5a82474fcc4c85bf039da0f0142682ecf17e4581751e0d29f61fa11fd2e91090

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_bd4e1f974aa376ab5ff26894415b646d_ryuk.exe
Size

1.9MB
MD5

bd4e1f974aa376ab5ff26894415b646d
SHA1

62d2651498042c185a873c337b9ea6bdd9595ff7
SHA256

5a82474fcc4c85bf039da0f0142682ecf17e4581751e0d29f61fa11fd2e91090
SHA512

26616cc37cc05981abf8f20f12d6242f53ce73695f8e729d1daea7a7640437a057c6064d5c47223486720a899d25677979b97c6aa70956e9103680a56c341046
SSDEEP

24576:Cj4NYFYMlgA/ptNqcg8lSQ/Y9uo5NVoP1ovLW0Zna/0e0+KI+i9f4LpO4:CjGMlp7AchSdN6tKJG0zFIxRCpO

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1496	alg.exe
4024	DiagnosticsHub.StandardCollector.Service.exe
2316	elevation_service.exe
2380	fxssvc.exe
3820	elevation_service.exe
4068	maintenanceservice.exe
3140	OSE.EXE
3928	msdtc.exe
5020	PerceptionSimulationService.exe
2204	perfhost.exe
2912	locator.exe
388	SensorDataService.exe
1144	snmptrap.exe
3260	spectrum.exe
1088	ssh-agent.exe
4716	TieringEngineService.exe
3636	AgentService.exe
4824	vds.exe
1792	vssvc.exe
3588	wbengine.exe
3980	WmiApSrv.exe
612	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-04-22_bd4e1f974aa376ab5ff26894415b646d_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-22_bd4e1f974aa376ab5ff26894415b646d_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-22_bd4e1f974aa376ab5ff26894415b646d_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5cd696e74f8f84a.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-22_bd4e1f974aa376ab5ff26894415b646d_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-22_bd4e1f974aa376ab5ff26894415b646d_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75234\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75234\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75234\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008c1be268b694da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a237e169b694da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd48136ab694da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043052c69b694da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000035786069b694da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c822ed69b694da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000011eab369b694da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4024	DiagnosticsHub.StandardCollector.Service.exe
4024	DiagnosticsHub.StandardCollector.Service.exe
4024	DiagnosticsHub.StandardCollector.Service.exe
4024	DiagnosticsHub.StandardCollector.Service.exe
4024	DiagnosticsHub.StandardCollector.Service.exe
4024	DiagnosticsHub.StandardCollector.Service.exe
4024	DiagnosticsHub.StandardCollector.Service.exe
2316	elevation_service.exe
2316	elevation_service.exe
2316	elevation_service.exe
2316	elevation_service.exe
2316	elevation_service.exe
2316	elevation_service.exe
2316	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4156	2024-04-22_bd4e1f974aa376ab5ff26894415b646d_ryuk.exe
Token: SeAuditPrivilege	2380	fxssvc.exe
Token: SeDebugPrivilege	4024	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	2316	elevation_service.exe
Token: SeRestorePrivilege	4716	TieringEngineService.exe
Token: SeManageVolumePrivilege	4716	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3636	AgentService.exe
Token: SeBackupPrivilege	1792	vssvc.exe
Token: SeRestorePrivilege	1792	vssvc.exe
Token: SeAuditPrivilege	1792	vssvc.exe
Token: SeBackupPrivilege	3588	wbengine.exe
Token: SeRestorePrivilege	3588	wbengine.exe
Token: SeSecurityPrivilege	3588	wbengine.exe
Token: 33	612	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	612	SearchIndexer.exe
Token: SeDebugPrivilege	2316	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 612 wrote to memory of 3304	612	SearchIndexer.exe	133
PID 612 wrote to memory of 3304	612	SearchIndexer.exe	133
PID 612 wrote to memory of 2756	612	SearchIndexer.exe	134
PID 612 wrote to memory of 2756	612	SearchIndexer.exe	134

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-22_bd4e1f974aa376ab5ff26894415b646d_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_bd4e1f974aa376ab5ff26894415b646d_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4156

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1496

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4772

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3820

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4068

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3140

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3928

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5020

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2204

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2912

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:388

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1144

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3260

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4520

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4716

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4824

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3588

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3980

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:612
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3304
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
614b3940ca44c826904c5fc3146f9d74

SHA1
e4b282d6c1ac3945edc39a314e79042b26fb9ab2

SHA256
fac5d9b4e35936ba45b4f681db51e6ee6b98c63deb64b750735c58a9af96349f

SHA512
eefc006273d8c83541c76cedf7fcebac016d3f6349ca9233aa6c9449baebdfa3e6ac7c9b6069fdd214babda1a9fdbb8f18f091f46695b5131f5f177020c9118c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
c9a24940469998e6bb460091831c421e

