e0063c661af4454cc42116097fd03283ae4fd93379c768a113434072a7f6fd92

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-01_1bb55a23edb4bf85204aec010fb470a5_ryuk.exe
Size

2.2MB
MD5

1bb55a23edb4bf85204aec010fb470a5
SHA1

a092c8c05bc6423c25069802a7ecf3537a7ac733
SHA256

e0063c661af4454cc42116097fd03283ae4fd93379c768a113434072a7f6fd92
SHA512

c96d9c57c31205f3dae4617ec6996ae6cc1a4ae123b68e86ac171df26e2537bfac4e1cd1f7c88399b06104f7e662f029a5879bfdfc13b8e2175cf65f77966945
SSDEEP

49152:HOOh3aN4kuLbegmtGI7DcMlQpRQQMKMZ:fU4ku/ct/3zlQpRQQY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3860	alg.exe
448	DiagnosticsHub.StandardCollector.Service.exe
2136	fxssvc.exe
1896	elevation_service.exe
400	elevation_service.exe
4524	maintenanceservice.exe
536	OSE.EXE
1756	msdtc.exe
2236	PerceptionSimulationService.exe
452	perfhost.exe
4004	locator.exe
4440	SensorDataService.exe
3936	snmptrap.exe
2716	spectrum.exe
5016	ssh-agent.exe
1388	TieringEngineService.exe
4876	AgentService.exe
4724	vds.exe
2284	vssvc.exe
4272	wbengine.exe
4708	WmiApSrv.exe
5044	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-01_1bb55a23edb4bf85204aec010fb470a5_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-01_1bb55a23edb4bf85204aec010fb470a5_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-01_1bb55a23edb4bf85204aec010fb470a5_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-01_1bb55a23edb4bf85204aec010fb470a5_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-01_1bb55a23edb4bf85204aec010fb470a5_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2ac50b4e4bebce60.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000405e38f7ffcbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003ff2a6f6ffcbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe536bf6ffcbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d5336ff7ffcbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff4ce7f6ffcbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab8f47f6ffcbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000074fc8f6ffcbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000cb3abf6ffcbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bb13cdf6ffcbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dfdf36f6ffcbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d9c961f6ffcbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a2ad08f7ffcbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
448	DiagnosticsHub.StandardCollector.Service.exe
448	DiagnosticsHub.StandardCollector.Service.exe
448	DiagnosticsHub.StandardCollector.Service.exe
448	DiagnosticsHub.StandardCollector.Service.exe
448	DiagnosticsHub.StandardCollector.Service.exe
448	DiagnosticsHub.StandardCollector.Service.exe
448	DiagnosticsHub.StandardCollector.Service.exe
1896	elevation_service.exe
1896	elevation_service.exe
1896	elevation_service.exe
1896	elevation_service.exe
1896	elevation_service.exe
1896	elevation_service.exe
1896	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4504	2024-07-01_1bb55a23edb4bf85204aec010fb470a5_ryuk.exe
Token: SeAuditPrivilege	2136	fxssvc.exe
Token: SeDebugPrivilege	448	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	1896	elevation_service.exe
Token: SeRestorePrivilege	1388	TieringEngineService.exe
Token: SeManageVolumePrivilege	1388	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4876	AgentService.exe
Token: SeBackupPrivilege	2284	vssvc.exe
Token: SeRestorePrivilege	2284	vssvc.exe
Token: SeAuditPrivilege	2284	vssvc.exe
Token: SeBackupPrivilege	4272	wbengine.exe
Token: SeRestorePrivilege	4272	wbengine.exe
Token: SeSecurityPrivilege	4272	wbengine.exe
Token: 33	5044	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeDebugPrivilege	1896	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 888	5044	SearchIndexer.exe	127
PID 5044 wrote to memory of 888	5044	SearchIndexer.exe	127
PID 5044 wrote to memory of 4252	5044	SearchIndexer.exe	128
PID 5044 wrote to memory of 4252	5044	SearchIndexer.exe	128

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-01_1bb55a23edb4bf85204aec010fb470a5_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-01_1bb55a23edb4bf85204aec010fb470a5_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3860

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1104

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:400

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4524

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:536

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1756

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2236

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:452

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4004

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4440

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3936

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2716

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4776

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4724

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4708

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:888
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b0640455ef4a45cb2b5e9600027ad064

