838cc06aa134973fff455

SHA256
395ad5c9f916cfe95bff4a28c2a71783e66a6e41973c46546281eaefe84e971f

SHA512
fef765f77e33709874689b4b2df3ab71024f3ab4a63170d0cdb75fd8f09a944f3ad7b994063dee290448b2b6cc64d8df0fd195ed8fbe1f5d8e1064f31dbf3d5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
8dba4c7a350bdaf9b628ec93d4313cb7

SHA1
ec198c61d1f89d6028d04cd839730f1f9d6dfe9d

SHA256
3bf7781d4b61173af20b3fb0d987b6063768793e813aa55311ea7bfc10a2641c

SHA512
87a5249b5dfa5447d4ae82ee2f83903b2ddbfd9c58425eda6ad19ccd1093b1431c97981829d7cb30352129039441b99ce25e34e7836cc9bf4652679ba011644b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
fce5da2f34e329e3314a713684ba1a32

SHA1
791bfb5baa84635178ec2f545df1f2d34063a85b

SHA256
aad70d81f23c0b0d009f076e695ea7ab7ff9c6a148527db026eaf05cc247cfb8

SHA512
2c5396138235f186e3234f06ef549dc51ab0836391b4a015ace94d797e4c22ad6ba441deb7ee87dd7cb61cb02d7ddabdfb4f02397e23835dbf34ccd3e5db5519

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
9bb22f081c94fe90ca8e6af8c95cdbed

SHA1
15e15fe680f49837d7025d2a388ac459136b0f5e

SHA256
68020d206bce18452695e94ace0563bce360bbb3bdd6b03e33f7e93e0df561bb

SHA512
fb81088bc498b4918f54472208474e4e30d41b554e5924d0cb3b573e9b428db47126896e1fd4e1ba11bedcdb461396aed35678d83359a405bdc9bf016527c647

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
bd92fa9102861f6af43769c5c818a06e

SHA1
bbeb024e2bc775562601e9d8df55075fdd5ca3ba

SHA256
1a799d668e77e9eab96c1c2700d0ca9b67a26aeed8bfec02f2500af2ce8893b9

SHA512
0c942a07f0be2c736b9b1425154f5fd4d7b761cdbb24768a5bf59313b914d7cb5b5e531ecfff9c089cee588ed9a876ad24287d8b9111ec56eb097a209cee4568

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
c9cd19fa9da6aaef99bfae6480d05298

SHA1
1cd0b8d832511c1cf1eb7c58e473e88495f6c9c2

SHA256
e1f48b5137a35d1b25f7a53d7ca227da9e8bc6a9bfcec5e3e7dc9bada3c8efc8

SHA512
cc0bc556f3d5bf8a274bb52223874db0e719963059fa67efd127ebf14c0cda0d7180ddb43ffad0f4c9e2d94d40033d28b11449ff61e4b2f54025f97552753e45

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
fbce55be8d04a79870a6af04ffd22ca5

SHA1
17d1598f5f799acf804f1e6edbc407120a624bd1

SHA256
c57b490b29bebfa354330824d93337486031242db2a6d0fcac77dd8c9eaab11a

SHA512
0cc7a72bf22c0a8161bdb3ee77f7ab1d8d89c0907462334ec3cd7846e2913b6fc16af7e49f217773f94b9086bd1a4241866c198cc37b65f9f0425bf0c8e6ff6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
971f5c80b345520428d5ce0b886540cf

SHA1
dd9ff82b847bac8c96caf6a1e2a77b1af05596e4

SHA256
0ec417e6d722de6f73fdee0190529d56ac2c01b433d286f277155d61dd206c7a

SHA512
5b5cb1f0eb3baa8331378ef6e92e613615cea380756b50a07dc3f044a00b873b991e39545f74fc5793833fc65260711e119f0df38fbfe0f99973d9fc18ec6dd7

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
6153ce92db6ee84789e85f065577c070