SHA1
af4bcc82b8a5b07c09fb67793fe4acb13f961c03

SHA256
3c70d68f21074c32dd78c58f90d172bf53ba58e93dc55eb184355721c0a2c7eb

SHA512
c5998e264124608a75fb7680b0807e4cac4b1699fe8c3ebce6137d0ca7d0dc737d4b36f7739842896883788c814f163188eff1c78e68a73104448b191eaa1782

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
f50df6d6523f05152b2c6f71c01546f0

SHA1
4f9acdaf96500e9382bd8fba9098d9805b0cc048

SHA256
ac2c9c76aaf0c3bd477603c63b9441aeb00902e3b17ccb85ab942d1aced152f3

SHA512
4f5096dbe22028da0f78138706709727c8768f67095b44e275c3b52cb6df4b8500af890b8252ef95c9fb635369ab7e87c5ef553585fbcd173451f99bb106e7b9

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6eb6d9b3a5811418e1c9c5c24cd4510d

SHA1
87a5d0aa2a7f5f97e83331888c0a26aae99bc5fa

SHA256
dd6703a6d9f309968d0b809774675ab722413fdad6dce55c0c549d5fe4f865eb

SHA512
4fcc549cf524499d5cf99de0cea7743f95973f9122e1afbd597ab0083971007059bfc2138ad354d0722637e0be8f5abcd680f5fc041408019dda0b6e53268be2

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
49de37b975cb9f1d931fcefc88cbf8cb

SHA1
b68fe6f018248727fd130bdd545640aa54a51ee3

SHA256
03ac2745d2af0dfbdc069a429ff8db6da8cf5ca1faefc226df2af4140291c706

SHA512
1fd922157948bfae171257b83fc35b7acae92674e24399b13e0020b3028a95df1b66adfb25cd6fadeda37003d5a03c448fb33e57dc745a4f3d4abb0e2b129d0e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
ded0dfbd775079798fc6825bc81c81bb

SHA1
c19db22854cc304ebb5db0ceedd5c39cd55cf2df

SHA256
d67c86c784891981f619211920ddec96e8a127f4a618c9f23e742870d29ffbc0

SHA512
79e257baaf1f52b415d3be36fa61a0138042b19008838201088a6c5912413991ed02eb764630022777220ba55df7c527e5f6c6dc1300f6ed04595344d65edf6c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
dbefecc4e7bdc0615c6099e5b8f34ec0

SHA1
e13ede30a5b630f7fdf2ccb5af87ddcc477f3166

SHA256
f0cd23ea8c652b9300071d3f0ea5cc5d25029eaba8b8316374c48b8f6b520c55

SHA512
a0b3d3a897e3e82d4cd29b9ec39416545f9b7582a892238f8fd8c3a2402911c1422e973a1d2aceef5c52e799ed1d15d3a529278511eeaacb28e4ea52fd8dbb6b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
61a8f60e9bc2a50efaa7809782533ee4

SHA1
3fd9ac119849aa67600d398cb804065d57af5c4c

SHA256
53bba2e430a3e28d68a56099d14c8c087f1e2ce3fcc0a6298ab509ddba93bd98

SHA512
4d120bb0219b85117ba542730c78f2400cb25d38f89e1ef217b385a9d885e6da3a3c786896add62405553a8ad55bd3d7148d872a4c5594c9c49e01db83f5f644

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
78143d8de09657d6bf5e762bfbfabcb7

SHA1
39c88e9f4273b41d68e06181639eaae03244e10c

SHA256
3f9f6fcc8c2f5fc1a34779a9ec804de5c0e94c0528313c39b21f80cd2f117d9b

SHA512
da0b33ac15319e91a8defcb6d4867beb2328a1b93bcb23be66127b2f4178188892e73e40c20f99203b3432ed8ae472053dd575c05e0e5337f8c8d002681a6c2d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
6bfc9111460d7b1923d9745e8eda1fe1

SHA1
0cd8ba20076f174396123912c24883255b0bfea3

SHA256
dad35b02769987e292772f8c7faeadbf83cea08d66cd27bd606d2e268bd82630

SHA512
9e1ed3c8120c795b8173141dfffc8a4f99b38a17a27c2fb52ee61f19aaf77e5ea237b890d97da7096847587d5287b419720c2af79e5766223d22a385350d7dc3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
eae74f220d13f177b141e912de70d12c