SHA1
839544e06e51d3e500d2448dcabfa312f346092a

SHA256
ef310a83cf8af97919e2ed45bc1b3a5e52fc0e16026c87ad386b39cee4bfa1df

SHA512
0a9a2086b3cae16f652a04647ad86f38f9677704318d9518b8aad4abd17e978ea28868f9f773a8336fa8e9028d8d8f6732ef45fd47b4902c72cb0565cffd6d65

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
f7d738e502f102b1007426f077e65bb2

SHA1
6c5b30f7b276a32f2a0f0bf28531b4885dd98449

SHA256
bfa89ddceb6242b3cfd3d0ebc1279183fd61c29e4fae5b879340882724a70c53

SHA512
eeff9ae5499bb49645c14ff932a76ce992d1b26c6a425258de21321cd3ff588d00e4129654ee2a188ad8e805443bb28eb7c91ad29a38415b37e0ae5be7ef407b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
254045b2a48786c8063d775954f780d3

SHA1
63a37024a6bae7bf3b6723bf15c45e92847ae30b

SHA256
7e988bb50b66be2ca8844cee708a375d8b08a526ae4f5b692b3ac3752971bf70

SHA512
60ce039087f5c196ec42f06268a24c1450a998c7bdce873d836779b864dd7432f803db84b79a5f2ca5a893a40223e7b0016d67500e332e2d52d24e0805bc24ce

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
dea3539c8ab4ff721a15e8b0c8b1af94

SHA1
6926f18f005faa69ebef7568e14b110bc78b13c5

SHA256
17eba606482d14be41da9f2545d151df55fd3c962858cae01698b5d8190909df

SHA512
fb024234f410a9cb8903a40b6d82394dd74eabda640349090377b139ea3ae9d6ab30956788c418f4e1ccb8fe7cec56be4c6314d2545aceb973764249d6c19361

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
9404bf739f078cecd54f9c2ad50c1561

SHA1
76800a58914d711206c0b8e242049e902ec047e4

SHA256
e014cf90e770ea444e6b6340523e99a42091bfcd63577c138ae0f8eeb98e729f

SHA512
4796fb589c5b351ffd3b552ec417c03aa60bb9fa9c9a665fb75844427b3f7a9ff33d16c9f465de1a669497210cc866eef7791978d8763b214273b75c8becd81f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
a6cd98372f649efd951b5616fa086b17

SHA1
10b339d7d1c468f386e13aeb975498dedd29815d

SHA256
a3563d66d5530fd5234fbf3aba0b7ceebabaa4fc87206f4d5690bd09e3aa11cd

SHA512
bba442593911f31d28ed0b1388602e19ecded1096320354f9066c9f29ae13d2e63a22dd5555ba2bd6e3bfbec0ee6bf8117b25760cc799306f13b4cf286028974

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
0da813bbe55fd3bc19d24259af701d5b

SHA1
b5d64fe84903f026f28d18ef3d0d66c7d935dc84

SHA256
71be955f6756ccd86735e06eb6dbd5d62e313ae99628a320de18c1dbd42f3416

SHA512
8eaf3baf0f364f37b9bb1494ddcd025c1ebd0857bda61c3b88fdd37f3652d7f57dfc0b63f705d716766814b8242d0f8d1b0b65c10293b0eeb0ece4715f6cc7d0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e2da3deee9d223f776a5ede4078f4844

SHA1
66e2725e6d3533aebcb1f013bccb126561b597cc

SHA256
bf189e4345d7a8b29075e99b8823b2e955bc5a6fb33084e3b09db024dc57104f

SHA512
ddcee3394fedc2640dcf8f074cf5866be7e266509b2eaff834646e87622367ea1ebd02c6ead16737b7466d6e905cbe15c8e48f7a82e98e19ad3103bb8c57b97e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
3a3b66578e57dc4e6605891a64400a89

SHA1
f010dbb96d152222c5fec78d3cb4f5740e7671d6

SHA256
fd417de45e5fbe2b999b71b1b740581ced0ed8b8e7bddd6ca4484044e4ef52c1

SHA512
b1155eda41e2af461686a2e5660fadecd988ea812a2d2d9d895e3a93a36c9676ebb598d73b47656f58e4973b961598186c56b352e097c2fac9f1e0d3b5653768

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1ed90c605a38bf77d4b9b5f636bb55ac

