efd5d3f82c5913164c1ac52bf055beee2200fb2e83ba7e7f58ea228b4f2f3ea2

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 21:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-26_3adcfac751f3b8d1c67bdea6fc8bb43d_ryuk.exe
Size

2.2MB
MD5

3adcfac751f3b8d1c67bdea6fc8bb43d
SHA1

b421a6421a5871273ffaf6e9dbf81b4d50038772
SHA256

efd5d3f82c5913164c1ac52bf055beee2200fb2e83ba7e7f58ea228b4f2f3ea2
SHA512

256c43e4c90279bbc7f89bcb307299797f51108aefa1f00fa8f2518f7fa8fe321375c46335aec294feec5d42071d4db8f20e4019de984755e3b6a1b1efbd05ab
SSDEEP

49152:yOOh3aN4kuLbegmtGMXvYMLprznyDSga9:UU4ku/ctTXvYCp3nyG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1916	alg.exe
4364	DiagnosticsHub.StandardCollector.Service.exe
4896	fxssvc.exe
616	elevation_service.exe
4588	elevation_service.exe
1084	maintenanceservice.exe
2224	OSE.EXE
4348	msdtc.exe
4280	PerceptionSimulationService.exe
816	perfhost.exe
888	locator.exe
2324	SensorDataService.exe
4816	snmptrap.exe
1552	spectrum.exe
1708	ssh-agent.exe
3228	TieringEngineService.exe
4504	AgentService.exe
2232	vds.exe
4860	vssvc.exe
4952	wbengine.exe
1804	WmiApSrv.exe
64	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-26_3adcfac751f3b8d1c67bdea6fc8bb43d_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\abf8b3a7c3a5208d.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-26_3adcfac751f3b8d1c67bdea6fc8bb43d_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-26_3adcfac751f3b8d1c67bdea6fc8bb43d_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-26_3adcfac751f3b8d1c67bdea6fc8bb43d_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-26_3adcfac751f3b8d1c67bdea6fc8bb43d_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-26_3adcfac751f3b8d1c67bdea6fc8bb43d_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d249e55bb3afda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c06a875cb3afda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000493dfc5cb3afda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005b6b685cb3afda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b91e3b5cb3afda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af09665cb3afda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4364	DiagnosticsHub.StandardCollector.Service.exe
4364	DiagnosticsHub.StandardCollector.Service.exe
4364	DiagnosticsHub.StandardCollector.Service.exe
4364	DiagnosticsHub.StandardCollector.Service.exe
4364	DiagnosticsHub.StandardCollector.Service.exe
4364	DiagnosticsHub.StandardCollector.Service.exe
4364	DiagnosticsHub.StandardCollector.Service.exe
616	elevation_service.exe
616	elevation_service.exe
616	elevation_service.exe
616	elevation_service.exe
616	elevation_service.exe
616	elevation_service.exe
616	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3048	2024-05-26_3adcfac751f3b8d1c67bdea6fc8bb43d_ryuk.exe
Token: SeAuditPrivilege	4896	fxssvc.exe
Token: SeDebugPrivilege	4364	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	616	elevation_service.exe
Token: SeRestorePrivilege	3228	TieringEngineService.exe
Token: SeManageVolumePrivilege	3228	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4504	AgentService.exe
Token: SeBackupPrivilege	4860	vssvc.exe
Token: SeRestorePrivilege	4860	vssvc.exe
Token: SeAuditPrivilege	4860	vssvc.exe
Token: SeBackupPrivilege	4952	wbengine.exe
Token: SeRestorePrivilege	4952	wbengine.exe
Token: SeSecurityPrivilege	4952	wbengine.exe
Token: 33	64	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeDebugPrivilege	616	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 64 wrote to memory of 5128	64	SearchIndexer.exe	137
PID 64 wrote to memory of 5128	64	SearchIndexer.exe	137
PID 64 wrote to memory of 5152	64	SearchIndexer.exe	138
PID 64 wrote to memory of 5152	64	SearchIndexer.exe	138

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-26_3adcfac751f3b8d1c67bdea6fc8bb43d_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-26_3adcfac751f3b8d1c67bdea6fc8bb43d_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1916

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1904

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:616

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4588

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1084

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3900,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=3800 /prefetch:8
1⤵
PID:1084

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4348

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4280

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:816

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:888

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2324

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4816

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1552

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5048

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3228

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2232

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4952

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1804

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:64
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5128
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
961d6d71a750ea1a4d5aa9f66264778d