SHA1
c63dcd2fa076f4dc1fad72e4c52ae6d44164cc1c

SHA256
5cd5b808d2763807a51fcd6397b5f04e5e0676a2f00e05b4bcc4e13ba7966048

SHA512
2b3c9969cbcb6e1cc97ae675091ce9c53f00b454e7c04403d9a32b6565a91da324cb8ec34f29fa037cf76159ce6376d9354b374a02d10cd3b8ddb1001252d9b1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
7e500b599c3b9f4742c04d69356837e7

SHA1
a4930d2754054fe89a7ac7eab10e2316a9e71574

SHA256
73562a5ee4553aa0bf0c64a040f1b2944f970e700af7929b070b81521d20b65e

SHA512
a6a3c6f614e1a6f78257c0c3a10a358e418e236da96fc1a13261452c6d63f2960413a1e659a2420c8944b87a0bcbd9cea47e1cc420ea7457bc79e0d0919c0ccb

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
05fe97edb8b4ddbe3ad1aa7bf0d3ba46

SHA1
5f3574fb6297c1ffa743d16d5e34b7fbb70972cc

SHA256
5be3e4ee6798decdd011a307f89f562b553407e208f3e02ff9ea01598e299710

SHA512
5b5de87aa0270268a76e9dcae2b94291608c5c5785283c6ea7d21c6a304cf2b7150c31a5cd1dc7e90e43e0c9457467b3dfc648293487ffe614f5517a95d5d9f2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
d5123c024b7d911f718271c1779d4625

SHA1
9b305cef689cdb7fdd1e84d98c68610b9b944854

SHA256
f3e483ac6a6c2a43670cb869c817c82434a2f1c84013c43bc3e8a3ec697eaf0e

SHA512
8611f547f4c81f3eb614c93aa478e17cbe487ad7e404a0e85a1e69beec27f5cf853f9adb9e165a18fcd38ec13a02d61f0b5dab4e68943e334118200d0491dc2d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
05209c76fbafff15dee5884ed3509dc4

SHA1
0541698562427176d639162aeb64f91cd35597c7

SHA256
b16efbeffa730e57fb219c73c3be6b952f105f75f7463b761a0bf92fa060a2a4

SHA512
490bd4e7247424c96cf986849da0e88d9ce65d9f0376ebfbfae829a53656e413fd4fd74c2a06604a9639229ac6c1d1121262bf4e8c5739e2d9be6a4fa79ee344

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
9099a1315747e8dfefa27f2b83fe35ef

SHA1
1cb2326194d663caf4c80ff0a61112b2295d0fba

SHA256
a27b3908641a07f0ab00d747594fc56ba3dbf4aee0b6d276dd8fe47823962c92

SHA512
90759b46fb577b4120e01f7162855549cb52256c636139be0961d8d5fe0285464556f095fa54a8b49d00272f8c5cf9456c02ac191f3de288a72c2593fdb3966e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
0faaa269440d2fd1e3ff282e7f689598

SHA1
f5b95b6930d4fe6e403dd0c2d9ca8fccd5c7adb5

SHA256
a0442de8b08bd48b35bcb28c44fdc1b6c3a975b0745b32b443557b448025b71d

SHA512
94855dd919a802337f72b9ef478c9c866f991740a272a7b5e8ffe929509668356f0fc00a91b9ef01155bae6c510eda2eb0e7af16b293f07f9e8da520bb6e6c3d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
4028a97448c0431db6909bf4af805151

SHA1
178462f623bd1d9ff2746b13f17a72d971aac6cc

SHA256
07de6a0f2df1ee33c426962769ad445c039faf0b2228278254a33e4aac76e3cb

SHA512
ed2829b15ac45c0032c1d951997b7d2da52edddf46fece441cdbe4987273d2d09748a3be4efdd9d205ff1b28e1a73e2fa4423cea80957c46ac595de9bea154d2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
605ba3caa6982e75a75cc02e94e17efb

SHA1
11741c06873e52fc16edac5a1fc9ff03c81c430f

SHA256
c719e384578a0a25dfd3e0a401b63ff3a9e482620cc884ae99198780181f451b

SHA512
7a1aeefce03e8ee9a17c8d52ee99d6ce00c49498a4c7284036527a66e2eebe2bd6f3f27a82bca799b25c43cc03abf0c74bf404afc33808db8d9a62008765ddd2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
5712d921edf9a270ef05a282074def29

SHA1
ef008af59d9d65917489d3c601a79d7c1821a826

SHA256
4277131f879cb1fa526111c520f247043daa620fcc7a77a9b2ea88bedd18e913

SHA512
4e05478e059c660529a5769e42bc5da64e6eeea199ff5252bee7cde23b2dfd7a7d989072ae33921ec2d05148597800739ff09ae3a4b9b79f71b372591a8de78b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
e6dc27e218f22ee3e769badcd2016ecb