SHA1
01f434b6e9eed16d55457aa94cb8c63b7852829b

SHA256
eeb20f2b15608f0f9a24740f43c8e73714adba8b7c77005d354625ba75f34e8a

SHA512
781787a21cdcad86081ab2e02a80807c9edbedad8521211dc806116f0fe56eae9729bd3580a95055794ea3277eebba286d2a2c0bfc56fdfe62b5741198387901

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
21a3f3b0545aeedc2842c3f0a046ca10

SHA1
76695680499a4dbd8f95020a8dc0f21c759cb63d

SHA256
72cb89c9beadb6e19915c2a31b4d8e44a902b5381e7ffa05767aa0fc19f048ce

SHA512
29370f276c8d53918cc75b09d6afc1a3bd18b899287c30e5c4553a801f1985e99d4d9587a3ab9c1698ef73df45f7a4e896080451289417f23f25b0471be360f1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
4fed914be8959e8a5667161baa88f51f

SHA1
243682e113826572171f17b7db02535bbdfb80ef

SHA256
a60d5d1b7360e37f87120c96e4e760229dfb2d52fc6cd4539672ea0b8f068b16

SHA512
3e8545477d56d4f62e502fabbf16c3f4299c34080230816932b97780d618bf69fc0759dccbccf43a07ee773b236b44e4fb5ebfcce02d4f6cc1e68c6627274fe4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
66be698b42c7e4912264b287ef018796

SHA1
0aa76eca75906f2012cda3a9fed0dad522ebdb56

SHA256
71b433be801ce262b1a152a43b9b48456f03f31b650ee7a4cfc16aed9b49d45a

SHA512
0f8ca2a1ceaea87f714f928873acc702c4fd6cb12688a7abc5bd5d2b2c33397cd62c75d367bb741fd52dbebdfd88e2e3e7416e2484d61bf1a6aeebc9ac987980

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
cad85b681a7ed7c1dbb9703bba5efb19

SHA1
fa548f55cb12292f9a92482f98a4eb825dc4ae0f

SHA256
ed2353d6ca3523e317cd0b31e8ae2837499b14c99c8a8fd9329a9f63d90ed753

SHA512
bb560db50c3e50dfb16a149661452ee96043616b63b8f04d0614c2f72e9dea90afc3c2c4f8d06d8d4111d110bea62666a6f16b2cc352b5c7be395285d5f3a050

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
448d29a1cb9ed86f809e97b4b97d0dca

SHA1
a6837634151d2acc3d4db602f9fffe4dc1bf8599

SHA256
b2d0155c10d5baa61c48051818999dd25b808e7fca3c86af00ce90a806ca4120

SHA512
56d744cfa573adff164deb347e493262a43985871e4aa57c50d9261bec3fc32f908bc2b552e0d6ef3f082756668d771836edaf1ad110f16b415d8fae83fd5457

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
844da3e4cf21fb49ff8a89144a55d41b

SHA1
a82fa612ae829e866d7d747751255b36fae01592

SHA256
3a669147659e3b83a071dfd26ef958d9ac9eae1801802d8dd3314ac9d399efe1

SHA512
2697a9ef37f9e84e4b7a3ea57deedd1cb6d7bc2e2d1b412ee61f129f53d3545b57f9e8cf1ca86f2615cd6c57d304fa8739dcc0c0f6b4feb571d2d7943c3145aa

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
b7cafb2acef7ceba5e193055f9c0de84

SHA1
2b57f26ea897f47c7b971bb3e556f7f7df4054f5

SHA256
e0233d22f597be4a58762403877d954a2806c05de3eb54cf271ba899e92ce146

SHA512
a133f48808dda3ca6efb7580a1ad35605342627817ad98f907eb1dbc4333c3c8cb5c01766d07181915571c188d97d797756196222d2e89782834a6b5149b3493

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
5abad46f5949dfd54416a127993ca5db

SHA1
1d5db7dd55ad87838301ae1ef16b190048736eeb

SHA256
3575689cd7db76927fedb8a5d654d02734c72220c80bf12f57f5778126c9c75a

SHA512
a87911ffeb6937b923c8b13b238c23fbb42049e32ba01025d07b51805380fecf928df98897ae4309b7892d4e02df123e62a8ee525fb615e311555ecee993e29b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
15038af5cafeed562ac42253456ea36b

