795d6ba9bc94c19012d8cd318b7551e34a86a63d7bb1e2f90bd42eb547a251ae

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 11:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-21_30fe8e7050ea6b6734d240037c926de0_ryuk.exe
Size

2.1MB
MD5

30fe8e7050ea6b6734d240037c926de0
SHA1

8f1c56be0029757c08fa11887a8df2aed2ca4779
SHA256

795d6ba9bc94c19012d8cd318b7551e34a86a63d7bb1e2f90bd42eb547a251ae
SHA512

dcdd5cfd4ef9ba4885ff33632630c3117111b89ab301a9064ff2a3a68c78d5014632f93d1ab63c42c4427d770c95b1fed66679a8fca8c8ec261368402a833644
SSDEEP

49152:tXWtcDco9YXPtSjeJgEjTmucc11tmlNQ2ayVup3:tSAYXPwtEjEc11wlNQ1ya

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3316	alg.exe
5052	DiagnosticsHub.StandardCollector.Service.exe
2232	fxssvc.exe
3756	elevation_service.exe
4912	elevation_service.exe
1720	maintenanceservice.exe
3108	OSE.EXE
3332	msdtc.exe
2060	PerceptionSimulationService.exe
4148	perfhost.exe
4504	locator.exe
2112	SensorDataService.exe
4496	snmptrap.exe
2164	spectrum.exe
4916	ssh-agent.exe
2764	TieringEngineService.exe
1704	AgentService.exe
1660	vds.exe
4116	vssvc.exe
2344	wbengine.exe
1008	WmiApSrv.exe
2828	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-21_30fe8e7050ea6b6734d240037c926de0_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-21_30fe8e7050ea6b6734d240037c926de0_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-21_30fe8e7050ea6b6734d240037c926de0_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-21_30fe8e7050ea6b6734d240037c926de0_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-21_30fe8e7050ea6b6734d240037c926de0_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\46838e35fc7bedf8.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a3088eaedb93da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000104bb3afdb93da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003ffcdfaddb93da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c18408aedb93da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aa6e52aedb93da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009306ccaedb93da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006184cdafdb93da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000087446aaedb93da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cdce92aedb93da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
5052	DiagnosticsHub.StandardCollector.Service.exe
5052	DiagnosticsHub.StandardCollector.Service.exe
5052	DiagnosticsHub.StandardCollector.Service.exe
5052	DiagnosticsHub.StandardCollector.Service.exe
5052	DiagnosticsHub.StandardCollector.Service.exe
5052	DiagnosticsHub.StandardCollector.Service.exe
5052	DiagnosticsHub.StandardCollector.Service.exe
3756	elevation_service.exe
3756	elevation_service.exe
3756	elevation_service.exe
3756	elevation_service.exe
3756	elevation_service.exe
3756	elevation_service.exe
3756	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4288	2024-04-21_30fe8e7050ea6b6734d240037c926de0_ryuk.exe
Token: SeAuditPrivilege	2232	fxssvc.exe
Token: SeDebugPrivilege	5052	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	3756	elevation_service.exe
Token: SeAssignPrimaryTokenPrivilege	1704	AgentService.exe
Token: SeBackupPrivilege	4116	vssvc.exe
Token: SeRestorePrivilege	4116	vssvc.exe
Token: SeAuditPrivilege	4116	vssvc.exe
Token: SeBackupPrivilege	2344	wbengine.exe
Token: SeRestorePrivilege	2344	wbengine.exe
Token: SeSecurityPrivilege	2344	wbengine.exe
Token: 33	2828	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeDebugPrivilege	3756	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 3980	2828	SearchIndexer.exe	135
PID 2828 wrote to memory of 3980	2828	SearchIndexer.exe	135
PID 2828 wrote to memory of 4556	2828	SearchIndexer.exe	136
PID 2828 wrote to memory of 4556	2828	SearchIndexer.exe	136

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-21_30fe8e7050ea6b6734d240037c926de0_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-21_30fe8e7050ea6b6734d240037c926de0_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4288

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3316

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1716

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4912

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1720

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3108

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3332

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2060

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4148

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4504

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2112

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4496

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2164

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1672

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2764

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1660

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1008

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3980
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
80b356ab08f3f754df8965ced1c26947

SHA1
17e8af8e50b2228466e39ddbc89165b32e06f9ee

SHA256
35a8beb777b76547ce63ca10364509b2c7d8e32b247b31a5fba55bb488aaace5

SHA512
8f27e9e7c02e8f48e1dd17d24f04d8cacd8d6b45464ec0dcccf74bd3f363e0a4e6ad45e904c10faa9f879dc17e0a36d62dfb398c770f28f9c12b5419efa5a65d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
b200420e2efc52cb3853888496a62b82

