9eea5b3df9513f49caac87b40a81d34c6b1afda9cdd771f347ce8b7a009bc849

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 18:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-03_f95d733e0535db9fdf77687259ac929a_ryuk.exe
Size

1.1MB
MD5

f95d733e0535db9fdf77687259ac929a
SHA1

8dd083674c26136774d73351220262fc0b34fb38
SHA256

9eea5b3df9513f49caac87b40a81d34c6b1afda9cdd771f347ce8b7a009bc849
SHA512

7718002e2671ac41ca9fdf9de8cd5b0fd09e476e87641f530b73f4e8509094f2baca71cdf7ef0e5e202664a4638dfe2ee25f4f8ad40b1f2ac2adaa6273e191c9
SSDEEP

24576:H5phzGIvN8KFeWROc/Px13mD4/wzXyuWk95i2XJkrQYMkdPE1Ew2OikUX:bhzXDeWROc/513mDzryu1Yrtd8+w2OJe

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1544	alg.exe
3304	DiagnosticsHub.StandardCollector.Service.exe
1552	fxssvc.exe
3736	elevation_service.exe
3668	elevation_service.exe
3596	maintenanceservice.exe
4460	msdtc.exe
2700	OSE.EXE
2540	PerceptionSimulationService.exe
1516	perfhost.exe
2848	locator.exe
3316	SensorDataService.exe
1848	snmptrap.exe
4876	spectrum.exe
4488	ssh-agent.exe
1948	TieringEngineService.exe
3876	AgentService.exe
2908	vds.exe
3904	vssvc.exe
2736	wbengine.exe
1276	WmiApSrv.exe
4128	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-03_f95d733e0535db9fdf77687259ac929a_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-03_f95d733e0535db9fdf77687259ac929a_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-03_f95d733e0535db9fdf77687259ac929a_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-03_f95d733e0535db9fdf77687259ac929a_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-03_f95d733e0535db9fdf77687259ac929a_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-03_f95d733e0535db9fdf77687259ac929a_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3d05de42aa61dacc.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98703\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98703\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-03_f95d733e0535db9fdf77687259ac929a_ryuk.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000862f24da889dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000028b2c8da889dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db6c00da889dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002aa196da889dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ee3f6d9889dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab861edb889dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff9126da889dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff9126da889dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3304	DiagnosticsHub.StandardCollector.Service.exe
3304	DiagnosticsHub.StandardCollector.Service.exe
3304	DiagnosticsHub.StandardCollector.Service.exe
3304	DiagnosticsHub.StandardCollector.Service.exe
3304	DiagnosticsHub.StandardCollector.Service.exe
3304	DiagnosticsHub.StandardCollector.Service.exe
3304	DiagnosticsHub.StandardCollector.Service.exe
3736	elevation_service.exe
3736	elevation_service.exe
3736	elevation_service.exe
3736	elevation_service.exe
3736	elevation_service.exe
3736	elevation_service.exe
3736	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3328	2024-05-03_f95d733e0535db9fdf77687259ac929a_ryuk.exe
Token: SeAuditPrivilege	1552	fxssvc.exe
Token: SeDebugPrivilege	3304	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	3736	elevation_service.exe
Token: SeRestorePrivilege	1948	TieringEngineService.exe
Token: SeManageVolumePrivilege	1948	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3876	AgentService.exe
Token: SeBackupPrivilege	3904	vssvc.exe
Token: SeRestorePrivilege	3904	vssvc.exe
Token: SeAuditPrivilege	3904	vssvc.exe
Token: SeBackupPrivilege	2736	wbengine.exe
Token: SeRestorePrivilege	2736	wbengine.exe
Token: SeSecurityPrivilege	2736	wbengine.exe
Token: 33	4128	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeDebugPrivilege	3736	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 668	4128	SearchIndexer.exe	130
PID 4128 wrote to memory of 668	4128	SearchIndexer.exe	130
PID 4128 wrote to memory of 2368	4128	SearchIndexer.exe	131
PID 4128 wrote to memory of 2368	4128	SearchIndexer.exe	131

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-03_f95d733e0535db9fdf77687259ac929a_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-03_f95d733e0535db9fdf77687259ac929a_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3328

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1544

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3304

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3760

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3668

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3596

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4460

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2700

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2540

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1516

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2848

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3316

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1848

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4876

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2876

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3876

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2908

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1276

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:668
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
feedb1a3d208ba47490c70b6f4b20763

