461f6e9cc5c14418ee61e7f2479dec8bce5a95f174e2b5342033286abb035e68

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-27_584ee8b58b84938f456fbdb28142f750_ryuk.exe
Size

2.0MB
MD5

584ee8b58b84938f456fbdb28142f750
SHA1

e3633d1e7199589aa1998bc56e9e3affe3ce2c79
SHA256

461f6e9cc5c14418ee61e7f2479dec8bce5a95f174e2b5342033286abb035e68
SHA512

4395d74577654ce35f4405c84db4e83c1819da3415978c768f15b7aff2dc3d4e4827d368d296adda9bb4e6366b297d5265cb4b3fb692835a09860c107cc2617c
SSDEEP

49152:c2AnkV4pirBKiyq6kWISQEBVRbgnHyNJslRG7y00ibS:c2AnxpirB1N2mnH5x00ibS

Score

7^/10

bootkit persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5080	alg.exe
2508	DiagnosticsHub.StandardCollector.Service.exe
1212	fxssvc.exe
4920	elevation_service.exe
4728	elevation_service.exe
1008	maintenanceservice.exe
2324	msdtc.exe
2428	OSE.EXE
1624	PerceptionSimulationService.exe
4232	perfhost.exe
364	locator.exe
960	SensorDataService.exe
3732	snmptrap.exe
4340	spectrum.exe
3204	ssh-agent.exe
1600	TieringEngineService.exe
2680	AgentService.exe
1212	vds.exe
2580	vssvc.exe
1908	wbengine.exe
2948	WmiApSrv.exe
8	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	2024-06-27_584ee8b58b84938f456fbdb28142f750_ryuk.exe

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-27_584ee8b58b84938f456fbdb28142f750_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-27_584ee8b58b84938f456fbdb28142f750_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-27_584ee8b58b84938f456fbdb28142f750_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-27_584ee8b58b84938f456fbdb28142f750_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-27_584ee8b58b84938f456fbdb28142f750_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-27_584ee8b58b84938f456fbdb28142f750_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-27_584ee8b58b84938f456fbdb28142f750_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-27_584ee8b58b84938f456fbdb28142f750_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-27_584ee8b58b84938f456fbdb28142f750_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-27_584ee8b58b84938f456fbdb28142f750_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-27_584ee8b58b84938f456fbdb28142f750_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-27_584ee8b58b84938f456fbdb28142f750_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-27_584ee8b58b84938f456fbdb28142f750_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-27_584ee8b58b84938f456fbdb28142f750_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-27_584ee8b58b84938f456fbdb28142f750_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-27_584ee8b58b84938f456fbdb28142f750_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d063af66253fadf5.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-27_584ee8b58b84938f456fbdb28142f750_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-27_584ee8b58b84938f456fbdb28142f750_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-27_584ee8b58b84938f456fbdb28142f750_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-27_584ee8b58b84938f456fbdb28142f750_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-27_584ee8b58b84938f456fbdb28142f750_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-27_584ee8b58b84938f456fbdb28142f750_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-06-27_584ee8b58b84938f456fbdb28142f750_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-06-27_584ee8b58b84938f456fbdb28142f750_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-27_584ee8b58b84938f456fbdb28142f750_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b9c3b1a64c8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000847f5b1964c8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003fcc881964c8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000086bc371964c8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000084d7551a64c8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f1f3a1964c8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040314d1964c8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce2dc91964c8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040314d1964c8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2508	DiagnosticsHub.StandardCollector.Service.exe
2508	DiagnosticsHub.StandardCollector.Service.exe
2508	DiagnosticsHub.StandardCollector.Service.exe
2508	DiagnosticsHub.StandardCollector.Service.exe
2508	DiagnosticsHub.StandardCollector.Service.exe
2508	DiagnosticsHub.StandardCollector.Service.exe
2508	DiagnosticsHub.StandardCollector.Service.exe
4920	elevation_service.exe
4920	elevation_service.exe
4920	elevation_service.exe
4920	elevation_service.exe
4920	elevation_service.exe
4920	elevation_service.exe
4920	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1804	2024-06-27_584ee8b58b84938f456fbdb28142f750_ryuk.exe
Token: SeAuditPrivilege	1212	fxssvc.exe
Token: SeRestorePrivilege	1600	TieringEngineService.exe
Token: SeManageVolumePrivilege	1600	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2680	AgentService.exe
Token: SeBackupPrivilege	2580	vssvc.exe
Token: SeRestorePrivilege	2580	vssvc.exe
Token: SeAuditPrivilege	2580	vssvc.exe
Token: SeBackupPrivilege	1908	wbengine.exe
Token: SeRestorePrivilege	1908	wbengine.exe
Token: SeSecurityPrivilege	1908	wbengine.exe
Token: 33	8	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeDebugPrivilege	2508	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4920	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 3484	8	SearchIndexer.exe	113
PID 8 wrote to memory of 3484	8	SearchIndexer.exe	113
PID 8 wrote to memory of 4880	8	SearchIndexer.exe	114
PID 8 wrote to memory of 4880	8	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-27_584ee8b58b84938f456fbdb28142f750_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_584ee8b58b84938f456fbdb28142f750_ryuk.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:5080

