044336179d22626a43ae59639c3c8ce83f5ed24b4a7dc28888b5829585f9a840

Analysis

max time kernel
146s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
Size

1.1MB
MD5

a4f39384d2cb9e26f095cf92b213bc41
SHA1

9c5de5a1c74020c32ab9cd19cf8a5ce20ea709c9
SHA256

044336179d22626a43ae59639c3c8ce83f5ed24b4a7dc28888b5829585f9a840
SHA512

ae09e4a70ac1e634c4d7f8c2d09f122cfd5e1453f725907bcc540829236504a1499f030c688246cd5b0b7ba1dac30e0d996a2857aba9063dd34798ddde0ab9d6
SSDEEP

24576:7Si1SoCU5qJSr1eWPSCsP0MugC6eTOsqjnhMgeiCl7G0nehbGZpbD:7S7PLjeTiDmg27RnWGj

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4968	alg.exe
3080	DiagnosticsHub.StandardCollector.Service.exe
4816	fxssvc.exe
1128	elevation_service.exe
2848	elevation_service.exe
3836	maintenanceservice.exe
628	msdtc.exe
2096	OSE.EXE
5004	PerceptionSimulationService.exe
464	perfhost.exe
3960	locator.exe
828	SensorDataService.exe
4560	snmptrap.exe
4828	spectrum.exe
4212	ssh-agent.exe
1000	TieringEngineService.exe
4500	AgentService.exe
3520	vds.exe
4192	vssvc.exe
1264	wbengine.exe
4980	WmiApSrv.exe
2288	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5e513bb3e5a029dd.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80703\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80703\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cae25a65b653db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000142e0164b653db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a5cc4a67b653db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000067900364b653db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000558f6e67b653db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007fab5c63b653db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004f595165b653db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000023b7b065b653db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3080	DiagnosticsHub.StandardCollector.Service.exe
3080	DiagnosticsHub.StandardCollector.Service.exe
3080	DiagnosticsHub.StandardCollector.Service.exe
3080	DiagnosticsHub.StandardCollector.Service.exe
3080	DiagnosticsHub.StandardCollector.Service.exe
3080	DiagnosticsHub.StandardCollector.Service.exe
3080	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	748	2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
Token: SeAuditPrivilege	4816	fxssvc.exe
Token: SeRestorePrivilege	1000	TieringEngineService.exe
Token: SeManageVolumePrivilege	1000	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4500	AgentService.exe
Token: SeBackupPrivilege	4192	vssvc.exe
Token: SeRestorePrivilege	4192	vssvc.exe
Token: SeAuditPrivilege	4192	vssvc.exe
Token: SeBackupPrivilege	1264	wbengine.exe
Token: SeRestorePrivilege	1264	wbengine.exe
Token: SeSecurityPrivilege	1264	wbengine.exe
Token: 33	2288	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeDebugPrivilege	4968	alg.exe
Token: SeDebugPrivilege	4968	alg.exe
Token: SeDebugPrivilege	4968	alg.exe
Token: SeDebugPrivilege	3080	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 1436	2288	SearchIndexer.exe	112
PID 2288 wrote to memory of 1436	2288	SearchIndexer.exe	112
PID 2288 wrote to memory of 2580	2288	SearchIndexer.exe	113
PID 2288 wrote to memory of 2580	2288	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-21_a4f39384d2cb9e26f095cf92b213bc41_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2816

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1128

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2848

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3836

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:628

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2096

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5004

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:464

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3960

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:828

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4560

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4828

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3120

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4500

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3520

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4192

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4980

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1436
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c6669a15ffe103967441faa0ab259722

SHA1
30d50ff1ed45789b08b563e2dcbbdb61fefe48ea

SHA256
3f92f0b44c17cbc193a641ba15eb0f59cb43cfe026ebcb565d45581586a7ba40

SHA512
7bf4801e9ff14a978843a8e5e99c4f1b2e121e087f53001bbcf80c39b4124e0b165b7d89cc1cbeb70f4edfc2227097f27f95e184ab2b66c5856be97a33591189

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
8efad9b3c80b3d60119fcdd38292a4bb