SHA1
5f355c11339df1d3a26e47d7955049ded50f4882

SHA256
89f79dd26bdd1ac7c1332601b979eaafefb0038f2f09fbca9a07534fa1c001b9

SHA512
081ce0364a6b85331312c762a4556db1fe0382b04e51536d02c1f61cdd8c13ab3412aa20af23efbbc66ee2f5037a22f52e16ed14387e42628f35c0bae17f67d8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
b7ac15fb6988078cccc00574fbdffe9c

SHA1
42f0d9ce14e6087bd7a5654362c2dc3aedc6bcad

SHA256
6e2acbf73353cb7c7d4cf6b10e03f7fd66b1e5e5e5e16d219d40d0b50293ec6f

SHA512
b204559682ee6a38896510d46d0d99851b61cb3d291afce5c747847ad275fcb46f190da46c6a367975ba5da50d80a16b49d2d44499e3d41136c08fbc1a68dd03

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
b14db06bce65bd311e62b762b61a30ff

SHA1
ba9335da7644987851621f6822243e3d5041c218

SHA256
078134acc6c284ddbb1c5a357d4ed7d8a11cd53253ade881518c2160f9f1276d

SHA512
585ad9f089a1e1bc6d8f9592cbb332db3ef4852f67bdeec83d462b2c74c2ce97fcb3d55dc037b64064b3ad45fa39aa877ba1034bac7b927fcdcbb6f5ab52b3da

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
691c1b08b17827c96c188e6295cd9689

SHA1
18b7888c31d037fd938f3647f167ed3c3cd61a5f

SHA256
2f66e28865bc242c21e003293b087574beb5e46f68668b9ab4209823abe51a96

SHA512
6c59fc6492e8615ad6c85f6c078dd1c6686e598985605bd75b27ff90f0024d0a2797a12db5d944ce42872b02df602384ea53a08052eb025b48bd22c65044f0e8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
bcb773b0224f468e4b7dbadd6f1997ab

SHA1
a6288d5c81667febd218987f5014eaf3965ca4a1

SHA256
8eba9dbaa231333b584a38efd94bfd467ed3f0dadf2ebe6d9dd18d737f4f17d6

SHA512
066799390da0078e4404a0357cb75ab0f36fe20ecc2d7d7cd9775de345a8cde71586f2f2b2dc07b9653704fefb157e391be8b6490ae46c5d7931454fdb3d7b81

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
9ee6969a363c3a0eb97a250b9f5b6fa8

SHA1
f71f0f6ec0bf3292de6eb068f8a1e4f18f85d875

SHA256
47905a96abe37549e59481fb31e873c065f479d01245ca74b11955ed3c451cda

SHA512
831405ee5782be5ad70ccd54c09e6b85f0cb4ec29f818299221817e77d3ef77ae535b668d11eb111044a5c188d5e254acbaf81626108b9cb33dc0cc3e38f7030

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
f558dc6d542d4c7e94f54fa1b0468851

SHA1
83b7fa7d3e7ca412153a052ae42a9c8a09f361a0

SHA256
7707d031b9788bbfbde81a38b259d463577255e192ad58e8a7cee7c629fc435e

SHA512
1f12169fd33af7f5261469ab2103c9ab712621eaf618bf4f6dad3cf2e8b513320033ed238d323f59aff01fc1065ffc18fafcc78ea27a345e61b97c9061d49f42

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b1597d9a33476d802114ab15525daaf5

SHA1
4488cc7e73decf9a5bf8c1e62573803cab74f74f

SHA256
11513f194a2f5a81c5f483016aeaf699446d301d5d0192245fa070d475b8a99b

SHA512
20b101cf6dff6a716811b11bb6e90c317d597c9a257c623e14dc5994f489694a98fd3aac4c45ddc71e3f08a79e41213bb4926869150b43af82d642c5f4caa86b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
e8a4c584b79a47d52a900952177bca0a

SHA1
05a5b3554867389bad3dd9a9da6f5affe0dab21e

SHA256
030e47114c54f53ed78d0d49174f57d2266f576366a5da679a89fd6796df8ab8

SHA512
4afe234ec0c50d2149cbb6ce51f1871ff3b15e3e10b57eb5dc2ad69a4752cbc2f57472cfe04a5bd708baad77701c1c250be7aad2d671d95167b5ec68084da782

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
97fd3e10202c03a0dd6548f530884674

