ef149359fdbc7b8388dc583d8d4180bc99d15f22f068e2e50fa7845fd9b2221a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23-04-2024 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-23_04b79b64acb9a52a35de81f9c5af1742_ryuk.exe
Size

2.2MB
MD5

04b79b64acb9a52a35de81f9c5af1742
SHA1

c443d681e7fc1e5e51dc6a6def3aaad010c93ee5
SHA256

ef149359fdbc7b8388dc583d8d4180bc99d15f22f068e2e50fa7845fd9b2221a
SHA512

d0ff83ecf57b03d8f077252116f68a859e180746eb7fa2f3737245ececaba05ab062184e4c2f30e1ac349f0abf1ef837e8eb5f19acbc07c72c0d104f03d39c81
SSDEEP

24576:pOObVw4TaN1wdFukCba4oXtgLhU3wEdmh5819LYuMslorttddRZ:pOOh3aN4FuLbegmtG4tYuM8ort9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5100	alg.exe
3596	DiagnosticsHub.StandardCollector.Service.exe
5064	elevation_service.exe
1916	fxssvc.exe
540	elevation_service.exe
4616	maintenanceservice.exe
548	OSE.EXE
3672	msdtc.exe
1720	PerceptionSimulationService.exe
1672	perfhost.exe
4428	locator.exe
1436	SensorDataService.exe
1688	snmptrap.exe
2152	spectrum.exe
3540	ssh-agent.exe
3472	TieringEngineService.exe
1988	AgentService.exe
1000	vds.exe
2160	vssvc.exe
2752	wbengine.exe
3452	WmiApSrv.exe
2168	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\437c4100102ae222.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-23_04b79b64acb9a52a35de81f9c5af1742_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-23_04b79b64acb9a52a35de81f9c5af1742_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-23_04b79b64acb9a52a35de81f9c5af1742_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-23_04b79b64acb9a52a35de81f9c5af1742_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-23_04b79b64acb9a52a35de81f9c5af1742_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000041d1667dae95da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001c992d7dae95da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b3bce7cae95da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000274fc27cae95da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000fb1c47cae95da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cfd6097dae95da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000052871a7dae95da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f984c7dae95da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3596	DiagnosticsHub.StandardCollector.Service.exe
3596	DiagnosticsHub.StandardCollector.Service.exe
3596	DiagnosticsHub.StandardCollector.Service.exe
3596	DiagnosticsHub.StandardCollector.Service.exe
3596	DiagnosticsHub.StandardCollector.Service.exe
3596	DiagnosticsHub.StandardCollector.Service.exe
3596	DiagnosticsHub.StandardCollector.Service.exe
5064	elevation_service.exe
5064	elevation_service.exe
5064	elevation_service.exe
5064	elevation_service.exe
5064	elevation_service.exe
5064	elevation_service.exe
5064	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3480	2024-04-23_04b79b64acb9a52a35de81f9c5af1742_ryuk.exe
Token: SeAuditPrivilege	1916	fxssvc.exe
Token: SeDebugPrivilege	3596	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	5064	elevation_service.exe
Token: SeRestorePrivilege	3472	TieringEngineService.exe
Token: SeManageVolumePrivilege	3472	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1988	AgentService.exe
Token: SeBackupPrivilege	2160	vssvc.exe
Token: SeRestorePrivilege	2160	vssvc.exe
Token: SeAuditPrivilege	2160	vssvc.exe
Token: SeBackupPrivilege	2752	wbengine.exe
Token: SeRestorePrivilege	2752	wbengine.exe
Token: SeSecurityPrivilege	2752	wbengine.exe
Token: 33	2168	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2168	SearchIndexer.exe
Token: SeDebugPrivilege	5064	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 1760	2168	SearchIndexer.exe	133
PID 2168 wrote to memory of 1760	2168	SearchIndexer.exe	133
PID 2168 wrote to memory of 2216	2168	SearchIndexer.exe	134
PID 2168 wrote to memory of 2216	2168	SearchIndexer.exe	134

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-23_04b79b64acb9a52a35de81f9c5af1742_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-23_04b79b64acb9a52a35de81f9c5af1742_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3480

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:5100

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1420

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:540

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4616

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:548

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3672

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1720

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1672

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4428

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1436

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1688

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2152

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3320

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3472

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1000

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3452

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1760
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2cfdd10ff04ec6ddd0b0c4b33d98064a

SHA1
853ba6bb8eeaa5fb851b49a6e4f6fd0e59974377

SHA256
a98b6f36dd340ddb0c456562e0653f7376af26c9654303aa574b24ce90634888

SHA512
b0594ca4d1a3083fbc1ab3ac945c13d83f4902dd9429eb6bc4a6bb6480d7afcc6e454355e1c4943d58f6afff75048a43c9e7aa2c95bf44bd88bcb555f740f200