SHA1
13c3334de98babd8ada6feed589cd970b63895b3

SHA256
9ab12042b6f08f31b3a1632d100b4a153dabf11dfb2f96d47bd16ce6f5542a1c

SHA512
c432f3092f94a2fc97a940db387e1d14129f2733263805f71d305487fab71a70acbabec8cb865c557c24670e0a08bb7d1830ddfcd956c36f860e2a12091b4feb

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
acd808a6b0ce553effbd02e0a57f57f9

SHA1
423c00903999f885df834b11b7dffff8fb16fb33

SHA256
1ffa5d8c6261cbf729467a4f987b57732ca36ffead5d08776c63fa00fd6cdb73

SHA512
d9e5eef0afe140c12c280dff3522816c4b4eecef53964b473db5528a69a9a658ab132313d62634f1686f8f58e90925cf89189b207eb834d171fc31680a888b0b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
f7c3687d6ca4ea95dbe5436c838a196e

SHA1
959ec78ae7d9f0a04352ed13b31d6388db7b5ad8

SHA256
a2ebdd9844ff731b1ff5e7f0ff3721a296f8a13c3185ec17cb513647c90975da

SHA512
0660a2c9397c38a754303f3eadb70d6e96d4fc11dd50014c480f2db020831c6819ad2fbae3fe9d605f6e258c635c9b018af63c6321ab07345f060ddf50d3d4b4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
30f8644e6b44a5065939d8f051bae352

SHA1
56ea89e7ca5d6adc3a974e09b9cf9c555cae3b09

SHA256
d0d140b078180db6d4afc41a43700f40dd6698fd002c1bd74686c6411046da49

SHA512
a7ef842e942190b08f19b7433bef2e17654053c3007ccd63f912ff454005b045ed680b3ae6c07471b11f3c755635c690b8791c91d404f7bb7ed9aeea59fb1c22

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
9e47b2c501374fa0addc77c0bd17a6aa

SHA1
e6aa2643d30e10ed9f3236ae972595297bd77321

SHA256
8e58ecb6c7bc6368a372227450f475e3308e886742089183055c90f2ea370b9c

SHA512
d2618a8fc03489d28144aa74bff975aa1a0fde366e33d529d161f15dfdc6a542608bb5c07137ccff2fb09f45209c3ecc684cb446345ae09c7a468dae915e54f9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
e06c5407764051966005911dd833179b

SHA1
4985a0b5e80e582d42e37ae8cf2157c163d6de37

SHA256
ba15de89dabcd490838864565728532c175c5cba86fe51d621037873cad1b54f

SHA512
d32611dba3d623d9a7a43f98c0bbff902b0db2281e5dd07b372ff16403a0424fd4754f6950af903c7f94025214cf2ae26586d3d1c83545bbba7f5779f4221edf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
0fc0f1986b00cbb30f36d8ce820cc17a

SHA1
c9dd1372ae274d0a73d18f565e3e7d9acec5a225

SHA256
7357025356f53ab86d47d2329198a167be97a4982eae3c09a25ab69a3514c21b

SHA512
74a8646170f7d0381b15516c975b74b8bc0a858b3ae63303673184f09c54dde25d77e6a7378d883968c456484f95a3a79a76b137e4af7ac348340734c1fbb470

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
b2bf8418e6694dcf9a2b8840257a1d90

SHA1
99de59a42e4039e737295f228385aff2983f29b0

SHA256
f2ef659205916a3babf53acae319777d8125c073a75df146d5595791c6baf798

SHA512
5847f3665f9142374e9cb387d1f42c5c67b1f420bae90ea3952983a7f634e25f618e49dd0529a48505ddbe6bbdb54bfcdb7e31be8884afde60483e60cde6c5fd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
303c6b963346b18df6daf9bc1e860602

SHA1
6f7d58edd7c7dcdc8869ac0b9edad1f6ee7df1e4

SHA256
d831c3f1275a4d5bd6f40826c34857d8806b2850148d473cf1effb771683cc62

SHA512
35bae9dbfac5cb1a37a319cd14e27846bdf53c84c402077b701c9d908f8bb946f2f299e1cc2f4dd5707c1927653ee40909221829ac8d6bcb30d961933e1c8e7b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
83dd1867d629ae65d0f0bb4872b2c770