SHA1
f96d65365710c235764eb7a64c1296d9593a5119

SHA256
42076d86534d3ebf2da3b95742810f4737b8a8e7653288caa44b283e2784943e

SHA512
3d69910daa5f88b650d1f200b190c52d68dd31032d75060a8e1fdefb876f0ddfbe557268b39a07043ebc248f9cab2f40851884cdc731897eda6d10f9d8448aa0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a1b3d90785f2a61d262b93d59de2f6fd

SHA1
e7c6acf9d2d5e5b59c89bd60841ce8d48fe75af3

SHA256
17e394dcf3c90444b5f494aa5bac56eee04b742c6dd2b5d9ff071680a031ce88

SHA512
848a986b8c5c4ce86ea5e7c669a76fa25dcf01bf3b69d0eb5741317c1246da9fe3a9829f37f975183733bdd50d01350d777138d0c765902c5f6c0595aeafa556

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
16d100c06f85312ab6f21e8aed1f685d

SHA1
53269c8043c0c05789e5f9fd73adc4c8b777dfed

SHA256
d09fed0cfcef08ffd8b216222951afaeaf9e6c17cbefa9829f0f5f420e5888b3

SHA512
cfb0e9354e76c9849d2b40c20b0a24aa3389f6d98089d63c1ef2fce583dfef0a0d09f60d38342dfb2cf7d9822bfced0cf939b794e510e74fbe86f71fdf1a6014

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
242d788461d97e38bb68d1dfdff88240

SHA1
8ce25571a52a5055f6a62b4287ad21f842fcd207

SHA256
72ae364c0ce00a65d6dbfa129359bdab4e8c140c50f21c67eb70552beb2aad60

SHA512
8e1b8cb638c2f77f68776fa0a964c6f45f38982eb682e04e4fba6d0d0d1adb289ec73a2330df45b5296272603d9bf9b2d0ddf93b96b47c96054509d65c77d7e8

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
0160443297a36fda5a9789f011ef0611

SHA1
eebed8596dbe3cf44bbd6525cdaaf699833d4c12

SHA256
39295ceb02e56cb1b7993f42adc47d245cb80a936e3475c62dcec24c8df00bbd

SHA512
2e780a88eea7db6177a6a84db73d57b61fd76924f58f9efaac66a3262fe19bf395277fe48864b948999a98a0b68989d9b5a5631959347b4de63c52c6593022b6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
9fbf0c92891e20fdbc7ee59b551d1bef

SHA1
8dbc67f66711f48fee129b1d5b7bcc7c92b87515

SHA256
685ae69973b4e2ef61fc5ce72f4e9f27c025a48d77c1a415381f31e4afe58802

SHA512
ced1eacb64bafc15caf33221a43c1a74f6b56b25f23f88c84e06613e3e7e2ef5e9e96185e8910b3cfc592a36dab5cde3a2ba6f7414641699c251d11cdc24ef31

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
f393cc9ba5da59f56d5ff87a5ff28736

SHA1
123f1669abe8d37cf22f9c6fa1c10cd7b95f34f7

SHA256
439a01441642b9c754af9370acadba03a580eeda43319b35a211cb5de77a48aa

SHA512
4de87bb511caaeb8fd49a44c3cc5b1dfdc57e9b96b2afaa4a5fe2b99597cea21408b477d19e089b5a45e1419057b14765727f4b43988f4ab8248cac8f2876c03

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
2c5ca38fc91ac685dd78b7e4adcdbe2b

SHA1
4edad0ae31ea1db4d7f8af716b57ce8a0be3b11b

SHA256
36c640d7657828d5670e590f33bfac22c6052ebaf81781f170832323715fe577

SHA512
5d6463813d43b0726c520bcd49a6d3c1cf8f97e16c6acfca9a8f1bae3c85472a27d5641d7822a188b55d7b75121ed16e35b461b9c9c326931d74d2a16f1dea71

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
f5dd56008143774cdcafabf2e8a4b662

SHA1
aa68bc37b53c155caa1914e83f13b002feffe47d

SHA256
02616965e708c5e190b5c0cb9ed203a022ebdf4e7995d28d98d7fa557c2df802

SHA512
a68fd8b368648b160963a6a222f56c29a0833436ec9deaba3bdee1fa04e2cc0b417567cf9c654ede415d70e518371d46c561bfacf1cf59b2e56829d7337e8dda

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
66bbdbcc03c923044a593e944c3077c8