SHA1
ee3a1c88371a515122d305efc56d459f6d50cac3

SHA256
8d5403fa7750a1abd045e8bf32ab54f6c60f5511cf4ec1b6f8879239144f035b

SHA512
fe3f97ff45998b757e0f3a081f1e43a5b83d93b8a4caaf75d0306f2edbbdefd29a754a1feea942cac32caf5e32b9d3e2bf31c08ff201fa4e95445e5c49382926

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
8428e17491c0f6cd50a7dc2b5f081b05

SHA1
ecf4a6bfaa570f68274858f059ed3950c7287f83

SHA256
ceee52644b00ab69dd7614df9c7345dc2fbc2116d42bbcfdb338f9187c0f5263

SHA512
626a8f0e51547679f48719810d436256f47c8d20ef7f3d5988efee1b7844ecf5af0a53b1688c52af1d680eba67af43a9176a455f85d0983637181f454e02f58b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
d34f5b705a748e84c58e503442fb3083

SHA1
ff54950b96cd7491b526720c854fb1ec3629e6da

SHA256
dab32ca0151bd1dc619f3356cbfcb9a19cd57511174aadc030f217b8adc46153

SHA512
9ba95721a2ab30df1575facc53a08510e96043fad0de316836dbbcf1c57b4fdf520ae2750e318539751bdf6fde46e84d09e791c20a15b062bfe36e2ac042f2ea

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
26e5dc57c49167be5de943ad6ede8b62

SHA1
55cecbf09d15ec9c1a3ad0f39ff8389aaa4a4ec7

SHA256
e9a656fcd77c612be54790baed79bc887bcf60f7acd856686ec81099692792c8

SHA512
61366cc1d4cbb17063468a09f15d6d8a5ee0ececb383d17f9277fd1980bc1ce740f25d54827b2cd80de107696aa5acbb2ff0966953250f7a04f6299221ee0987

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ad27c8ea39837e0b52f741d44c9ed3b4

SHA1
59615415155a8b5663e12df3ef3ae821a86dcb44

SHA256
215397834e7d19c7fe2a7e05d5f1aad844ee928f712d00ffef5259ae4ea508f8

SHA512
1fa8af0b8d4f95f4d2cf9d997a61e04e8cd21592d6916b5cfb8a2acdbd58e506b1ecf0b314c7144884907cff2d7f669e0dbf0b6da730063e4668e77d6640e730

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
87a6a6c87ee6769f959f297a2d3cf10e

SHA1
cff887218f7322a9545a62caa9a55ad29d9e7661

SHA256
eed71ee27249d572d93e1dd9712e27288c914031e8647ca6f5e98085b775529c

SHA512
5b1b633bdb1ef96af17f005a6741cf21526e518579f907d0359b2635a6617dfb9594a2a64b5fb511d9bc02af163d35f112a4ae9c4b3abdd0875807da19f613ce

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
31c1f62b47d39f5876431b6b6b02e6e7

SHA1
b744e75f0a5bdcc6efc4053d53d95f782b6e393a

SHA256
8b561a685aa30f73caa08903ff100f70242c1ab10efab52e33cf10b4dd65845c

SHA512
6b21cbd3cf0c132485d7086751d7be99d0ac4c95e3a5f9a604512fd2d5c0e3b9320f8aa706a93106687d299452fe265c9b6c90b2d5699c37c95b7e476d23cd5a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
647c6c6b29f582f0c1b62cda94cf321a

SHA1
9bb56ff65d677037f5db406c74278695cdbadde7

SHA256
c92d62a6c538ac64fd9690a20e0dbc8f6f67ac88f47ac10d9ef8b88c7fd04f30

SHA512
7264fe890991c19f0ad87c1ae127cdc993ce8027429ba37ec8183f75e6aea232c1cec121df4cf0b4cd5c49029b056c0930961214f4230e7948ffb19338de1837

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
a4d0fe9082925255298f5fa00d9b1f22

SHA1
3e82ce845089b03183c94e66c3c3ea4400243a55

SHA256
2fa2f029b1d8b6c6907c7e6fd24e299fa1475b5357ad8f4daab0754effb2f77b

SHA512
7c0e269769b345e73e79e4bbfd044a8d58dd6018a01624c7aa708c3f9abfdb4a5ff1d1a1d2f17b3baa7f018af91a455239563378808c6567312f4565cc5c6abc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
78a58404a87ab58007ce4a59eb31ed00