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4984

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4728

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1008

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2324

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2428

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1624

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4232

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:364

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:960

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3732

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4340

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4312

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1212

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2948

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:8
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3484
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
5f7272c0aac8b04d43730e24a44b243f

SHA1
082e2001f81056289c713ed12fab19e92f20f643

SHA256
6e47196e6652a8a9b48cccddb7aaead78b4e7c363913c753db446dcba34ab481

SHA512
a62d5a650c945e2932bbc62581957242e9404ed85d22ce9342c7019de9e333bb8219a2cbf85640b867c01750130f2216326e25fc4af871b3b9e240b792017f65

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
3acca015a8ae26464f99fa22f9d491cb

SHA1
125423121ee62d870362a0310b2cbf5bf909a32b

SHA256
277cc3fd5cc4685fea82b0a3144614e337f23d582c9286c820844f907240e064

SHA512
2c5b498eb53c8b7f63394d56c2adcc34c49f8874ae514637826d8803efb3909691f57d88058d88914e75c13df0e666414a782f6f8414d3d71681a09834968fe2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
9f98b4123609adc26537fa71468b26d7

SHA1
9b278d0c96aae5dfe47dccc579af17b77bca6a35

SHA256
2f6c0163cda68c0066461d45b849674a9de884d34da9de1336eee599b2a83267

SHA512
2fd777d4f4845ad01083b11b7e59119e3bc6780ca76486ffa2bb0e03101a5e07e03efc40252b8db7b987eae4064cb4fe0d6aea76313d91d2234567b5e66cdf54

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
77af09a7603f27619a7b90ed9aad9c2e

SHA1
d417dd3acdb610b933733c8c6f7a024b644c171a

SHA256
571173ee6a47d4a0ea633ae4da62221567310052b924307eb6a08e4e0fb732cf

SHA512
708abc00646827600d566b4736d854defe020e5bc78e5ebb45bf461aa201fec6cec7366d6967e2b14ce919f0ab5e36fe46a50adb4eb05832e82395565dfa4379

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
22e5d925025763fbde0bea40def36255

SHA1
aeb5c7f2824dc08bb0b4f02126d2d68c2ae412f8

SHA256
d2c9b309ec2d1cac8f99a67257eb2193fd929e91a025859795d194a9d30aac7a

SHA512
2db39566280cc1e698f4eb6e06b48495422612558b2a6ecd7a3d52244b01c656dc6ef38dc3619190d8be486834a53f774cf6b9d9ed2778fa82af40fbcf5021f0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
19a1ae3fc4d3c1d627c5c507fe554efd

SHA1
406f8dadc535f5a7f3676ebcae34895f88455932

SHA256
0d36d8f342ceff1962a78924fedb2fdd3b7c0dbf88b422f5fbaf121455d238f5

SHA512
cf579b84a734ec5d3776ee206d1f65671ad19df025c7475bbc6852720cd7faa05c8346dc74bb25649bff394f934b802cde2a043ff9e0f9401f4bb10fc90c2d8d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
ea2c08b1084a509f8b3077a478f7cdb9

SHA1
c51254d436fb4b9c0ead21dc8d47559649731a54

SHA256
92a1f1f8d98c5ee92eabeac3a6ea3b969a1f328bd061f5c5d86d6dab44ef7d85

SHA512
5d5e3acda2cb976fbdab45ffe8124ebf5ea97b5b4bcdb38d1a7740fb887211b638bdef6feafa97dd1e4f61264aecf3e455e19df7f618406a47c2b19fee46618e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2e3b5af1d180a73c4ecb112d2dfbd75e