SHA1
c5f757b9cf49a7ef83f7d9e60730877b7ae1c3c5

SHA256
4aa5f367f0221a30aaf496654471d2b29b618efaa5814aa1e516c824ee6d769c

SHA512
7055e5c9e242286e1cf574b70588411d6bd1c2dab27dd457d35b799b2b2b0a47949646767efbb9d604e3156a9924ce0478dfa2d6ee2836e74c9959c3a66ceef5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
f27a9625e882d718ff7a0c2dc078037a

SHA1
99208f306a4ddc7e158ab93280a3bf49528df9b8

SHA256
e83e8894bf13b08bc3703e32474419f2173cdc3e615ab1fac3a97066d3f8b8d7

SHA512
1d0aa7ca6eaa440dda2fd4e3b1c4972c024580d6fd5bcccef8522eb9f817708dcb37cef3457a04b29422ff87938e905f5a32f95129812e741fec189ac15a87df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
36858c7b10dc39c7d6580ec4f46fa259

SHA1
e540d505c57f5bb2217f48409cd18a59dbff591e

SHA256
99df4efae491f5bf84c3e2dc31b1e6b5f81a32d64d84720eb6aed49a621ece35

SHA512
963f1840de4b61e83b0df7336f4d37bfaea1ca1902e77d1513dcfaeddb05587541c98db6ee3c3c9247952565841d718a7fa671f0de2c1d61fbd02f3a9963a520

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
111ccc008e1e85f5e0e82480d13f4987

SHA1
e0a663faac172fe6ca4620c3da3349237ea6a647

SHA256
c951d711fb3aab0adcf2aeaaa4f50922d1520dd7c4849dcc8dc4abbcf7b682a5

SHA512
02c7aa6f71d225ac608f536d424b9a7503ba263c90ce86a0ad1623efbf65573759289cde5e1cc7b97f0cf17ebea29deadc469fcc4c7c05ef241b19ce42f3b605

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
c5b1855daeac8591b0232a25c00ae5a5

SHA1
7e91b93d1de5dea008ef743056e1c027928eba05

SHA256
a5e37e68d07176562817261fee0fc9aedd01de7d4e5090bdc0197a41905b6baf

SHA512
7bf9eccfce8db4f3a1722696d60f9fa3436f2c721b43ed38eb9cd2771edca75d5948f7d3101bf6b837e83404fecd37bec82e2f3aebd5b1bb50a9ebbbe0e883a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
d0ab240a958896269af0455b00718430

SHA1
6ea758da7dabfe9ca8fa33ae047454ea2465b219

SHA256
1e124f7e182f6562ff0fa2a635794ed8ba3fced4950e9f1f913237d0f9e94f09

SHA512
6ae5abc38a9f1734ecd82e100a82f4f4c889fe2d12ef829c2e4683e554022e93bece76834d0143f6cb0ab3675e1d392178d669320422ebc8951a95c6aa8b1a3a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
a47aaa885d44d1a23f43c029e9a809ee

SHA1
69863f4bed76acb19e596f2b65ea4c3c687ffddc

SHA256
e1996baeba567eecffacb4e467b4068f2e171773ac6dfcc235023c162647c7a5

SHA512
217cb117cf273af0276158a64bed715b1a1f9211d2e6a96ecfd78fb54f8a79d60d21607dd54a9ce70121dca6ada30ab3dea978e61487884cbf813c12246b3392

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
aa7aca3ae2bdd2b21f2e34e29abe4064

SHA1
7a425c958e960d336987d05410f47da748fa3e5e

SHA256
f37773e74a08d8aed9f3efdf69833bf00742e7ce86366d4424d9a38aff56bbdd

SHA512
974281992f50930bc8539593a97d68f3d4fa86d1a464f72734437303227db102aa5a1e15f35bb551c36842710279dea3b856171ffe9d3e8ade983beb185969d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
3fb163969136920c1f35ece7f8a8ff08

SHA1
8f730b931f6766d928b52aa168749e34533f1e5e

SHA256
abf37028ed6b9f164d46ad7f9ded172562bfbb2314354d5c4055a29f50ac78e4

SHA512
83aa688ad3c5c6bbfb19c398470f59cce45d62fa9e52c7171064694ff29bca5bdd583baeb793ad0b5faa8055827b4aa4d50ec05e74881fa00dbf9e96d9f42a5e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
31610c2a8dc3a05426f0c9a8ad043f9b