SHA1
06ea55ddaec3997f516a0cecf0d4c0866d8fb9e7

SHA256
04aa84acf664ffd03f0e9e99d7ae347d7c206839d4b3b0a68e0909c19d1c21d7

SHA512
a877f610a924731308dea3ef19756d1f5e94f11e923f8fd2db7379a151be4ecb9e1bd5a271d23612ae043fda4c7c8edc19762bf5217d3e50d06285a5fafcd7d3

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
bb8d36de6062f286c55edd281719fcda

SHA1
1be502dce6993b8bb02a10f6977cd5995a0b5b8a

SHA256
6b7a4f45b893d517d18808daf70b4ddc333c8e936a51a88d78c23bc75167b6e3

SHA512
ae9a59df59881e6197e80713fb5219d106647ffb168e04afb2a5aec40d7c11ab029cca38c33d978e80b746ffcb4925b4ba2ca27103ba1dbdafc2f0a6826cb242

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
74e5d0eb01e1a8d130fc841a00f0e840

SHA1
5fbd41ef93605c528114180ee66168c45d292c4e

SHA256
bf90637088d811eea5ed9cbb16d8821145a97a02e119bfc923572bdec9ca327a

SHA512
8db8a48605935cc4f465014861f923bf2b22c75cfe27b063436977509441df9503e783d767cee5ca1e2f4129e00b85398d7c0a7002bf08f0fa3577cb2c012809

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
9a12565620372df8e5a1ee91a55a3b59

SHA1
a3bce66532065151c33f068b178e819c0bacc644

SHA256
82ce80789061248133143a31847fe8e741e5c6b4e4e2e77fa8f06cea782829df

SHA512
5934c8de0bfbddb5164adb38fc81793c425fa17bdacd5c47ae3494f60117d1b2ad77200ac63085d2e271a8fbb2cc04a8d1b025d5fafccca287faf6f191b89f25

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
c7cb90a4c90940adc6a5db405d353c92

SHA1
f1348cb8e7c6ed390619926acb86c68e4bb66300

SHA256
c21c95bfa060e77aa31ee63c9a50748ba35f7206119802dfa18b6c5adfe79acb

SHA512
964a7e4217d831706b1478d241e1e17aec4781652e16bc40780811ab1da0dbfe78d0a8a2265aeb5dc1a68951eee19aef066f2a7a37f4713eaac93fd40c3564b1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
3c583d4a2ddca18e211c46269a2f89ba

SHA1
d2c831e968df21e8fdc03335f8a53cbf23f2c577

SHA256
f0a9317dfb9e58b6f4cdcdb1ff66c4bf3af0f7b36af7030ce01220ba9f516ac1

SHA512
1db9188bbbec505bcfee6cf8fe3815fb6104f0dca6021a16b2282321605078b2355504f9b0fcabc4c74c135843014b9f0cdaecefbd064257e345c2dd65c109e7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
75a7fe8105870893d6976fa366cdc9b9

SHA1
75a0e55a3caf082002b51cf77c1f5e4059f67f7b

SHA256
c3eda1964690d906c3fde05b309ee25f09f0c69028350880032faebd9e5c8bef

SHA512
6e07948ec78c574fc127a05ec1793ade95f792cb253d766b44b63ec1bd5cabb5aca9000a0e23062773087b99ed5413ed89d3272ebdec2dfab32dda75e57cdb8d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
4af9e39ade1e418141fb841965748a2c

SHA1
4f27d58db8e533026e48387c84d4371e9b096eef

SHA256
35f6acd71288b0d3ccefa68c1adc21b2ddc5420cd60003cb05162075c9d7e00d

SHA512
c42501a2afc315295aeb77a284f476be956a1d3397ecc443b89e5dd2892fff3eeb6e9e0a3c89436ab06d5d552a129a6c67d5efdb8c6f845edec4820d40236ce0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5a9a6881d9ee6a70b448c8c14c6527b9

SHA1
f3993b0ed3088c1f9bb881112a615333d88357f6

SHA256
6ac078760300f585517e37a0f0162cd30a3afe5ff1fa9ccebd2b08b201f76b05

SHA512
5adc93087e19b3ab8489246f52879433daf018ec28878fe55a5c85f3f3b7f93db9d5bc15ed10a4de39cb20a6c785e686b22fe67e4b4a570b1575bc2c9d7ee641