SHA1
e5545cad279014152d8d20afce7acbf19268804c

SHA256
14bed61117d55cd2208daac3a8ab91f477b6a0f3195be39a0cce1ba317765f15

SHA512
a34947b78b5ee5b0d27fa6e91726f0ad47cd34c2981a3618287570ae7ee3348134d5c037a357c9b18fd2f516bf4bb951d3893436da3010a826489c0e25c78132

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
0f523b69dff3e12d4d43f75df024a5c8

SHA1
f228bec7f267c61b07d8a3211d6cd4c84cf0b7ec

SHA256
0dcd881764b258986846f8aca2812d1ed86a7405d15f8c3153c2e4f22eb5a788

SHA512
6d7708f8673bbd8a46080aa69f4b64c6b23ad02fce7976a50b87e0a2034c05892a99c74c49b9b48b1c3294bdea987cd4b47a62cc8ebf3bbe97893dd787604c8f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3ce5a65ee1a7c75e6b7b995591ac4b9a

SHA1
593f4d0f12d08b44bc762449c46c4b199992c3ba

SHA256
45c28c9743f67acb1a44db464197f90f87217019c746fe56b4d05f1d19b98904

SHA512
badb963c780bf8914f810ee799089708870bd3acd3a545b765c910937a2f229de08a91dd6827233d7d7f06cd282a772d66cb200749c821be399f637d1076882b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3f6e0d1033b81fc79bacd3e81aa4db53

SHA1
3daf984cb9f6ca598c2fabd7763b59c3a47918ff

SHA256
6519f78e78980e0a51c0f56ae9b8254e66a32692a165cae94a8ec2c790a0b5be

SHA512
54ce9cee031c8bfa5f190a1c9737c9fd0149944a21e41bd4f939089d1020fb883b5d478ef9cd0db2b2c068ded3765528017a277fd6a35257ceb9c6cd560a98ee

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ad3788bf710ff7c9d61916213d008e54

SHA1
203fe39a3d85ba8aecc7bf891cab0b1cb05d70fc

SHA256
b36c1eece4a19d499d3312d5ad73f585e6dfbb83c813eb4781719d75d891c312

SHA512
144b758257d17e81b28fc3704572d00900a7073c598e5e0c6d2c57c8635c1cfe1c9f46df9774ae4b638090cac9d7747d28f0c7cf503b77d272c7e867f619c13f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
48a215aea948bfe0f67603540e570125

SHA1
d0a4094789c3ca926e9883d6a3d22ca9c8e0fac5

SHA256
eacaf83979abdc167ecb60d1c9359fad9abb2631356683b58e4d02ee66a6eea3

SHA512
5029c01dfd3ca64e5511fa89d897f17cc2150ee466efb0d5842a4096b215726dec40fdcd8c9e07994b8f37015fcf296c87ab86c7d7ec9b041bf6a88252101fa0

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
cc4fb502f2c01b3d52799faaf77f6355

SHA1
e243d2db2b95bcdaa32bf2fabc069844faa7382e

SHA256
b0cad8fed2755225216b1eb45e442de7a5c22f26257b2e6db7ea6f8389af1e60

SHA512
fd1388b6ff14d0882e7585fe79f32f11ad6e1384209ec4d886368d85bbde4d2b5e47ad11493eacbdc4b77c0e78bd5ee7ba95e8be2fb41b0947e4b01f062316e0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
cd8096cb3137d77d5d6c198d9cff878e

SHA1
70d3149bf648090f2a45a2751ffcf9dcdfcf9cd9

SHA256
9fe045c67dacd3b24f0038806ef446fd63b018df1d2a9228038bd1fcc2b203cc

SHA512
c402be2ba63ba7e94192be7b6cd1124fff41422d62c6559490a82c17087cf6846a67da2dcb003115336c217bb65a9c004873d0a56876ad7cf3498f9835d61d06

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
60c2b68a5ed949ec7be7ed747c96c149

SHA1
d31ed11e54e3878d164a2d2a40f9b34aa7436b58

SHA256
a2f4463b4a8fb8f72be910cb5b433942d3ff6c3a5b771425aa9a8f6a08548f94

SHA512
d95484c2c98c906a4360ac832575ddbe37b306087c415ec0beb5844f4f42946f7d332978628bd29fe68cc7eeee24494d47d53c109c74bd3a6f46b8ca30ff7ca7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
c5d6aecbfe47bff2d97931323984fb82