SHA1
f0960198dd4669cf06e985a5bb61e92b9f058147

SHA256
9164b089b21f49bef7198119a7a5f1aa54079bc956b249e95756bd1f055bde4a

SHA512
2583a5d8758d32aee5b052404c84a6970681c4217abaeab7349412c5a454e8cf9524d5a4e27fbe47a4d8e793bfb10b3386d77340ec97e6ea186ac9e780df1b52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
591eb881530c138176f672e3ae2a1711

SHA1
784a34b5fc8cfc646b58363605cfc6471230c13b

SHA256
3000e7210e97c47ccf49c3fb3ccc000c4fdb9af002e4fae39891b551679c28db

SHA512
dfae11ea4372d709ac20a5d87b5dc8f9c9f694e84241af431984e137ad92d3c573a5b6c53c7b5cf4b0e94819a8cf0f64942ea5cabce0ee835bd86f892dcd13ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
8bf3d5dacc5282e8726fb8b905e08b8a

SHA1
f0c91518b96b9c3c8dd2bc1c8464b915ede72a8d

SHA256
32cb5b65d96157a0b25690bb1be6fe9cd08939876f003941863673956d8ec399

SHA512
604883cf95f45a315b09bb06d5492558bf4e982f181725aa5f25a51355a119aaaf929c63889cd7f77ebbc1950085a8dd47efe771eea406fc29f79bf870031b8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
38a615feff89203dd74294c8c151e363

SHA1
e96061327ffc83ff00ce37203c2c75d3fa7f1718

SHA256
1caf35b42fc8c3c9207a7f7241e2b38c809c27c35e5676e328b1febf36daa50b

SHA512
444808633c9d1e5a22c59c01f66c6685af3503a95ac3173e5171bc087d52705d6c58bc0d5778c4c060a09c663c1c370737c8440add5a975561b00c95d8ed49f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
060d4c994a3daf1f4cd45f4a70f8dca9

SHA1
323bb7c04af863cd82bab9188031acd2ecbbd037

SHA256
9c03e60f691643cc677395256ace87b1ba88d54f544bbeff823bf94f6a811521

SHA512
ef5cf97158e1f29f86f2c43be309139472c8e26c0dbd9b93699a4c98b8ecdc233c016561e6aa2455db5e1fa021083628efc7c5887bab1361b398ae2b1650f807

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
e32b85acfd9b16c3fe7f49adbf85452c

SHA1
29c0935c9afb7d61e1b34f82e21b55efdee2b32c

SHA256
52c97f2d357ecace9f4977af67fc0de33e4fbdffdc01f3ff98cacb406f13ec8a

SHA512
4ea83ec4c0dee63472cffd48cb208d420361123180940e554859db244d3be56cd3105acbc82fb1491c33422cf2b8fe8fe769a3857af5611d162b6394b174f55f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
7c62a7f24f58cd6cbbcb70b6c3490b68

SHA1
369bd733943445d594098d24a357ca9239136507

SHA256
f95b061c5c4ec941a5facc959a7dd038ace6344139ec6e5081ef3710d67f6429

SHA512
0c9250cb32b7dde6897f711a37c3012a66e5cd07b6da26c88c2a12d0c7ace0d47b4819da135d000f8e1fc8fa8f9245154f2b0eaca9cee64f36c700ca8ea35063

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
4c79501568ab9d1068e04a7c34bb1e97

SHA1
191971d06332c1d0dcbc3ffd57783fcbed03a961

SHA256
06d4247e7e85eb66bcee3386d1f143d5bae3e9e5acc8c0e13279c54d9a362c18

SHA512
fbd8104808ab49d1e2d729d24fc26aeac9e416d012170b6a08133b16d1ac1b2d92bfd7863763cd934b520e9f53311ebd52ad87846e6b147bd6d0a700cefdeab5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
ff2ea21116223baf3bf7c0dd6f9b8477

SHA1
52de67ce04ab40c44603e6a75a0d114478ec7087

SHA256
bb1884c0438dd5638a165d1355d783dd5a017f06e916a91fe0b746cb50a33c1d

SHA512
a91baca0d87a364efd38bae5ea0b058576d32459b33d1ad701bb9906228d2c1c799463f7fa420861126218ae618d23e7a03e127c33def5395b107adb54f6b8bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
5484952c8d0cd62c46d85338594f6098

