4a073a0199a6d94436a601abb048bab0175ab2500b23bccefe5a0f1495c9a860

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-06_68e9a4d08dfd3fe2ffc0fa3b6939968a_ryuk.exe
Size

2.2MB
MD5

68e9a4d08dfd3fe2ffc0fa3b6939968a
SHA1

4303a1200e222925e36eaca815c09bd26bec8c2b
SHA256

4a073a0199a6d94436a601abb048bab0175ab2500b23bccefe5a0f1495c9a860
SHA512

974e6c78c5dc69cb66ae97ec697b33d30375f0499a8f5cff438701e99567aa3cd879fb71bda59481f28152e4e8e794ccaabdb3450fc948bd4623a87a15919398
SSDEEP

24576:0OObVw4TaN1wdkukCba4oXtgLhU3wEdmh58IdCN/j2GLl3iFSE33b9:0OOh3aN4kuLbegmtGMN/j2U4FH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4896	alg.exe
4024	DiagnosticsHub.StandardCollector.Service.exe
2896	fxssvc.exe
2908	elevation_service.exe
2804	elevation_service.exe
804	maintenanceservice.exe
4608	OSE.EXE
1352	msdtc.exe
3884	PerceptionSimulationService.exe
4808	perfhost.exe
2308	locator.exe
2172	SensorDataService.exe
1852	snmptrap.exe
1340	spectrum.exe
4296	ssh-agent.exe
1984	TieringEngineService.exe
2076	AgentService.exe
2496	vds.exe
3456	vssvc.exe
624	wbengine.exe
3996	WmiApSrv.exe
2460	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-06_68e9a4d08dfd3fe2ffc0fa3b6939968a_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-06_68e9a4d08dfd3fe2ffc0fa3b6939968a_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-06_68e9a4d08dfd3fe2ffc0fa3b6939968a_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-06_68e9a4d08dfd3fe2ffc0fa3b6939968a_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-06_68e9a4d08dfd3fe2ffc0fa3b6939968a_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a58afd9675cb61b0.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105781\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-06_68e9a4d08dfd3fe2ffc0fa3b6939968a_ryuk.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008a6db7bacecfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e36d98bacecfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000064fc44bacecfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000007733bbacecfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000015e931bacecfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000427c08bbcecfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4024	DiagnosticsHub.StandardCollector.Service.exe
4024	DiagnosticsHub.StandardCollector.Service.exe
4024	DiagnosticsHub.StandardCollector.Service.exe
4024	DiagnosticsHub.StandardCollector.Service.exe
4024	DiagnosticsHub.StandardCollector.Service.exe
4024	DiagnosticsHub.StandardCollector.Service.exe
2908	elevation_service.exe
2908	elevation_service.exe
2908	elevation_service.exe
2908	elevation_service.exe
2908	elevation_service.exe
2908	elevation_service.exe
2908	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3976	2024-07-06_68e9a4d08dfd3fe2ffc0fa3b6939968a_ryuk.exe
Token: SeAuditPrivilege	2896	fxssvc.exe
Token: SeDebugPrivilege	4024	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	2908	elevation_service.exe
Token: SeRestorePrivilege	1984	TieringEngineService.exe
Token: SeManageVolumePrivilege	1984	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2076	AgentService.exe
Token: SeBackupPrivilege	3456	vssvc.exe
Token: SeRestorePrivilege	3456	vssvc.exe
Token: SeAuditPrivilege	3456	vssvc.exe
Token: SeBackupPrivilege	624	wbengine.exe
Token: SeRestorePrivilege	624	wbengine.exe
Token: SeSecurityPrivilege	624	wbengine.exe
Token: 33	2460	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeDebugPrivilege	2908	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 3060	2460	SearchIndexer.exe	117
PID 2460 wrote to memory of 3060	2460	SearchIndexer.exe	117
PID 2460 wrote to memory of 1796	2460	SearchIndexer.exe	118
PID 2460 wrote to memory of 1796	2460	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-06_68e9a4d08dfd3fe2ffc0fa3b6939968a_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-06_68e9a4d08dfd3fe2ffc0fa3b6939968a_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4896

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1748

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2804

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:804

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4608

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1352

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3884

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4808

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2308

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2172

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1852

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1340

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1408

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2496

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3456

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3996

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3060
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b32db26329835356e9d88126f201b399