SHA1
b22dc9b951aebfb9c74fe62cc08937843cadffb3

SHA256
d81d5114163f9a0c0328b669f186e224754a3c8c21c2daba29365a93566b92c8

SHA512
638a66061b866b657e467c07a46bee66f552bd58384f5f85a71ffdc812caa1c5fe2a6ff8ca2207de1f49fa61afae69437abb4a9293c5991402a07859d65bfe3a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
4317d63c48aadbd0fbbba76ac8d622dd

SHA1
a4956bf6bbe109603dd16ff25c5cb2e2fd91aec7

SHA256
a35d73296a155f0c2bb902c2f228a164b26070f524aefa2409628fc1e1948ff2

SHA512
3a752763095906f6a59a4773caf2d746c961fe0189792370d9df9e74fb27e98a66d76f58b991ee5e6f7200bc5b02133639fbe6130e13dc9119e8692e66a18bf1

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
2a7af64a8b1648d10480fb3bf6744795

SHA1
f9d5a6a5d0b6536f57511af17472804b84f0c44d

SHA256
79365e784e3fd36d769cc11016ea9f3334dc18f3f7fc4f896e9d13f10aef417b

SHA512
8cd7fa25f5d64a7433895e979e09f092135b6d3866e7bd4b783ed3330b7f885a7f971039c8086460db4b8bc75f1102ea086572ea71702aa4c97a0a5efb4eae17

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b67e2d2b43bbd21dad343ba3b0fe3aa7

SHA1
e4970322766bf2ccc4027d4e948f4d999ddd2fce

SHA256
df793b15402938741e55147218ce853a19f38d6e0a048d36e22e4863fcec5db0

SHA512
c7cb2b8f137a161cc0c88f0393d82e4bdfad27568d1fd9b222ee945e6cc4eff77de653e7f330bdac40cb6869386e6aafc11497166eb09c84e1b3fc2c7fd8ec33

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
26527663fe6bae1532dcee2b2898a136

SHA1
2d3ca4dfbe4d97cdb1571a81a6702c816d514550

SHA256
dada38e4a02069c95dd92e27da8fd52fb93157366d9ecaf06583dd91d9bbfa41

SHA512
24f903c220c8a891b94dcfc4a11cffe525553e3822c6f5019a454af9e7480e29e9ce162d2af6300639c7d1b2acfed9f95288bfde6b6b57efab90b575e0e63b57

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
510090ca55327a371d18a59c7d7a78cb

SHA1
b09251d47fabde5d44828712f994953e2170fbe1

SHA256
efc6d082e5ded9d134de8823cc7fc9b4e67bd7d1fc01e23f26196837a14bf97a

SHA512
bedf9f0a196cf501caff3b325f2ab9ff4331a08b4135b3a9d6672c0567ef02d82b4d39a9d987db317a094911e2068ff2a19d8c0578aaada98551b54f17ec49de

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
670977fb1b91ce565e2b6dd63d28dd87

SHA1
3c35b89fa52b4fae54f0d8e0c1a3405551b2555d

SHA256
29ae8615649bcb773870f1d6b114628e1c30d9e4cd894316c8e06258a1eb2cc8

SHA512
643ba5f4cdc4eaf083da396122f7b37676bc531aeb7ac602a60c49791d07e717d24f3ebd082b4dca04b920a49a8828fc7d3e05503a842455d24cfebd6ad90f5a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
e766c4d9aa745ef3462ed491bc1f159c

SHA1
c16f02ed4dfd7c68d4537486ec71b18a617009c9

SHA256
76bd0e214f30fa5a79f069b09d8dc146bd16c9539ac65e7baac3b0863d882b36

SHA512
6212fa40cadaebd6021891c850a0a6f39a0a0b2023602a6e830a1cfd8b79942b1cced5c256831d4624e10bb7f3d498cc63a02e75e6ef3a338437391a327bc18d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
773513ca628d5e03818b4e39282bdf88

