352abefc3e194c046f5d1f2ed9c7ce1f99c2627436867db0f17610537ae8e67d

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-16_4635d60504a9834d1c5be933a92b46aa_ryuk.exe
Size

2.2MB
MD5

4635d60504a9834d1c5be933a92b46aa
SHA1

646c456f6af9d82742177d931459b0f329ccd0c9
SHA256

352abefc3e194c046f5d1f2ed9c7ce1f99c2627436867db0f17610537ae8e67d
SHA512

d1790e7dcd0bdd3202f5a22f00c6f8dcb5b760f6c88b3f9fdec3b2dbd6f3e5a32403824e3cae5e9de6922fa4a4602962eb7ac3442457e55c1263a2955f9b9a51
SSDEEP

49152:7OOh3aN4kuLbegmtGIMT8aYDp7JhN83T3g4:LU4ku/ctPMIBJhN83bX

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4052	alg.exe
3616	DiagnosticsHub.StandardCollector.Service.exe
3196	elevation_service.exe
4020	fxssvc.exe
460	elevation_service.exe
4292	maintenanceservice.exe
2512	OSE.EXE
3600	msdtc.exe
3384	PerceptionSimulationService.exe
2300	perfhost.exe
4340	locator.exe
4936	SensorDataService.exe
640	snmptrap.exe
2896	spectrum.exe
748	ssh-agent.exe
3448	TieringEngineService.exe
4216	AgentService.exe
3612	vds.exe
3116	vssvc.exe
1528	wbengine.exe
4420	WmiApSrv.exe
4588	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-16_4635d60504a9834d1c5be933a92b46aa_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-16_4635d60504a9834d1c5be933a92b46aa_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-16_4635d60504a9834d1c5be933a92b46aa_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-16_4635d60504a9834d1c5be933a92b46aa_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-16_4635d60504a9834d1c5be933a92b46aa_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c1bb9d764bebce60.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F22A0C79-EAB8-458E-BB67-27753F7CC7F9}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b3a10702fdbfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab8b3202fdbfda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000faec5302fdbfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b7a0002fdbfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008def1502fdbfda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db36bf02fdbfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a9d4bc02fdbfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cf9c6402fdbfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3616	DiagnosticsHub.StandardCollector.Service.exe
3616	DiagnosticsHub.StandardCollector.Service.exe
3616	DiagnosticsHub.StandardCollector.Service.exe
3616	DiagnosticsHub.StandardCollector.Service.exe
3616	DiagnosticsHub.StandardCollector.Service.exe
3616	DiagnosticsHub.StandardCollector.Service.exe
3196	elevation_service.exe
3196	elevation_service.exe
3196	elevation_service.exe
3196	elevation_service.exe
3196	elevation_service.exe
3196	elevation_service.exe
3196	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4100	2024-06-16_4635d60504a9834d1c5be933a92b46aa_ryuk.exe
Token: SeAuditPrivilege	4020	fxssvc.exe
Token: SeDebugPrivilege	3616	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	3196	elevation_service.exe
Token: SeRestorePrivilege	3448	TieringEngineService.exe
Token: SeManageVolumePrivilege	3448	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4216	AgentService.exe
Token: SeBackupPrivilege	3116	vssvc.exe
Token: SeRestorePrivilege	3116	vssvc.exe
Token: SeAuditPrivilege	3116	vssvc.exe
Token: SeBackupPrivilege	1528	wbengine.exe
Token: SeRestorePrivilege	1528	wbengine.exe
Token: SeSecurityPrivilege	1528	wbengine.exe
Token: 33	4588	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeDebugPrivilege	3196	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 2920	4588	SearchIndexer.exe	118
PID 4588 wrote to memory of 2920	4588	SearchIndexer.exe	118
PID 4588 wrote to memory of 2412	4588	SearchIndexer.exe	119
PID 4588 wrote to memory of 2412	4588	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-16_4635d60504a9834d1c5be933a92b46aa_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-16_4635d60504a9834d1c5be933a92b46aa_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4052

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:540

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3196

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:460

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4292

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2512

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3600

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3384

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2300

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4340

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4936

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:640

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2896

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3172

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4216

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3612

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4420

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2920
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7ce892e9c7a378c9af54c968b6edcac7