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
84b8f1396690d5d89bf9da18e75c4223

SHA1
377ca498c99aa5dc2575e3fccb866c3e004b8c24

SHA256
a514e3d6f16d9abdd865ff74d75b172e402e65742a8e89a3e911043f42a573e7

SHA512
9c6ba29b02113cfb84bd430d72b034888fd47dc7d7a0b50f5d787553c1e373512c4afd5b689055b81591f9fbb44b86f20a6cf03ff6ad70164ad8b0ac6cc3f440

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
a8c14fcb14e7056629a8db294d41c3b9

SHA1
e845c6016f93ce95b26dd0f7112817c55f6b374f

SHA256
84e97b6b123f4696895b623e7940c6e507359b4a33a06b18a22a6695453d3b64

SHA512
6548f0a06d29da4d9f77ec28dc18c624c81d2c9ddcc403557091194c523f5a74f5d0b69e3c3fe13586db4219b7f1cc584392f1daf1636a6fd65f821cd844da73

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
50a8c4741e0b9e2d04388b1e5995567e

SHA1
6d1f3072ef63e09cfab7682e6c9aa106c7dd3b1a

SHA256
c6a281bd71422efe462565df21c3589364a65cd4813d24c7bd824bbee01e65cd

SHA512
2e74f067f8eb4fbec96b23c1082451d18e201f140008e2ea018d3867b1f2f64eaebbe1125136b1e27c7689844a7ce533511866df8c53a374e0cae068a3770e98

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
974c3b820b3c8dfb32cde0ad2d6574b1

SHA1
47dae9c9cef0ae38046cdb89af73f2b5cc3cec3d

SHA256
655733539688111da2355f14f5223fb7692f980b5eb8f2b380809e68464fbd95

SHA512
3485b72d96b60456833fc669be1c0f246c328268e2eb707992f3b718fef52ceb7af0bb48516786312c1b94a0ab22822e83dddf27cf7060de1771c02e399353d4

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
df69672d784667b95035712b93632965

SHA1
f0f0c674b80201d5479d553938e1d2b07a83fea0

SHA256
200018a83cd6992983aff493004f12dff88e57e6ba704183672a408c4e3e3dc0

SHA512
54265932b7e3160d7e8c6f195e0a24b59d495f9be04a437b237340a634bf131dfb637e4f8ada45255f8067af044254c379b408bf40f5b9fa7d6a731191e8388b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
19bdb55bb750293c9e6eb53da3904d39

SHA1
5ca6711ce051252c0a5eaa1aa7128239432f1fd8

SHA256
5fca0a15254ea1e52d0716aa3348af51705949fb5d3d2d52abf7b124d914334b

SHA512
93765f4a16e903cac6156654231467c9efa2ff97cc557b20b101ff12048c6083139d0b365266b14985a059aa95d2771b0af822ca3a53c49608210f20cd76953c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d130e65de2c90e500076c9f8f213321b

SHA1
c90401725c2e14aa6c97c640871b4a36df21323b

SHA256
697ab379d5e7de0a5b1a7df15c3eebe9885e80d257e32c3d98f9c634bafa15b8

SHA512
657f2760bf099c38fca05d5d38b2b282d2748e0a3c399ad40e9f9d6ba7156ce8afdbd90b67271c68f0d1aadf90f3f657d0ace93980442f22b03e1bf006cf7e17

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
8283ec9f81e28f71d166d91c1e7dcd07

SHA1
25ff55521fbfb31ece2165171e2d14553b6a4371

SHA256
f734717fc0f15b8c18bed7ef1dbdae4c8c3c21c3c95a782cd4e6dcc3b1196ea0

SHA512
3b03f0b1c105e2effa4d4556f44424e5fa814bcf45845e40bf42d76a865d3abea9b68f2c9f76955aeab4638e9664eb688c8c7e0d5910531d6184125bcdac2fc4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
27690eb0aa173f230f110b4ca815bb4c

SHA1
30bb479fd3acf36bd16137e9a76b7be02e61b121

SHA256
7b737d0a9acf5bf827d7781a93f68dc3a31f2c503b9062f672bc131bfe494fe5

SHA512
36a7dab156f8200b319e2ea80b147a45bc20babe1b9fa28b49bb79d1d29e045ca41493b61fe53e4989ced44a8b1a1f73f23c81692d1139456fc1d09b50266d1e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
0ade70ec0ba0cb1a223c8811c199a005