SHA1
0b7a7a9f79320682c930e76e830f504b406dd4ad

SHA256
d5643331d44266abc4bf6b4c64df7c110944c285eeb3f3523616c7b893b73096

SHA512
18039e8b9fd829850795d30cfd4ffc4cb9f5abb12b775c879cfe275387e0649187c7ccf9c8b56c8e65e06cb8b51a74d6317795201cfbadd5975f1a6d5dba5868

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b8afdc3fd276d542e89f43570be0dc6a

SHA1
9a0e032e95f5706c1ed6dbaef7d8fdd5971284d5

SHA256
d06b4caf8e645348028ebe6a4451be00b2d6c56dd7b84dd009ced46f7295a56e

SHA512
46431afc5d068b0d8d2a58c6add25eef4428f3efd845ce4152aa44107b1f33bd61a57b4019722c1bdd9c63f81fec4bf7b4ced6258d795e3523ff21ba972f37d6

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d562485282e247d82b5bc2db58a2d0ee

SHA1
c0429355c5e525b7724ddd3d40eae8683460c992

SHA256
29a3de40ecc34f8e75f9e8f4b7a9087f38e3f9b472f3c26d6d94c371f13aada9

SHA512
8dd0d01c79d4dd21344acd5961b264086c980ad47b9d9739e97978c9efe977853c180e58dee281db6d8dac292e2d052423a9c3865cc68192982465edb05d6456

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
094096cc2b1ceb1a9d8fa3bc1938bcbb

SHA1
51d8fdd71e5805f16c9cc6cc13a6546356ec69c0

SHA256
2b15bd3dd82de328fee6e2050639892167766cd83205b2aa6337819c2c094e76

SHA512
2f1eeb5b6a1ab25c064beef7885595d0bfba862bda560b4ebb1695eece454a83ef2aa82f99a5c30049c2052c19a7f6ff5a1348e515f7faec305e78952d3e0022

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
31ca471a9243f640a6df18b49664d745

SHA1
ff9d4bc8067ad935238dbe461e8d73da0fdee55b

SHA256
af6a96e48aff68dfc0cbe8104216f0435fb9cdbd1c0541a22184a63442994ffa

SHA512
143c8596d800d01acc8cff837de01159e624c796c5d5107c808ff0399812940cd51fdda8a3bd23b971cf21b26eaf9d95d7bcbf243299d24f87e3657035e4a274

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7a215f3db4b373226f6ad3fa3f0614cc

SHA1
4c009a93f97ccfdb0c7314ffde5cdecbd33906de

SHA256
8113ee97d20fdcbbb773e96fe2d5ead1b8f6be09a7ba473289f6defc3cae9f26

SHA512
fcb38bce0a63a691275b769566329173b23d482b2ed64e9b6182c4cc94b9964f139e79a58ef3175f2e5f3f402665155d86ce576d41886836f43d6cb77b8d9dd8

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
8ff0ef337def844408f69cd2d3c812ec

SHA1
bfa9f6b3de1cf8deeadbaec0b298554d4e6867e8

SHA256
e3f6f914a4d3a1d18e4478435fdd5421077b84c33e7bf56cec60d44e7c80b59b

SHA512
a5e2fb3906612237568b6b893bfe0b402b1fbb026fb2f2a68551c4e3ab76454374825924749f13743e06f18ebd9eadb0ca8b03ad4b34a9372c39620ef7fe9610

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
5a25687c07b6124300353977fd4e463e

SHA1
7680ecbad26b3590e327fe6688a18785c3ceebf9

SHA256
649ac015992b2217b2557aefe4f41036de1fb61841d1c365b68a8bdb5c56dcae

SHA512
6d6e872799ebc5443d55d782bb0ee25197eb4190ae409a3932696b7ddf816977b0b0d25856252ae6e1ed253d7f9eb4eeac9d2170dd1207ac128d811b18e674f0

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
4973571f393537a0ac3e57e5e530e6f7

SHA1
164719b896de4997d13d6f4349a1eae9561549af

SHA256
bea6e58c9b7052694dacec8a81608978732b15b072bd1ed5befa4585c32fc57a

SHA512
55b314f1f65f2a9f4095510e82f2d130951234afa766c75644aa0239d926e2d198f7e2d0a267402bf41da617ca37e3ef856ac8436b67c6e1cb1bd08b75504985