SHA1
f8169b7916c337e04c4dfd18d3f0a0208321fd5d

SHA256
5a3d65b79539a12df1c47589cfc70f8fe15b58e814187a714b771e80d5916879

SHA512
ed95dcede7cfb5e85f2a0e987ac6c7289d1c4159003f1945849acfe75ce4e4539dee2b0d036062db4897780754435f772ae721ac670e842296adf136f3f20904

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
baa43b7c5d8384509d6b02ecaa9c4928

SHA1
4c20c6c180e3fab117e8f159ad0b2016fb161a9b

SHA256
e9b431c87655b4cc15cc1a9f9bdf51e1814f5f12d83abc47145695d0476c47c6

SHA512
d40e76ab5415b853371251a4e775ae8caeb5860ded7fb3b1ac1824217cbfa693cfece04492a1290ad65dec9d5967b41ccfe3889b28ffb0cc80a75665fb2efac3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
4b7010067ccb98267095dd8b24cc4e5a

SHA1
4544c13df6f6b202cd2f80795edd7977a525757d

SHA256
1ec2152afb69646ae7554aff4e21befc5d5f4f0c3f03f20f5f07c3264e5e9e80

SHA512
2ece9376af052e24ec1ddc2a1e79bf7a6fbe454c83ef555a5ee71fca0ccd277b972133fd0c58de0ff42913b8d2d9b299e27dbee8fe45dda3300890a6fd971a73

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
37386816c12c97a3cde63d6d378f304a

SHA1
3a1bc8434abde78becbdf712c9cd63d15bdd0793

SHA256
6fefecd8dc6fdc4d57969dfe842fbd551dc8bfa305311141475329b5635669fb

SHA512
5d0ea8a14e2f3422e3fe6a4d300df152de40330f967ff90524264a85fb20849f7a6079b280cd4dc5d92700dde742833ad39bb57886b7211825876c08b93972ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
f8c01c5ead7a9bf91b809eec6aa570e9

SHA1
482dd5952be6ffa15bd9f0fc1b97a1151601fd15

SHA256
f44035b1d2e0603dd2bc47fcd5770320ebaf60856e987557412281c984407272

SHA512
85a27223236b3c105f7c22777f8e63696428cdb0cc76056e972d746b42136f2129fa5fe0fbf7698a54934f28816ac1337aa8c7bda9b60acb09a32eeb4f0f11a8

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
d5a9ce81ff5d3b36198540c93016b276

SHA1
4adf543f0457cafa301f8d8092dcb96c39b2277f

SHA256
4a94646bb492f49db12a12371ce639a759629f0c8c1e918e340eb8a0916431f9

SHA512
bb13cd1e9e835a767e6c088c3ad7d421584a478d2f95b309ce40c8c6f9dd773cce9d5b20e47d8e54d7bd0cfc9134b8e783c89d243fe2f45aae656ab7dd3ca1dc

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
3e1890f976c1f5e1f42335abc5d3e2e7

SHA1
32884f7ab4cf1b9261eaa53cd04598724ef26d5a

SHA256
e27255fecd64335585e665aefc390be5532a325c390da9f0a4b07cfe7f9a5c41

SHA512
f79c7b7d8be852cb508e7a2166c2af78ce4f441e7084bb49df7a662224ff8b54c479674ac465ab12740b6feec9ef54fdef4b9d02f89e54fa2d0789a13a777b68

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
8de537e761f7d66a43039e7e5e887214

SHA1
cb4be46c24a37f5d5a1592b2e413c39d352e8c75

SHA256
35f2ea6f6fb7ae8f99e45df5507bfdf221cd12fb782179444aa112861a921d9b

SHA512
10aba02087572301ede27a8586a476d35c61e256a40835245167d9159d740e14df8fb9ec3a53478b1d7e5fa6376dbbdb36d7a050e49abf3a7ea936bcffbd562f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
faa4b1d78b569e205f239f327b18b7ac

SHA1
f77de18b3bfd79f01ffec02ac613e2b1b81119ae

SHA256
c030db5f90c87b45790bc3d19f5dd254cc9746645c77e7314e252b8f57c08399

SHA512
1777bb2218cb842b30f5abb74b508a6941ea7ebeae128494d3d1729b731642f1da3bcdd10a84de9dc200731e2a6e3962cec0f43f2587e252a7836da99df06692