SHA1
a5a1f81d30a8e5a2860048ce81e9555dfc0501d6

SHA256
436495a8e76632cc1f766f837f123c75ea1694a443dbb54f0a27d8af687db751

SHA512
c41037b31c22a1d8c799878c2ce950a9ed4df37854c0087b24b487848feac4cec38c76030806d3da25dfc08f8723d1c0b78a81f7c2d741155bd3cb2c14a60f96

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
330bc2e53ae7d7133a6c0259bd71df1f

SHA1
2ad5621127aec92226858c04f8c06988a9232570

SHA256
4bac9bae36a857b3c315a9a644f7fb3f536bd6f2117d6da16ef77f67d55a0dec

SHA512
4e6bd8ecc1c80944b08dd3fde1038d6ae4a2b59cc850af64548065e1a143ad3d8aeb2bdeb1c319127c577370e0ee526c031cbf254255d015bc9f573e767f620b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
756cf9af14524c302d5cc559341e496f

SHA1
eed6fe4eb6d1b34342600fba95d6768a063f79f2

SHA256
0a8df42de205c5e47c0bad96ee20def3e45419ccbdc4b9652dd53823a36bdbd6

SHA512
b579f0c3c0cac6ef987632cb9293368414bb1206f50cb622e95262d592e34fab2d0739509ce6192f7c780fb8d4db4fa235830b5083d4ee5a322afc2c2fe7612a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a779c9405060b2b466e314f0f39a4d69

SHA1
db85e32c3abf09e4d52eedc5568cb1b9eb5bbc70

SHA256
843809a3e957f9bca8b151f8485114fb5c7c445afe2d2343761a8142de4b554e

SHA512
c0d63117db2f616becd60b2c96cd76aba4545c6c05ac4f6fa74d83ad1386dc0567b2f24c1462b31e9a907c7511f77f333848f9de2e7b1dc5805c7409d5f8d7de

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
44b6bd1e7f25c2b9ee3cdd2922ddcc94

SHA1
77636ea4fa7b41e79dd422df54d538c56ea7b1aa

SHA256
2177d96cd609b9d8b1573a5bfb251265047f6742847e042784ef015ba8a5bf35

SHA512
b2e7b3ca2168426492ac84fabf38536aeb64d90b5c0e99a37678e0690189b9a4a5e88a6c7bfe24d19afb6ffa8c5dbeb68540409d67510009ea17f4c18da74770

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
7be3df26d390a3ce68ea34742d85a571

SHA1
981ddbea19303065b90d0d3e8ba8fa46e86412fd

SHA256
27a26a03b70fa42a66be5bba77701aa90f79d4937b11ecda7ef6e32876309c67

SHA512
9926bc7cfb32199886c68312939bebe8706da542abeccd27d15ac14393450c023613498f0e461519fe464cdd4d673635cda800cb61973acbf5168d369003c0c9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
1058839f3bf995b3ac6434e4e6578c58

SHA1
61801a82090c2f1d290b53f61d9b97a96ad7d71a

SHA256
546d1fb669cab26e1add640e1b7a769ecfc3c95251b24029c42ddc55b6763762

SHA512
fef26aaae8a938cdb9f2d222fba304e0fac5f212d7017e206371851135f40c2e1ba332e77842d15374ec8c81c6fffe05968942b6ae5875bd1e70e03fe80726f5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8168a5d6b9fc13b0139b3ad7484cd902

SHA1
af646b47430b358c0d9ed04c127645d6185c915a

SHA256
e34f004b215c7a4410412f7a00d16d4c07f0665ea64f1e3e10bdf668a7638025

SHA512
d428a853cd22edfba78583cd047b9336c4d9a7cff3191a24fdd1b6ed30ef1df5e18b3101e278c287e53c29b5c7899441fff8f80adfa4c014eefae8d0dea8e444

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
6ba3e43063e712bed3524780dde9ce33

SHA1
5a0ed95a15e464488eb3c06303d8bd3d4b24690e

SHA256
cc8a857639c4f813c1c1b5fe9bd05c19ff47bf35fcb82afe4eab1e2af2d9349b

SHA512
8ccde835d808faf45cbd52dc7f032df7ab583d669ab7c960bddb6cff9cf65185e9b7818d3ca58680a0286c25c3d40073fdb01649ded3413b787f5e3ea9033edc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
32819dcc06134eaa1ddac27d8fb8af37