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b074986f5fa78857445ac329169139dc

SHA1
12943ef3d3aacf2a9418ace1b486c33181992da3

SHA256
e21c54ad9250b29eb699627e1d549b09d498a38d63733624bacba2f800b17ff8

SHA512
098c561843b39b22bf07dcf30f3388efc869cf5a82cd01971906f3e322b149b4e63e9480e72ef721aa04e9b0b09da85b3ab69a9e047c06120e894ede6cd8beb6

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
120034eb800b2e019272bb8ffc3fdfad

SHA1
61ca532147d822089e623e7a0ed7af2a75f58f84

SHA256
9c76a9308f2415d2e6ecac8c7f9b56830bcc30bc2b02277ffbfe6ae74a11ce69

SHA512
775e552a2ca5ba53d54d96722006fe8c7cec206ade54a270dafe19f862a5948a014e169b4e0cf2c7fcc5719bae834961fc93c16f55adc8b85e6270137dd834d2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
14c77ec5bf8e89183b3feb5e69046f15

SHA1
6fabf696c4db1b725012c63cf5ed5388c6db9f46

SHA256
a0d2112220afa967f7f6f4878aac3566bd8f32131e25a39dc001442f8c897315

SHA512
ee01ea830898be63fd045e70b2a433c6a65652ecb3cf420b43069ac5c60462e5871057f22b4bfae67a32a1b9df2f92f715bd0e0a000bd2f98c24179c5c61080d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
ea9f0103666eab0ce1085b623a731812

SHA1
0bf445363646bfeb80b0707013d1c9a872398cea

SHA256
4a55f4614c87c35548ec2e3a695b7f0fa47e2fa59bf8fff203f1f22067b2e92f

SHA512
65e7fc07de12fbe128faa801326c7f59291cabd9562f79a9c6d7b24c105306d6ce7862e71872ecf2f4dd5956e3d2c9cb6b14963df58695f78e29851768b068ee

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
74eb865c2b8e7a0791e8af6c5c940a28

SHA1
9c1135b40ef3f5724a8c96c493d1816a7b7e82cd

SHA256
6da220ea561dbf9f96b3afb25eef804480cadc777a6f407ea7412b7c23eefb76

SHA512
0b8ea2380dcd40a446415331881b7a1a08302c8b5349c7b33acc347cab83e757c6ad0dbb13f4e5d9153af813af73ed04e1140ab06251b7729b95bc442e8ba021

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
53ba294c7939ed702e7e212bcdc2d766

SHA1
4892d4619e0fe6e173fda7ddef1fa5aa4c45b412

SHA256
8018367583c6324caec29c3adfbd1c889313ed1637d3e76d7713e8c873fe813c

SHA512
2fe39d81dd3d59ee12ab4c933558d7bb100620bcfef953115a95e6745d3b6ddc786da1a62bfbbec67950d788eb2a5976f216b41e5efdbecd5206251d1b8a94e9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
c5627a65f80fbb35ee2169f137e6ad07

SHA1
48e075528cd987e5f1851cd38a8ee040e7d68c6c

SHA256
45379a65196956f95b99801c6819228723916bff349a1d57decf283e094b171f

SHA512
3fd0e670f34837b1734e67a5526e99f8934c27bd5a42ae26898a2c480353d10909229665a4e748e075806167856fec7b86b33fcd9fb088f546634be2397a570f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
3c8ac12e949e712e737e9321553799f3

SHA1
41269d1ffa12e7a86ea17090fb6a55ee5e946653

SHA256
c22231b3ca57a653b5161a81e32ef9ee04186b4e9bc1746b79973d301fb53bee

SHA512
fa4779f1ebd65bd5cd76b7ec659c3b640eda79c5b284de264c00a4cbe60bd52803c746c9694fdceea1ab591ef3548904ccd95843d4242a15d16213b2b56fcaf5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
ac764981d4e0591f3c3afa15a1ccf317

SHA1
4da9672e6b82878e273ab751f4e5c8e9565215f9

SHA256
082ea2c1e68aa704f1c7252fcdab37a6581ab1aacc80e73221c449cf47df46a9

SHA512
d0cdf63f0aff4ab763845bf04e379dc3f21849d55b68a5a89d90111ab1b8dfa55b2f259c21d2a553dbb10a82adef4e282b5858cc886b5b7bb80c9cb8da1d8383