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a4314b07a2dd3f05b0d353406918b40a

SHA1
c0f2e21eb5fd2267f92a7c7472e9ff2cdad6e9f9

SHA256
95bb96cf418104b45cfde133b79f80f06d2e38eb557309cfc451a56e67fd0f41

SHA512
0e7db26435b00cc1dab281fe07a50ad47e3fd895a96967b7ef08fcde815eb78787891a365c79b4c68f35c860e6d3d578f690f87bcb230a30d28d97287ef79f8f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
a1de6527072d87a9d81c4ef1122e9a16

SHA1
e6290f7cb4245c693add10aba3803cfe48f877ad

SHA256
d92993c667c627ef7613368b590ab4416caed3346141e1291f2cb50595363812

SHA512
6e90e5905195183712b28cbd9bfe0a594d2b187eac2cbf3ac505550cf3b6cfb00a8425b642ad20b6322ce6ee6ffe196ccf8349d38d7ca95dc8e850a97b10d27c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
a1a0b35df925015f3bd5ebf28f06e943

SHA1
a72291f74b1aa916b3760529d73296d773211f5f

SHA256
8541cb25abb3f56557c8c476414dfdeced32e88ab1e219538c2abf9a7f1c20bc

SHA512
60c2cd458425a027c249df55f07b9d557009f6e7402da982b03b1746dd707e3d34d482b8cc8cfc8aa90aaf7baa52d88d4a07b74937dc59ff81815be16e498262

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
bc363af6237726815f320c1bff31e998

SHA1
967e2fac143c294a90efd398a81cf11b1a47d385

SHA256
6a846bb59b814b1db78965f984a9db1d9fc8fab03e04dca5bd32373f3a8e0cef

SHA512
97e382918be9a62a150201250125753ac8c89ffe2f90b4d629275dbb8f2c8b9e86ff0589ff2e5931137111f7c46081172b8de5f92841a19d5c135652c9049b2a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e95b831b1bde479f5e935f5e7b9b5d16

SHA1
7f84d9c93b1d8db9d14fde3ffa7d6290584e57b5

SHA256
f55a2a232c63759ba9db3a029b666a422337c98ec2913dd151d5622fdeb686c4

SHA512
84bc4930eab1b0356672ee15dc6f6a785417a0dfffa6f3459916fcd303bae17bec8aa200d5e797f9bfd13740d2e2f583d777423d35740e0cfb5968169dee20df

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a088f39453f98613a5f8af872690255e

SHA1
e7f9f5035e0b81d992a6a47b99b0ddac7d7d8976

SHA256
e40304d37eb8edc7e45a0157a38c2b7aff911c8b1f26472a716822269ca50314

SHA512
d2fd2fbed1cf44e61be0aecc1be82d29757c0b855e5e81d89d6d53722542d18de3340fd6ad6f527e5cc594e43c66767ce40154c1030b1edb62e9280f993fde45

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b9d28c9488b6359fa000fd4ef703a802

SHA1
a353962555777097b15034d9d8bea4b9d9cc8835

SHA256
b5f1e34efd205593b5d196d67b66d33abbcfcd36655542d9ed24a425ef05cb22

SHA512
149f8725314e77497b89936a8f661fdadfa0997ec9d3ab1afa3d613e3ef97287b8002e9d3e113226e6b25689e59f11ad8483cb0f50eaa4cc7a1e12d0fdd7f2a0

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
c744c229ddbb3112bed35d56783abaa3

SHA1
5c7844012c78b49942782cab610bdc41685f56ad

SHA256
ea15092312cb5bcb86ab2d0b51d822f153222a1bde23bc764ad5295b140ae52c

SHA512
08c1af574959dab0eaee1f83c062142558aa7beae6399842212f7a08db1acd8861fcaa03b58b6ef252f739579d4e72302ed3afdbdb538ba9b39d1a52e86c0462

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2a02659469b943da6eeac5b172cff0ef

SHA1
8078f62d0d043d3e9038a07d28fdeb6edd249ad2

SHA256
9da29454534deab291f08bf587e673d4de426a8970558b664cc56185abd19460

SHA512
06bd23ffae0799f198bbb1aff85c2e6a0b408cc048c8cd436e1afee4131a1905fc29c8058cefab71d5b7a4eeb261de92c67dd302313989b9d4f92e935dee1fb0