SHA1
a0bde320ee2fb8d722cd6cf26ccb20f0442b91f8

SHA256
8e1e17a970edfe2c0c33cb83dae385d30290ad1cba9aa04a96e4734b2600a867

SHA512
0adcba4e30b55c05c5f61c0a670938d3966b5f34e6b2df5cc0e42971024fb55077189bdcce5ab38a4adbe25a9287796c28bf8ad3fd4056a7509bb9aaaeadedfa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
85b9b44e03701c5e5b0b0e599c0d9a02

SHA1
f4475e93c0a4b92f9427974e5e0d13f0559af52f

SHA256
250e86cbfc53c3d1dcc0d557f0846fc0014471a72f730c131b28c4d352abb03b

SHA512
a055da1328a81dfe937c76489167bdbcf0a3ab74dad0bca74b83d7d61e092e64eac0de4c2ead965bcb2df5ea9bf764ae09c4a65ce56674fd9c4af323ac071d2a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9f09b89f3b19ee7943592bcfc16c15f2

SHA1
5dd8a069453e5dac46c37e53992d46b73c20e179

SHA256
481aed8e4735677af2cb2cf4326399e222aeb8fe2b68370561da1d3c603d504a

SHA512
ddb52ea621d5c71b37ead28a799d4e0c8e83c896870f7f146e0e646574ee7bba549aedb6abc5b9e2b230e38d5cc495ed6196ef6d261c93ae0c3cf879d3a376de

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
80c177f015d665971f7c8a9e38efa44b

SHA1
aafe9c9768ebf50574bcc0af423cab78ec79990c

SHA256
0b540118cd01361dfcb1459c3a269e2d8c33d761f9590e78a6c746eeff991a51

SHA512
47a85a235b68ecb54907f7e1825f5ca547234816b508861269c1478592252172eb1eb5ca9bd9264536dcadff361e03d2ba214468b74f22e6dab6c8ab2d2dbdd3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
e38f9e12c976686fc5e9f1b27a2352ee

SHA1
8ebe71f0297ad656841d189647343238b1daeb25

SHA256
33415e0eb006b97b774501fbd0574a0d80ab3da323f5b4f33c23fdae9332588a

SHA512
3fd9291a2677c47cb2b2cabdf0120bfa5ab213406ef57e6b902e948dc1b53b37b940e159a8ad86d6a776d96b067a25b1c6724ae063aafad23bdc2c32c9960754

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
4ffcc41cb2cb3a4479e0b21da80abc40

SHA1
6c9607ddc0c7e89ec07542253e6dc6fc84d1fa68

SHA256
fb0fbcefd79e3bc7630f0581ff4996bd02a2e4796ad819ca2d05f1689a851715

SHA512
90a04023637397a5fa58a3441069613a0a37d170c4abbc567e7e0be1038e5d322ac77cbe1477c2dbfab3688c5ba29d3505e39723d33b48f05646d677ec8d932e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
3ad2c7dc1b2689dee59727b7588bd531

SHA1
b5d9c5be913b48283adcb49771fdea8f7fd58bca

SHA256
af2c1c911d24ce3fa4a58dc920149a878e3f0d23404bb42de5fc103a0f31e9b6

SHA512
f511f61c465aba1b764fab4ed276d24cbd1ed6d0af19a21f2b6eee0c188823769e8d03c382447f4f8c12d39dfff0e5bb0817b98a960f14d3785e5972d3e6f621

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
ccbe6e01d82bfe2baa6e10139dfc6e15

SHA1
79edb4a1bc3e73fbcaf4a19818317cf29538e067

SHA256
51258d3f32ff820a40cf7f0f4f98ab9f2430b381ad4461934656526ae34483af

SHA512
c142d65b19cd7f75dad9bb4b248a76e43db1d045bdcdf2ed02f1deb26d3219983270cfe442584dfa5e1102a4e8467b2843927b337aeb3755c871f6b48f20551e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
4a8f2f669d157de94a2f7a3d1670fbe1

SHA1
d0f907a92a023b06ba10ce774885595156b2888a

SHA256
69932ce5acdd9cb1e025966cbcce78dfe820d7c2cd4a8220cab5361ad02cca3e

SHA512
47b9cf0d580b2174e9f4aaaa8c96c1207d9d075c4a4f37f9fd230cfc7b3e5621546fcafe72cfd644e7db2b594a3e49fc421ff048a34bbc857cc5bdea293fea4f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
a5a1a11d1388456a4fabd631ca058d5c