SHA1
d272ef4741088655d7dfcd69a7231cafd2defa93

SHA256
c19a53172206ed7a9934cc8deac4220fa0447e0cf3c289c259249752c797b5c2

SHA512
ecc9335b8c50023deec66e157ee40e1c883687a4bcccf981267b939b9135a7b5e5acbf991f08cd1ebf568890f0d60ec9914c290aa5603deedd331a966785db15

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
3572dd81d194203114a1621385f0a0ef

SHA1
701ebf78a3947848db63e638c2e8b3be31717da6

SHA256
651915635307ec166c73e921c7557e1a4aa5641a61849886ec4e266c81e96697

SHA512
ed17be1560e71fb0bed02c6da72bf9db6c901ecceffda8a9c4c8c6a227b9a308f4bca761e4f94df31498f3392586e6edbf9b1e00c2f4b90bf952a7be20ce4bb3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
25379f60ff3d54d95daea003f5f06ff1

SHA1
2bfbfd0543c1839a1ad484ad075fce4edc74de79

SHA256
8593900878a0f397f4cbcee1fb9e2fc9acdb6bc744336fb45dfc88e8023005fd

SHA512
d02dea23d33deaf2ac084caa50e25cebc57ba08c6620d84b0089d135c46f52b6afaf8e260859f0d7be3445e74cbea6bd1089e00715515c758c1f03bcdd95a77e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
bd3ebdbbf5f8b6348203ad1b35714421

SHA1
52ff12da4d74d99b87f561ec948401289bf010a7

SHA256
2b9fa8428d46a955541f32b2e332fa2010315ed5be5dfd4e8274808ca61c8a37

SHA512
5d8ba566b14c9bef1d46128318b4b1bc00297a8711e6e3bb0a2bb2369236b8855a77d65a5e8949a9cc0c2936cc4a880fc4078ae47d48ff931803c6d8089af7bb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
9d63e6cac9f27906c2071fd98fa65237

SHA1
b779f87c65d0994e81079708ab7c48bf74700e87

SHA256
48ffa530cb3e2195bcc88fdc7812e941a306d58e266b86c7770b4d26c884eb97

SHA512
47c681e40f47c73e02f5e21a89e34048df062ae09c5676318602078f9f48c9ad49def907ba3950e838131c66b2b936ba8a0f1d0ecf9e0408805268cb44ece322

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e3ba48806ad302c8156c55507afcb747

SHA1
e7c4f444719592328ed9c43a7ba662c1dacbb955

SHA256
eec55bc60e3708680e6ce647cda4b14c476842d5297f8ec61d1f1c447eafe0c9

SHA512
88069598e7df2205fd36c7bf0e4ec343be04ce665954b145f0b38808f3248e4c43683d2070e86b0ef15758c81449c7aeb649db7d61c876c98b6e401672157573

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
aec77571b449f75278b6da629ba4eb59

SHA1
840c19477a3429605e9fb36ecb19e51a5b68af80

SHA256
28db1cc293802cad19e08966202408a7caed1fb4581738fda468483dce977303

SHA512
51d9a8cdb9fe8d559538e030dc6e34f2fd7912c6e9ede19d803a7427d68db4624421e5aebd0471a6402a9052456ace1cda448e1c7dda930b625fcafd528fea98

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
49c49eac3e2d0eee30788a8c625e74f2

SHA1
6ea4b84a79959f7d72e1a82c60c96993cf698735

SHA256
a41adf5dbea0f4f4f96b913203ac34925b7becf2342b7079629cb3d21a1fd7e1

SHA512
f30627a9c15187b367db8bf040fb059c73f9abe0b5cf06b7d59a59749018c69b95e47cd7fd0e9eeb90272da0380ca7cb006883e37cbc6dcf5eddcc902ddedda7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
2291f608e4f1e5ccab3d7c4f98c5844d

SHA1
9716f7111817be99b0948227c1328642e8ede217

SHA256
8673c03fe505fe93d0c78e5cb8cca73560cef9aa64f19a4f2c649cf6eb112798

SHA512
1b858b4d06a8007184d9195363f7662746026bed5094b43273413a4720ec26b9e4b1fe9fd73095453f925fd88d3fa6e2b74e0143067b80dce29f638b8d0a5483

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
5bde957abb463de25e671603ad2ea9c4

SHA1
fff0ee36e4585ab20856f82dd174fb6afeabbd5c

SHA256
576d484dd66ca46191ddc0aa352593f3f1d01f5abaed2d0f19606d0b0d5d7f5c

SHA512
cd0c4c4791ceceee3efbd53c05e86caf1a1a13946bf5f5b88248210fe74864adad89cccecebc5cbcc07b72035a05f824b317ec02d5d2cf546737b9adad5b72c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
2edd6fe6a76326b2b0d991f2d45032f0