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
2202566542ee8e05796a60bd160083c7

SHA1
26981bc2eeb07c3f06a4a12f5c1689f488f8c468

SHA256
3038715c17d656fc3f128280af8905f818460608a81383185ddb55a797724b7d

SHA512
a9f473fbb68c1239f7d22c6e276f944d969e903500058857b5ebbaf4f8ba22f8f9ca03870c19b7cfca5e3a983512ff8e4480d08cfca9c31871e668dd4e299783

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
67b9031ac8bfe778695f02cb55872684

SHA1
35665d07d1bca7aa0f9b0126b6ca47a7c07a8480

SHA256
4e70715a085ec712b815efd327832779779cb173b6490a0b433b91213ff4f8f0

SHA512
571342fbccc97647c9fe4f181f67d73487090c69471a3162997d90b48cb3c4d246682ffd8cf3117266350d593dbbe7bf783bbb41d4c6b89719da28f687040f74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
53f1f4af7c18f40e5be1e2faf7b068b7

SHA1
0cb642b651bbf8de78c198d2096aac8d116919d4

SHA256
d3388f024b8789b0dd10f276d096418716b9c7c2e3cfeff5b930e199e94116c4

SHA512
8c067ddbcb563cb6e0d05a9fdd627701d044ec0d58ea56ad162f04a722fea6f6b8a3faf31cf6b851c35b1a5541d0e034085274a6fb3bac929c165cd6c6051298

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
ca1b4cd7f3af6339cce3fe9cb035bf0f

SHA1
98bf46fc162d91b940d8b1b9929b74a18e5a0eea

SHA256
5e6ae7e06ba7a22e06d6f0d2d9bab39931d8767965c73448d6737a7e33718a0c

SHA512
436906ed6f6a1aa5731037f4968ec47b6bbd8b5b8365e405cf7b37a0a346707773ea6bf2c97937e9eef8b33de56cdb41e842785d9ffd63e00a01f29573ce7c57

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
475efc5fdaf852883b74c19056ec0623

SHA1
f6a811f2d7f8ec8cabbcfbcf4434974fd21850dc

SHA256
be5e22792713a12ba7cbb441b81d0381643268ec47bc4ec3dae98a18ab7db0e4

SHA512
a6b329b73e4ff4b37be7958591a42b00503cdf9ca7ff9702e236a28aaf7e90762cf112b16f293a9bbb394a2abf2cec1825a3b5082fba019bbb741bb283128f11

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
86fbdf525753a15be1dd9bde3e9db845

SHA1
d7915e2a43a47c2af83390032afda25e53711a98

SHA256
ab6cc4fd9ed05ab8d6ff2e38ca0da71d2be37bfe39daf7c9e104f6b9602e1d12

SHA512
87229219dbe0ee5755f5393fd24a1f677cac9eacb7838ef7bb3fa8a3fc4c11a55a9e3085e3a476f119bb89faf82b2d9a7443b3f4383608a09645c40278a764b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
bef2c8b33e56cb7a667ab44035c7104c

SHA1
946bab99c82deeb391a891afe5cb1746c078807d

SHA256
7e0932d2e453e104508f3316895dcaa8c530d1fef5f5219c3b84df065d74f85e

SHA512
654b572cc09cdea07a073b2b074b100a13e038b5df4f337d0d38c35adcabfdb75e1ab70484521cc42daaa24ca3b4978722f60c138f9af2ad6b462b08b4422def

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
1215992d0ec2283ac4433b97202287c5

SHA1
4b483e043ed7cc455f78bf1f64ab139db138193b

SHA256
d11bde35ff5b6a02e7567f012302216f13152f5be38ba12f476a1e757bfaa93f

SHA512
c84a3eccebe10373a1f50ab89e5032a9e43fe0cc63bee143113da96f829bc690f12d074e620e428bfdd453527601ecad839c7e7889fe79ce28ca2491e3dd6393

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
b5199f461869b3f078e449fa3b6e65f8