SHA1
f1bc498c8f1e0fcf889e295298651a9ae91db74a

SHA256
70b27270d67626b24caac55e11ea722ab78961da851007b729c2977e83fcadfb

SHA512
5a78211824fafdc57affd659e1dba3c73ddc0b3b468a33f78db12bb914bf8c6a86ebc7ca3425d790bb1ef57c43da4cedfb6b11b968d24daad40e0c39722767fb

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
2ac3470aa4832ed226ec250216843cff

SHA1
bb059ba15dfabe3ecab19bfc6d6152ef522d0b32

SHA256
b7c2061fc3dfa89e6913996f1fd0badcea3c82edace289d8652eeb8b1a06d8db

SHA512
886350f127106fa6e7dd595a9ddf0b7704629ab2be5ca1d6d7998128fb801525bf230b55a34c05f2d8fa1d5b437b93271d0eb0ab0626d25292a25a725b777b71

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
bcb09db304b4e47b92284b6f278f80b2

SHA1
b32a7aeaa170581b7b1a55e918257fa5581b4858

SHA256
c7fbefdb6deb66562b9cd7f59bd0224e4714fdfc95c94292c2e387d3ae831b20

SHA512
1745477d283aa4b32a3b3475c7c2cd71833832f86947ef291936d189ee865e68eb0d7bd179f0524cce6178fd4772e9cd127b9598611cb6b7bdc70f7363fb3f4d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ff08a8a3896703113e897885d20c9a29

SHA1
1f8cf2d76253e251ebd3a9a5e23ffccd2ae9fb08

SHA256
b0f6799129f79c22372cd0ff570f1785d4883cbc5bac2be0faa1056684481554

SHA512
de40ab6f0306e434e43a3a663162257e00431c7d0ae001f20e751d04666c63428e889ca94356e49ffb50c977020a11d453fca889afd282b606e8232f746a098a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6e4b6c9602d1efbf6f888169515c06f8

SHA1
2e4dd3178a994b3d0e7afdea66ead07bd4b5a353

SHA256
10efe1f4bff04d35da13acb072c141c388947f0973202abc516b6f95895a1862

SHA512
0c35ba8160d7ba1e91e25845591655e77f5e2bdaeaf05547f4aff571ba6224521d5c38dd614cf260a403df9a9f3b4c3ba84c10f71f77d2cb175ab5d037703e2e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
95b80cc70b0c22bc43734f9be320b2cd

SHA1
bbdaa5aa2978e99cc327e58ebe217dfea8335c4c

SHA256
48e06146c3990b08b5188fbdc4734c976030e69c4cdc7168d91f3fab7c5a8a51

SHA512
685b82a0166651ca45341333ec8a4a1b511186177a1987a4f758780f3ab958ac16fe2987095bf46d292917f7d8e0e289b72c210fc8acec8d839c35d5ae11daf7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
3beea82826a06587ebfc283c6e1e5954

SHA1
87f2fa28c1de169827d223f347fcdccb7ad93258

SHA256
413d84978f050cc540c3f50d5a62f444e68934239608ca42fe9d5b801aa77688

SHA512
9bbbba8e255b5df2e2e584c84cf112127fe7ad5808b461ebd041f31810e22266f82b3ddc342cc815886766b29e6406d668d43baa36a6d4b78f7c1d7d0e1a84b7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
788fea8b1adabdbc0c22692be675bfce

SHA1
53b06f8989a45e282fc6dd19358a0a9084770c1a

SHA256
85014dda58019686a6b9daf71de9b9bdef3f5b21baf2d6d7ce8c5831b3123ff5

SHA512
9c2da58c279af803f9f47a022697526fc899dde284574a78b9fed34b21a12f807f9a3ea4b02ca46a6c669db171fa1ef0451eafa3f57e086d300cfb191cafe88f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
201e20257e05a4309ee547fb177bf86a

SHA1
88db8f67fd86055040a685fdea6060c934bfa2e3

SHA256
8ae6b1c4e3806436aac66974dc07455d95644e84e822fe89c239d82b4276294d

SHA512
f815fadcc57f70c4c5542d40a5bd442fb5f7a17991603dfd5104e9785b5c7b4875b5ade8c0fb81010394b7115c70d5f703bf636648e9699a683e36c1397cf4df