SHA1
da0bd3a3b3090a3a4f2dca9cbe2a41db196e797a

SHA256
487fd358ccfc2c3a3046051159d00ef49b2ba7d8b2a49a893e9952ee924ec8a0

SHA512
80992ac4d96b42c62feba0307fc8c57ec33d7c3970b792a21fb720faf3ac7150ac697092b6761c0bee47b05918fba33731172d3dbbc5e1eeae6ba1f038ea2aa6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
9ee50e878af6d1ecad2cc43402aa5719

SHA1
7b53cb1f1f7d1a76cfd54b1c0993095dbbfb111c

SHA256
9e3e7acbd96d54e18fb142d9e62fd4071dbb02b3dedd13574b6830c9c1cccf16

SHA512
9bc3eb735d5a6764d629140ee522c10ba12fd22c1fecec67b193db141b114815b45a58902bd02f7cefea9017840b3657a3c9c8ff604ac6dc96b84d4a7c9cf649

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
17a3307e3a746b2fc8a5f40ed824fbb8

SHA1
d2b0bda32e4f60e9d53c92ae511c3b3eb9ed3878

SHA256
f72a9e5f32ef5093bc4009e1f9e0dc0bfa1910d219727270b7c8665076f213bf

SHA512
b5cd7f6bffd0d35e01965e73fa7dc4fde94c42373dd17421294ccbcc3067704d6ca3248d337e9f5cfc3b348c1bd5987efd54e8dc5f0a82e290192d2876af7634

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
efb2c682c7d9b777a7e31bfddef7854f

SHA1
16af24710049643a06e50772ad2fc35ddef330ee

SHA256
9fe84368de338c0ac71413e6c24f3f92b8c8b29f02deb0a3818629866e8265c7

SHA512
2c9c37afca3964213696cc077731346579e741429ffb4d79184bf5c2eda805521e94ee19cf387e3c0904612098aeec63d0d89dc485ae1416c4c5e3c9baa0b4e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
662af7858a164e3c6c222f5e1bdc817a

SHA1
3ea920cdddcd029858f13c341865b6f589615821

SHA256
e9e371fe77bc3835b89dd08732ef07b3220e85a7915502ac26b5c2e5f829a063

SHA512
b2c2e7e1fa0181297ab77a75b22631f21127df0ab2fad77057a88ca9aca169eb99dae02c50d4ca6e07aa8d0ca47c9e21c26d97353593b6c1f5eee50481c976e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
ddb085bd9bcc8e235d83398237d456a0

SHA1
56d0c9db608e7c51d40d368d2b2dba7a7cf7a3ca

SHA256
b58b449170272216c0d96ed55e72dc5152dd1344437a127a8b2d82c7d4659e40

SHA512
5efdff5358f2036424f0632e8ed9d069875f2d71b489a561a6abfc722dc4c5354527937dc48181e62905565050a50bfdcd35c95aeaad42196c3db426d5c2fdd1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
07f41d7b7eb2ac67f260e493815c151a

SHA1
fbadc4fef84b774a81f6468b5eaae395534cdf36

SHA256
deff37cda009fbfcecb6060540ac14bb895d00eba1c391be44bad318a26a8965

SHA512
6b33dc5921d63678516c66e1d841f00678da25081efe2125a5ad058cad24b602169175e8171c10d43da185cd831041e17c2830d7494650eb6025df29c46e8516

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
9d377bf3b829ceb7e58050470b1b8230

SHA1
759f591f4a8290395f407728d08669c4392d46ac

SHA256
677253417779da1cc4b1567b411005ae0daf9b4617e842ea8f75b472c0d4da8e

SHA512
ec83edfa9f4df8acbf3583f78ab805e6529eddc31550052bde04c3ab4de529b927a5c4de934182b9ade10808eb1bcc76ad0678fc92e550d3f2cda0411da353ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
fda9b44355cc27f701a729436fc9df6a

SHA1
ce74fdd47bc66c8da541f35c4d2a09eba717889f

SHA256
c6417c267619ac1e5788df8fead8a1bba2968cd2b3e7ac2c3f6031c96347c38a

SHA512
a71e961b948b2373132159b96af30da6061be1cf4cc7e27037bb92e231db30cde475367b21bc42e9937a4553520b47ef57215187e3b62558770482e25ea7bf29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
c3375d35091680bad78d40ceab15ccc2