SHA1
3f0a158b99646af304e0a2ff47965ddd756cbf42

SHA256
719d0ab1643168262a13a276519fd86be664fbcd48b33ec46c653716e02fc6dd

SHA512
7085723bb5dce574a3e04f2aebfc4a4b6d3885e5f11195d48623fe8b99a8004949eedff2893d85f9b6a84809aa6b9ad3d01f53bb0de17a9f239d05be17156df4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b1318ec791338c02baff218867c9401d

SHA1
60f1c449a1348734116ebe989e026494b3f8af4d

SHA256
39bf77e7284c95faa330c60663da7d121884029211167c5c1f65c1cfc6e16931

SHA512
5d368db08cb0c2ccdecab4f79de12f0889c224dbf04089c0b3b877a738cecd9b18ea350bba54d8ff2ebbf170db2fc0d0f072f3fa2f597f1a97fd2ff22f3fdef4

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
cf42e3242506f0589f4ac7714476e7cc

SHA1
18612a35f9756f06d13107647905e170a995a84d

SHA256
58d393ae82db311130ae2c4bcf9895cd371a453c546233e575a86a8311add629

SHA512
4187b9b4503671bcdcf96de496f8d222d23f9f9e2642b1df36d3c90bc7675413dbdc391a77122e718dda20c3482dc4d7f5b229f2516e0a2f0166f6e05fc6d18b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
fa9c973c18436d21d6b9409b429f9d8e

SHA1
e4660a12d5f1634c37f69b28761421aad3bb8f04

SHA256
fa54dad126c4b311a88f474007844f9e67c08dd399a2407a67c7b866321b6f0e

SHA512
5e215ca334277c4502c99ac75473c59a9a17704180fb409e2e1123294963ef168fd0a57f391e889bb6c2fa8bc73c1afbb73818adb70cf514032c1b644e07066d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
d1242eae99f330939dea8fbe83a131dd

SHA1
5c9d63af220220a4c49345eb74395d9f895695e2

SHA256
06214746111b5ec05c93cb66b6130d3a55526f3fb761528e66770182755bc441

SHA512
d4a0140d14a450831e8c754552a360b5e543a7ee377325c25060984ddd8d0261388bcb2ff8b459848312cf8d90d484cc3ba61f51f9712b856521719ef1a7481f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
7be3f8be4407b9ab4254b25bda646a59

SHA1
02adf9a13680249129a84c83485aecb0c90211da

SHA256
5a67c533102c1e928187e398fa7a6a8446fbf8ea567620cb7839a3c8c2b2f93a

SHA512
75ebab0e6b3308af3350632825953b6660663a6cdc234c6afe666517cbdc4f10e51af44c9139dd93f61ec7b81eeede3800ca8db0a682bf8dca66709123c9eb0d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
d9c6e855a3c515c27a35d02cef6b8646

SHA1
ced579ff2f3ba7788bc1397ff4f31eed3a9e6d27

SHA256
aec505ecc515eaa6cbfb975ce517ea0b29d424a2fe4821f217a50e654cf95675

SHA512
c83088b87247b21d2ab1467509f8cd62db30ca61375fd78b7257531f168d0277a20e1368dd8a8e091d37dfbbb4c8bb12a2a780f98a6398733eb87625dbeda9ae

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
fe933fd12e1b3c6623b8b53517579e39

SHA1
b068b13b6a476feecb3e3fcee0497bcd900f7ef6

SHA256
0f25a4af16498146e69fa7adc19e8d4e89ae37c946b3f1c764dde36ff5dc8341

SHA512
2618efa3b3a70a5349e9ebf20b458b4199d1f7c4fe53239389aeb36873aeef553956c137b2a141211ff060279f2fbe191816629bda2b918e8884308b1661b4a2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
59628e56a19dade3498c86e7e96e0442

SHA1
d42eca11dca793f22b187c3f2731775d44245068

SHA256
a6c316bc913b95e511d0ef7b7c082543b77c7f94a767e68fb6dd5dd51a79f412

SHA512
a6c67cb8ff626eef8c03a9ce4a995ffe05e998485f419066579f712dbcaf47ab153eb68b010b55275748d18dbb4c00da6b59e9f6c16dc00dd21f96f534803466

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
ffcb8f8e53014f5dedf1409b434687e4