SHA1
276c18d990988cf7239b6c774c730e7d0efbefcb

SHA256
84734d208ec5029e7f835a2bcb45fd6320b2b25a6466f1ccc4c11fe856844e4f

SHA512
1cba1368e8e62fb5f02f9866a27378e6663c8643b35c464f409364fddf7f9fb58f579dd86ea8ade2412e4e78c2e44440dae0bd24f5568dabc3e5baf13bd035f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
cd58e90c1b7a60628149731b23b1386c

SHA1
6cb8837ee2d177cc0c5dead6fc53748c8b5fe6af

SHA256
f8b6e9a95ad33150f5b729541e9540c5f00eddad350c4d60aacb84e2784f7d60

SHA512
2d1bc305968b8d316f3c838960461e4db1782734bf414345566267cfbef156a53b5ab0e22c60bf05b3b4909bdb563fe1d6bb1cdbf2ca99f904b1aeb8f9f80ccd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
9f3c2026d2a9fbde830fe5d8365cef5d

SHA1
749b34c17bea163e0889f872091bac984bbbe03f

SHA256
fad97729b4252f7041dac6c5b3d9894767853b54685814a51d004c52781dc7a2

SHA512
859a77e71d66d12cf537abd7c24fa14d65ae3672cc648ef9013a2ee0c3d78d5d20dfdb4c56776dc89a50b08abe4d670c82682db4e54e559d041050deb3bd9316

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
0537a9086485a204d5a5662f9a24a7df

SHA1
1bd4c208b82b2040e11324f60eb530356557ef8a

SHA256
b2f315f8e0268b2264ceaf4f49cf1a7c4fded5c2da16401648a2e806693868d9

SHA512
bce4255393ce63e0ecdcb5012e51e9247f0d77e6450b5f523b190d4f1d8996042d0e98bc28e10c8f4ccd679a5cc05cabe2b1b1f5312849459355401f9e996454

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
5ee6421ee0d207ccccb6f744d13e8c5f

SHA1
47de181cb0fc37f54b93349e37a31b2247f74f89

SHA256
bdd7bb81cf76533de8aed76bf4ad98144d48812978270affeb4958e1c8ca752c

SHA512
4a8b1d282092cb869a72a490db1039a1fce83bbe3860df090e2bc3536fe15a5a17daf910454e5f72cf3a78128000d28ceeb6d3a1e06c665b3f904e74ec7f597e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
c10d27496cd51128b27442a119de5120

SHA1
d7b8f39058ee8312693d271988a4de5ac61dbb9b

SHA256
b216e2e3ffac47be40bb9c2684a434a2a88de3cb778533701b80c2017983e579

SHA512
85850b987c464dc664e10a8509b76e5a8f29b254ed2519f11890d036ea855dedaf59c806d6722ce48c1b66b62c78e5c5790ca615fa14962979357b47a914f6cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
e3de78fdf166c87a0dd4b619ad803020

SHA1
9798d39731e2b5c467812dbe1024bef2c30e2996

SHA256
13f003fe4b14d04f00218c3205c9c385ddc70eb0606308f6750f145c17338d82

SHA512
209749259c2d8e6b4f003700c103b053b0ea80a36359e324edd373687458b9018c23d858ee6973d062cbde96e9ffa821f39f8f5cb295afc3a2d6f78a59b5056e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
9db3b8dfcccd2cb8440cc2172a360fe0

SHA1
1c5a3972aa83cfd59a41b48212ba032d76e42028

SHA256
30dda55345bfd7ce7ca2d819f884ac2034fb01221dc77abc9bb40c10f3c136ce

SHA512
1e45ac39ae606c9d2c18b4d0c3ebdaf0da7b2084354fac27933b641ad72b7636765efbf71921554dd913191cb7f145ad83ef40a914604df4437f33b9b2655c78

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
50ab111c7ca9f31e190add6dc8a0d937

SHA1
b079d4df9fd2eceb18cfa0a7f5925d8e8829fd08

SHA256
400801140f02692658f93022032010dae5e1e555b4c864a4b61614d26bf5ddfb

SHA512
92fd795abfb056c65d30c58dd24c25d417f4092ef6281c03959c282f2320394c8815fcd89f4d438f1d48eba61fdc31aecae6548d27654ee3f967b7f4a0fa5ca6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
cf942211c96bda066d42ea916dd98126