SHA1
f365bf18506cf68279bcd5d60e77bc5ca4715b64

SHA256
be26b1f3b6101011bbb46f321bde49f83961348e479e95a718898dfa52b204a6

SHA512
f99f4fc87179dd68f811e52a5c1eb73e7f95317916387fff5b7afcd5f12c3a7f9177107061f5c59d891d37c46bb77109fb83fc752e81732ff91e30144fed0ea5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
c28aedd1bd655546d47ed3a1371be62a

SHA1
bfd6eab4b25bf456f810b6d5eed4a3f068caf368

SHA256
674d97e93f89686d47a11945635ee854336bbd3d2adeb2982ce068678c2b03bb

SHA512
1328a692982a0ccc39134db5d0ce15f04abd947cd2e8f1f7bca4443c79b017c4f53083b28fba9c21142b31d25da1fa5a36295f46601e4fdc02969ccf166bf513

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
b8396e3dd359739c17b32c14cf347b0b

SHA1
92fc517b90aeb93145c6512dca6cf9bd06d2592e

SHA256
e0a095805905142e83c75919446eca38e08fe33f11010e146cc189480c05fb58

SHA512
8ff629de084c069a172af1e4ce5e82fe579d0d405aea66ee75a9ff8bb3f59ff619ee92e5dd2a27634bddca81e2287402a0bb06c80f66661ec3166dbba18187c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
f195bd1299de0528140c5ae126039d2d

SHA1
63fbbb93e7567323146cbb8f3b522765858487ae

SHA256
bb626cf77a0aa3eb8d5dc8f2122e11517cc7b11cb555936a0ab52f629b83db72

SHA512
ca63c3697e8432677a8cde828ce98ea0cd22cfe016cd8a06d327178078fa50b2046d8bd41656e940f6ffc6ad92be124571eb2632d8e378687a463af3e4f6fa47

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
523370476e5f181a84d32ac3b7ac9de7

SHA1
04ad43cb4325438b80cc02aae0bcaa52f334893f

SHA256
88d0a1df40c6fd15e1997d0568d66e16c3c5bdbf64abfa3d2eebf2dd75512a4f

SHA512
7b565734b58e6d171695716877c24e9ff4e509528a42a9ad2158b4db650be6bce55fccdbd32164bb128a1dbe970bd2f573ff3b842c7eaa01dce838640eb29532

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
b882031a35ebb6e46a617152219e1d93

SHA1
ad304f7945933753792aba1adba9cb7c936e6567

SHA256
7a57387710a6266339672fe841dc4756358937f15db326fa30c3d67350c9c535

SHA512
a363930f43ea96975ccefcf11ee700b7f1cedbb50e81d7e8675ddc8a226ec24ca36555c957edf42b9c2ebbde361a6929c6524a80b6d083bab156cfc00553f477

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
87060ae8d146db5a3675417d2e6bd8b0

SHA1
940a71138848cb69e4b88cc3dbaae06dc8585d32

SHA256
5f07e7aa22c7884cbacc3c74fa1b372fbad776d90654cbb3c6cb1b6b8d387d07

SHA512
c1f59485d9861dbfe1e66a094903b309fbcbf7283ebe6e24caee4f0e8554ec57c075b4faba1d29de05e264e12d5f37205638cd9fee5c00df7c4c98ed5ff15974

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
b94afa1b18643e6e60c6a1aa432c2de5

SHA1
e85efab016eab65e594ac06f32040c9ed710ddfb

SHA256
fbb29178a481747efc4a36de545affc68f37e6e5763a9c9293f21a0915ab12de

SHA512
0fdd573b1e13d18999df04b8739f681592d16eaff7e211d62dd3b3427595e4d01ee7b20e67e6782fe34914a582c34e85778026b6ee481f5ab4dc01513ff4966d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
0d4a2e925db90b5f4da6429a23859f4d

SHA1
0106eb594e8c9797b62e2fd01767047f02d5fa6c

SHA256
798b0671ba9191a7ad5e33a02743fba2886c747f4f766ad9dcaff017e1448daf

SHA512
8741cd4f4677952421690a6f8f4d57cc555680c687355099b67425c74c4e4702709e717b03e2309004385967c5bdeba5b064a0beeb816a3284c6018477213160

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
a6191dbde6c790a3a57b088a2a700e23