SHA1
816d100855cc794dbe854ae760d09b87e41f9fb7

SHA256
d05fed380535ac74afe93a42a97c083386c9b33d4adc312fb14d58f740d7928b

SHA512
3c566fe4fd40924b2da37759e1ca09c0882ef41e453bf75c7515aa9f95ffc8a32197d968299b4a1bd624fce8621f83d0d3614a3c9456a4307d7a35989e2d5516

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
7d183523c090ae3d2c8dc74c3448da16

SHA1
392970eac88c01baa81971f926adfdf4900f36e5

SHA256
477db1469af135456328aa1bcb8cc36f6be11d317b27839039186bd6362e8f46

SHA512
b5b9d0e36d441090f74843d048804c0ade3cc13f693440f0d7bb1c138d7a92b2446d0079cdc226e2d43143da54cf6d831ca9adcee57bac4abe896d984819a71f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
c7b5dc165876757f3bfe493b0eacfe8a

SHA1
3ac6b0365952f3663a6d90f4878fb84607e0ca21

SHA256
077c13713488d21bb4b77db8027ccc2b7e01f06f700b80e999062fc23f62f771

SHA512
bce4ba5b25aee8a93019438e1d40c1a45980d0aaf629421362aa33f2a92b3759a041b59626916923fb21f6c552448368610018fa5d04017dc3e426ed6afee066

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
33e541b7801d1b77d4e368b9040ff686

SHA1
07248859b0f852076fd00e58e2c0a13b8a1fe546

SHA256
d4b653acefb80bfb4aaba3be0ee1dc7c2c11780e617a1996931aba90456c2c7c

SHA512
ac4b6a50b4d8aab3e87ca765673429fd1d607a7a7fd674ef1329377b3edb60bf2ffde72c7cbd7927e8521635a7db82a2da8d00fe8f541958ca12afa65b1e2edb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
a074923ec694473ffd27060a8b7d93fc

SHA1
c16d71e4beee23dc661ff69c61904de82578b659

SHA256
ba323f5782619f06f71223ba0d305bc60e8faf0aaceb8b5e926a6f45d8d8f6a1

SHA512
3a12ed59c9b50eeca575d8f0155b95be55c0ad5947f6963e666cfb10cffb7cdff0dea1024f0d704d2eda7c37aae5a28adfa5a701dd013ea77a01a90fa0494c17

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
6e6d83db90eeb76fac87c7e9eee756cc

SHA1
613e602cdcde4af90baf3be4bde15daf05886e83

SHA256
ad1f73752256fee5472fa9513ce5cb0c87acf48af5da8be3b807df59729f7d69

SHA512
45144c2523b12a600dd15ad9962020dc9bd93dd4029324fbbf0cee7540d3baa0459b4f7b73f82bc3d867b7e5dd6a91f0ab7b12ab92d98c660cae8f33a47f055d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
e7b33777afa95793eff96463230be71c

SHA1
abf166d861aa56bde91bdabdcf32f272a97d905f

SHA256
571dc9c9f1d9f07aa5ca2b0382f1727a02d3cfa69553ec68847944390403bb7e

SHA512
6b573d795fdef41bac75e614b01a8d3990a980338e47c7e5e1e466908068fb2f314b0cd6d0ff35b359ae7777b2ab3e01990781b53ebb7d9c6f61c7a890041860

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
95b3fda4e62bec8e1141dc5276eec145

SHA1
3451152a28c4f33138b8a3de948bc08052aad06b

SHA256
c43bc3ed6d85c13a289e8e591dcd2876677f35dcbaba89e279e3e759a4fcb839

SHA512
4d0742a0633b58c88efb6c47ba48df2f2faae3509c3cbed38459e7fdad77591cf326029f15d70d6afd484582d0f0a4bc0cf97a19167d814dac5c7f86b36544df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
e33b99557fbb728d6eb9b57b41f02918

SHA1
8630e362ace870404acf63c531e0caf796220960

SHA256
f82b7d385cf3fec49d23e153906b8514ed5d2e777b360b70bd0ccd0d1caf0a1b

SHA512
d52d8eb49b29827e6e6bd3c70f82d02d083e5f5e372a8877c6f1c257a501b8434200c14e432416840edc746ab9680e945a6327d51d87242d6f374340e09cbc36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
efeb95a0e8fdafe962e844fe4b0e245e

SHA1
1e30816af784ff4f9cbd7bafcae7994e6969a231

SHA256
04a73d2e02c377c15253d257f308a9335ff9f4c2fd5667edfd8d77917c0e1533

SHA512
80b54e3e41f8ed8adec435247350754d94e2866a9743827df5227224ad31dd346f30db678b0b8d34e0101cfe83c69c3bb4c3e8ab9d54081536ef1ab570450606

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
acebb29350f3392239bb4492d51cdb7c