SHA1
249b987adca6c98fc8af2a846df2e294c2d0d8eb

SHA256
19de55f8f3b5e5f83284339f06ef8c2ae1da4184dedfeef1bd221145206a5e25

SHA512
e61d453bc19ba84b0569e10629e615c174e5698326697884993348ca94545178a3e1c89a1fd4745f27757c747a1380949d6d02c790abefdde67bd96ba2b38f86

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
ee92262254ab6978a323aac612c637ed

SHA1
5df0dad87fbdc98217f38c201a04895b13b67bf8

SHA256
88a125eb4b9669baea61ebea40fc45ed32939901f003032d77f5016b98ce388f

SHA512
db2db85707956c683bedb3e43d2a6337612729f86010687c34b4387f114cfef67dc4d0cded2986e22ae4e8576e7c482c677a032bdd0a0aa2d014f4c87caf42d3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
d296377f94eb32b5383cb4937a4515db

SHA1
c638afdee645e3acb6d09d4ebac40fb0f072bad1

SHA256
f6e498964fd9378955e6cf7c48e6bc214b64af6d30fff42d1b245b51bcc2c678

SHA512
607c1d43e322d0788adc107cab03ffd69bb06e5591293345a8c35336759c3fa9d518a5bfdbf16fecc00192f93d329d8e296e3e47840aeadd90d7a19dec77ecac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
2b7ed60a16d11d24e2e0f05b83ef90d2

SHA1
f4b7faf354bacdab8da5e813e0d6034fc488c308

SHA256
8840cdfc473000a553a2fb07ec9d9f44f1a09dec6164436180a909f1b1808163

SHA512
56445ce7274d8960eae94f7348e4d697e2f758d7f4ea37c7cbcaed66ab325ffe8762ca5dc798acba7dc5bcc31eb1d9b0d73252de386ec60968c90f92042cd206

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
417b61a76fbc6c4e6de0cd46df06a654

SHA1
771fe757221e0d2148a41680e329fae9c322611f

SHA256
54bc6cc9d035e769ffedea2d1dc94cfc719de320eebbcc3d812a2cd0adeebf3c

SHA512
4710278b5f41796ea9217a13a7fb429d8a729ae97458e1e63269054875b0ed89432eedc25864578a9dc9f536ee426eaa7f8ab46fcc4e70f2421278bf367eff13

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
23e9d1524ad20fe68ca45763b5cea37e

SHA1
938f1992944cfba3059a0a789ee6f349b7cac0f2

SHA256
28d23a441a56e9f21eb0363dedc50f2b4e5462ecdc926b8a020320fde26e9882

SHA512
3779fd9400b7d09a88c6043330ab9c89e661d436a9a2fea53491dc6f8389de26e7d3c88a0473825672603fc17fbc1acda02c0b6bd6c54412a1dd9225c2cc7f3b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
e151b9fe2e0359ca9af74b0b0aa5fbf2

SHA1
e2bb227cba1b7d61e1b974ab65fda41f2e66a6f2

SHA256
5f434353fbe7c74d0d814044674340793b4e1106cc6dc6f3d1c0da1ea9721489

SHA512
30fc72ca25dee795569a6a51368d238b6093f9e8f065451d9217d3e4fd7a89aa0ca3c34d6431f5d0aa0ad8eb9e7fdef4c975da3b5f094a2c8a692589337c9e66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
c940cc948b14999a1e4382dcfd3f115a

SHA1
eb7038dc8784081ff647ffade483382a3f00796c

SHA256
31db29716ef5a66f817635b78f9277722cf804b53ae571d5342573074b4f3910

SHA512
62c2c4660f83827ad163510498717ed13314b5e3adf908e319ebea83394d1991175ed8cd1c7d8179975d3e45d61e0ce4be9b5aefc5b6647cc0bb6482d5d68ae1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
c8659a678dbc1c4034ab736dbf85b4ec

SHA1
30bfc4622ddc5b042b2809d8002efd568ecda4a9

SHA256
a36b23a61f61403990dda0e76f5b84b211db6e7c75da6423ee0917082b023d63

SHA512
e1044bfa03adf1a73dc16bc32cac504444b248f0998e6eea5f73065ce26f9a85ac13a9297024ce4a548b01b07573b7325f26cdc7b42bd0c5b7c68c9e65d9d443

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
d714273450000f1e3dd996d25f12770e

SHA1
6d9076a8d36e27bab6862ae9bf9ff599259dcaff

SHA256
2340ae59cf890e8320a732446701412d7122e19fb2df4f2ef22f6b79305bdeff

SHA512
99dda32c102569ba9a6622f84d29e73460317c8fd6f5306f100207701450807587388a6014e70be46264b74660fc8b334f9212ddba4cf2ce25eafe91c2c7d08f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
782d185ef954c1aeb2a923a21d25a20c