SHA1
ebd27158b5c51817149228c084d74b561332c76e

SHA256
3867886305d0cbdbae07f0dd0d3374a5a7742d7d57cda88697cd7987641ecb68

SHA512
17613837bb5dceb344cb9a590cf18c19d1a3573668f44b21af1467e6fe5c5ff630dc4060c06a653b385aa03802fb7f9ef1dcfb40247cbf4f2672571d8d573c51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
60e830716d76f5b6acf511d3ab7f206f

SHA1
1a6ea5035a5353f81790a0029de2533c86b49cd8

SHA256
5f9ca20c0b799c860a2c920c8313a372c9ea4073f1ca9f3f2605baf8981e8963

SHA512
c938ceb47fc5bafc25281b44416bcacfea9cb8e0a11e368180a96521e9f9ffd1b37eba9d6eeb85cbea34f05cc673a660822e9bccab070788b1dba8797e874790

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
cb88b7702b27eee7a5d57e364455ed95

SHA1
7770673c402d2d1bde56e0e832c6218865083163

SHA256
9f19d3d71cdd86e0a26d6a743e9cec40256767ecc0b4ba679fdf2c015df2eb6f

SHA512
769ef0c820317a0fa2048f9a1e612dfdd2907786f795d8d157e9fd7f5671ed8970d4791d6b13bb0302a516a7dc6a148f3de585a0ca57ae36baace34cf299f1e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
da5c7da09ca59480552b7f574f23fb54

SHA1
91202e06d04832308d46bd925cb2b9dc56fb2e49

SHA256
13c51a942eff43a570f4bc768120666f3f1c71279c973236b5dd571cdd53b1b8

SHA512
f1a38a1fd58bc86c13560f95b120e7f316551dd80d7f902e363ebc5f0976d45a42af44c6d7ba334beaa26cf8150f0ff2890e5cfa05295b81335cacd971794963

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
7baf2e52e9ce6a0357f4b4349a9f5460

SHA1
c106257059ba97b3533e0ec4fbd63d611cac0133

SHA256
b60bdbd0a24ede499ca20e680ac9af7ea4bb34004d3e9cf3ca40b0e106693564

SHA512
b8a48b478f6c8677384fce32c6fbade7e5c3a940ee8b65a35339ef946bde170e020fff67fe3e3a73bc763d4f5b50d2d16597b0e114fe8ba34d89ca714a82bab7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
82989f358bccbea82c27d47d7f2031e6

SHA1
b25102b8d01d5ceb5f2aac7e7ad0771c1ad48e41

SHA256
7f4379bb622ce904a4b61e837fc8bccf883b9af8fc36b68c150b72ee4a29c13b

SHA512
ea70b1403a169bbaa329522533eb590205e7fa0199e8825b5e3936e671fb9bc66d0aec39215281b9bc2ef46c8df63038af1c6d0a69d1c79aac67f3cdadfa89a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
85bb1ef1ef2d02597007505503d3c772

SHA1
25b7ea654e7b01a528ec73150b521f000def8475

SHA256
b64593ae7f2e48be03a1cb35ca5827540150a52cfbb1d0718daa3525300a572f

SHA512
b517a3b6b8b018fcb01cbc8e7c281e77ccf6435b26f599bfd5d2c59f5e0f707cd503beec69fdf4e5d701ae461db76ff578533e4410e4d2982dbf86dc9104f69b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
19f54f4bac891ea3b3c60f297a6f8e3c

SHA1
b1013f26c69a7a5d1feacce84823d2a4f5d945a0

SHA256
69efb193104ae66da2d15c34741e176ee488d8a4e5be54702d2bb18a521cead5

SHA512
1574a481651d95555a1db67b9eccc6037175f164410b71d4354982f3d2f477e91bb86a725a962a99248a962e24c966422fbccd1c91b77d031ccf9934e746c1d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
49427282634d183dfb86377819f2db87

SHA1
d1c1f2277292923c750fd3523fba5501b769ea00

SHA256
aa3fa93484d50f63c3dfc6b71613b88e50ab7168679872aaf886628ce4907f13

SHA512
c6514057681818ac5733e9fec7294533b5e641ca022835dbcc8e9cc814f8e5fa1b42ceaac7ee204208ce5d570549e2b8c42683e79dd3ccafe63b64121517096d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
688a3ea2e4fdf77442e30c372af7314a

SHA1
737c49192ce8362d5d74c7c573eb6549af30791d

SHA256
f23a0af2b155bd9bffb3e0a2383b31dfc1cfe3de492a76cdcc1bea198eb62a03

SHA512
8a45491b21fcbd2a3c3ccc09fc3919b3d3a45fa646d4b4ff5b704bceac79003e5525ab2684097c8f66dd46fe349794e0036b8bb703cb6cf8f5bcbbf354b29859