SHA1
ebaa04a9ea93fa6daf880f35ef3863d7a9ed05c3

SHA256
4cd2b66cf24ac4fe181acfd3d9c6135a641adcd5ae19a2a3c8e33d3e47cf75bc

SHA512
61aebaa7fc2e2c60ad3f308f454e0b764a393f5228f6b96e1c1947a6e77682fbe1e8948eb4cd68545bcdae29a26cde24baa9690e0ff7438cbc6bc805064a96cc

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
29c55f0aace7ebcc3f04b023332df5df

SHA1
dcdeb13fbd5ad7f279d89024da76dac09fd1bcd0

SHA256
da3752b2cba0f37dc54dee5ef905b1d4840d93deebda912db4fb7de8484411c7

SHA512
938b891d2cbc72eee27b9c6c9ab7e4a21c0008cae0fc2d1a9f4d13d4737934b6605f00086e2057887cb86cb0a592852baf5b37707795f449d8726740f1a570e3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
786793f05df72f5891ec287433492db6

SHA1
68cde4084e4caa1ba4d8f20f9c5eb68fae38b9d8

SHA256
5d5ff41733e8fd76d2355b108c70f3d89f13b966e161cc401e9fdd54e69d3116

SHA512
3e0cc8c19b47f394d79ad8911bf56da4baba00ce15d028e90c3e64f96bed2d2f19467850e490f0755572e0983002926fd395f2670703b736eec3af5ea26dd46a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
a549c72e5aa80ca6b5c8fa90967f91ab

SHA1
ec3110562b330670d43141ce35f0de2250c98527

SHA256
a99bb88133ee9584ec13cec6ef89e443653793d4c0d5abe9e0d0edf8b70f4852

SHA512
c4a240481abfa34526bd67caa1bfc3829a562ae92adf7c076841abcf2555e9f0c2aa505ae437b4dedf6a5e9497b902edde46b3a8eb366f83836dae9d69919ac6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
81ea9a55597f20f429239f42440dc257

SHA1
a56b8da7c99a089b35c7323b6805dce954cb6f05

SHA256
44ff2cc4a93def0b6876c1fc94c9cf7af4c433c8252dfc3ed62cda293ffb10a5

SHA512
6f816800a1313eff8eed7866b72721aeab634bcb93eaa3d05724aa8b2fd60adf54ad76faf47d35cfad3e4cdb8932b927c83db6795c581a0a26169ef1a2f924b1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
ffeca836b0de833b58c652bb5a4b89bf

SHA1
d616a7216d2250d69fa1ee0e24adc044831f1983

SHA256
0bcf2b3daee23b653e3167f2315741a147a04b75cfca0dd1a2762799e9bb9d4d

SHA512
8a9a8bd8669c37e2a6bbbf19f5181b8375c0c3108a4545ab8ab8b39fce048908156e0f2502ab380e439f945ea4c7df65b7c172bb19d7ac2663f3bd21e7f5a7a5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
b95299b062b35762720d422ba05cc8a6

SHA1
bfde72b8ca51afb5625d0f2a157ea399cd1376f6

SHA256
5a5207aa38ee3aa23c5dac2231241ad211cdd8842a2ab5b0222b76425a2e4473

SHA512
871068818e250b8e71d71e031a7db80c4976868483f81881b2ad8a3bdc1979a2be9d5750b8ed3216c2615a8c24c5a87061a70c3ee2b291372e471de2e1454391

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
04f4581c4f7f3286e3f5942f43f3ac97

SHA1
3493bfe35c41bc1a6acb36c815ac7189c925788b

SHA256
1367e416980cc67fc66ef2d94da06f6f6ed22dfbc212f2f5975d568e64f2116b

SHA512
8733779abe2cb28ed324f5461d0f85a13b17a57f0d76b796a84df6128e5a8edc18881ab28e0028ea1000d14ce810fa52ab4b9726a891cda8c6803c84c1f2198e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
57e38f1a303cc7e407c58b776c0c72aa

SHA1
325a2e0340b9ab2ad8f1f7059626e01acc657cc8

SHA256
87d6e647e5b3ff0271b5a8841b41fbbb172cc802d85e0b593087f90dd05b5c51

SHA512
1c248130084fe15b5e43866053479120b1b4fb0a923f20f64bfdb79e9f31380bf2c90fd1c0220dd0f6c29512fd8b73b3fc911e69ba0e188dea0edd456a4cfb1d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
7bace0e85669f7f20686f61694c072dc

SHA1
756c2d435ba92c766f4cbfe33f48de8e8054861d

SHA256
b75c8d04ef1dd6da5c16099844635284405d59bdc780fe7729ea85d0c42c7c95

SHA512
65acaf35d1f73537d027d533a46467eb6f89e5bb4428233a59f94f0701002eec4919044eb555ea02d66d8541fc11cd9b84ddbcab23366d3dde77233ae7296073