SHA1
a26a30740713f7bec8a604892fab1bdb0f4f477f

SHA256
847e68044e85ac5dc4b703bbe4738c261a51165784a939ded4709464de78bc07

SHA512
04b32b702827d51ee7b203c4089cbd9a77a7b4be17c5e1d1cb7ece8fde7d6085fdf157cbc9479285b179c5c2796ada1272477ca2d0a56c76fa885517055e3bfe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
24fcf2dc45bd1b05930ef52cbebd97e9

SHA1
40be1ae325874932c45573c5be09453a6650e0e8

SHA256
0d8b5cee7224515c7f6bf30fb65b33c0259df880965323552705c635f281e6e2

SHA512
af830e7b59c5af1778b2e53a9ceca28b49e88ae2039601c8d44bc9e7c5b6191f0dc3a467cca10276e7f3f6e8cae64c036bfd3dc2195b7dc354fdcae644584bed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
120aeebf825ca39e34053386df63bdf3

SHA1
88939baa00640607cab125ccd153fabaec1d94e8

SHA256
36130c021609ac0441a8036f76aeb0861243e894db04e4af202126080703664c

SHA512
afaaa21392e99a56d975cf04bf2244a26a828ffc4d2729bad9006ba896adb183b9e0b4853f7efae07772ad9fe7036fa67bec447821eedd78d74326e6e9fc35ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
385f00b2446d8a693fbd4b22f5cec849

SHA1
8c883cf20f758253cc63e7124d04d825f9157a02

SHA256
a7749e38f213b97bc6a67fb209eddf3d195189c8acb42e759c9b500925ff331d

SHA512
9ed1e3cbc7f9506b2b30546fe1c11848147fdac678d4e9a5367ea8d33ff05efc4131e4a615a113d45bf05934d1b9828603fba0b62dc6029ffddda258a32ac1e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
59b3f4bcbc7b94902537d622d7ce403a

SHA1
ecac46db814b5c812cce9ea72136f993b3f4fdb2

SHA256
0fda1c699eaa8460f7658d50c4ddd1e442dc93470252b70479310d04f1d85ad7

SHA512
85eac3848c8d9674def2ad94331047db698c188c8c8ccba753646566e3ef196aad67140cde22ed602cf9110fa6badb0a855349c25726b1ce9ca0283e9acc7951

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
97c86670cad28f77308d60831c93c930

SHA1
51c59e735e9561c3805b119642b45514b8409d14

SHA256
f09a068eb391a3585c9af2963b28397f55caf3eba5a160e2abe4d84def10599b

SHA512
f8644445ad68f4e1b185c7875ac8b98767d088f404ea278548e7a44bcf49eef853dfa2f332994640aeff6eb85256c3fad22e738b22c825858bdc4a31fe7485f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
69c149ec0b2be4d433977b216027fe6f

SHA1
175ef08bfcda0f8487e2ba54e2853d3859eb9e84

SHA256
4ccab9ab6c6ee0a4a48d2b8f68fc54438975bce3acf11b94f1613e168eb08772

SHA512
b6bf21795ce4ceecb23357b458f34f4f1fcbbaaa94bd53cc32502a60258490d78886641f97d63d3a5a08d162a16e23f638ba7fa7eb78db23ac4b6c6a9eae6b14

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
9082ce301735ac06fd1232f6f18903ca

SHA1
1e5532ccdd0d9c2970d00e3276e19378f3880c5d

SHA256
d01102f8f1930d6c04cc3e1bc48e42b82e26002554b035c4547c95339c2b72ba

SHA512
b78c85c6d9a74e2b57e1054069d0d4f924f2144f854103f1d71ae2b27db31463867c38a1dc23042ad957caed167ad103f5e0919339b4798fe90a6cf02a9bc290

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
7b5d0ed20f3c03ec42ca6b7f326727ac

SHA1
8e3955610917963cb67140b0b0f2e4163d5a73b5

SHA256
d4da9140b94fb17322926ed93f68aea56492e3266b8d75e53aacb784a3c129c5

SHA512
ba0dc0acba20f56816ea9decee6e3235249944eebcd8be2e2c3ff4d265b8ae1871c8a29536f290de8438b6c75aec57524e51623cd65d68beb48cf54193e48d01