SHA1
aab431c547a0ef786bf49611b9e997aba9812814

SHA256
33b7871b34e6da4bca0c0b846bb43f06f9edfa5d312b421d9c09480ec9c8145d

SHA512
c9a28fc1a03948c3ae2d34302bfba4549b18c539c941ffc06fffcbebbbdbcb3d0162bf3389e6f878f392cb2900ee3941f3bfcdfce3ef20991535f00dbe65a830

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
bbcfe78d69324d237150eb118313c2ee

SHA1
eb700cafb5f11f6dec61c916b8357e49e9366bf9

SHA256
c1d8f1e7f87656e97e902d93a7ca81560dea90ba9fe53eb54408e8974f2c554e

SHA512
458747652921d3b3373c6be61529e88dd496467b80502b2e3c7085977a8ce7e9c34e252702e0bf264be3d340cccf9c847f37117cf2efb998d7498222d72ce809

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
f11c405502b0a50478238c5c2c11f0d6

SHA1
68b6a077ae3507f9d175c95b88e5915737e3c6e4

SHA256
8215cdcee702e60d65441dbfed8cb7ddf4fc4067bb67ae4e5c9ae41f1d2f1357

SHA512
d0d476cf58d3047a9351e5b895a59a1e64ee7caf14985006469f71d9a9557a55b38522a633387f4d9453a9f5cc0710452351ed56ff2f5a1f51aff5d6433a2546

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
1f7766673a488245314fe84f48cd7142

SHA1
95f88bc0e79cc529e8913773b92c06fda01e0ce2

SHA256
aa7c0934004babd7cca5956b744e1a799f2c3e46110c07cda7c0d38e5e8e3f72

SHA512
1ceaa5d88b84f15d1930da6d47220e5ac2728f72fbafd3e50641227ed472847b68bf7cc01e233dffce976d96afe4357e4812eac638a124a3206d0346a899e7f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
f90f64ef7851f59a6d45d6f492b9e1f9

SHA1
5aee6f486531e8ce04fbcdf6bbc53cde5d7bdc44

SHA256
40d06709da0dc51c4718e77e3ee7a4906d68b339933e9458a04dac6d493e9315

SHA512
147bf4363e31e2018f88192f18e762c389cdabac659cb00e00bce8a091d195b54722898c0c6838a21c1e1867da1f586b3b6606ba8ef39bd5d2038adea9691b61

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
6e1a250924eb92d5552ab138c54cb8a8

SHA1
a8fcb6de93a84e09421f2b54e29a9e58e9f03c63

SHA256
628700d44928b4fda2faa95e2ddac0d253b311c601e5ae2ff1391cbf7e1df556

SHA512
d81e0b968186170a32ba464f04b1deaf4b4b882a459d5773ff66e61e8a946f6e84e5cfdafaac091601d0c3d70875d6b5d0ee0556828a933b5eefb5f5b85ca86c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
abeb287e828437c8dfa88a196eeddb4c

SHA1
c7b200dad79c1e44c64649615637b92f26945f0a

SHA256
39efa947fe8eb2bac29bd6411086f981b0b46957cf2dbf20067dc96c6eab25e4

SHA512
b8f963ab9f0c80648de047f7925af7723718353bdb7d60460fc0d885d9a1dadaa7380976ccc369c36157ed96cdf37b5b61ca8b1121933a354d2a77ae0243102a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
db3831f909b7680ba90e962ea08aa3af

SHA1
7d75f3403707c612108e2b6bc878cb794162eb13

SHA256
c102a4d804c5bc5fe8bc73a8fc8270a82ad4333a751997c3776352fb51cda113

SHA512
6f36bcffc9aec55bb48f488febd8646690bc281a903cae2a4bd508253ed1c5ecfa89e830a658da88d31da253566217ba87ed6805a7d78e85117e460127cb5c53

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
14c9f3aaf9a28384721d81a87d857c89

SHA1
f121cf0e2018210f75eb121f25881b8c846222aa

SHA256
091f5dad2d830d4237d8ce52b9602b322af95e431fa96126929fde187a5c4088

SHA512
26782b8d37b73629632e401210642a9a4413ca996381129e680587edc7c246f01bd6fc601a4b46f7610677d4e7633267be43e63a5e1c8200f68f187439d8b59f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
0033ffc7e67adade7d968d1ff177480f

SHA1
904a69eca71b23e18be053543d54669ae9d20c19

SHA256
76f397dd2975c57acf5b75c3011e5a4df5ed4e97ee6b059a28f6fb0108628590

SHA512
410d7b9ab6812ddcb20acdee27466ae45d0817cfe7565679870ef6acc8a32493294fabbe3ebf7d1c7f08fa61829f81532634ed71e59ad9ce6c8d7df7447ff6e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
82947a3b968075b23cad5005be93b233