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
fd5064993b764d8e9b8dfc5d0e34f28a

SHA1
a5e2ef4fb7c8c3b3694e6a690a61ab19304ee7cc

SHA256
acfb8f9fc8bed95ca6bbc954827ed21539e994c243d850ae8fbaa0fcd5b51b18

SHA512
77d7a6ad960659523afb5bbb7c4e758eca9c927cd681a942979f479ae7eb80c9b7546746de65248fe7e4ff37d151ed1fae67a172ceeba0655ca4f37141746a74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
260f9f93f31ff2f51bb4841b55e6419e

SHA1
b2ced26c3c536bed8f9d3501d53124b43f258d27

SHA256
13bd35bf434538b0fb49af4c2126870f9da8c0be0709095439173321a1761db6

SHA512
be4f937e87d29f009c9a16b6799528220ab65f2c3f0b888a74fb42f7721fdc7714b4521afd04cf4bf36d7c7500bc9e6c7491fa11ece906f1d61dd47651d5a5f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
efec523173c53613522f113476954097

SHA1
6dbe3b400cfb7f92e4ffd890470c73bb9141e763

SHA256
97138ce811cdb9e42ed3aa097ebaaa9eb19ae523c56c2b5263079a6af1d13465

SHA512
998235ec24db0b973e2e67a021c50e0c979226afc808d5f1e9e3b92976edc082e309a27d2e57ca8ad2b056b4c194ea7ce2ed61cee4d5f21256eabf0154690d04

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
4efe2a6a1147b7240e4c0d6461f95da5

SHA1
76981e6cb5f11c6d41d7e3e3b6cfb63c766e3040

SHA256
cc7fd9bb2786faa23e44cbe5494aeb80da102b04b3dbc3f44c0d11504b84d5ba

SHA512
3e7334b3e4b034fb9d4b7ee6d37bd1d34d3712e184b360d670ca85d3232920952f95ab3eaab77ab7ce51061283146cf02a5cebc7d4a7513c204a66f65b8b6551

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
57f08d7fc0c42721886557c27a5082bd

SHA1
3f257869140c30ad19e1ff43d3b492979968c6b2

SHA256
e21c7312955ecdb16a89f7df5a0ad30b42f36ec0cc0ea330ef5952217b5524a2

SHA512
0bd3b3534e87f3802cbdc0e2ccf4449f7b469cc0acbabe8de2c54c99317c5942d2d29c0617e76e81470026705ebce34d5217162ed8758c7cdbfbe28899b7b004

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
f7f4fdb52648b73da9ea4a2f968fe13f

SHA1
c35c6611337164b5d4dac264d6e89ce64225ef56

SHA256
dbcf606644b7282267c9238e2c01278c92efec6fa8c3ca6b56dadbe202241ece

SHA512
8e502823ba1393e3f5075969500c0a32314ea1277340081aefd9a45f119c04b4ad2758176b87e100a7c59c8ef17662ce9e942aa6fa467d49434e9d73e3bc8236

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
afcc94da94a2c5a97c6d5177a24bef97

SHA1
d872629d97eeb22f373184418da8505ce318f072

SHA256
5e9509e8cf21ba6a73c81c5debea56e035c61450570d13dd3f65da97919a20bb

SHA512
cd7fd76d1b90723210ca9aedfe82a2e6e1f6e9a3df6fe00861d83be1cad149d5ede709cefa77862e75d50a782f622fbd397762ecf0792edf71ece06b09adb7c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
5d9369df7d0356e6d7e4daa4cf9dbd12

SHA1
c9fdd837b6f9be7e89611c361e470e1ef87bfd5e

SHA256
5b9fe58e311037aca9bb34bf79ee0c44709f8a1c1086908e750982df73f3664b

SHA512
1c9011d6f4cb5384603d231b69f9a912524c98a8628bc8d9b4a37fe3dbecac5ebc76b8e0080353172e7ca7ab6c94df759669ec23f21bc77f5a0a5753da8a34e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
469734f8218d94495ef1ce80f89d9efd

SHA1
7dfb2b8a9fbf427a797b648ce55dbeda58a290e8

SHA256
e9cce2c61561a3e2268dff76364c97543e6e9ff901f3cb5dcd8606fd27a03d22

SHA512
36ead9c6754ec442b6a4b1c0a187ba53bee11215d6b8709b159c0bcd83367951ff87d961cf7db887c25379daa1937f14aa85e646ef8a7bf06266fc0ed5eba90e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
a8ac6014ea09dc7875a79ca88a649ed8