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
97fc67181a3c923177f2c0e9bc3d0423

SHA1
77a550ce2e8aac06eedc8012294211229014167e

SHA256
de4a51430b72fe4f9e74a306d0fa954054f92bc12e3773a1dbd5cd411b8f5805

SHA512
6472aa2d920b9f58e2c8b068a5a02622e41b2fcc84981040a6c99cfd44b518d6343dbfeaace0c8a2dfc0899fed558768548893fa8f0cd44025514a2727b5e929

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
5deb685312e1a5a77c52d6bfd91704b4

SHA1
088d19f58037dabbdf72c70197f26af62959a95a

SHA256
4301311bd7bd7c9581bd4b24d535ab6e0baca02990f7b1aa03f297a0daf25916

SHA512
331778ee60232a10a8da6706913cbab17794440abf08b445bc75754e4005bcb990ebbb09c1d1e44e4ec9aa587cd726fc0308bced8fabe7e1acb9dec47c1cf718

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
8e40e3377501f124cd9dc5dba11fb935

SHA1
02658425acb0adba66df185bdae268008f8fc2fe

SHA256
f8a19211f28126222acb2d889ca591272768532261858a85a7c5579522fc39ad

SHA512
da6cdbee04c5ba93dcf4547b238448e6af8e7dac1522c858dbdaa932416594070ed34d99df175c95a2b3dfa4a19e024e25c3279002a9cb5b1ebc8ff0b37797b0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
108dc7b030f0668c8ec3aa45ead44ec3

SHA1
29f2be1e9abb27ffbd9e472314562e0ec7db9043

SHA256
52ff6a96167fb046820307b8f41c1859174eaec1118c28c497e4b5ba52aecc8e

SHA512
8d94f0e66ef5ffa8abf9dfa76bb2645e13ee2538047bd404b290919471831be0214460e28c47a4893437acf7d763873a12e3ecf34eba060cac7fd50bb057ff42

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4acbc212d7c281bbcf339d4a3a669e1e

SHA1
75faad178787266910270bb770bec45d5df776ca

SHA256
2e005c972c7b38694766a0f7430628a13289e71ed5b2a350800b348f90e5478d

SHA512
965a03d8b99a29d31d32baa4350d25d3cc66757e70444ec587ca65112f5115baed639796584386bfb85e58ccf6f0ba9f5f59a1740164614cc11d6a276cfb7648

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
7c93937c576b7eb0738829bcf965b360

SHA1
0e83506f6e5cb35b26a50bf2b495b50833a3eb3b

SHA256
b738c676898894362f304d8c6d2bd2a3a0c049598e2fabd2ea3cf864ad278d4f

SHA512
7b6ba3bcb039925b0f0c24a2f9e2a5930574dbce1ffc7e1973239420b09933d969833fecbb0f29806e9bc1962b79dbfb7e7402b7f08d74f764055d57c2b22f28

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
95706b575723a20e3bd08be9c63c8f06

SHA1
2164b3869c327e36bb0f2c79e65c62af7172615e

SHA256
d80919deb3e3de57054d3731d7cddf2561db72d15fa9067952a34698466b4e28

SHA512
1df13a39aa2d54fbd58b34ea93cbcec447facb06394289fe0f9f83bed28388dbf23f229c188cfb24979f6aa9dc7ac6f3f38875274dea4943088c123495b53ef2

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
6f5d3729aa6228d0385fc2436e31e710

SHA1
33d6c6bbe3bad81247cad622ecd5e0cb32b6ed10

SHA256
0dc1df5311cb511cddf1e2df53731272f86273bbc68c98a549336d241f7dda80

SHA512
cf2845fee1a66b569fd620b8bc58e6768efbe3da137a09bc52a3405413aae3b7521320e189505f5864eea582e553b3a16c60ccc7f27bd627f34875faa373bfd8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
b0c22e0dcce2fa2c7505d42e6358d44b

SHA1
5d31dfe98af7e0a578d4337949b983aa27091ea6

SHA256
36aa8bf2c6710e4684a184096de44fac1e8e06a0f9bd3d88b4abe915c5bc917c

SHA512
c257da1b726999ed8788e4d4a0e110df636535e3b2e16c261ed2c38f5c08269488b270d4f6ebbdeafa69a2c2cc20da4bebf0aa739b20d8fd4a7bf2b676fe5370

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
afe18d583d251def5aced2298bdcdc33