SHA1
941ce0809b45394f42918a810a975d0769c5ffe3

SHA256
c0f397f8a13acffc1b7610e6efb542b44fc636c2980b89345bb5198c3f6c7ac9

SHA512
49c5d249397b3c6a6a56f802e8303fc7b21641f96e0914b28831d40a2688bb1a0b8525b8e5a1f90a9f48388fd65b781c5bfb502c7c9d5fed849648e05816c739

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
5e54c8ac2c613e8e502888ea994745b2

SHA1
b5461f507c194e6a13f708b4f09e363ccec35309

SHA256
69b3dd38c3a6c8b0b0422c885f83bb965fe2c2ed546f37150f55402efaee4ee2

SHA512
47003af1698bb2eb2831049375134ac7c5b4cc93134270e84d293e31c5351b9533137e4d3659eaaf2fb55841e9dba1ac349cdea020a731c33ca90a1686a2baf9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
01254e500db3f29a1fdf276b9ae760e3

SHA1
19760d3644638e0829a4c18e5390f816ad0fac78

SHA256
5c50c06f2c4e30bbff21e2cee9ddf253bf859ec03bd58d545c6405dc3914b9d6

SHA512
7c5dbcdec4e7e750f09682e4ad82898eb95430cfacf9285b835c39ea7c66532e8487af00a799c82ed2e08061335077204f1e41a175f49218f85181da99c33f9e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
ec88d2f9cf3d07fccc270b1109869085

SHA1
48ff3e0a82240c0e971376d63f404c5b6bf3f400

SHA256
d76ffad0999edbeb8f1e13b8a7843a7c07c8d7e1420079ce914d4a6791c5a3eb

SHA512
d42dad04da6dbecb71a7bd86aa77de71e2dc4d9d9fc33f45edd96d386d6bbf6aea92e5c360001ddcdd7fc93b68288df62031ea9ab7bb4628e41921d1897d1dc1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
d0a82d3089579a5867b9cd3039dd00fd

SHA1
6aa57f7350867eb368c9c16a98bb8c2b6c944d69

SHA256
309b50cfb2551dac54c42aefb67d7735533e10de73143c57ce8ff6f7055865bc

SHA512
25659207470298befd3c2e4d93d4cba652f9ef8b75dc6287353e5561d4e9ece0d23503bb45de7953726c360a03a7a9721ec92f03ded045f0be1b36d1a3eb7810

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
a016696a62572d8bcaf085504825aeab

SHA1
47bdef53f91a219db147ad206000f6b8f14b3e1e

SHA256
a2f7f1318d274560262551a6336cf560103741e22e737edb3729c6bccac50e87

SHA512
13e56885e3c530ba2a61e61043cecc5cd8eac3d3e185f374e9793f0887f1995e164792758275948cededc58caa05698b3d472bb1f1c61249d4cc2942526f9fbf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
874c021d7341adc0c1ba05649e378240

SHA1
6896fe74451535dab86306e92f82fbe503fc17d3

SHA256
9ab77f4e573ba334ffd341f594d228eaf9197e92632653e51f4e476a6cc6380d

SHA512
f6361ebce6fb0553a847916c27062155cacc3512d379da37c2fd865119df04e9a87cf5feed259838d02233cd3ec4d955f4387e28c942dea2956048278c3864a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
1beb6a473da5e3379c6fc53c836b646d

SHA1
2f06f366c61e93ce0137b7d1e98de3c00fe8393f

SHA256
9def93330ce955fb11df4ee5969b392ed02b4ca22436cb9b5e3d1c8ebe401f10

SHA512
3a3e1482df7586d7d07b05c91364381ec2aa52e090f4633d4c45c5dd48118230f2b2d2c4d35e82940a71b9557613a102f6e6da4fc11bd964ca72a75650d7a335

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
de9cd6be9350d1a98e96c3ccdbdcbb88

SHA1
bfe522fc72176f2ef3cc22a5575f9771a1d9fd12

SHA256
8d217b8399f1fffb0a2030fcbb1daaeebc8afb05d57dbe93c66f8a6c5b3bad0a

SHA512
2e524b6eb4be69bdade4fa5248124f6bf5f7fe8b02a89a58744cd64da397068ea3ebfcbb2f3c949feb4053b94c4c1d4ab34dec2161b82fcdfcae81e4fb85578e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
0c565ef23ad0e401b62896df9e2bcca1