SHA1
e041f57e7a4001b5f3f5996ae4f181d5e8039fad

SHA256
8ca0025575865399e41f70382b7dabea96c739b34e0bf26e34acb8659a5e4b68

SHA512
a999789e711644889906e015e1f75611e80c8017a5e060f77ca2e763bab2bc460d17856feb403f5b518ef9fd4d70c53c62815d61513372368c22b3a48384a18a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
a6b0036960586d8eed4e4b9b250e4bb8

SHA1
7b3a2416c21051f5bc26fc84bc1c4ec0c351b057

SHA256
aaa46133269802366706abd594909ecde0bfe7df01fc09c6cdcfff0cf1852395

SHA512
22720c022dc31ea38b96527765a053ac785b806273b1d58f0bc58fe209701a2e79f57b77e16019e971be10dbe3e8d7e2e14f07208ee8122ec87e10cd90e76f82

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
c1af0468c479b86c1698285cbe826122

SHA1
2b49cf623704b4cb885ac98eb513c2b108014074

SHA256
e9d72f778c640da616682db1812354e149c3350cc51f5b8f594b4f3d2124a1be

SHA512
b2a6a5bdf14b556840978a67e93727a860205f5a711f7cbd9dd05000ca1c5c39feeec137fbc6c3b8b4bdfdb9e082dd82b47c87c867d476abaec542ab757e3887

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
2d59e31f3508750d5d82e6850a44c224

SHA1
f88534334d3e809457fb67f27b476241c4dcf50d

SHA256
2116da6655e9b68623123357834933b4dfbcb1add1df5064fe6b7aa2451d1196

SHA512
1ec4aec33feabc2d3ae709b3e1ef3c46829138055e780c89602e781bb457a929fd0bd5a6bf58372c2d3be907d052ac555761fa93c04841bba5ac5cced6c47dbc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
6c8fb9414034d7889efa07673b897fd1

SHA1
609e0d6428345de2fee4d7744705f6cd34c4cb2d

SHA256
5d4ed958acc81b5102ead86ab07f4973546b628b625e729f68fd31209a1abbd2

SHA512
8db870007d467e32044c1700d7ca71a500ea16cf3a6cecda58fa940cd4993a2ff2b984291e49a19b5ed9c39836157a70a1abe03dc0a3801a75248f570cfe9fc1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
2171e68d741cdb85767041428ab55e8f

SHA1
9ed04bdb1ccf4ed22db358f6527cdc411f9c7cb4

SHA256
bcd955deecf3d675d491d46e238154cf15fd103c840d780c82a788bee7d6e16a

SHA512
b8f03c03d1fb41e36f85efa8530faa9d5c31f87046fb7d3a9bbe732772f3fb6237ade616573637541230af4fdccffdd336a68da33e793b3fe179c0b224665fa4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
2f135416be16f2558a449d663983ebf3

SHA1
f09b696f6f70563f1baaba3818a61d4c019eefe1

SHA256
326ecde4eeae463e01bbc892e7f89403b1188de54d395c366b431b5ad3fedbed

SHA512
97af6f1a247ec302307f49f89e333bae6c9fa785a6d1ad9503c7c6ac1999f8de14460ec897a624d19b360e9629b62828ad07af7cb133b499d3a22f207ca57584

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
5c99f258857485ededacc65a0c59a548

SHA1
7a3feb434218150a47e1ee44e5c01bf4507e1b1e

SHA256
b60a1fbbd4ced4822c1cd603d7b92ac220f5abcbd81b351f412ccb26af50331c

SHA512
f54414cc0e29ec25a6373be2d52382f47f2adf05fcb588fe9cde0140fb5782df5ada06e23237d1cfdc79c940e93c0849d1472ed867d28b6b98dd73d55faab909

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
45dfd7c1e13da4dd82ce9781d8f7ce5f

SHA1
073bda7a2252b09d2f6ffd9c4ccd8dcbcfa18ea5

SHA256
ef32951fef75384fdbebd59688dbb08f72f83ca4c941025e2ea38381f05e92ef

SHA512
d0e84189f9d205c6721084feaeac67b66488332c3d265b4c2bf09dfb711f3b918a9df0ac418313474c0d45e863d13e169b071fa088ed9a14949972b67891e6b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
9ea0d01bc7cbfb81d0fd96ade09638b8