SHA1
9e50d8230746085471bce8bc529f2734d9bfbb64

SHA256
ca8f65cc0582f7f1b90db196566b5ff757adfb4fc3058b9d040436561659a71a

SHA512
c57f215b8c026a7af31cf81e84796df15aae3148c24cc5fb010b02b82fd39eb6e8d89e2b665d0c63b61faaf6e89e93648313ae27c4fab14c4c79d7be8aa8e14b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
6f268332fc4318e71657b04cd60f96ae

SHA1
7c05571396fa7eaaef0b9ebe15eb03516134fce7

SHA256
23c77147f03bd25c8f50327582906cfc60e2bdaf470a13c38cd6fa4139939edc

SHA512
b550861ba7b8a24ddce63f0f01641e44f7db043797cf6a50fd71f6504dae76c4b6d35d7880791a804fd49b432d2ca0e3b743239750d9312052f7f01743bcf1fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
ddb168c41a0b23bff8960646a708cd3c

SHA1
628393e10256262f0048c29cb5b239ff50056101

SHA256
ed9a7ecb2e0d2bd44c3966a20d4d4a5b0b87d8e6e4a0fc0fa4af15e068627562

SHA512
027f79354078f91329113e0846d4c2cff12d80b6da28c244ed6cf55b59e3c114767ef99b3ac9281caf3928d315f6ed9201b35f184490cce9e8be5bbce40e525a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
bd5ba19bf8dff98853c333b2b1dfe8eb

SHA1
dc9798ce98fbee261cb468fcf0db0bdff73209cc

SHA256
141f58de5bde4e22f5aba59e2c50ae81759c5ef8366263e561ee96256c3acbf0

SHA512
b3a810ab1635e57656fa1d8eb52391dc2a78e2506cd1020332217ad0c24916a338bd77bab6cfd4da8b8511e5ec0518c1b264970084ad867be5a6b2d267870f96

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
79492e298fc344fdfa1daa3ca79d497c

SHA1
d135b386f1909a326b1775dfc7091bc6faf4a829

SHA256
12b0265cfd9af2075be9207c080e8bab73bf1d1fda90cbbaffd41eff0025950c

SHA512
d80d3d6f45cf8ca0aa273d578bbf967889ed33c46f242d2dec2ea29c3c1a1f0c39641cadb867ff143bd62e2e6129b3c1c4d0182262daccbea386a35c7ed44e93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
c5937f671f53b765679f3c88e567e9d0

SHA1
c1ee37271756a621b000e359dcf06683c63bddba

SHA256
a5a8df59f4871b707b62e8f03914fe6051ce44efe5c915bf758214e959ceb7f5

SHA512
3ad54b013505ba05f4d9698a5c5bb77d25f8899dcaeafc3706667d1b3f3f91ea8bfc2b62adcdac115d3a4f6388cd2ca08af9d96d1918d07ca2b456cd8b50d539

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
b187a8c90c76b597d5c2b7efa89aa24d

SHA1
a57a24304cc8491ffd7de24d047099a82182237c

SHA256
b3078e25aca19f1d966f5b2e628a3a8cacb6a4a75516b6608a4e15094900201a

SHA512
75375236000cc41644507e833c421e2366852abe1d396ca2a44cc35aa2e429eb681ba3ab5f8017692480f4381790189b721a789c929fb2fde5850c01a3cd9e62

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
9a5728badbc4415d0f743322352c6d31

SHA1
3f47c0908f2662ea17707495060ce3c67638f33b

SHA256
ed1d2ab1fd4e2c0d5138e98a1c677358cc6e3597fb044bd436c962a1a41fb5fb

SHA512
c5ea6cfbec1f014785c5b86423142c1edb6a8e43ae1796d6784b91439537454227eff21e05976845152f8d14ffa218c58ef6707d6537858eba32ebfc4e2d1a48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
47998e6da9776f53450b8e62fe10d33a

SHA1
2e964baaaffc547d1fe195293b542854e0d7a1dd

SHA256
9e1d4b1c4371fde4a58a32bc9e7c9e5d5abd9b1d89d2acd9814cc9382b755c52

SHA512
ca3f36e3b6c1faec797877ea4a053761a198ff17c840d790a3032410733e21384d60cb9dbe9422bb3e087fd06600d1e2f869393f04f52bb4b58007f30883bb97

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
9044b82397563766d36988bfe252aee6