SHA1
7b3bc784f61afa722e33f5d0ec314575dcab2622

SHA256
adc37b76db80129749f013fb2c10660515230adddd8df7b3784eace28ecbf835

SHA512
bd69284207ca23f5cb98e2d340ab9fc41bc0a3aae5cc9973215d589a730acf3f81e8fee227eaee1228d981ffee703eb7cfa3f994498d272a3c2a2589876f5632

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
d05fd5ad7013916a8a1b5af3a197b70f

SHA1
9be7ab2679b78ceb7085596c614f0f83ed8dcf57

SHA256
f4bbf9689d1c60f1c22eb4cbe2e5f297dc0d6370b5a2c689631239e5492a068b

SHA512
d91e04fcb77ccc072a2a9208e2c34b8ec0c60c0539739630f368331846635d76270e353550b0ec0594d09d50bca0a05e7633f44cdf780d2abba4563bf5fed6a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
e4a4a7e66290d2a848921c6d89b4964b

SHA1
1a12c5dfa41dfd7b97e89331fe5da130f7143337

SHA256
147b765980684099a69e99ddaac8b12d1bda41c762b88536d8e78f56eb9ce7e4

SHA512
d0eaceea301368876128768e497e3790dac9f95facdec5159423fcde69fe9ecd4d30f12ea1c3c3fbaed8500368fd3062758e4b7c7375f95f24926b21491e8d7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
2cb7ee66e1e0738d3fc6c6ef7e20ada7

SHA1
dcfb39210da4155b9edf3cb12eb3325ba96df39c

SHA256
f63c0f07fb8dad388f5692c9b31fdbe3fd8b986408d8f9e7e7a1ea9457ff5862

SHA512
8ca7240e942d0913d915bcc1523a991cb7f85686685436db05da5abd82d2e68fef27cb7256f33790e2bada4707dc4d83b65bd0e84e18858490d7dbee634431db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
3cf160628b68267aef1671d7c6a83bb4

SHA1
3772029edae3c08e23ea785385839c9e92894fbb

SHA256
85181ae9e076e359a7991fecd24d344f43b6eb8086ff4aac2383c82085de4209

SHA512
55bec542df7431e45bc0c62e26fac3fb4733fcecf6fe26a5baa5874a51d3b5ab79914615478cde685b17a91042ed2615e3984e2e33853d6f884847e15d645b53

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
15abbb12322cc7a32513e12580f33e72

SHA1
f96459d7508f38c2ec3f8a66ea7f67b3f2c666b3

SHA256
a21f0604c2863a569fbd35bd529fdf61addc15d6e8a9255f93bfcb3270652baf

SHA512
fe9aaf31348fd2663024bcba8acfbd014bc6b9d65703d81b3021eb1992f9e8d5450a6801331c33d31b2d702c43fdb50b6a851ad5cdff3fb101ca35c5f6ff13f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
b6f8432b94bdbdea3448ca070545d697

SHA1
6f561ef1eea098ae8bdb63069aeb001ac9c1183b

SHA256
f4d7680f65d1bb63fe0eaa6bee27643b9aa7c79c2593e9310afec2522e1974a3

SHA512
0570bdec7a492bc9565d1cc4a8aa12561b487d2c758fac4f021451b6ef985d0ad737bbb1f877f2c2504d37705a9a89ad227c6101ab92a4ed951734b0f3a0e0af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
1280b7d35819b45302f7d7fe39f33106

SHA1
8a440ae4f506661886c257f1f093c07add6ac4ee

SHA256
b16637022f986c26bcc5b796d4b16b63064625110cbbc7d502b6eb80a39f6cc1

SHA512
d9242907decaa37ca7a1eb877b7b08708936c439e796c1c711eeb3aec723bc28d45c4728bf61852dbe443b2f900080a18f0cba412758862e7a6af5fcd48fd129

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
1902d1253107a1b993b332c688c67286

SHA1
5d2a4661276448aa40c87816d52cad656787a1b1

SHA256
5b5e2b3f741e228b7e4231e71d401176936612fea1e87053cea3ab7990a58d7b

SHA512
e79df0e09f3cbc6aa0c9bd9e76471ad9d9e1215c990c5d3bbcfb5c6473829f9b565d474d817dbd5146e83dbc00bcc8ebff4bed9f7abf71744379231a2b6fd583

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
8af212732110d25839751bbc994eeada