SHA1
d1dff1eceaffd61773fb51f62d76ee2a046e86d4

SHA256
f48fc168627aa4e367bf98f4e65610db157c8d725517435ca08a0a7d1dfefc05

SHA512
15b6f454601cfd882fac5b213479adf3b7375a5749f198e34df5787b5c861b53b2abff68cbab1a5a143c38d3734caf70df3bc2d4748193b7c5ccd1162740edad

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
43df9751e814e8df8cc3018dfd6edba5

SHA1
400f9cfa5610fdefcbb9daaf6d1c00559a7e0d82

SHA256
20c0ff26dad4fa2ef0f5501096e0b56ab05971864c06abfeb820dedbe64ca7dc

SHA512
41b388fdb22cefc5274429bf53e7d719d74fedfd6422098de5570db3c76d7489aa6b37c388fb70f3dfcabf0bf8f980d6992f0091dc5fc361252a14a71cddd7a9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
e88ff80994a02ebb7d0b3deccb8b9647

SHA1
6baedfe53d7ebd6a419c74060861335c16f17665

SHA256
f6dd2d07d21bdf14a5f8a49f7108a7f38de80eee25b4434dd0c7488505d0d515

SHA512
f7d3581c7abe25e02e9bb633c33d7a85c06fac7c96b495e48a42cdf353ec72f3fbfa097820cf6a3d28a5747a48cc31591231dc3fe190dce45389420bc247d819

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ce6cb9b7c42fc2f5cc20b8d40290df2e

SHA1
1ba80e242abe816deb3d8883c2438a1e06cce0be

SHA256
00e4c3de3a83c788ece9423c7c7bfbfd7e40493fe0cbc1894d19072897c9addb

SHA512
1c769fcc3713f2bf1c0e7ea2d79832ab7efb48c4d2437c9b04641a2786814a022fda261795e81cf674194f661083ab18966f091335635308a03868af960e80e5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
74c0cf4ee9debcf51236666281fc4321

SHA1
d550515424b563cab070016b44c9a4776e413230

SHA256
83d880f915f93eb4ba0d0c0755594b99c73ddc0f3e9922e571f252bcc15ff0de

SHA512
a47ac3c2e1341328ef3c4fe4a37e321b6bdf7155a34604fa12e1cf5543391f9939668e1204b2512a74a12507669df18c4977cf70de9bf80c786efd237e995d37

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1d96257c2ef3b21d842f53124241c5eb

SHA1
e30f1fbcf59ec4d80b0835f04104f78311738073

SHA256
7672e7f624e3ad4e6d7b68a63ebc417ec2f02f5e884ebbb73dbccdfb8d11ef3c

SHA512
d61f5c85454cf68c372250971d5f07994218600d365571dfd70f861f98f5caf87ec946160a39efa0c9dfa5dc17ff061610e13337f4d8422846512e12ea7389b3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
41f5a8f6accc38e2c252796a1a69fb1b

SHA1
00b19a16178df307f2528dc31e4ae43a1df59eb4

SHA256
25984962dfb5b9cd3791ada0fa961413202f09f709cf0f4874353c4450059be7

SHA512
1843170510d581216547761f78091e31d8fd4c42c3db5ac12cf3d5edaadda44f1eea2e2498addf0d5a5b9b83e0c881f27c04d385f2f307181d13fb38d6679634

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
5cf89778a1c2c173c937199665c1d5e2

SHA1
daf7acfeb23731d660884e72bf3ea54ceae88775

SHA256
0005e2370f935969927db82800cb192d82ca6a75d02f87a471733e905ff9196e

SHA512
194fb34374174768e6c4f62fe0001f406adaf2c34b0b0eb7b5a6e85c1939e4b536636501e885008ee3ceec5a9603b94ac060bf7cba63447e2ec135c6e3bd8132

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
3b76983339ac41b0a94f220b8a4c1eeb

SHA1
8a6afb20117373ccf6dccd0beaa2c23dcb3c1cdf

SHA256
29100ee4eb7973e113c978dda9858fe32f5a0bba5664a6a4ebd82d2146f99ab8

SHA512
d5473f8ce7b4ae91ae2cb00bf690906697e6e06673756a47ff00a02bfcdbb1a0d4b06a5eeb89d2628a15ad673847770b590db32df3db72fa2ca2389108381353

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
714a535d4519fa672606d7281091d287