SHA1
e7eb9fee58b75620be10a466b624afc0605aa171

SHA256
01e62f8c4ad36dc8271753a8b88d0048a2aed28cc23f68a15b2e18d6eb4e15fa

SHA512
f3fc291584595f40e66af465ac4eec9703da390bd5aaef8f228e4994a10ae6006b7fad4faba4818b6c90e5fd43fa408bb0a88cb571049f38b7c41e0e5d35f887

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
a0d4bb10871c90048356221d916b054e

SHA1
009e8a59b577d9e77754aa6f4796e4591d4c2764

SHA256
14c878f8cbcdbbc9705cd68b36712aee2da02c4c70b7fb98bb7f971a0004070a

SHA512
12d27ce2b946860af9c07b17409236525b6dc85f9395d9fdea2a78ac9549d6b84bcadb46c707ee8e0badb672982f3ef0e85b625a1fed31b5e42d5819dbb40ba5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
6bf8424aa8f03a92a3e55643b220cc4b

SHA1
58f96234d0039ce379b422a0947d8444384cc5f4

SHA256
2f73414d2d72117ecb0684e0ab19322773cfdec1b3745adc76aff5e51c9e1187

SHA512
01a05141898a0b12e55c18882d2d48f791410239f330bf11dd1a4b4c52894fa60769ab2bdb7e655a43428833da17caf1d5501808dd44dadd1c225e9b5be5325f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
e69c8253fecfe3f3b6d08b5f18afc2e9

SHA1
3a0c33c41e2619addf1de1314d000a3427dc9827

SHA256
bd3dcc4e3fd48959ed7805b1ace5c14702680d54748e3ebefb6f0b000d751bfa

SHA512
fc9d34b72213397e0b0804111c222fe1ab68958df42aa518f244b4892917d3e428144c3a9700daa5ef753a9efd46cd82afc58828a60f70f84af6184c1f011298

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
df9731d579b5b341b82e5c09024f7dd3

SHA1
fbe8043bd4325c44cda553059cd82e092f82ce05

SHA256
1573730794aa998b74fbd0d1600bda7ff95d56566272f3ef6f4b5f6de5530363

SHA512
8f6c1b604c4f60aff7336b5b8481896f74ccdfa17078083180a64159f44884b5f3d46e97d1bb6bfea051631157fbd1dc8eb8f1e9329da39ed00fdad11a0d76fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
9e1fb1edc890ca8cf77c29b3db201768

SHA1
4997bf629d0811592d6e1fc1761f626262bc3f72

SHA256
db48d7cbab5dbfae4c29967ef7e899ba7b6eda0dd711de9cfee88107307bafe6

SHA512
6b1af66b1a8455d6ad13052aaa56ce00ac65137e5354009ccf542558234e517ee8d15c3ed912dc85c8efe85e8617ee63709a9de9dc4954e14285ab358f9472b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
5ac4771a2265c9d5a35006c6b831bc72

SHA1
7fc0dd79f5b4615d28ed2b6a64eb4cdfad9d87f5

SHA256
7be03e16aeb1270ceffe63d4213d2bb24563e7210f34b58cdc8888e308d72381

SHA512
3a379d6f18b6eab055c7c844a29b7c17cb28e6f0024c7fa77d5fa4c92e456c23e1d644293b694d851e20cf485dca8e1c2a9b63597fd78727c46cdfd109520ea2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
ebcf0fe10a2ad424db8287f7bd20b518

SHA1
e20c7c0eac65032f8634c2ea851bc7935ba10bfd

SHA256
737aa299c9ecebf5fe492d90f650542acd84b672f909d89295ae5cbf5bbdf10b

SHA512
5eda01ad97720b1ccc52ff75016facb9e8740596aebe6cdcaa1d9142a9619be352edfae9c641292ecb786a685aaf08c75df6e28b565e8240bc6a52f8efd84625

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
6d56d62673d013cfdd7393c3530d8205

SHA1
10b7ecc7f4561bcc1ce6a1d514b99efce155ce8b

SHA256
a948ce56bc65127f90ca50e170185ce188cd70ff64a8836d148cc12718e78c90

SHA512
3cbdd31f043b1b54277cc2b1ac5d0f8796ea46b2c0d05710e3051dc6e49bf5ff689353176706523842c72648059c803f44e0f3eef0e15230767713d0ee79de54