SHA1
a8ea06ac5c571acc5b17cc54820b65189809898c

SHA256
84bf33a595d87aebcb78f92d965a2be820e18b4bad6fc84b961cffab850f89ac

SHA512
29266a6e7bf3c3dd401baa9bd08af0815b935ce481fdfed566090178dd877267035afe96c768fa032c75fe47bc87290c3e0f164ca75b307a027e66eb4f40b902

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
0d6dd33949af14760761622e8521a117

SHA1
6134e41ae41839774723572be4ea179d312c6fa7

SHA256
e9fda35d90ff9bcf5a454df34d138ef897e18e01460af4fd73f72be77555e2d5

SHA512
e375792c581eb850f7b382b2f1dc30d1cf9daa9a0fea8a9e596a730f74b77f3af6e86e6f52fdebe2808ea0875021c52105884ce99e20336fd64d38cc22c01b12

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
ad7cc03abe11a7b25e7faf792f58a061

SHA1
e1296f6436e315a582050081d7ff43db6aa8a11e

SHA256
e8306f22a7739582aecfdb2159fd5b7326b8bbbf8f6a7682cce90d61abbb4b16

SHA512
258a877a6b5b2819743f879e070b16065c5a02849f5082fb46de2054c9598915c5f07406986654297c0b28349908c77636446c4a8b3e1701324c21db320596af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
fba7e9b8847670d7c5281152555acdd2

SHA1
29adde9f5acf56565643ea5199330c445aee101e

SHA256
5b111cff98cd82202eccaf8aa6f9291416dd3d40d6d06536f0b361a0776ff8af

SHA512
ece9023b178809d9b347b9845dbc9c1558aa4751b08b92a8661ec75068cc7cf31b8a89ccda55b15908b31c8a3be5b6ba06e66c750029ee3a8207cea9be1b628a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.4MB

MD5
f9b7d90b82ff548c7c16ec7ee43924a4

SHA1
efced1d12bf0c89e605622f3e96d97aa23137183

SHA256
ab1882bab858c0ee6b7af51a6dfb81334aa2c66ba05ac3b429d0e2be694d1db7

SHA512
48dfd1ef18db17372457c52b1004dd762c9d176eab83cdb13298d6263423fd0438b174ecd819fb0b966192ce984efd6ec2c7295c011049a4d140afdb37ee8d12

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
65fbd285f5a0e26cf92ba99b949874f0

SHA1
f59ce748b791fe6df748a101a776fa82b20696d2

SHA256
07fe1846c53c9ad9af4c7e4c07bfc8bfae5dc8543bf0516a6b2fdf13184f6a30

SHA512
d9e7916e6d146c386023101763c67fe870c1361a9aef8eea41058fd44bef622a3a2527b9b84dd23e511a271e7b2a1ffe6fecda5e26b08ce0004587c4c9d6eadb

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
21392b5766e3569d7178a63804409c6a

SHA1
2c465dd837e6752397091527da545d0f4d805215

SHA256
faba25111eece023e57eb53f6d0e3588ef0cf48cc0ea546a7ab5518573f3a621

SHA512
ba0076b82d0136f0abb628be1b11e7a64b66018bdf4ca6ffc09d2a71536a0efe5baf2fe771735e790de03320d4d00a55b1c19f1ea4d419f2d7613087ab629c9b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
28bd0ed7bf46f5b04e20b2343fd2760d

SHA1
711b3eb7c828381f0cbfcebb4e5c66d20f0e9c5a

SHA256
11238ba94db64aceaed2b478a74531818a9429ba6851bc11c7e517e5efe735f9

SHA512
140c7b6ddc05aa976bc0d1955e8215d58afc15da28c1c2d83699a423dff85f1dad2660bcdcd52d3e6bd686d81314ec9f643737173dc8e587d28b1c85b5fd5391

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
3dc6441d5a50d1c30c434af476b13d47

SHA1
e76cacdbfa6ccf67ed018a063c04358de2db7687

SHA256
643edab2350053fc584ad76789b79378230756cbb15480d4ee5ca2d9846d605b

SHA512
d371261ab971a56d81e775479ecf58f275d6e880e834810c5718cd429a73b5829ea044911121fb4f9992e5fc4bbebef51c31dc681bb0b9107d93ef7dbc831459

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d8432a8de6e7b1a6a1c7ade8c7ac985c