SHA1
e33532d7d12ad0aba6d720ee2c6c847cba9dcf2b

SHA256
1cb4e5a922a9221ace060bd22248ed66b4f417e85a169f5c6fe28c983deea932

SHA512
d70787e5386ec35ecaab03a76257617a60dfdae4c086fb4bd430aa40658dcbfc1d9f04ba164b5b6d304f693676b254edf7dc0274bf688a3f7ebec138417c20a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
f76130413b710677943285607ce76c0e

SHA1
821fa67601a355c4e1f95f414bd39d294852d34a

SHA256
91810982102431120b0b4aa906c8b8d3f273e0282b1d2b37a54f0fdadb1a40df

SHA512
9b505a3df6f39c24e32c05884d899a15dc289bdb851823ce489341f6d2af376b370d7b2de7ecfc6e26181cc71ec853240db8618c581fd876d3be062c1dc9f3d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
d43950641290c6c2175ae1ad61f950a2

SHA1
b665ca9d25361c4dbccf0d8676b99fec59ca6e83

SHA256
29a8a6abb0c93e34684b64924c9033e61e0f83a4b5b4f76c23dc99f988881c47

SHA512
58e6dc2d6243d1cd8614c6602d406fd3c15ddc1ee8f91f432cf177f8a80b9e426f3ef5432c9419e168ba89499a2b4810cced6d6f6be161d5aa8b2f8f20707179

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
79ad26d469f70f2ebda1ce8ce35566be

SHA1
01b7125b97e99206a29eee1e1284aced21a23285

SHA256
d96b1f1b47903201eb606af7428f90e465c30e05df3066480e3eca1cb9d7cf20

SHA512
36c3870431508ce0ff8d1e58728ea1f94873827f8b4bfc3dd4f42e3c9cfa5089cb1bb248151f75703d9e50379f94ff7aed9172f1a6cd852312d5487749e09483

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
5125815ce808ac279660830457869208

SHA1
aa949b86f607b74155cb592f14e29c55c4b346b6

SHA256
f46979563c08f9af6894b675af442d07557c757367f3c3c7e5c50e5cbaaccf0b

SHA512
139b82add346f06105bf83305e81fc0bb5a79a3509b9ca2415904475bcc3e757c75b127c91bb16d85afb834d9d69a874117e99ddd55368fb9a0a3a9f33d5751e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
351e07d5093e08550885c2bc1bd9681c

SHA1
5a1de69458db8218b505b572a1e9eb7597b03af1

SHA256
bd591013804511eb32b707156486063693eaf3471b6c32ef71467024ad4b9cbe

SHA512
603f119b32319d280428ba98bb6f379ac03aa944351809c6ac11adca4fb60e14a06e23884af765328e7a9396e0e7e3f722596748fad00d3c7f0e39a344e60b43

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5bf8587905ef1db361293d32b00fd8b7

SHA1
0e9e5357a992f27756d126461385b8300f136d0c

SHA256
6113f09d80507db847024e96336d182ca3759ea47041033b9c340f177f9b68b5

SHA512
08e94168e8c07ac00c26f5a50f0a1e97e12a5c542ab8d34ca2fe8f0135413d566aec02ccd3f93c19dc091efa7ddcb8e2f74ed123459502a46238736c2803c2a2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
b87ef06629990c32eeaf6848c7a7135f

SHA1
41efc9c940f7655ff85496bdb68f4a56708b850f

SHA256
0adb3c9156b729a52b29fbd922dcba6027ce0d1f8d2793b0ef6658d6d71acf08

SHA512
57f215da3afa0048369d8faa6bb4e073fdbed0fcffda8dea505c32ed7f60cfce6aefcefb7115ac7efa2acb1ba4043f30a19ebad256b65f1d04b364fa88b90a26

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
642457d1ac775267fd52b55d2e003a40

SHA1
10ffdfda48a55702082cb9e8449c24b197d464d1

SHA256
73171b7fcb2f2a6cb64b71faaa0b69e5d0fd261ac34126110dd05eeb69f72d7b

SHA512
93b9483ca51b74966076c934ed9f6e140248eed49bc398d8de83d3e84bd26634040f5da4720222b4c4a8bd069b3f8a23e547428744dd51dc54bb23f59a745cef

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
e981ce335e2fb0233d092746c436c7e3