SHA1
0f3694a4641c79fea711daa4308ca1b3a3a2cb83

SHA256
adf5b2e38a21d29f36d75f9ab58e119316e7599c8bd6b261718ff573a2150a6d

SHA512
488e6753dd48738f55bb95bc37ed46fe22772cbbae62a31efcc85ad662fe93add8877938cb286251f86635ab9539dcc8e913643855a0b1357f3cbd5d9a3ff0ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
96ea096db346303103b47395d765b477

SHA1
29fc436b6c1f8d9542dcc2b0b91fa3bbe731dcc5

SHA256
656efa6832848a76f4644b9fe9bae3c7411129a5d9c81a96e170523cfd467c40

SHA512
7d447d7b2d4746d44c8325d75ed34056d6dc0226f18227e0745fed7b061884290b46a31de81c76c572696f970e2aaa1601cda522757c6e47046ca1bdb549e389

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
bbd3b5ba6cd708d9fe73691aca0e95df

SHA1
a5c6bb18021a565e067d7977aab8887775efad6c

SHA256
392949af35fabddee47ebff702634341e395ddf0a7c97465c310229cf3f80508

SHA512
da2f0e43509b0e7c3438eb8a588c929237627411473ce6fed139329a95714fcd40747214c10acc57db2494d9569f36592622e2f7524206c99dafb6b181276bd2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
c0168657e683ab8b6377accf28f6a3b7

SHA1
e6dcf2f60fe9396a76adeecb840475b8cb7829f4

SHA256
2f09e342b3f9b9aff16c88098af0e1b88af8c40acdf4db588d6d916533af8640

SHA512
f20db89e18874a704db5b532c125d6ba28d3335971019c070897e8dffee5066635f41319c212c78343e844339e9b6a9d9b0c2c7065ef1ba073d0cfb62b822399

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
1bf91c1792ba28660e9728d0de470efa

SHA1
9e59ae2aa3499cbe5f05d79131abceee7cfd3618

SHA256
4c811acd8a3e95303f02d2c940a27b17edfd976eaa3b78743be5ced0e222bd34

SHA512
f6e66e432d022f74cc5b74477fe60769cc9b9d344ff211ce41f0a9b4d1abd137c9d06a9a9d12c9878c33ed4224373108ad5be3b5f16d1b3e3c22df35ce5fce99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
003ddcf31b6a1f71fbfaf81d278877c3

SHA1
9b0c1dff37f431eb0342c884ef86af44dcfbac33

SHA256
3de9e64b487ac107bc5585ea162509efe95ff706a57ca2808f570c67c7777478

SHA512
b0a8e9e5e29f761770420e1c75482161b987de828a2f305d237169bb679dce19a50c2a05e39e4a72d152f1b10c80a3f0f7ecb6cebbe828b3e6ac58f456e7f55f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
08efd43d3a9589b898906b7477ad9646

SHA1
cd519beb29da78f8e22061c6e1fd383f3ac838c3

SHA256
36ddffd5991bf646e5d2a378276b47298b33fdf0737e18aa7f02c9e3226789db

SHA512
1209ca59a685b37511b039f092bb0e97d9ed05c5da0d8390f458ecc882c4fe106545b443120e6cca55fcd591054244b8d99cce48b557511c32cc154173ccb465

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
0b15a1145e4cb4487f1c32d27a693cb5

SHA1
86631c1f7df0c329137a48707f20532fabf468ce

SHA256
d0710b3dad17b06884941137ef841c0c7b1d7802d99c24bed01002a16386d801

SHA512
247453c3adcdf0df879b1a13de2f7d3143bf1823c3b21e94c78037b50fd9c6cacdc808d03a1afd48ae97f882cc5ad0fbecbfe27d60f8db335c209915ad2c0d32

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
377c66d22027a3870a295704f6d7f0f8

SHA1
53aa0611257827180d31c548ba0bb960acd0d027

SHA256
8d3a87443ccc5cd67518426f71bbb146f4d51773b8a01ddf9a5f9fb50c0013c5

SHA512
c28eb04509b4f25b3b962e32aba2a03c3427fddad1ac56a62cc22fa1c320761e2e71b7987210c517be553bd871b781688e976810a111d11bde6d26c839aaebc6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
d94d133c93cfa8497bf237eca5844bb4

SHA1
a0f0d16fe34f2ceba65710c11b23cd42d435af17

SHA256
eeaabbd9ed0129ab3ed4bc134d24b87a10ba8df145b16f3f832ffc157dd0c73b

SHA512
4d1384bfbf6b18957196c9078008a38621c6c31e6d1cd06346e26a35dae1a812d33c2d3dac3af416d664670ce4668962a07b632ec0ff128d7bd614271eada853