SHA1
1b0bec005396f82ec1fa29fadcb5a260208e728e

SHA256
e99e8add2f675d4e82dec7819874c03ca80a6da1810ca18a3615dbd16c30f41d

SHA512
829f4a2d1ea8dc6f9485ad2c7d16e383c88b2163948ec8851a99d9eaa45f4168c6b3289037c6ef99fcbd41501e6ef25ea447a88146a0fbddf1bf301f42de61ce

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
0da91ccea32a99599a99d0a473e4faf4

SHA1
94dc50f343713cc716508fd6b0588f43957911ab

SHA256
eea36605c6e53055dacb8cb2bb45562ff954e962c89ac10b9562f0d1ec7b7274

SHA512
0c053023dafb15ade29675d0eed78c126d02afbef3425850121fca7e653e7b990fbe4c24322e17364cf37d098e9cf227f67a69a9dba1bae3683aa904d200c180

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
e66e242666e03278ed78f7927bd305fb

SHA1
53113df83744410ce74d56b49cc7f2af1144a4ac

SHA256
2cadf2920223c8be2eaa5bd6c2199403aa04ad20babaa34464f3381435a29313

SHA512
25718b44200e3692f967a945412d6e1b709df652f784a0bdee8bab822ac497e8dbecd9b7e6108367dc2a98ac9fa0e1fcb193d202ac1e1a6652e41121e83a362b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
00afb6e70e9410e35251cede241777a6

SHA1
7123f34b556301c71c8bfee8240c85225d9f1b96

SHA256
aad4c5a51be7762608c43aaad6cc64279d501f20ff1b24343f03636dfa987d98

SHA512
109ae82b503bef85afa7d1ad1c0c89c5b0eaba3fb10cffd02af6a90c489210e623f264bd8d05da5b12401e82b05cc5d8b6c8c337ee89463f4632247e3107be7f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
032407133cf6694921af1384047b6e8a

SHA1
9892e78b7db8488761d8fa366467acf8fd20a542

SHA256
aa7837dba1dded34a772035ab79a827445f42ce054dd991daf62c89425e6b612

SHA512
8ac7118a1230ed163aed07875d86ab18cfe283d893259338feff54394f165b767ad249d1a359272620526c7224668b14f42df5ce5062e90511d783d8985cbdbb

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ad0105e74a7dfda82347f0089858942b

SHA1
2f53047fb8a91ef54445d31b456eb24a69042bff

SHA256
ebe57650b1364f6f29270b737e9c67a3f9f66d2b4e30d50088ddd73655fc472e

SHA512
ec58d59dfa66dece06ec785ebada1f51aebf6530e14c617507bfc9567e995f9c8f0c38f38e3eafbb57fd1e8748f06a393dc30f6d3e91df82eff848607dbcb7d0

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2522bea74475a21aa7064028d17b7f6d

SHA1
645b9b3fd0d5e6e082f9d476314948c0db5f5ad3

SHA256
db465dd14d3b546f04b36dc596cc2059776eb7003be2f639d43f1f06155e9543

SHA512
8541f432dcc376b7ea7f0c0a0df83f1b26830271c840330a518aca19f9b0ce333ab43da022725e62f8ff9245f5aa8f43bd97766e2114af4f8d5c955afa098f64

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
d8d92ce09fabbe4edb93e40b1e221382

SHA1
a38cd236005c8b968273a37c418a055e34302576

SHA256
c13577299ca9ac639d9f1fef44ce5035c51fbe68c357342d57c58de8321a93a9

SHA512
c1b2109e7837c67af82cf9ecd6873d5b46fd5f1496796e6c074a2179acf00a07ff5ce12574222d0ec5408ebe8ad4293e0b137e1cbbc2b03fe082e1b64dbce001

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f0065ac72409d5ca05f6cff54276cb8a

SHA1
cf2cd9248e5ceead0980eb2b1ba8385ecd126ed1

SHA256
d3c8ff449639ac118ced97c49ac1c6132d6a681bd1aac28239e8a4a227942a78

SHA512
c27e9f3f5dec66ba07b40a8f94734a3e6e7ee757ba8ddb2ba331325eb9068716881238149483549550f17f78342e3ec5dd0021b1bf74346041e005964b3029bd

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
58aaa7dbf43a7d4c9f67d462373022a5

SHA1
41cc13cc49576407e97e446eb9a98c74aa90fd46

SHA256
4769e79ef57877b23585ea9c85d278e37eea1f613949881c2141ea4d93fd72c2

SHA512
2332ae87a0ab0d0550305a6493e49ef7d13e3be74539d195a7305c8a4fe95ef455a53ed1bb8e645d7815f4642ac582b9191bec9502093f4b050734a8e1270987