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
9ffdc5a7af471ceec2a4374522e7d5a2

SHA1
569bc417770f9a2e21448c309ab0b7f7f18e46b3

SHA256
4859427a9cb092854bc475693138e8dce5c6196da6180abf164568645d027318

SHA512
fc85e67ebb32430bdfecd1e084b5ccd80e5f2f3246c65041221b44c4b1bfab191b87ad7a086744b5662a466696dc216c49fa66e342721eb61a9760bc58cd8d36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
ed70401e359ca0d85d5d2ae7253d11ef

SHA1
49895e3bfbae9b7f2ecf69afa666ac67157878c3

SHA256
5767854b97aaeb4aee146e319756e023d300c27a13422f01910bfc8daee7d49c

SHA512
0b3faf29be0268984f1f945566c814e07b732244d7f4a016e26a8d5f3fd4aa6fba08f8328c141973f8ba7a65145f519f6f6be382cce11e65524be74f0f8b87eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
a32f103b088ce804c433da9d2cbb6dd8

SHA1
1da132a095a22fe9ea3648bf581f15f98fe120cc

SHA256
ff4540577fe2df75904e7ff2170e9ced80d0bae3fa8f05df3e2651093988955b

SHA512
397e63cd4010f6ff32b1e4313d850495e901537b5dab9abbc671da89ed113068a19c334a28a6b1ea286f88a2f7643bbc12ecbc34568764a62b094f6b214ad1ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
bc33926cbbaadc8193389e03241277fa

SHA1
a31a637517716c6fd0853309ab210558e8b2df54

SHA256
080ffcf487d871d602e747ebc6a1e06619e1a9ebfcb60ddabcef170c702b3401

SHA512
35a7afab431c91ea3bf63904ccd11695bfe29232ab162042d0a35b449d2add2f761aced73938aa45c74907728dfebc1dc809df5746e0d6174df2acf22c44beda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
86d2b6a65e2991ccbe2ca359044bb94c

SHA1
a0f3503ef859dbcd6a4a9225a008d87a0142b03e

SHA256
97fb1059c6fa6bdde6c7e48a7d4383f1cc614135f24e382bd50067ac3d2d5dd9

SHA512
ff3fa6980fa1414ab7c075d0dbc1851c08ce126886c4e9840e60ce0450468a76f4c4a6994a2034b42bd360597348638638f0bbcbac5dc997007aaaebbeaed00c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
148387f274e0a2c44f194b21d6ee7350

SHA1
803ba1383387f15ac5911044c524262e4c57188b

SHA256
e9d8f89760b06252478e0a74255196ff7bf8370a14fc1fbcd136d5a204477e30

SHA512
58349afe40d2d2cccd906e0628cf26141799616cefadfb9185518c1efa05cd49b4c504d860653edbfe2a054e3784d43aaeb0ff578f8e2a7544fe62714e46ebc6

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
454886cf83615dabc2953194fb1bc727

SHA1
628de8aa32147dbefe795045214f91ae0219ddd0

SHA256
30839f82deda45fbdf45724e89c4c1ccb4236b59b3dafdd28bfd9d7220921f83

SHA512
2f908da9426f58813bb9d2c43929ddb36a94e36b1585db9552c03d8e7d75e81254e6d61e51c286ba94c2504156f9dfe734a3d667ffef9af829a08bf6f9d801f9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
88f6a2cd8c05f7cf438fa47f6532df97

SHA1
b324d36cb4f1768578dd2c6f6a84f30d1f562b9f

SHA256
9ac07f0ee98438757517752e851e836692379998729ac3df00f05e350a72a37f

SHA512
a5414ada378616ad2cae7c009cb62956afb5d3deb5f6af26082a7e71190ee28f1ed5dabd38d707a75e4575cf74821c17d08572f694434047f8424992173e248f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
20076d15520aee4fa46b8124649ceab0

SHA1
5406db6e4752a689cb8955bc560ee69129325cd0

SHA256
36f31ec8a60a42230a300bcca2666b2c9138fc832b2a2328a6717569f28b4b7e

SHA512
988afbfdeb099a628a7132570ebb5f2e535223233d546ac44d3e838a30da5081ee925282d8f957d367645f60e9b1bb9ed28be8d708e207619d19e7014558c541

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
b3016b3e507c22357c61c6d5c6925f38