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
cd31f8ecb9aab8b3578ac63fa2124c40

SHA1
2823198752d5d4d3315e7436e221663522d3a814

SHA256
62d00f17d3810edf149739278a31ee80cdf3d7161faca7d065da4d2e7ed4049b

SHA512
e8dce05adc7220e8d21e7dedf9e142a69b0f640a06bf87e2f8792aebbb0bdea7aab7d6d4989739ad0d19de58bd81812a704623c6c85c3e185f15b58472e626e6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d147f77e134dc74a35cebd68ce4ee012

SHA1
73ac707a611d3bf92c357a0f6bcfa75d5284eef6

SHA256
d272f5f08b8479679f691b47b5810bcaf8f8d1abd37a731ed8e3a52ff1355565

SHA512
e9c779c4e3891ba28d62d206a4b01b25f7c713387df2e2a576cb8491a3199cfdadac65dbc7bdabb3277076bdc283188633173b3b4260c426fb9c00dbd5db25dd

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b734a186c60c8d6c1aaefa859f0f4439

SHA1
7451a7987ed60c4531c627af3d6ba8969614eb6d

SHA256
45478bb228aa342a0ac0ad86cb3c6eaa9f931094c02874976497b17c8a21a4c5

SHA512
814e7823b7192c4605d3f505f6db9289d11d30aa2d5855741a1456d99f188ad53ec53e6ba365ccbf2e7cfe3f3f63a5f4b7d8034fff84facf341136fd2be91351

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
fcb91fd9dbfc81bfdc7a5fae6bd189b0

SHA1
c549e081d92b483924f79fd3931000b9d0ce33ef

SHA256
dcd7e4a10ad1d079cd034342cfa36ece18440b886e1d2af4a9313ddbae5a6eed

SHA512
f27c1a17d780aba219332424affbc8b02cb3ff087b67c8e4bc658c72e45b53d36bf68b2b5afbc161380c47baab3fbbc8f2b575a21ac776e7792a114dc33efac1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
fbbb55b800f6546c1c7b0768005432ce

SHA1
7cdb96dd45d944d1111fd239f6a60701792cd66c

SHA256
ef6fb2a9642c3a427302a9eab201516f2161cb8546f65664065bd16c8e26bbf1

SHA512
c17429b976de8e487faccc5b13431f0a369e2c5d78eeb0427ad34c2e6ff0c9e82815099cbe923ec04f1f782e2238ebfad8d509a1c9787054483a58ec0c4cf607

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
52f67d494191e63487e3bbc90cb4e166

SHA1
96b8cacac44cc85a2f4e4531b0a21b31050f4f14

SHA256
72f9486bc2f6a7920ffc194fce6aedb00ba8d62e43d917b015bc23ddfd9d0c07

SHA512
6ae49df244ccf318e6182460f7acc73cc99839add60abb888b200afb125334bdff85919618ddafa8d2d0afb79a7cc1dc63b4d7de43fbf6203d07c8bb65d5eb6b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
2218512ef65426bf72490354e1726e68

SHA1
ea1f7e0dca561130c344975ffc76a62053f57360

SHA256
2d545077c8f554cd3f6d1ce4e55d2b820bffdda68a5f35e444e95dad3df4adf8

SHA512
05dbcb571e229523d3aaf86051541a27e227d0f85fe2334efa91e09d9b2aa10c748210b93fa3dc7c3b7dc49a852d816ecee060c34e4c034a1acab401ab5bf369

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
02ab1e39c4fb3e9b67f38e0bd220ab35

SHA1
7b9b7a778596f09eccf77445de80702e0a6c7721

SHA256
8e9e8b2acfa1e502eb4daca6e2917dc5ef7e2cfb246844193e569dd72dac3a9d

SHA512
df058dd7aebff1503a8755f8ef9ffb90ac4f8d2f64bdc3a3b126eaf3019ce265dc46edceb9613302f9a8c64a19eafa5a466e291c2e5fce0192990e6f20ebcac0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
4b9a795049d5a0e0cf87b98345bfa118