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
eefaeda0a06cc756acea4189f7b59996

SHA1
2ccea1f2c25e433fe3b4fb6b5884f39a8d790af6

SHA256
db73dc7f0b532e5941bc09f354d693a18336eeb98a8dbbddd753c69f94853a17

SHA512
5ec4cd31adcc131b163b0884b408bfe5cb35669b812242254d2cdb1f121a3b048e3f87201ca6325c90ff361eda5faef1129923043ebf0b24da7e8cf8b88716aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
b4ebaa858fc6f558d50fe642b4ff5d85

SHA1
b1b790bf97a9bd1821585e59c482375d36fbe64c

SHA256
21c13be58387489ccd4a329f13f681e78789085775c18b1dc4b8cbba84fa09ea

SHA512
900275c38e734970b0fe709021736608353b581289bb8eeee80cf7fdf0a0fae74a6b78c1ecdec0ba1b047d2d6b065d3da5fc3ab3007eaaf4811b2e826a5458c4

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
c94706be9502a947f9c52a5b8a21d1fc

SHA1
3a477f3115249ccca5e5ec8a37004c526b680ddc

SHA256
db823943fb3081cb216e2d1cdaf8cee0b9977f009920eee4fffb2f7333cc682c

SHA512
0f6daadef2ea88d37a3072fcec89a50ea0007ac39cd5ba9ca79facf47a64df66860548720177f9be1a5796e61eeebda45b9dd39676c8ff8cfc6f18e92d638a85

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
a1838ba97b9a41833f5eb6adbcf4fc61

SHA1
ef6009408890637405554ca5532a0699b46ba68a

SHA256
1632f0a3bb52ae738bf8f17b8ad7cae4bb632e4f50a90d1bf8c50b106ebe4553

SHA512
6fe149f3ad01ffda0f1dcf817006435e9ff7e6465192ff221fc3d51c0fabcffe825635b1c4c664a8b601a0362c17cbef6509024f0f6a9a60a6a0e63024355538

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
537e968b3c2613d46e3c6c63fda45977

SHA1
ad18229f030adfc4eff0bfb79e4cff3072e59319

SHA256
2d3fc8c9b375b420a03359a01af16c82da5715b732b5d7fd954c527c51054848

SHA512
57dcb3401118acd6be20cd9c31d76cae93e7b19472ec96b6e52d088447aad53a7588282fa064d6d23e7603390340bb9ccb7dd8769d888b50194cf4661c266bd6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
b3e5a979cff7f26c0382dea81c59bb75

SHA1
ea6eadca2b24c7c487f5dbf961af72d5e9d576c4

SHA256
aa06bd26082a4570fcea7eb373eb6d437fbd68ab424c41524d7057f3b6548c31

SHA512
2650a4a03b343d04e0bd182fdbe9e4aa94da696f75d196d25f404fcc33a452fa7deae5fd878dd50c94e08231fee72eae8706d34efa04cf9adb689fec67dc70a8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2f46a91f4ff19af82a448022b2f029bd

SHA1
8c185748f6f64e24785c0f17fe231f754e7f7450

SHA256
d479393d06a4cf8d30873c951cb3cc654e391a41a85f376d8e9143d5dd76d179

SHA512
df5b9e17ca41cf83cc104379231a016f3ab675914706f7e29eeb9a186446db1ecd42ac1e1fec4dc95ad8d0df5825d93ab216db29d381830575a41980513c923b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
b4b94502c12b44bec284e31301ac27bb

SHA1
06ca9baf2a4e286f32c788c1737cfc2f6ae4479a

SHA256
19c224761085d2ff378fe8c083635d1975807af0e584a6fcdbfba66433d4904d

SHA512
44dde72042bf144a126045f58ae713c5cdf875fd1a8ed20ad984b4b1497b9dfaee0acb99daf42c2f8962c038442df096ac7f59b2cdac1f3140ebe7b34da9b544

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
db99dbdd036151f59505af01f231dfb2

SHA1
ef3c1760f830aad218a45389716ac77cd6973827

SHA256
6c5fec3fbd761ac99b5620b774bfc403946f26e86764041008962b3a3274166c

SHA512
890a548535ebd218327fda2d6592d304a54f26c3c04427887d8bcb555caa14ccbe0ad21463cb479b763502563924f5f1730ef924ab2a0333e33e918829468664

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
416bb18857d3828785c0b2cab5b3dd5c