SHA1
81fd1f5a2279abb797e35018b1a65a70eafac545

SHA256
18ecc7d348560cdecd2ed5e40945044c59b96af8e96d4783e7766c0f162d12a6

SHA512
49348f94002117135c04ed6a8026b0e6aa592745aa767eac8e30caa0123bc236752fd30b13015671a811ee308cf237ced2994ecd92fa3595cd789633419f88b9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
5696dfe1f89c90a7c46b35f6104abb7b

SHA1
ddf22e1d0b4e1489de0cab674389616225411747

SHA256
0eaed9e3cb1556f0884b50b3ae0f89d5b32c1dfbd81da0b9fe7b7cd9508042ba

SHA512
544a2952bd9c5e1e27e03074575ae24b783c5b256495994c7cdef0c10b769ba4bdcba88089cf710e48dde2c4364c748f12cc3e915ac3e9cea818b4da49c15202

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
27fc5f9fe7f50a4741db853ae5fc5c7f

SHA1
fe0274fd27c816d2e0f9559094c2d52e7a67f044

SHA256
0d161977872208307bee8f6b10b44ac2b423ee42976fe650b9f1591d40360330

SHA512
656ecaef4c1fb3f248ee892e43374adcab9258f679cb1e997a66ea0365b2eb914479940d280197908cce33818b0e59f19beb365c292b0ece58396dd35f904579

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
77e9b02d48866d1f289d301d52e81474

SHA1
e3030688a6b30d516118e899d7b20077f5b8e949

SHA256
80e06d2e73dde0a541dceb7d3dd7792f559af63c4d3d4ae8f1ea189e3be0e080

SHA512
40f967020f78dfbd4e0b7c1f587859b3262553d30064b92ed736fbae7412edaa4741866b5ab44d72cc48b8ed4c654e17921fd9ed54e6b1c220b77f5c549bd059

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f3e95d47bea799031e1fa20782937949

SHA1
da2786f2b32faa791dd424ec7f5941888932b2b5

SHA256
a91bfe124fdefa74e2b11b16ee661beeb6c20fde658058c81d1247b5ac7ccb28

SHA512
820a764b2ba9a3b156e8ad569bac0616f8376362751d2b3c015625f62f473d5f8ab78c4f469d9a19c502e5d180cd3580bed04e1ea0baeb3bfbcfc29c0a67c297

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b9e6bb12609bd497a5f758b5096b3425

SHA1
009397ad12bceef0380130bece6045e4ae53d5f3

SHA256
6f8f2ab3a4cf4ff703ea8d79f22b540572c3b60c3ef00b6d6a6d1e0e9af25102

SHA512
1a5ac18a44491063f68d52094142856f41f60343b6b4158c60b5268a1b752d5b0ac8bac624a5b11d28758e5a73ecf6d2473d9dedddcfba7929efbea132c909d5

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
e1f875b039e9191edf51a4598f5801d1

SHA1
4c59939f1120dc100e874104835839cfce256386

SHA256
890feb1121139f230b105c3f88e312d612957f005443b71b8556df6ded58a2d3

SHA512
86b7c934d785838a600482a96f3b00420897f49ed171457de1c087f6ad89399a2fb88fdb2ecb71d3dc02e5a403003dbddea13512014fd00f5f2c04876cef7a5e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
309f1ec07f4a6e84958ac219e2d0dab9

SHA1
ff895c456d06d685c11d8c9969b80bb6b5ebe61f

SHA256
8110c214d46c4cf15df8ac8a0965c31c6a62e7f7bede63d1b091f4ae829cbf62

SHA512
b29ae84b29644b6dd7b5b1d0cc769da3c4d2b95b7c1aa4cfa4538fe1f361dc8be5fd06d0129ddfcdcb47dff7a8a127e235f0ff0c796ea1793a9875a30aae4f86

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
05b9fb7a827e55df4f15393043eacc63

SHA1
32682a7fb426e52d6ec03ba8ca0f1d685ecde634

SHA256
f2272eecfccf445c55f8dd08c1b0dbf7499d5f5cfdd8e047573a8d5b35fb441d

SHA512
6e4bb27c9c09829e8ca1d2b570d4955439faf915767634dd6df1fa198676c3bc87a042c86c23debefe17dab94295e15da3764f35f7ff05c3a44a4ce33c13b401

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
6b1ebd66c675570e5e73443bcecb2f1a