SHA1
1b230c13c33f09c4aabf4250657db638527b705f

SHA256
16e0ac04ab272f987f09f1e780a8f1bf3b333fa096bdf3fb7ea91a0bdae85231

SHA512
91e3d826168cc5ac82145c73929db1809b7149e0684d0d5162ff837d43b10e35a0d1501ec2f6f3c42ae3ce6978b277b1776cd8dc6f1abf70cb60184f0ba1fc72

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
6af715d6c2274958be609876f5d91bc7

SHA1
1f29f8d42533cf0ea63e5dd5fe6b0a7f700ceb62

SHA256
791da5f66e1c98f02830ecf329ea73d3e1c0767a3b69c8c5dcfc42fb73fd1d58

SHA512
da366f5c3297eda9635c0236f4bbf3f782b4d8e30544f9fcd9c98371e2ab11fa0c158033acd08c6ed0bb54945922becec679c1e7affebdd3ab08428f1ae79d2f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a10268d171e18f9b09526ffdb9b3767e

SHA1
fcf5f3e828f388a726916b36ea5dce63633f194f

SHA256
15cb319feb3dfea62b5d41b9503dc0c6b5c1b1fc311116248fb13db24e405334

SHA512
45c32e48b3be58415b4a6f307c4c824fe0f49d0c328f645e948bad33c4c9fb409cb050b24b2c18e6d39d3dc64ac098dc168909a81fb1054305e3fec6b4cffaa2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
86863f5793422f59ce7a52f29376b260

SHA1
3921f4f319572b5ce4bf92379219a4a88486e660

SHA256
f8dbd9ac17360f67ee1b79b1569519257a3ab347063141c165d5475232b86c21

SHA512
6de9e737e26008fd42620349008a9cdf65ec5b4f58e3bff6d2d079432a250250f2fd1a4bfd83390933d6d2985a2dfaa13272260038d642503db41f91d960c68d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
dcf22a4a9e4ddf816eb15d4f1db57837

SHA1
1fae983d612271eadf866128a01b087acc4d158b

SHA256
39410b43d451c2545105f8e1a2c1399e404d0347df82c3d53a0781dabf73b769

SHA512
fda8870c86b2d793b0b63f19c7cdfb23bd45541792ae891b934282b2e7b4d925105abe2b038429840ee9d030864bc216ae77f0712e3669d22b4f49e52dc29156

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
f78d0806cdf398f66b8d32df513218d0

SHA1
c31650ca192f79f08337215b3e6b2fab2dc05676

SHA256
17dfac2ac7611465e0a63901ddb815b09edca47ddfceedd954299934819cc35e

SHA512
e788027c02785da8e77412daee878ceeba8efd58cf6616faf9d0db095ba6f71b4ad0fcb35e6e4d65fdf2432f0ec5aa37cc0e48a8e1a8277cf1a7306410ce8912

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
4d9d70d6b08b1eafe0cbdd5eeea93b2e

SHA1
dc338dfdb18fb75c6cd7bbbab802c3840359f767

SHA256
481af5e3fdba50f91dd43090ef8ebed1f8fb6b812f608b8dc66eb6c91e4875d1

SHA512
c4c2226a14f31bd052d31ec094e0f84fbe17d9ca2339ecee1fcc7125173aefd2d6d26d2bb8625f5295dc03ee44bc4cc0bcdbb1b401edcbe80765b0854934e242

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
a538053c9f08b7481cdc5fb7dd0e6d19

SHA1
152a42642cc7e593d71531b5a108ec59d95c5505

SHA256
7a5a6cb0b1f368f00ef90a880969c942413e38342885f01e39b62f850c6cd72c

SHA512
5cf7ce2286e427096735d7c21f213f11ce07d4b40ef72106fe04cc26814f818eaf03ffe90271113906bab058e3bc1828c2e9a31090188a2cda63722e2449dac5

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b35dac188e1b17109f8160d136dc8333

SHA1
d6da03bb5c3e80d793f072cd620fb18113280fee

SHA256
55516056ea6ceb085fcd63bfe8e0319ae2ec229b342e4715396a70caaa6c1d24

SHA512
d7650b68b1e0c6aaf62e46a0139f03e044b8bb1693a26f755e2824c420d7f6d266eced1ad00a5ef74ab352be55dd3c4fe4bce739c3631d0412302c07a17e83e1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
3e666ed373c72adda13332e9f067fe3f

SHA1
2edb5f200a14511ff9333d2292beeb57ba08f050

SHA256
a86b2663c78778a58fde421e01ff89d05bb3940a707766bcd9674d08b2b1c745

SHA512
ff0bd5fd8255d9d571408a1a70314c8a88049014d1fdf7c8356298c0bd06deff59e64f3a1e3cbec36cc000e58bb56d1bb5be6472b12e9edae337752cfe2ce101