SHA1
5aec76cdcd3319ab5c200ab357302edf3bffdddd

SHA256
7c38ce1c02a6ba8b61e95494ce3546e0818b62f2b0b634978882528ab7eae86b

SHA512
c16fd7e886f061513b72e577a978ee38fd157ee7518074e31ea5a7419e6e0b8688b152a59bb93dbbe6b86bd1a1fe0860c6d9d4864392edcc2a7358e001fae3e0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
7041612410a2f77afec2fa2d70ead158

SHA1
0c42e8184791f2e43151a824a9e5f6428059a4ee

SHA256
36c8db84bfad8157169f6ecabef7e0cfd761875f1488ca4d923c0fe633aeb0c5

SHA512
9afd7ad6f98633c591b0a9836fa56b40646815abbbea792303fa77c9331b5fc5a227d96f8f1b12531b39c84623bcb50a1ae5b3cb955e9f35767837e6cb69d1b0

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
7456b35a2fd7d0659a28a8598bde0c4a

SHA1
e96a9a9030d691ef27d7ba52f7dad737b64d6b45

SHA256
9de1d83022dfa6a674f8037c65f848e3a3421ed40b2690afa79513a478d022ac

SHA512
9ef325432bb54002c988b6d34ec0b50d84cdf4f360d7ac5de2c6bed550287518e579865c88d578917092cc884b690cd726c0d26c935f756e5da3ab61943f7517

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
1f1087bf21269818af5419c518ced0e7

SHA1
02bc08a2defa26e2bd7d042fd74af493fe2502bb

SHA256
50bfd1b142d6b6a33a4dce4ddc3be4d4838bf32bfdd319a183629783012554c6

SHA512
015a189286a5c59df1b01b5c7a10c1cacb3789f2e1ae6cd45d2488166e7d3281696e2bf45eec5f740b512fa928ad0712d72f506af5c6e295db800ef6802bbca3

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9261b2a68d81fcaa75c889dc10cb5a7f

SHA1
ddb318af09dc699c82120f27856c8c9c10452076

SHA256
2b6ef324e52b21ebf3ca1cfaff865b5d5b5a546c5d2ba7414e765f0ff8578e0d

SHA512
9d86b47b1daa3cc526a42896828c1b4656e4209cfb702378f70aad69a70cb910e299dc87d43c41654d1da35197cee7613e071d898555fbf2c058e0712c5f57eb

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
472cb15db9dc8285218576ed209b6007

SHA1
c4230ea57e24e229becc0300c4da530f3a0eadfe

SHA256
d3d24a24b0cca4334614422397cb6792b0d1c2658bcf0ba2dcdafc60a11f06c1

SHA512
b58e262d2ca432c92df4a6e0c6d30cb1feea022175b2143c33f24a9760bd31ff1249bf70a710071f2261bafd0890203d713e0380203e4210243dfc0171eb0ed7

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5331055da7debc520db9776c9a044c59

SHA1
28696f99b9f50aeedb088de76a3e562ee3f4743a

SHA256
cc1787c0e8067aefb3322a05ff9c3c52b66892486cda291bc3aa7dd25cef1c76

SHA512
94538a0f76e5c736d41e0f58f40dbe46d0366c37706b38eb36793d1c537190f869d0f26cf265664ecbcb82b05c6a09edf9b2626d58f8deed4df76145296de5c9

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
617637413d7db7ca0ccdef2fc99ab228

SHA1
d94b284644478ec7f53a4ee21eb9dc2bb78c36d5

SHA256
c3f45a0b44baf046d2b0c88c84d9d4177f69dc4eeb8c59548540c7692b54c554

SHA512
3c1d832fd5300c4efed8f21ca9262eb9e25ea19668956af7ebf92f7acad2e41bbdfc6e43b0365f2fbc0c9a9038fac205d4e4ac99a8fb8f742d6ab2089f2ce071

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
a6d10578cdcc4054e8c137e2688cc21f

SHA1
83bba58b60bbf695394bca3ee7b8abcb9e30bab1

SHA256
10a758fd183d7a3657ecc694bfdd639d42467383939af09f06d0a0acf8a28806

SHA512
79238988224c22927d3387ff5f2795a2a016ccae3da9de6a462faa4ffe5ee030c7f53067ef6cb246bef4e3b96ebc865b45e369129addd6ecf77463a0be8e4cb4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
fb1981a6068b42df14c45f339c604557