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
d6ac6dec9de3c7c1e41476ddf73d24cd

SHA1
58cc8186fd48e6bf16c5c8e200544686df4dca5d

SHA256
1908fd8c08e66be0a1cf23174b06d24f1d08c6d51c74939bc83c520e23ac31ff

SHA512
e285b50a806d1e2d03156c4397682179935e780f85ec3ff2d00893edb8ee589c768b773a42c4565af9f611d553a9ef99faf2eec49a6597bbf4fe31dc90e95113

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
dcef0cd202529dc4ec08b6ef4a549286

SHA1
0bcc8a76f37cecf5bbf05da0289b550cf38b9987

SHA256
9bbc258ecc2044fbe0131eb597f669d042ecbc0c6fc1fe6655eca648cd843b8f

SHA512
5a4f1e4c615bf249fd359237e257e0a7672d11680c34ddc758458d9dd005efa25cd3673a1a5af8108f425676eee0b246e4071de09223eeb83559003e72256a4f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7e1043710b42fbe5d4e1ca21dd46ec08

SHA1
45896e24e3386aa84dfce8e1a3663f5b3ce4aa2b

SHA256
847fa97b778fe1b6ac3953515709cbb86f9bcf8beba93fb686a1f840c0361937

SHA512
327afe2a49938a2fb7d08ef3bc709315c54f74278942d88a3cfcd9ec14801f79164d03475243b519395de7d10fcec4efcaf053c17dc70672b053216258978f08

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
003155b63b954b96c1ab9499e23d7d5f

SHA1
035182426a08a46f46134c165f334f4b722150f7

SHA256
51d6a40313c16069ee6d6d02a8fbe80bd9d5682496496ce08b3667e0bddb2d5b

SHA512
0d0e8039317526edb5ea09a63b2166bffebff01699468485ff364a00ce1ab0ca4dac459022c33982e0daa3da134a63f9977d521c325232dd424054dc0818294f

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
2631cc2c85aa3c857fbab2dd59810649

SHA1
7c3aa794b0a1c7b8473a2f653a8138aa8a74ceb1

SHA256
04405b1df7ffcd99fed76d33ba004fa79036696bd93f7f3bb183295755bcb739

SHA512
1fa458e5b9c3993be199adfb7f9c291a9843d623fe3d393df0c4930552b00840d5eb40668ffba402b32d9963acbacafc5b302f7ca19bee6d8e261f396f9eacda

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
8863118c7c1dd22870a23e2a6caae07a

SHA1
fed36b0d18e6235def683ffe2e5824bb8086fed0

SHA256
11fc1423e1104388240d8c51d39a3a961ba5125722b0becfff26b4736ff391a1

SHA512
cd764dadbe980cc0ec15222565db54c70fe6580cdda94916ce78eeb1c3b5d194956456effefee3e48c92fe9a4633001ec3245638716056ba1798b13cdc7b0914

Download Submit
memory/1148-86-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/1148-83-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1148-88-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1148-75-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/1148-81-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/1368-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1368-186-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1368-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1368-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1468-236-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1468-125-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1672-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1672-624-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1708-224-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1708-111-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2544-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2544-273-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2544-621-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2684-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2684-626-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2732-209-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2732-90-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2732-91-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/2748-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2748-537-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2908-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2908-222-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3016-39-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3016-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3016-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3016-45-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3016-49-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3240-7-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3240-1-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3240-0-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/3240-477-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/3240-74-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/3240-478-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3292-248-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3292-129-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3576-58-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/3576-60-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3576-52-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/3576-173-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3748-187-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3748-467-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3892-570-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3892-237-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3972-625-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/3972-269-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4104-139-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4104-260-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4232-446-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4232-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4392-198-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4392-497-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4408-27-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4408-35-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4408-26-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4408-128-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4756-389-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4756-162-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4868-12-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/4868-102-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4868-21-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/4868-20-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download