SHA1
3af64abf8fbfbb3c299602c0cbcc69d1c829ad85

SHA256
47d99a78ecfd277627f330396b976e3a603183b507199871745cdf714b1bd7a0

SHA512
53a3ac742c90d67706ba5dd33ea9de13d590c16846e194177d31a41e0878966df811376dc53126a1c45fc9135966274e4517220b0ad887aa38506a2528c3edac

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
73b7c60d35ed61f86bd199515d4bd31f

SHA1
cda0c25cffc6f3a78af3522ad9e21a3db52b5553

SHA256
63eff086a74f6b0c377ce5405f1251fbea2ee1175bfc2edc114a77465b88d8db

SHA512
65c1d065c065ac9fd48f0ade5fde174711c52b80458967489c91c5f5d5ba23933693a04fe4880f4216112f90a62eeb33e93012719a376641f8e5886b1863ea4e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
b385e69490046561bd7371598bacc266

SHA1
95955663430e5fe6e5a14fdca22c031f65185797

SHA256
f0407f33bec2bef0d16b7cf9d01a95de574605922c34556081d5274810b94161

SHA512
9ba41d949098850aa0c7a8646b7cdb01126694dc27e25f02c0edf889bd3255d230bd3ce4404598ba46fb60c3b05e399426abecae4b9c1a8d42610b08c1c8f6f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
3aecbe5c2ba0235d53f5280fde50c444

SHA1
338a5110b4f6962d4115a660435198ad456c079c

SHA256
fe4547addf3d2cbd810af4e06ad64daa4b11ee4c74841c23a712da9c543fabc1

SHA512
8c2e4e398b42f40d768ab7c45ef4564d8a6dd392fbfa1eb8cdecffb91366322cc681b9447b25ae4dc6d2262513e78daaf4d15601075c6f36b62e7e89921c928d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
f6bb837402b2a0d309daa2e81b427084

SHA1
12aeac25b26afa454101548c21f3b3020d917d03

SHA256
c85d2c3e14e327a1705d5364493cf4c8fe53cfc81f620bb0c3a2f690b1f76802

SHA512
0a72e4130987ec3bed3f15f430efb7fc2bda89e909ed12cfe37f97319a792fa1d56eddf69b3faa197a37672715abab175b2260902bff804747703f0a72ab6739

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
9c7509785f09f10127ff2dd641b2bca6

SHA1
0bc0e4fd8155e5f61b9e14f2bee00e7846f208e1

SHA256
b0dbf1738e4dec94a68e32609f6cb844846cd73f0e3790f45f255a07f82dc699

SHA512
4493ada47de282ceb80452be21615206c9eb4e9974647c31618d9ace80832cf670bb8938f7ebb22a457c21db39f1ea5bcece0814ceaa5f7361a54d3eca8df48e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
c7d8e64fd936a8fd9de4db85e9104513

SHA1
8741ac22b31ed410488ed26fea79666495adaab6

SHA256
086869836a5d946b0d37576357235ee21df984884b1d3833c1caa2f039f77527

SHA512
67f76e1939f38160ff32adc27c441afbbb64a419d32f7746448148da8480cb2c39c923b84f18164f2315c0f7b7107bc220bb8d5eb33097b560a74c2871e03d4f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
deab76c3d6ab59a752d7cc61d96b2e06

SHA1
4d216805dd22d20969c1e9facbaa8831df5dbae4

SHA256
75d96962a6deecb1476384bb7ccffab7c62efb366d90a2648adf647089542ec5

SHA512
7e43df511875a2a526a66d707c11689590817a7ea7536bbdb7c65397940bd34493bd61e2aa0cddeed625ee36cf44cc069fe261bd503635079ef17517aef4c2c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
4afac8c5f528bf86edcaeb82c72e79a8

SHA1
2f466afe585060f88b757f80c6f254923661043f

SHA256
232b262f2feebcdd185a61c25ddf11c5a226cccad18962f104c2e2b82c4e4643

SHA512
593d6ed4f2956390c7cbd6038be1d6f679adb18876c45b58843b68361a88fde743aed1e304e2729bf3d90fee3ddfadebcfedcb612839512cffc73aa65fbc0108

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
838567db273a6bcb8b1a35662e55e0e9