SHA1
2de209883b6e06d732ba0d9023698394453ceb58

SHA256
c42b2d493da6c8b56ff480b9f028dc876b54ebd1a943b544968101de49f5bf80

SHA512
0ea6d0c4669c33d4d7a5e4f2541b6e63f70684b7cfd86621e70b8baaa8af2e502ec5d0b1649336ab414ffb502d615cc6b57d31eab9a1b383e3ef40c3ff3002c9

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e3006ce6e1f4af4d01d6e83617f8d96f

SHA1
2965a55e685570331c7ec241870b65de3818af85

SHA256
edcbe80b1300d3f0efa50380fde9eaf7741c1e67ca4603b8af49aef5ec840f65

SHA512
a0bc46db5f26cd3473cf761433963323aad29993dcb525fc3a7cf142f161b70ebb5c48106dd8e014c0e3293739aa39ad2fe32c3fc47692d0558655c88ff95caf

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cc1c8d53d0c92a90945f7e877cc585ff

SHA1
2610fa645da90d4064a2c4393e0ce449e3370a51

SHA256
a3009905f81753ccd6e36a2437276812db0f2756007bddb452443177ed7cc0e2

SHA512
9d6c7cc658a9c26ab7c9ffc15e35d8b0503d2b730e728d211b8ba89c2eb8ff0884ef3b46f11bf3eccd226fe276c43bce520e3c4b4f5935cfd1a4488f077a812a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
92d9160b27fb8313fb250ac4b0c0942a

SHA1
869d7234faddd18ab157e3123e83ea42fb046055

SHA256
c1db9e280670cd910aa178982b901842dc35c54996656ec5260c66839c1a47d2

SHA512
2757dd92bca95ebcf46ad72b794d8b3ee1361d0c35e314926e4ef8a0aa798278a0c6a60d889f0157d2d730713e607cb3beb6b886048d63295b09af8b5f5e1e67

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
0562638a303c0e1167106f553acf3f34

SHA1
73469074d17d1a432f860724d8db9ebd34b1461f

SHA256
04a306e59a275e36b27150149f621d6a1fede3907b952a66df79eee59426c39c

SHA512
6e9ed4ec6280375b584877b93a7720116679860f4a2de386c71fecc24c45ecc5c7b146ac3e5ffcf610cfffbc6318fde4caecc7144cd77712b0c9c9c2859ca273

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2f4ed173f981f766cd2021ff277779b5

SHA1
24443f68a19b28a3e93555abe6b39b2275c1d580

SHA256
27760b02e98719884e40a51e3937c31773aba95b44d9e0314aa2e5f9142eb9c7

SHA512
0648e614d3768808cea53783e3f2fccb9665f436bf5dba0f283c6e9edb5b152ea5e4f6ea7d4ca4cc4ec70d552762b0be478ad707a5b9161837563f1612ea1fc0

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
c9a64eea6233f72f33087550bf6407d0

SHA1
823de91557bdaf72d6c9d8c5a88e528e24b0b5b0

SHA256
5bbd33fc8457a78f549e64812c85f11f354681e1ffc71e7d50d02ef9385bd8d8

SHA512
6a2736647ee3b3d2f20ff112e47898fe3b34859f26d8352fbaf2633287a02ab0323758e61b7ec227de69fd51dcb39e267c58859de916832ad333f1768b7a4210

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
5d9e392b678b265052cdb745d8cb0f81

SHA1
43963085e421874c9400da13b02ea75498231043

SHA256
6ad01de9608fd554139ca7015e4f4dcaa0b4dae9c190ef0e69e71e6f3edbcc8f

SHA512
1ff1befb130815282c6b696b14c34d99d467078e5f3ed2659e22d1bda384ce6bf6806d4e58aaf85215d91b535450b5b7a1db9ed2fde64a6a1d87b7af3ca60c1e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
a3e0697af1eacbc5555be58e1eebb99a