SHA1
9dabdab74e8260af5875aa589e1270043a2cced6

SHA256
92dd01627bce39ecfa5ed933b4aaae4acdfff81b2eda9da5604a36a1e62c026b

SHA512
2933eacdd5b0764404cac091875ab98b95685e346d2d07bd3d6335444f5d57041a09504e5c537d7829cc9f0555420d972155f4de3c324b4803a9aedec04c70fc

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
7086435f1a0140d8d28d6d74a6a8adf8

SHA1
13122c0f59e48b276dfea61b461bb4b8b4211614

SHA256
ecb832094f6e3062a22c2473eb3c48373058afce716bd581396468bfad05ca43

SHA512
ccb744987addf9c7b9170ae4dba2c535828857445312eab186f5ea435da7ebcfe7afd6bbf2b7cd06eb88154f2c6ba6728b28789883e2882a8460e2d2e5c4c7c4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
250562eb91af88eae456062d8640a154

SHA1
f708d81c737d582f25017422b5ac83da649c8766

SHA256
81aacddc75f8dce54309fe8b29f257a20e7223cea133e569a12913b1f28c667c

SHA512
710655dae8409514dccd3f36394c6ab6e224c5e52e3cbbce33309a3ea78aa66d419430d5d303b5539023c24e4da59468f3d6d375d71f550d424c4503807cb2eb

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ad6a0ff6990d6765d63f68a088f4360c

SHA1
a43e6f524d74c4841f621314db6b353875d35f1e

SHA256
c569d53d9f552ce8d2fa4fcd8deb3b6cc32db54042c59ff036cda21101e97f3b

SHA512
6aec4713765ef872ebc6c171b2d4d703c40b3d5376991cca3e933985cd77b30faf7f52c0e0eb833b48e394fe4918151ace1ff80ffd8e8a83beaeb6e8dc5264b9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
4a213574cb0028e7aefaa7064dfb79f6

SHA1
095063f0d962fe60991b3330eb7e833afc6636ca

SHA256
5539f38f0ca736d76b24484ba839dbd75f93f0264966ff89ae55cd7f2aacaa67

SHA512
b1782ab04317d12866ef6ae0a50b62e7d87e330366d981e74dc9e15f386648083224fa073b3f09f4e6d42bf5e76830f1de39ab74785545b165c6bb39de2b755d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
29e4e845b71cd8723cd3947f01df59c7

SHA1
d5e7038fc052993c390a46483175a531eee33240

SHA256
68345f469ca11958bb68dd3b9ee43635b9bddd3c89fb97d8aa00c662ee6cba40

SHA512
532e1c0fb67a1921340c979526ace226737974ffb810514c637e539b6928fa00ef0f0130469382314c6fd902ee91f8aa8dd4d6dd19174807fe4d9fce189216c2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
3b171f191b119fd0f16310d8e80a415b

SHA1
b65021d9cae96b4336bd8ad539cd22138ef6e8cd

SHA256
e62fef310265f20038be5ecb39c3bd6e1ddec59056a279143789af7bc49ab99e

SHA512
a023683b01baa6893db9e5d530139006cae16beec63c5290434b11a0d8aaa362e54f7a7ef427c2d43ca73a958131b75631ab016fb44ae803e781b110ae3b3f82

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5d5f94cfe1bef1056c1c9bfb970cb72f

SHA1
73ad73e5fb51252a8faad277b7dd2f63337eccf0

SHA256
392944007bc00ce04dca3a0dd27c949adc091584d0d75b3bd95c5f21588faa42

SHA512
230de7a5cf602d89f5ee2246b1f403a7aed29c2694f3a47880bcb9ae91af1dd0f46e1e7b5e7101f95515d8fb6da4bc474e4030402de14d9f3242e85e6ac65935

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
c93f2b7f8296658cd4ee467039777613

SHA1
639fb4446e36c0e39adac8a46bbe052f08eed3aa

SHA256
9b85b053647742686272543b21c729c69220180ea04dd0867010d1c0d99fc52a

SHA512
92212ea1336b89e0401368aad65563b3d7d239b5fa2fb2088663b28dfb0bf360f276c0fd4d5972e0c62b0a57ab4e286ddfa827534c8506fa7e42823286a10dd5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
9f1a5c94f2f870a4d5d8fc009e6ab7c7

SHA1
7b372052c910a9b5a01fb28edb4bc0101decf037

SHA256
a35ac61aeb2576423d77248d58e74fb6d17ae279fd3482375e5cdd77b232571c

SHA512
e3d603d829352a4717eb9f9880707ee316aa839556073b70c07461320463aee9e45392a79bf80dd9bbae78b66c5efd873350731a622c6eb397e915ccbcf3d523