SHA1
c7bd7a1321b92b3624485604b6be86111d0de491

SHA256
2acbef049c11b0af68bf2da770cb12624e391c0f20a11b640b380b79b775e25c

SHA512
375593c6b5a4241878385c5fc242b78fada7f68dd7a314cd76faec503b740bf7dc5468b5fce04423e875d9b86e73cbe7e3893aeda65a7a6e227c0c70de4dfe80

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b2c8e5667df59332ea5a34f61eb99bcd

SHA1
7c0b31884b0a6aeb603b104312185a51a99435a0

SHA256
2a847ba2a41e1f07a5cf1c4eda313a9ddb05522471e307f2d7ce203bedf2c492

SHA512
d3f1c39040f4588f8db4460b148592a8876dd5fc0492c0f83fa07dbbe152f8fc06e74194e247750d30bc258162d36e8d6178baa11fba9ea9d09f4425437cdd65

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c7c577c5791b001e5078276c41c3128f

SHA1
a06c2f166f24e9a7f90681693c10929241713fe6

SHA256
b3fb759bd4818f46b016aaeac0d08cf45527b55a5ee33d4ab55487dc353de55c

SHA512
0b19077865147417bac0c5e945990a0343232b022f9a7e9d1d75928e6182abecd47f89d220cda489a47a3fdd25d16f4e0362f1ebbbe4e6630d8a39487a557a8c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8d0fba5d1e50be25a479938529ec10e8

SHA1
d6d9ea081119a9a4637312feccf11cf281cd6966

SHA256
2f848fbe8b681650a47ec51c620b2d983a00ef633002c64a728dc5607768ae25

SHA512
170b230e40b1a31da1c9d4bcaa957e728808af29a3904fdf405a50cf47e4529046b2f617bfc1875092aadf0ea8e06373e57b332483bccfcaf6227bb27a50f1d8

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
16198408ba77cd8ed99bfd5fa3441166

SHA1
00b04e4f3da888d7b8f240819e6bc19a1b9a29e8

SHA256
c0758943d7d6fa1ac2a1dd02956275b1792aa86b98eed532f406898c35d3988e

SHA512
ec02b7d72992f1939753eef40f77ae43dc704963bdb2e1c18462f16d9dbf4b2dae62004319005b439b1e96a79d2b91b6eeb8408e7132eb276239bc462c1bc112

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
bcc0ac15e86511488a86d7a6a733bf28

SHA1
2de6a9f52118078b4520e33fbc50f14104f4c75d

SHA256
988ea3e647afbf8334289470eee2d20c6284cfd372671c737847cbf0fa453fa0

SHA512
9ef8f306d5aaebadbbf5904ff5abd764c2499569d89453451704f6f6dd2a9f1406eed0a33ec8a3231a21ec79357929d566e898a96560bc4a0ad7f975cca4cdeb

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
7cb51244087ae89d740e973876955e49

SHA1
da47517e93d0e4d0dbbd8409d19a764118c5351d

SHA256
1eb47922729431a60bee68dbaa1144408cdbac0417dcb158ad96fb0cf2f03af0

SHA512
226c7a06b263de76114e016fe46992f95c8d1f3e700e8bc4d8955a3af670a4de5a3b9beed8cee1f6af1532c6c02d84add44b901e550c94e06c9c8714269aebcf

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
3166248a9c0952714468f28629c8f0c4

SHA1
bd2918aec72c33b3e8449df5601b39b168828a6d

SHA256
80a0b6a6091124c7795ff13148ab66108c221e40455da852a8d21e085af54102

SHA512
5a13a2968a023d48caf54f8bee29e62f8268083d0912ec9ef1ec43cd49a53480cdceec82d695d3ef113880f719799b4ab8063d0f00cc181b50edd6648a22c7ac

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
214ff91dea7032f43d5dbc8b57156ec2

SHA1
454e99cfef33f12815d711fd3448ef2c67dafcdf

SHA256
66d68e3e004a31de00c46f1a1c66fe10552796992f729a17b82e4c5aafa3545d

SHA512
ee66956df8532c4b3d309e624939e1e5bc155064c3727d753e6e2abfa78bbde9a3cc78cc6b6f8b4ac21c00c0fcf334e7b314538c947cda6774b5d3365ade6a8e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a44fe74a88765dceaee28aa56ff3868f

SHA1
22d306628f969a723b15884bb406f8e702ec1392

SHA256
b16dbbf42a22b39ce7839e850797b2baa9d2b5499826225fad9154ce25b87c75

SHA512
33d4ac9a25563223b9471be92c3c5104f2e58afce13b1e71e0b28ad606b0e20a88aef8ff394a81137620e5dc2977a60c0a3ea8a05324680b57b5aa269841712f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
f65fd55ec2fd9df3bce937bc0f126de3