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e2dcc36ac662c731d01bbe5e1b6c2a2b

SHA1
2251b8125b4db3e50db904f5bb67901eee7efb81

SHA256
2de115f2730eb6e3701466d3f4745fd3fea98840da8a4642f16c1b41e88de818

SHA512
d22b28f365ac12684d6b00211b500bb71a4dd861b7f49479bfcc9feea251109d1c20bf139ad5f43c273b385362ba8e8d19890cade2b5893108b46a066ed1654d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
35dc764721f7ed2e846c8ad7b7f4c330

SHA1
26683bf6e14a77c354c5f9f1420bc2879dbfb749

SHA256
d7cb1a07fb44e44a19d69b2d54e49ac3793609d534a170eecae013f7a54cebb4

SHA512
53b16dc330e76d90aab12e334150cda6062bc45c5015b45438e4f9fbcda04a7cd10c1ca4a424076c044f9d98a537cca27878d2bf10a147c3eb214ee909648c18

Download Submit
memory/1008-342-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1660-453-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1660-329-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1704-325-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1704-327-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1720-61-0x0000000001E90000-0x0000000001EF0000-memory.dmp

Filesize
384KB

Download
memory/1720-71-0x0000000001E90000-0x0000000001EF0000-memory.dmp

Filesize
384KB

Download
memory/1720-76-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1720-67-0x0000000001E90000-0x0000000001EF0000-memory.dmp

Filesize
384KB

Download
memory/1720-60-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2060-260-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2060-259-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/2060-266-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/2060-316-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2112-287-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2112-336-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2164-295-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2164-345-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2164-302-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2232-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2232-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2344-485-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2344-337-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2764-440-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2764-321-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2828-351-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3108-82-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/3108-75-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/3108-248-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3108-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3316-84-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3316-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3332-255-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3332-306-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3756-44-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/3756-244-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3756-37-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/3756-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4116-466-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4116-333-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4148-324-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4148-273-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4148-274-0x00000000007A0000-0x0000000000807000-memory.dmp

Filesize
412KB

Download
memory/4148-280-0x00000000007A0000-0x0000000000807000-memory.dmp

Filesize
412KB

Download
memory/4288-8-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/4288-32-0x0000000140000000-0x0000000140222000-memory.dmp

Filesize
2.1MB

Download
memory/4288-1-0x0000000140000000-0x0000000140222000-memory.dmp

Filesize
2.1MB

Download
memory/4288-0-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/4496-341-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4496-291-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4504-284-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4504-332-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4556-430-0x000002CC9F900000-0x000002CC9F910000-memory.dmp

Filesize
64KB

Download
memory/4556-446-0x000002CC9F900000-0x000002CC9F910000-memory.dmp

Filesize
64KB

Download
memory/4556-490-0x000002CC9FBE0000-0x000002CC9FBF0000-memory.dmp

Filesize
64KB

Download
memory/4556-489-0x000002CC9FBE0000-0x000002CC9FBF0000-memory.dmp

Filesize
64KB

Download
memory/4556-488-0x000002CC9FBE0000-0x000002CC9FBF0000-memory.dmp

Filesize
64KB

Download
memory/4556-487-0x000002CC9FBE0000-0x000002CC9FBF0000-memory.dmp

Filesize
64KB

Download
memory/4556-486-0x000002CC9F900000-0x000002CC9F910000-memory.dmp

Filesize
64KB

Download
memory/4556-431-0x000002CC9F910000-0x000002CC9F920000-memory.dmp

Filesize
64KB

Download
memory/4556-467-0x000002CC9F900000-0x000002CC9F910000-memory.dmp

Filesize
64KB

Download
memory/4556-432-0x000002CC9F920000-0x000002CC9F921000-memory.dmp

Filesize
4KB

Download
memory/4556-439-0x000002CC9F900000-0x000002CC9F910000-memory.dmp

Filesize
64KB

Download
memory/4556-468-0x000002CC9FA40000-0x000002CC9FA50000-memory.dmp

Filesize
64KB

Download
memory/4556-445-0x000002CC9FA40000-0x000002CC9FA50000-memory.dmp

Filesize
64KB

Download
memory/4556-454-0x000002CC9F900000-0x000002CC9F910000-memory.dmp

Filesize
64KB

Download
memory/4556-455-0x000002CC9FA40000-0x000002CC9FA50000-memory.dmp

Filesize
64KB

Download
memory/4912-245-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4912-56-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4912-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4912-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4916-308-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4916-429-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4916-317-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/5052-237-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5052-17-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/5052-25-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/5052-19-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download