SHA1
242ce767464cc77df485bf8ea381a906de35991c

SHA256
64742bef9d3edc5a4fe5c8e1f67293e2622bc124d3fa74613e61fbc9ff7aa89a

SHA512
88cc33444f1c3e37eea3e48e7e0738d093da5ba52734291ba51b64cb5af651eac708e5884270e41e6452f41d2700b42d6c8c83ce6c515835249e352e1fa2616e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
21784f94e128631d7be2e8a972350396

SHA1
45ea0bd7c3df4c12605023cfe6c26e414ab058c6

SHA256
6bbd56fa170eb2540a045a19cd1979f357c9a3deb125c963dcce0dcdfdbb305d

SHA512
d283d921d66985b6f54bc19d2f85ef7d3d2376822eeae07c0a3e3744e60e3e68b7c167aa115d35de326e7262020d120c19855f0b2ff88d9b0f529609d1f8c979

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7b919c31fde88eeccfee423ebb2b6be8

SHA1
4da824435d6b8186f41ec78569c5045fa3f7a0fe

SHA256
43f43b5467e159f55957fafe3b0bb9e7a275be8531186be02c551bc3b6f3196a

SHA512
a17d25a042d7ecae7e5a9385f4a915c1ffad2d07f2958eed0a62ec6fcc8638cdad162d6e405ed595c60fcf9e55d17f900b74dd39091cf358952265e149557c2d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
94904f8d6d4f736cc79a154741d3491a

SHA1
ae0ecad1c2e359a51a49f2d5a0f836e61a0c7cfa

SHA256
82435a23864b17b309717cdd2c42aeea891bca05c7399727c52429494e3741e8

SHA512
e859f5c0eb24121cc6270d9cfa0579df72e402bc91cb16f110534f358ad44f50be2cea24718a27857f8ea9657f00930bbce87c1bd9ff877f6f0072fdda14f979

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
794c5786ecb381381a4db8f19e5a8589

SHA1
8eb5ada20fb1a23f25d7c273a0d8285a12cd2561

SHA256
113b1fe88d1d02cf9e5ecd28b62a8e60db6ff675785b7983a04eb5cf382d0548

SHA512
7fa06252170c6fc3f95c07f526055fadc30631b641e9e4b224f5e358efd625c80455127d4c6d943da6f98d8436bdfcc3ba7bdd30697d1d47defacdaf9d74a6b3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ec6a8abf113853b03f40ce2c6ddfcc8f

SHA1
3eb23f6a34945b50ea85619abac1ed308a47e66a

SHA256
53a316e40aada820e56eb9085d4ae2d67394ca3750af7a0a8177812eb9687f1d

SHA512
690653cdb2b2dc0e79ce551b63bbfe9cb1a426eb859fa8f13b92fb10151d49949ee1bdbf10d0bba5784c1e1d359ef202d6b23aee56cfa39a0b6ed4a432fb5c8b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
eff946544356face93f61db0cb25f7eb

SHA1
26e7ee64f17d144a86c5020b581bd5dffe039ff2

SHA256
6c4161d678ff812310da27cbdfc82f84ef5e40c7f947e9d233b89c727ffbfda9

SHA512
f6cff97fb8dd8b46b5dbefbee229a5b2f995ca58bccbe2fbc1fde770f7bd3beb329d87a4fe5fe0503cf48fb728be55197253227d0bdc416562240afc61bbd666

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
3a26d8955f16ab9dea67c44c90bdb1c2

SHA1
84945e2ac55f275d12d8a7d5c5192ca4063245d8

SHA256
bbb37feec227e3a67297fbe193f59a96c240f0112648aabf5d0e38420f76c976

SHA512
d25ce0669c7a170f88b6ae3e0db92d93e0d5342928fc3c71a205c3de16a5cf3083fb9e75a539927d5071ef2116b7d0f9fab78f37b1060ec0f549909bac7dd821

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
a16b19e498039c1c27fd2308d02e0391

SHA1
83bc65dcf7b6d062b3dd9ee67221b0c2679d59de

SHA256
a5df61cec2e0eea945478aa1f41e6b5f5a93aa4ef7d5cdd0c38984ab102495d8

SHA512
79870f3211b469f041b9d65cec534eee29710db2bc5a07270fc6e9600baec0843bc649d30aa225731f71ea9f26dd627c56e1870bfb9b83ab91e8d9577ee99ea3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
43611c6dc172e1e3f7737ee0bba974e8