SHA1
5fcb48850263d7c1ed91ad13107b5c0a5e4f7a6c

SHA256
90a11bc870a1403ba4b61ecb49fe20e4ef06955d451f3d1190900b745dc42cbd

SHA512
e31f577cccea12b1105d8e9df1091ab0d595191e6252ef54629585bd2e19cd2ff38ce1f753524f5f7a1d46d60b2c87052618c4a31208123a68d1d69d64877bfb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
e44f1579d66d54ffce026aafe1ad64b6

SHA1
0419e464f313ccb0d2d4e9277e3f053c50759517

SHA256
df55477dac1fae7ed5de5fd113bac960536bf90183340e8c24629a1043e3c14a

SHA512
2f2517718909170348fa169ce2320d48f6011bce7e639e7c46cb62095e5c36d5a24f50d3365e824f896ce1dd5af9116d6a38ce32cdc6eaa09d6b85f46f130ef3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
e074723d970bb04ed5059a544579a4cb

SHA1
8be55e326d22afa12bd9fa66d7c8274ad12ccc8e

SHA256
73b2a122df36fea00e28b31a37973f30f4ce073529d7b3b645e2ccc214603135

SHA512
66856404ed7d55bb649a2f2ce2e2c3bc875f2966d433cad9b019009bfea883d20b624536cfaff2578ee07d19811659ec257de44ce697fad791cf77eb01b984e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
4b741841af26a80de55ec6192b671ed5

SHA1
d084cefafb1ba46ee4f2f747f7a5d7b80e5cf74a

SHA256
39f5913ce165ab23787ec5c63207acf0e86660f7ededa710841e763fc5e95260

SHA512
b6502b15941118881ce5606a4f55ac40beaf2fabb7be3ceceb10aa2c552c6f06576eb8ec278c26412e00510646f22daf1779003685f89bf45845b03bf1c227e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
bc45b9e8ba2c2fac766ca905ea62adf1

SHA1
32686606d54cb1980ebb0aa204e02e8817bac726

SHA256
f841f00339d36836f5ff7d49e5147da30aa6843c5e171f1cb39196d17d35efba

SHA512
7c2a67673e3309143feb7b4c4e86f2a5b83adf514c62a1e3196c1696375ef7c32b37eeeb79e2a85d618761c72ce4c1caa6791312ef0ab17659de3e35940c9e40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
d9375917faa7b0009cb8017e6c8b2fe8

SHA1
439eedf69a85990c64fd369f4c5af64b9dbc21b6

SHA256
9d445a157da34680c90c98c43a1c32027083c7345315e02e9506531384e48c69

SHA512
8805ddff6232efcf06a70f2c02c7024588c5929044ba2121849c91b2fd9970932f683bc5846e5a392c95b24837d2be20deec4e9b634667e4429af46c87ef7a5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
6826562f95530ff41bf7fb240e45ebe2

SHA1
cabfb527ed3810285940a16fdccd33ed176efc91

SHA256
c64503fbc1d6b31ff6efa902aefe2472af4d439199776597e16ce889dd6756e3

SHA512
ad7d58c61f367ca4a9fd9f1ac2d0830e3f96ac4d5bb9de2583b2c820ffb87878242dd4989831f9ed801dbb9043a1e0a0b943ef4afcdeb3eb1dbdae2dd8064987

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
b06cab9842e58ec3a057f15a8b97f318

SHA1
24211089e9801f523dee3a167971397a1f8a249c

SHA256
278dd32d4bac9b411431dc6bf5edbec8039087b38fb6e2b0439c0c15176f7c4b

SHA512
8adf5872dd06fca4e7f8a3e38eb63e50180fb255a92ee43f9e0bfbedd5d0b0cc2520c4c9d13e8eae3c6c939eef4ad5eb55ec241ff07b39db6d20ad96d7bea895

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
abb465e27772b11b445f3e18abd24e67

SHA1
7f69c424b94c81ee271d4aba4f48ede27830996b

SHA256
b0506cbe9d5f3f0840fafd8282c34870457b2568c17834a7bd23da02d5ce8ac8

SHA512
db9609413a9d2f0a6ae3fdb74f68f438fe5cb3527a6f7c60bc24a481c0a79f8e9ef9490800a141c507d1849b8ac0452b90cb104232187a3cb598a7a81c7233d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
7faa9730590299caa048ac783eebf5c5