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
46d3126fc83bee05fb0276b9f7cc29ae

SHA1
93dc50aefcbac371b95cf24462c8c77459dcf3b5

SHA256
52488609671d2ec9265fe6811b488a4b6705793bc60124983fe6c19d9458fae9

SHA512
381968c40c53910fc6c647c74b0935c4fc0cb6b0fa4098b90f35feb7a6a65b1cf93de39de9219d8f91fe2cd5bd8f3647767746c6fc1a314f0644dbd28adf427c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
170aecf95bc77095343ede0657bc5e19

SHA1
192d1386cb95dd801498d079ad7316ab5a95dd87

SHA256
8625d7e59ca14922ac8288d87d5925a3c4f1c96dc5e0888f8bc3272b10126829

SHA512
8d408f4a15979ce111c0be32f5d40d6ad088ab4bcc8c01451b5a41a19f0a9b02f6fd15656ba73d1a1c2740b49e8b2abe6878a54be011355c1ace73d1d9f0b233

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
31c2b5902430f731324fad6a2ef2d6f3

SHA1
d09028d50c930315844d2eeb287751952fc17f69

SHA256
4edf1b000f26dac83d69a6d5565e3b0afc0c2be800cc305c2bef37cfe42cfd2e

SHA512
4b76321f6366f9f8f79378f571056245754d65ee9f6a6a5151950b1a829b5ec51780a8368b635ce731f9be06d92e631a3e56465ded1d11c9d5d7eb61048e3af3

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
8a75c120ac069bed135a06ca43f9d90e

SHA1
a953d47dce8dd67e8e50edef13f6fb0aa0087bbc

SHA256
0688c09ca7a07c4b42cc3516d36e39479b5aa93de8dd0da7d0f6738795f3c180

SHA512
76896ea2ff691d5ce9c3c790dc0bc856dd35b8303123ad7e1e3ad01797c427f801725be16b46000401cf389027f040e253ec5060393d6370a20e8e914ded4c8c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
2c563607e4a53149e157228bbcbd8e46

SHA1
ffae10ed482db5240bc0bf7a6106f97fba51b789

SHA256
75a7711e1b133875d728606b343856199638583e942cafddbdd0cb74427427db

SHA512
6575e2af2850cf1e79d1ce4a6cc86d6790d283bef620e739eafe948029d17982462276271519542153959736f769f53e36c3de75dbf6a00b5068546934b98ed5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
63b7365a855144a977c67d099e730636

SHA1
b94593581c6cf5a380fee4f474dc398c01d61eb1

SHA256
a2f76c433af4c27ea968ffc411cca2ac8815b11e68577b7390e3a0d8317cbbf2

SHA512
26a13223d2bf57273c4274e616f76a09059a88784f5ce9825aa3ef26656c8525cb308050b9a3557bafff794a11e0a42468cb86ba3e0a710747510f5fe6e71a9a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
fb4f490bf30c44d4673f5339906c00ab

SHA1
acc96725f1f8cd4456f128494c2c3111be6287c6

SHA256
2c5a60c7786c00e95fd23e3386629bc3ede2be7eef1da3165ab3f67fb7810f8d

SHA512
d453945d2dd7ea7b2e66041147485a6af26c53512e385e5af347ac5e044e539a979d157ab37ab5ca9f23935eb7d57c11de6cf94e03c76387fd0e99f2ce084103

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
d0e69fec4a928eefab4cd567a4d4bcb5

SHA1
76b8713fc17d572141295e2450044ad3a72015a5

SHA256
795f31049893bf311182372f4d4b083226f562962b324dbda1908b34a972cdac

SHA512
1e098c83f58ddb10bc7d4f92e8f2a8d1abeeb766f16876a454eda28f18dd3c33c176ef79966479b81eefa8f6236834527d6fcab5c1855698816117a95b7504f7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
b7354b5e1fd087d5cb18bdb5f20e5b5d

SHA1
0063e5fe8f9414b307d1631ccd4bce60264b1999

SHA256
2521abd579a4663a7d5cf1acbc7ae3e40c78f11461e9d28301a4ac2ccd7e0b3e

SHA512
a3c5e36d6b6e545a29747ee3cf86b2bde98413701f411ab79c2b3d5a80890f077c5c729ebe3caa9565667a85421cca7f3317481d69c1fffdf97cf4313abb9d4a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
6de05911be2be667ac4ae964763dd86f