SHA1
ea0d8b8d43ffba4b2ec6ae0d7b08b995cf7ab73e

SHA256
02250cebd39f85d3905760b75af4e29ca7858f6bb6b74c09976b7925c5313db7

SHA512
d1b0db90f8580e4326b3df48eafbd75ee11fc03d7e3b5bd54964480a06f917b58a6fa8a26b7addcce207882a78563f291260acf47697e7ac2cf92b56ee6778eb

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
03bafdcf1241d353bf6f38b90d16b243

SHA1
441ffafb877e2eee026fcb819ed250737211d0ce

SHA256
fe7bdb8888bfe5f991dce168ee7413245379d989b0070fd312b06b8175dd6d1c

SHA512
82be7289fd6058840430a618a37c00c20960126688b9a0f9cf2ba50bcaed92cb4041a7fa773b5b6b6e88e343bef83eb00cf4fd7bf9c808fc361ce242f054aa0a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
cee341d1ffe7412dfd466c29672f7c13

SHA1
05987c001c08e6dc670a1b674e160739c0cd7dc3

SHA256
e706726d41a0c625afe63b3c4cd04785e135ea79677006e3047fb20082df9e91

SHA512
3ab580f79a3683acffb8984c0421f59cd6d86d53395588c3e1edfe55f2f3cfd8f25bcd04eb56ac460f019162d9e86f8a5c7acab8bc0b55a6f80c884f67c492fe

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
4a3d9980f7995ac088c0f2039fd80c0d

SHA1
76be11dd36c74d1e4489b076e5d47e3373001d0d

SHA256
48e3a2c019e78ce8e94845083e9c89e95ec7387ce0dcaa91ad76dfd3f76be117

SHA512
c96b30ea3ae5631de3abe5b3c395c6ef5f115933f1f04f490eb54b8e05608fbac43682b31dc2d860647b06dc1408b011198e422b6c0926ca74f19cee2e2a7b40

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
314cc71433be68474472da0d3c84a691

SHA1
f008d70d87a08df8303419f080fa3646a2c5e998

SHA256
0b0a7f13279444e6bbf27930907490010724a53b8d5365aa0747e593e5064e47

SHA512
8a8b871ce3d5d2ec8c42b438e30d2c3bf08ef2a57450c28e2fb5791fa056697acc31481cdfc2c90fa1f84d2ac305be76f997e852edc403ef08a60a13970ba4a4

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
805ed03c580f43d8ec291bf2f3b93b1f

SHA1
a35f6225f0de19817ddcd045fb8e2ee2ad5fb1b9

SHA256
ea0c5501c6e97eb5903551ce7d26dfda95378df0af0ce3a3ea6322b89f25c6c2

SHA512
712ebb49b0936bbfab69c70e3b3f35d5241e09391a1bcef021bb1e3112dc3a3f336d624d7e52b5195dd4cffb2d9d3ef7666a8d65d4a93304b71ca91cc26336c1

Download Submit
memory/8-172-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/8-556-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/364-116-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/960-118-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/960-547-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1008-57-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/1008-67-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/1008-63-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/1008-69-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1008-56-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1212-174-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1212-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1212-31-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1600-168-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1624-553-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1624-91-0x0000000000B90000-0x0000000000BF0000-memory.dmp

Filesize
384KB

Download
memory/1624-90-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1624-97-0x0000000000B90000-0x0000000000BF0000-memory.dmp

Filesize
384KB

Download
memory/1804-216-0x0000000140000000-0x0000000140331000-memory.dmp

Filesize
3.2MB

Download
memory/1804-83-0x0000000140000000-0x0000000140331000-memory.dmp

Filesize
3.2MB

Download
memory/1804-0-0x0000000140000000-0x0000000140331000-memory.dmp

Filesize
3.2MB

Download
memory/1804-9-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/1804-1-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/1804-217-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/1908-170-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2324-71-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/2324-549-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/2428-75-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2428-81-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2428-85-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2428-550-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2508-27-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2508-17-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2508-114-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2508-26-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2580-169-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2680-149-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2948-555-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2948-171-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3204-146-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3732-144-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4232-106-0x0000000000750000-0x00000000007B6000-memory.dmp

Filesize
408KB

Download
memory/4232-101-0x0000000000750000-0x00000000007B6000-memory.dmp

Filesize
408KB

Download
memory/4232-115-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4340-554-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4340-145-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4728-548-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4728-45-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4728-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4728-52-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4920-41-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4920-33-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4920-34-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4920-514-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5080-15-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/5080-113-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download