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
2fa3c13be6a04039ae5a1088b11c3285

SHA1
c7ba056f4b5df2219127e16c2771d829eda9d05c

SHA256
085a179b6fe2b63107bd61e8020431019e2f305229d5b5024b74641d56965c32

SHA512
85db428b5464da4f08dd946bc91f2facae59a699bcf2080f3032e706877d975ee55b5136ba58321a6c3500b20e374c0302f4dc38025942a2f2ed371476225bce

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
90e418ae79a3ba527f5bd8d994e4f795

SHA1
73492bc4ac8444ba8252206036fee850c50623ef

SHA256
4f0adc70d639bb69e5c30c6e2f920c0eeb779147cb97dbb006daf6f3f914535c

SHA512
431114c6191e35bcd13972080400b013d3b2a970061ae33831430b46894ce95e6663e76d6c224b35826ac376732a257eb22a33ae8db2ee066b42961321d24c54

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
2d1786d0a9ad6dbebdd770b9aac114f9

SHA1
59ca8c445593910373483555e4ef6d95178d8a81

SHA256
26c43401e6c5a54bd6069dc43aa2f77007deb5f8aa912e968a3a6c0d21af1222

SHA512
26184272067395a9057c46c4ea754986af0ab81f420a3b8cc23dec656c376440869d22276c3615d0ce58a448d5109328f77f0ee16f1252a8930b69f73d4fd5f1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
2a473df05180a35c096bc3eea8d1cc80

SHA1
a64e276fa8b2c6272eeb1d54c059d16ca3c5b8ac

SHA256
272ec666d864e99a5a478956ae8cb220597fc8be758fd0a58f701cff86f4b50d

SHA512
358dac72b70f57b60a773ef48a908cfd3a818fe1d8a792d29c97b6ffaeb432aa0de41974e907a57fc6c5a3ba70253f61d735c87119cce44fc2653357633f3bd2

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
0a6dee549e794361f0d7fad192ba8659

SHA1
17f890216d447cd3eae1e3770b0f63b895565c4d

SHA256
ccf8e412a2d3e723c74739760ad5f9cb2e655e335c51019e7d10beda32908031

SHA512
c576dbbd55cdda9399cde0b6e603b7db4cbfbd47efd3ff9045ffc3206c55ff14b685f9836e22480b60d66bc3d1b8ffb0dc2dd9ca82718a02c5468493c1eedbbe

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e884b397c3f6086e0279e369dd999848

SHA1
9efa82958f6833eb0e9ddc48581ebc5d727e4d58

SHA256
389a7df57e894890b77853e62f8ee9865f8a2ed588bc3e07feb4a53bc685da59

SHA512
2e3ca943ea7952627d858262c248b9a9a71ea8a3cee7d1bb5953dc229f5b12cf25a95ce71b68f88dfbf39594f052da1505f42a411b42b980109d6147e7457e7f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7c1736cae9dfd7ea33cbaf5663e3f11c

SHA1
23dd87e788ddc00dee55145637e3563a9a494ec8

SHA256
2bc1ca5edb842ad1836780338807e910f92b334a1cbb5a6e7401f642f3af685c

SHA512
7777c5646a155c96b914b8434740658ec291971f11fe95cd3edb03bb518393fef1a5cbbd3ca690d90d157517ec267646733e5faf8e0d650652b2d0c719993e3c

Download Submit
memory/400-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/400-58-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/400-55-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/400-246-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/448-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/448-26-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/448-17-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/452-329-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/452-271-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/452-272-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/536-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/536-80-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/536-74-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1388-485-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1388-314-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1756-253-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1756-321-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1896-45-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1896-38-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1896-37-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1896-245-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2136-35-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2136-44-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2236-267-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2236-261-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2236-260-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2236-325-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2284-489-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2284-326-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2716-480-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2716-299-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3860-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3860-242-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3936-288-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3936-479-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4004-281-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4272-490-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4272-330-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4440-483-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4440-285-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4440-337-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4504-0-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4504-9-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4504-32-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/4504-8-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/4524-69-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4524-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4524-71-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4524-66-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4524-60-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4708-333-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4708-491-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4724-488-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4724-322-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4876-319-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4876-317-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5016-484-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5016-303-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5044-338-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5044-492-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download