SHA1
a5f77d208e15223edb25168c182157e26d58e44c

SHA256
60e87109a9cf7f8d9a9dc9f0cf93c3584f82f0ee23d3ccee1d678dc3b3db2c16

SHA512
541fc11a73041e885c7b5e120d364eff612af57b880219ff4d1934a14f9a0a9e479ab95023f25291ec747aa4e1ec8d4295cdcf0dcc1c6aad5641d023ffc05e90

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
18c9ed5ed65d6cbca77ee4b2d107aaa3

SHA1
b4461298c04d5396a3bea0c19a058ae3ad2fe2d5

SHA256
30792a061b08545384301d2d3b71de39a86957ec42a2c07bce4ebde926166e00

SHA512
ae509d93f20c9418e6c0b26623ce94f321ec6306630bfe1a9a6a5a0150c924ca6c5c6a55b7e9954acb971bbaa8401627f7eecb86aad0ace4994c4f1777c51a09

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
8f7364951e3370a20dad0f9a86f9657b

SHA1
7f313ab3c65e63a2bac8d59451894434ce3a1604

SHA256
b1bb8ee1c913fac9323e2ecc222a3fb9f6234e26f77130951cdefc172cc3b9cf

SHA512
345fa5f0b822584ea2e62c419771d6da6e7e3a57d95c7df2a530f5b0fae2251c5458bda2650176da03ce8ce9cf3da725e89181242cf3f08fbd7f7bac3db18e3a

Download Submit
memory/388-339-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/388-290-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/612-357-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1088-312-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1088-433-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1088-321-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1144-294-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1496-15-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1496-77-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1792-336-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2204-276-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2204-277-0x0000000000720000-0x0000000000787000-memory.dmp

Filesize
412KB

Download
memory/2204-284-0x0000000000720000-0x0000000000787000-memory.dmp

Filesize
412KB

Download
memory/2204-327-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2316-246-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2316-35-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2316-36-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2316-45-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2380-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2380-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2756-427-0x0000021F810F0000-0x0000021F81100000-memory.dmp

Filesize
64KB

Download
memory/2756-468-0x0000021F81220000-0x0000021F81230000-memory.dmp

Filesize
64KB

Download
memory/2756-454-0x0000021F810E0000-0x0000021F810F0000-memory.dmp

Filesize
64KB

Download
memory/2756-446-0x0000021F81120000-0x0000021F81130000-memory.dmp

Filesize
64KB

Download
memory/2756-444-0x0000021F810E0000-0x0000021F810F0000-memory.dmp

Filesize
64KB

Download
memory/2756-432-0x0000021F81100000-0x0000021F81101000-memory.dmp

Filesize
4KB

Download
memory/2756-455-0x0000021F81220000-0x0000021F81230000-memory.dmp

Filesize
64KB

Download
memory/2756-459-0x0000021F810E0000-0x0000021F810F0000-memory.dmp

Filesize
64KB

Download
memory/2756-431-0x0000021F810E0000-0x0000021F810F0000-memory.dmp

Filesize
64KB

Download
memory/2756-467-0x0000021F810E0000-0x0000021F810F0000-memory.dmp

Filesize
64KB

Download
memory/2756-445-0x0000021F81120000-0x0000021F81130000-memory.dmp

Filesize
64KB

Download
memory/2756-469-0x0000021F81220000-0x0000021F81230000-memory.dmp

Filesize
64KB

Download
memory/2756-426-0x0000021F810E0000-0x0000021F810F0000-memory.dmp

Filesize
64KB

Download
memory/2756-474-0x0000021F810E0000-0x0000021F810F0000-memory.dmp

Filesize
64KB

Download
memory/2756-475-0x0000021F81220000-0x0000021F81230000-memory.dmp

Filesize
64KB

Download
memory/2912-335-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2912-287-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3140-250-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3140-85-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3140-75-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3140-79-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3260-305-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/3260-347-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3260-297-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3588-340-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3636-330-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3636-328-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3820-57-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3820-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3820-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3820-247-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3928-310-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3928-257-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3980-344-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4024-87-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4024-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4024-17-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4024-18-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4068-74-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/4068-62-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4068-80-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4068-69-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/4068-61-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/4156-0-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/4156-32-0x0000000140000000-0x00000001401EF000-memory.dmp

Filesize
1.9MB

Download
memory/4156-8-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/4156-1-0x0000000140000000-0x00000001401EF000-memory.dmp

Filesize
1.9MB

Download
memory/4716-324-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4716-453-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4824-332-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4824-473-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5020-319-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5020-272-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/5020-262-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/5020-261-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download