SHA1
48d5d14bb418ecd6f2112895578dd8f3b91840d6

SHA256
91f4a2ff7ef2b513aa50b21e2a73a55931743e49b8cb4ba0dd6a76ec5edd95b6

SHA512
b041e43fa79d6fd2a67b1e7d52ef28476ff94372c73c9f0fa9e73f3c1226083043d04c628c70a7c72711f038e043be5242aa1589c3d72ac3eba7715932e70d18

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
303045fa9ecb0d73fac8ad902550cd62

SHA1
4a1594f36feb874b9370b6287abba1d17733c4ad

SHA256
e89e8b51beb56bde4e992b887b032a8cd31d82c1a03f2729c2183a3d1f2eb14b

SHA512
b7a3edddf1d758511639c3dc62317359a876bdb78b762eff5db16852313eb4bebe1fe44bc6090cb861f3619ce813406cec7ded89d49df47bacf094d1ec6d32fa

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
57684d146a84b5b16777c1040f5affa5

SHA1
6bbd0179590c4e071470c1d53680f86b3eb3b790

SHA256
00d37aa64c1f76425ffcc12ee319370000a9040cb16fc03d6e906c9e01b61c3f

SHA512
0afe948ac09629743b8fd33dff9945fca85d938504754dd08b414cc425032f4d7ecce5c126d9d76037843b58146c3e86d6d5c25e4447b4d9b13ebb59d108b678

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
bf4e1d3067cb8c8662e7ceaaf6b0f3e1

SHA1
c755bc80050e83236819d8f918b5d8a504bdfc00

SHA256
fd7e25e82ff378f9e59fc5e425163c0faf496619ff6360eb9d033f15e3c34d13

SHA512
b4d070f945f711bc3044601775296d6febfc60210eb3b3354bd24dcebf84ab30cae2270fd31cadfa098466ec4dd38ad77e91b15e145ab329a17ea802b927446e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
c79ae3fe435abe82370867bc0f39f200

SHA1
bb7e378ccd76faac648045029eecd79b6316195c

SHA256
f4c0f687dd95cbfbced0744cd3bca845d06466e397700fa16c44b49c794e777e

SHA512
d0a76c93ee76d563157d23e51dc6592eb7e46d7fd7f1424e1273abedfe3616d7a621db66fedadc2c679a00aac77b599fea05130967284daf1bf5c2359478c016

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
cb16c9402cc5fb3d80f4631a82bd4070

SHA1
149328240628c7c9be76ec91fb71f14778486aab

SHA256
c0e8910b028b7defce67b5633d0e4fff597c27d99f02f7b70718d43f3f2becd2

SHA512
a6386fc7445e380c24138cdfac211e028e87ee4d899e2545aabedc983ccd2fe9cfb400d428888ba8592145e005fef40b1c43114a2c462d849443b2e942b0ad9c

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
3d335446bcde9e9bc55952512afd3951

SHA1
39408a7ea9ae62c5faec7e8a0da6381223933e1f

SHA256
89d40a2b59fe892c394b8521aaa6f0ea2bdd6d10f399642acbcea1db53c3630e

SHA512
a9852adf454e6a66e173a4f5e97682ef2038e0f393cef8405f3009d02de088984674338684e2d6714a404aea746dd7451494132be7c476c9e7810c4622ba4362

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
e9caf68a7abe97bf534211eac99d271d

SHA1
cb1103bdbdc2173078d222d9e6c474c885613ced

SHA256
117725cfa77af87adcff6cb66096f519efd8015f1cdca1ea94d42e1dad780185

SHA512
0fb1e94ef58a0a595c6a5ae42cef7c23a52affa8cdc09f13d0b6fa9c80ad609576ba1c3fb39d73b35dde3137ac6ab5b795849d4b6751e293b621d82c674db0f2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
ae0c0de35c4158e1c8255a07a548b6ed

SHA1
b493d66a9a732470aab5312c8ca666a4631c5edc

SHA256
e6383fb6e6a06b2fb11950039fb16eab211e9c274510166325b1ebc09b6727eb

SHA512
2ca98e3378342bcaf8e9d3899ed175296379d7328535c8c311c7a8567c8c466db730f7668bc9e79ba49a1371610c67cc5bba941e48cffd5d580336b6fcee88ef

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0576c88a2f9d26a03aeee576b56385c6

SHA1
a16c94a911f164dd8f5721ea584245f12492ad73

SHA256
ad4025c29e4039d7361bf32cd998c3826fc1ce2cd1811c8c43af6e6d139a7116

SHA512
4dd480fa27c8b3fc91539fa93b1cbf2f2ec18bab20740307af7ed9bdc94a450b2dc078eaf6619231dbdc9677cbd8771a2f6f8a8358c25621bb1ca8c1616ef941