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
fb09d0ff9de2206fe98d009bc0087e7c

SHA1
88f730243256ae96d81e286623959761725261f9

SHA256
9cb24ab3cc4c3aa04adfcd76f922a4f9de75ff151de8353ff396e281178f22be

SHA512
6af3a2cdb59fa3fa5bff326e378bc525b7ad2f903f0808ef4fc9b0a43af6f6ff2efed8cf70d10067a61a1df5aee7f1aa71376b267895bc8ffe8dfe366977ad06

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
623c848dadc3f870797ef83c3a120a8a

SHA1
ab63f02961690b104713f406127a4fa1eae7e0dc

SHA256
bf90be6755aaa14e69a01df9cf5abf2f9436eed1d08738349496aa17a2584a5e

SHA512
16451aec72fa43d8f4cf271d26d8be29dafe3addbf351fb6f5afb145c28ddc1de877ccfd59793c1bc8adcb501ee142cdd0e1e85241d23e7dd61239f986b62e2e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
ffbbd18b3951c4153c9394a551eb62d7

SHA1
d5177d28bc5b77c2d09bd102a85fbc3d4c0cc0d4

SHA256
b1783947f4880bac5695d60e7ec27929a1db14d0243df586320c719603cadf8f

SHA512
d69d3732b90c66ebec9eaa8a3d54d01204331a5edd0e8bcd7ac83edcc3d7796157cda1e35ba68bd2f583bd256e4d858d0dfa7e4d820ce77921346d04fb85cfc2

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
cbabd2d9ba5ba24969da16340f7f6e0f

SHA1
547686909fd184edd3172b59392f0dde054f4abe

SHA256
ed77d24b7dd9c0da145ceaa82205fa416e6a1f441e13477b8a2c2a9ab4a13591

SHA512
089ebab6c0816df68f34837100580de7882ed44a306d0aab2e60969dac539672bb10de438bb7799d18f2110d03f2665186b6f4123e45e8f0bc79adb3a8b83dd0

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
4d0f2cf9378d9ac27452b360908045e8

SHA1
b19441c987b4b962bd3b70452cd6853e3df10582

SHA256
19317c3f575d4371115cee049ee9c7b97c510272d503486ddc8489144d949fd0

SHA512
2fabff8e9bd1b90a899aaf7217337cd62d23aa8cebabbe3c30a598156ebcc4ad6896f9acc00403d7ee619cac5a48e0fa9d7cf4d2499f52c48b73ed6d8ac85a81

Download Submit
memory/1276-553-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1276-334-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1516-273-0x00000000008C0000-0x0000000000927000-memory.dmp

Filesize
412KB

Download
memory/1516-272-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1516-329-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1544-13-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1544-248-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1552-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1552-43-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1848-290-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1948-315-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1948-547-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2540-268-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/2540-325-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2540-261-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2540-262-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/2700-169-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2700-85-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2700-79-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2736-330-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2736-552-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2848-333-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2848-282-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2908-322-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2908-550-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3304-24-0x00007FFED9E80000-0x00007FFEDA149000-memory.dmp

Filesize
2.8MB

Download
memory/3304-251-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3304-17-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3304-23-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3304-25-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3304-252-0x00007FFED9E80000-0x00007FFEDA149000-memory.dmp

Filesize
2.8MB

Download
memory/3316-545-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3316-285-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3316-338-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3328-0-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3328-76-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3328-70-0x0000000001F70000-0x0000000001FD0000-memory.dmp

Filesize
384KB

Download
memory/3328-77-0x00007FFED9E80000-0x00007FFEDA149000-memory.dmp

Filesize
2.8MB

Download
memory/3328-9-0x00007FFED9E80000-0x00007FFEDA149000-memory.dmp

Filesize
2.8MB

Download
memory/3328-7-0x0000000001F70000-0x0000000001FD0000-memory.dmp

Filesize
384KB

Download
memory/3328-1-0x0000000001F70000-0x0000000001FD0000-memory.dmp

Filesize
384KB

Download
memory/3596-68-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3596-66-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3596-56-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3596-62-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3668-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3668-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3668-54-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3668-254-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3736-38-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3736-253-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3736-32-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3736-42-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3876-318-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3876-320-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3904-326-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3904-551-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4128-555-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4128-339-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4460-170-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4488-546-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4488-312-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4876-544-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4876-292-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download