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
8c0226d069d2d49a24133f6e12ec6eaf

SHA1
79cb743997843ac368436e87c2b0e9eb870cb611

SHA256
78040979d31aaad1b7c78147bc3afb56260da012d9a3f8d7b9696bfb9b48882c

SHA512
170f7315e610cc8c5f31a7f268b490f16cae0e043f40197165031e61469322b75b2950bad5a04e0b27e493d83f84cb58ff710e1d9fbc0e23ca82b3748f794384

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
97fb3891f76b5375abb56d259108cc00

SHA1
5a15155bdbf0657f417226e26a5cfea7aa0b0b03

SHA256
fad507844c4aafbbc33e1f397cad0240e3e7df43bc34798f7df2c544b0328057

SHA512
07efddb5a2e644169cfb09f5764b62567d62cc42c4cdd0c54cdfb624d92ef653c9b8d0c138130c9cdf26842892c4284eda49415bdc5cd5a3b00d1040d4fb988b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0dae8914399607b3b2494717cca205b5

SHA1
921be5e97f4830ef36922896bed304b1a9c9277e

SHA256
506937d9fa79a3b1ee7bd529208a13816670890125fa5b4ad1b417b67db6e793

SHA512
57f7548a35e0b5b86f21dd2716b5b72d73b8199bbdf1d1530633d62eda78ce7835e42b6f055f5273310e8ac76ace6393cd143f574641c1c0d5aa2dcc57a3650c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
3291c0e2d89ba8a3de73fab5a56f3955

SHA1
bf38fc9641db5e1861044547fefcdb3d5271ed9f

SHA256
acfa44ee2510a97687acee9a2141235898db8b5eb89bde6efad6bfb2a72a5581

SHA512
3ff8b57f9889e169ddfc867c8f7c92070e13760e68ae8d7c16ee13dbf92936b93c89f969612711a5beea57c2b9d84072487d9e8f29317eb19dd7ef472dba131d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4f24fcb63ccfa78c85b068a46e31cdf0

SHA1
71644d92905e9769326a67d8bb9891772c52ee88

SHA256
104bdda26249ca12288b7486169c726c7b7bbd2327533dbc91a02ac6bcf000c4

SHA512
654f6a8bf062f84f5e60efeacbd00c2227cd3f6b20f9e2f24e3c4a728ffdff72ec0d0bd2f249d1b5e7bb80db67b24df5df277001946f51743946ce58fc8c86d5

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
98389b5091fbb22be7fc98204cc2a0fd

SHA1
699b8067894a4d75c9f910e3baace4f16c275149

SHA256
73a4cb32a31f78c68a6ae503258b67f4918a468b124b3ebadb358f66ab3ed8f9

SHA512
8372be057e5baa050414510d1d7db43d4de8c96dd622827861d3e1f0983ba643919999964de2a877ce7c0782bc147bc8ffce05b77f49d00f2defa68062e5a4e4

Download Submit
memory/64-339-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/64-540-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/616-33-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/616-39-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/616-43-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/616-245-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/816-279-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/816-329-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/816-271-0x0000000000850000-0x00000000008B7000-memory.dmp

Filesize
412KB

Download
memory/888-281-0x0000000140000000-0x0000000140254000-memory.dmp

Filesize
2.3MB

Download
memory/888-333-0x0000000140000000-0x0000000140254000-memory.dmp

Filesize
2.3MB

Download
memory/1084-68-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/1084-66-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/1084-60-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/1084-70-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/1084-73-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/1552-291-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1552-530-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1708-309-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/1708-531-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/1804-334-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/1804-538-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/1916-14-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/1916-242-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/2224-81-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2224-247-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/2224-75-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2224-83-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/2232-322-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2232-535-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2324-529-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2324-338-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2324-284-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3048-8-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3048-46-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3048-9-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/3048-0-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/3228-314-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/3228-532-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/4280-258-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4280-325-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/4280-264-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4280-257-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/4348-253-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4348-321-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4364-25-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/4364-17-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4364-23-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4504-317-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4504-319-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4588-49-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4588-55-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/4588-56-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4588-246-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/4816-289-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/4816-512-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/4860-536-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4860-326-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4896-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4896-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4952-537-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4952-330-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download