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
7127911b0caef7b81ca9367dc94bc14a

SHA1
eaaef4b617f5e017ba9ab1037842b9dbb310596b

SHA256
2121626243a60f676a1d8560fb3bbaebaa6b6e0f5ed41caffbf3d212af40aa7c

SHA512
1fb5c3b4a3d5073ffa6682325cc5a27b51273320f6979947815f009b4770e66844c4ad13a0812f86a3232979d9870eeb2f0ca7afab6b1df57f5b0048dc6bab2d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4adad558d7218be9604c6c8b3fbc46df

SHA1
f31f626fab1ef0fe45cb3f2f52e2bb80d06252ba

SHA256
de384a2133f3f7635e22e11fe951d78f66a366900ed1e36e01db29c9d26c007c

SHA512
33b9171e8ae6c15d99466153706c0ea74363d40c944f85ba8eaa7d8cfeddebccd36485f88adcbc42bbe16c85e127ec00e3b7c345c2e8f71641bd3b123be37fae

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
ea6eb36fd7f4d90307221aeacef015eb

SHA1
d4eac816793304a19f153405e9dd108a2d3bc0aa

SHA256
e00db429add50047feb368c915e8a88562c70e215a0bf9801fa61fbcd85bf0b0

SHA512
7d87ca971981784612d4087a82db206a4ed4369d0d58fc7968def3172bc96b40853fcda6cb204aa3481543f8e5bd6fa6416d0b7f06a44ab54ccc09f4f7ba85e1

Download Submit
memory/540-49-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/540-56-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/540-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/540-245-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/548-83-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/548-248-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/548-75-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/548-78-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1000-330-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1000-455-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1436-290-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1436-337-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1672-274-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1672-329-0x0000000000820000-0x0000000000887000-memory.dmp

Filesize
412KB

Download
memory/1672-275-0x0000000000820000-0x0000000000887000-memory.dmp

Filesize
412KB

Download
memory/1672-280-0x0000000000820000-0x0000000000887000-memory.dmp

Filesize
412KB

Download
memory/1672-325-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1688-293-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1720-269-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1720-270-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1720-259-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1720-317-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1720-260-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1916-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1916-43-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1988-327-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2152-296-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2152-304-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/2152-345-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2160-334-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2160-465-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2168-346-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2216-426-0x000001DFF1F80000-0x000001DFF1F90000-memory.dmp

Filesize
64KB

Download
memory/2216-446-0x000001DFF1FD0000-0x000001DFF1FE0000-memory.dmp

Filesize
64KB

Download
memory/2216-445-0x000001DFF1F80000-0x000001DFF1F90000-memory.dmp

Filesize
64KB

Download
memory/2216-439-0x000001DFF1FD0000-0x000001DFF1FE0000-memory.dmp

Filesize
64KB

Download
memory/2216-438-0x000001DFF1F80000-0x000001DFF1F90000-memory.dmp

Filesize
64KB

Download
memory/2216-431-0x000001DFF1FB0000-0x000001DFF1FB1000-memory.dmp

Filesize
4KB

Download
memory/2216-477-0x000001DFF2380000-0x000001DFF2390000-memory.dmp

Filesize
64KB

Download
memory/2216-430-0x000001DFF1F80000-0x000001DFF1F90000-memory.dmp

Filesize
64KB

Download
memory/2216-423-0x000001DFF1F80000-0x000001DFF1F90000-memory.dmp

Filesize
64KB

Download
memory/2216-476-0x000001DFF1F80000-0x000001DFF1F90000-memory.dmp

Filesize
64KB

Download
memory/2216-457-0x000001DFF2380000-0x000001DFF2390000-memory.dmp

Filesize
64KB

Download
memory/2216-467-0x000001DFF2380000-0x000001DFF2390000-memory.dmp

Filesize
64KB

Download
memory/2216-456-0x000001DFF1F80000-0x000001DFF1F90000-memory.dmp

Filesize
64KB

Download
memory/2216-466-0x000001DFF1F80000-0x000001DFF1F90000-memory.dmp

Filesize
64KB

Download
memory/2752-339-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2752-468-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3452-343-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3452-475-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3472-322-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/3472-437-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/3480-7-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/3480-32-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3480-1-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/3480-8-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/3480-0-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3540-319-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3540-425-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/3540-310-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/3596-24-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3596-17-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3596-84-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3596-19-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3672-255-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/3672-308-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/4428-285-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4428-333-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4616-60-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4616-61-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4616-67-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4616-71-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4616-74-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/5064-35-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5064-34-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/5064-45-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/5064-244-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5100-13-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/5100-76-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download