SHA1
99e70dfbfd91044adba02aa4b8bf1c2dafbf1a2a

SHA256
4086ed3b6e3af4b1b07a1161074abe07c2a3a73a757d3e7ff3a52fd465b4054f

SHA512
21365f9a077f492dc129430eaaf75492d539bd6b58ca0e995b3d6f3ba1f4986978c280c47547a33c83bb600d22b3e7141a1b3d93bcb990c4ae291d757a413474

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
cb710d1e4311f98c622f6fc712b715c4

SHA1
3ac4179df186532f4e2b325b4c1c72aaf390a0fb

SHA256
4dbf80b7380f42830cd50f4e92b72fcf62664c708360136cd2bdf890536aa0da

SHA512
7b731e73eb5e7ffba8f15adc596f842fbbab0e1eb50d6a0ae61d54bc5e599e67b5bab81da976c6efcd9712719ef292f08feb77c6b36fcf26c62bf933d73eb1ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
9d3a6690602b206ab583d40b60471b93

SHA1
60c9f523faf933a1b68626f40f88afb76d424b1f

SHA256
098e339af773677eb4308ef3cb7d04c59f4a59edd55caf4d8a3b13ce7390fb96

SHA512
807ec1e65838b6c558d23d387d924fc9082d26ce2f0ab04ad2af0fc22b81c7c05af672608bb345d700a500ff307c0d9a12081ac8350444e9abff5d6e5abd8137

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
b8b140c897c79d8ceb0d01061e34e3cc

SHA1
7c284f1c599a00c7228237011f54938ad9a9d13c

SHA256
d188d842add134700304d3b203e9a51e5552e2b972e81418dc0a74bab6d7688e

SHA512
8d9a5f0c8ca6d22ff139442b8764677ac24a0d76367ab7a7c8579336041679a4526daeda5f73f13121e5e9dda9cb236a812124eff608861ae759d7cebf0fd69f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
a361227d4aa6ce6eafa37e82d2cb1a30

SHA1
82b5b6fd38669d66f59d7e2b8c33807a92158878

SHA256
9ad52454d020ecb0f20777055b97b05c2453b4bd96767758ee71afe02b22d5c0

SHA512
f8307b4d83d857a66c8ed8553ea88eb81ba3c5762615610996480bf70a56fc53d765b589706410794737ec27db2b46544f1574e8390c4f0f41d9bda23ba090b5

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
a44255105f8c4759fd97bd215e008782

SHA1
1991d8b8234d9c061cf60801e28babdb9fe6f52f

SHA256
795f47a855d2590051d0131a464f1a51947efdb4f55cfdfe785900a28d4ba492

SHA512
d1cd26a5f3ac2a793d93eadb60e6beab9eac5abde79bb809e9d5a2c8be3b90fae293ce21b972c47ac52e3a218cd65925c4ee850e399109f3bf2a0a3a3af0b2e0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
f9d4922602bbdc1341b43ac28990d2c2

SHA1
2820b422804c09471e1a16741fd36ce28d512c3c

SHA256
f17e518ce1feffc5598010baf6d640f71d3c315605f640fc928f075ccba27dba

SHA512
8fc89f01727ae01387be7804a6286e321f2c749a5586bbfe1109158a2bb507e7cb5b6728e9abdd2371ff8f9e08d34eed75b040e511572073b4a11a2dd6413fe2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3346cacd92e41a50a9e1de096637738f

SHA1
67909c4aaca4df6a2bd6e340edebdbd0d66e9a65

SHA256
8fde7a961c347a2d87750fe72cfabff9bfeac10f20eea0513a588f3548473656

SHA512
1ff02c2620a03ba295e468435d3fc4b954740aca2d544516c0e1a8343d5284b3d756344c34740990087d02d0499275a744ae9f05464df49faeb373388f6ab1cd

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
cada61b94370cef478bbd1fd00761dcf

SHA1
9b6bbda1d9d0adf0f95d94df4b543c31f0859ab8

SHA256
5ab85ff9ca45c78aa18db57774154e9bd4d8a8c82b58e980dfa5c26fa0a9dac2

SHA512
4d9dd2cd3e18c5493db191c2ed6fabf23d48f40daecc6dd545149fb682f81e75a953963e1c62bbbf9e65b75df71dd89977c7be4dcfc8d5fa1aab56996d163573