SHA1
8325db6f922ab75244877d56c2e6904c1070f705

SHA256
1e1afba1b257a063ba8d182afb5d5b829be9d54e290af89a466319794fda455b

SHA512
084d1ca781e2658c560828845285977d49403c1ec59069007e4da9bd2ffe8c8e68917f5d05d8e1162d903f4d5d4c6cf8ab3db80f518a9b6d2ac881a4eb75181b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e7774195cae124e5eaf4305fd1326ad4

SHA1
8bd08c4f4bc5fa0c22b02b223e96e1676b561d8b

SHA256
0f999566fc567569c96bf59dcc569f1482ebbf1fcff74388f28ce1449d274cb5

SHA512
e7d51206be976cb2ebbba3cfc7d25bee137719bc2b436825f2f991a21eae043ca178ee8eb85faf381763ef3b54dd28442b2d50b5c032e3af3273e7756ee909a0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
0bcdcf0d32a7299ccd3f9f4c0d624bf6

SHA1
f1fad889313bd74cc77c68524338d375f8020c64

SHA256
d0578206d8f02507d5dcda591462ed5a2cc5a8e057bcb09c1e6c91f9fd629b39

SHA512
e4fd9699a793e77c5626a4b668ed5393d07144647ddfcb0ffa2d41499cdbe8d31a2019fbb514e2b572cab79a80172f6ae1dd95fab169f3f2480c2f3a716dfae7

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
9acfbd067ac9fce7cc47de3c31f938f1

SHA1
2b0cdf92b689d15f4f52133bd5eff9c545b20d9f

SHA256
cbe9602642dade8950759a3cc52e0613fc0352f5677a2e9ac57fc7fd18b65282

SHA512
4bede954c9d1b94daef1b57f5a8fd4aa1cf18268a1871ef0e6379267f8fc8b8f31508d462caa05c581d500554d01e2e189647b9cbf46369c75d95be588813824

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
537dd371b6f66813f6ad8ea8095c0f69

SHA1
af4f6fd8fcdc635d1989b80d3fe56cada57f11d1

SHA256
9a6e0e181eb32fd4c493fdcbfa9ca0b85b967229598062cca16732019a9d0d23

SHA512
b7b4471cda4369e8911d94f02fda80194efa463a9181ba3e8068909db534b49c1220857cc0fdead20719b86e158bef7e735703679f64771792c653de472629ef

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
1340daaf0e68d19e92b1e1334bf6452d

SHA1
4367fe304a3891beaa66fd261b19c173b9cb5db2

SHA256
d808feaee3d67aeeaed65a801393314d4b4c5651fe55bb87ace52b0f306bf4b3

SHA512
4d0b9bd642495fcc81c4fdb4aefe57c6168a0db046bd131a7952a34cff7a5448f086cb2832a93bbe6d1eaa916e9f0d6eec279f29810b8f9a9b8d6fcea5b7c9a7

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
1b67e47c6846a498f46111b3b7dc1773

SHA1
2076d18526898b04d0901f7edee39b502740b270

SHA256
e97c57367ca7facfd038bdea33a8cc54ba078d1c1872e2fc4c534db5713c634a

SHA512
cbe1389f3aa436cff8733e217b99ff57a019d109193c13f2b4dc0f52102d067ee045200a48b97d060fda61b25b87ce8461741716644c2cd99dd1a383dab93329

Download Submit
memory/464-132-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/464-244-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/628-94-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/628-95-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/628-205-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/748-0-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/748-431-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/748-432-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/748-77-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/748-9-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/748-2-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/828-269-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/828-154-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/828-553-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1000-513-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1000-194-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1128-51-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1128-169-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1128-57-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1128-59-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1264-638-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1264-245-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2096-220-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2096-114-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2288-270-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2288-640-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2848-74-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2848-188-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2848-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2848-72-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3080-36-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3080-120-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3080-33-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3080-27-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3520-221-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3520-586-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3836-88-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3836-78-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3836-85-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3836-79-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3836-91-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3960-135-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3960-256-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4192-233-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4192-636-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4212-479-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4212-191-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4500-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4500-206-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4560-385-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4560-158-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4816-63-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4816-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4816-48-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4816-40-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4816-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4828-170-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4828-435-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4968-22-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4968-13-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4968-93-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4968-21-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4980-257-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4980-639-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5004-129-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/5004-232-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download