SHA1
dc6fabebebbfe1bd4543da9ce5034512ace785f4

SHA256
275406bc796baa84e7887b40797ac7057178735e67207e65e2426a07462cdd8f

SHA512
ea93793cc53fbd8928c7829a014c0bae4ebb93a35d81f6b8185b8cef9590c0ef9d8b89d6c537b6ca7c7f4db2bd3663c54c0774720c7539a1d8e1499c02940b70

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
6a00b9c450188b5139c56ec4f1bbb0c7

SHA1
e16183469dfafe663ca2e7050609998058916a11

SHA256
a606b4d21cca17d534437efc9c48155bbe41094527df3e49947aee03def6a16d

SHA512
dffcf861439bd41b7be8b238941f58fd6c7256970835ba0c7580cca9c83c5084fb70371894059b2bd2b9df06a73386346f9b746ca8d5f0799527d6e610f061fa

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a738ee69a01362f8abd2ff800a60462f

SHA1
1f768cc3f8e9744acc03fb03a2a32cd8b6e6acf4

SHA256
0bd02ac0b710eba40b04ec3bab6b444b062cf420b4af5b54a003fb2832d47085

SHA512
edd65db2740505ffb753210a36110c316904fbcb110f54fa0f13593d37cdc7a3939cfdb6511354bfbdb4a4eb7d279fc5d22daf547c2e14afcafea1c636cb1784

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
4bfe3e971f9a6fdf3615b80957e48d3c

SHA1
a30d6cf96d80317f9d4bce92265ef78b771fa2f1

SHA256
e126cf70e8c384d32c702762cb2158c1112c2fd7a33a5cd72785e30ee588a017

SHA512
4df37cf7f132cfed9c162ffe70eb2c32ea809ef1c954a95090c8cc506ba50e94a9081c2db25a12e2b9851b608e5fac2b4f9dd4fe853d5048897f2f5f9fc5c4f3

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
cb56ad002f8e77edc906c4555b0b232e

SHA1
bc7f156a0a218ef1f290dc388924f66597dd4598

SHA256
330993ca33ed3fce2d845339298b4ab7c192d93a51d5ed3b839a9e477757afb4

SHA512
831b4ca224c1a5615f053fc9f74de0967c649d99caec21215c298672faea65f16be1e902cb056b06d1424b30d51b885f91b787ce8957146a97b88d73a070869a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
90a6d41929fdb55628609fba6956fd12

SHA1
a7bc5fa1b1f0137c8d077f7c88c1672704dd4a56

SHA256
84daa5fa09d11dc8405def850596ea6a1695374fbd60027feecf8fd56b59aa35

SHA512
20fce8ab55d867480174152f26b49df8c403ae1d934918fab79e13231bbd5f92a740cc786d7d1ef78879eadddada2cb5c4c886936833332a435d9f96a0510989

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
8bef3c4167bb091cb4d557eba4e0bb1e

SHA1
76f613526797bcc97e921f94cb4bbaaa14a2faee

SHA256
c28b27f5df4871fd080f8d65b2992d7754f7413bda3ffa0391161714ba3f6ac5

SHA512
c118ff48aefe3a3a94b050e80fee75d1f664a3a1424e1a647a99ddd6543f8b3e0f8362086daf4549ecbfa3c07f83f9810177c5d7374a6915ad2036b28ce4003f

Download Submit
memory/460-248-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/460-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/460-58-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/460-55-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/640-290-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/640-466-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/748-305-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/748-535-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1528-332-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1528-541-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2300-274-0x0000000000820000-0x0000000000887000-memory.dmp

Filesize
412KB

Download
memory/2300-273-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2300-331-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2512-83-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2512-249-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2512-76-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2512-77-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2896-531-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2896-293-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3116-328-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3116-540-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3196-245-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3196-44-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3196-45-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/3196-36-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/3384-327-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3384-266-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3384-260-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3384-259-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3448-536-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3448-316-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3600-323-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3600-255-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3612-324-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3612-539-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3616-24-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3616-244-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3616-16-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3616-23-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3616-22-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4020-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4020-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4052-243-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4052-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4100-6-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/4100-8-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/4100-0-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/4100-32-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/4216-319-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4216-321-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4292-68-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/4292-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4292-62-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/4292-72-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/4292-61-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4340-283-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4340-335-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4420-336-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4420-542-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4588-341-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4588-543-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4936-532-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4936-340-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4936-286-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download