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4e25a17b9a48693b77effe2aff983707

SHA1
a55b2c1c09fae2af4c209c4def829c316b2bc035

SHA256
2d2fe5b0b685287013ff92cdad60844f01981dfa58fd2a336aa48cc6bff1dc83

SHA512
1857a1ddbe15fe16c3c76e3e38d4b5013393db2b0a84f3db4c412b17a238dc0de8c122ea0f6a03d2d688f060cdbafb7be502a85117b16c4ad4caf92f27e3de71

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
34bbe57e6fc774f9e19aba8e72747550

SHA1
77bf05869860a666f0fab0418c05b6b640a2b0a5

SHA256
8b1432391c27b80e2b34711bfb422d8f50f0ffc8210285d7576070b5e8cd5cbf

SHA512
40d26e5aac8a4d41038c04128bf2c98e9fb5ebc0cc9c22b190f12f8b38d9190ad21f6324320229cfb6d9253c349a4560d50d461cb6f5b04beddf78e6eac024ae

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
b3a33cd73babc77299b80a499b90f876

SHA1
860b143f4ac5e8d1950a6e5a9837b190223e833a

SHA256
1673048cbf82874253ca0ff26b12eb5e4d7b7e64e2b5282be98d4702ee903dd3

SHA512
209e58a7cc2e939bec79375723a7f6f44418ad910f650b714e15abce473411c25e7721e7d08d542f4b415ac72653d0e4a0a908e642cb45661878cfb0c60706cd

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
ce50711f58e1f1b6b5bf0c35a4b377dc

SHA1
9463540cdef6e5aed11f5ca96d5c14f228fd8f17

SHA256
42604f74c4b6d0f77142da0046a61340c12305dc22b8e2c298ebc5d1f284b21a

SHA512
9ccebc9a60324558e54f0619bf83dfe5f4be1cc9a0f294b9a963069a8db857d80d4f924dea4088706cb01366c3cb907dad6c1526fb344b1d25c9f335b59acbe1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1ddc9948c12d8ea3437fb414f7c70709

SHA1
d6128396bb8a029a419b4920e31ef02a4d794b59

SHA256
6e33448a7cd2737499de7ae9b6b91000eb67a93b8a6994a0ac50ca24b7ea0e8b

SHA512
aaa5fc4ec170ca4d7493f637a4a566df19b69744e4432dbe6ae4a81b18593531ef58f5e6bfafc9f7b2e2b93cfb2a92fca74dac9645720fbc932e69c1aece5ccc

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
304b9eb6ca1769dda69c966330d0ebef

SHA1
8c86adb050cb8de1f05b51ca7c163788e2684553

SHA256
edde3ef36ed1c4367e13f0272221e45591355b88047ebc33375e71a141c490d1

SHA512
84fd2ee9a8389f750f60ade290d158c9498a9dab11311867d360faefb88a57ec890aba60b47fb52b3bc1adf06f846fdac4988c6fb714a8fcdb0c5e55b84645a0

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
3e8e7ccdf4d8b3c363b2c22737e91f85

SHA1
20b1fdc106d1053e871b7aed7de51a83bf992221

SHA256
0a67cf727f089f9141f2b962023a0f14d3e229ae9afed1f59972b483d4697d5d

SHA512
20ac5a3ff6853d5ee78624111f697cd69d297377b16b6f1c31e0d78f87f2eaea245aaf20cfe9f093b4f7e40eb2d0482759ea3729c16ae903fc1f625346df043e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
d5095332f1f9f99a2b8af7fe8c2db621

SHA1
e1e80d617b8e40ca979b24f5a960a76541bb6294

SHA256
b90a88e3bc8f5e348b25a83568a7619d71493eff701ee1ff74e56bff75df4087

SHA512
9bd9fee509cbe8a76b2e774845d5bb505c7b21c6702f1af5b7a119e4bbc77b6fb15033a6a47f3365d0a2a41a3c8f6ac058e5b34dc19a99358b33b3676a91bd60

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
71ba46eab685628cab9959ada408e6b7

SHA1
0022a9d6a06b0703e3efcee8418dba7c73f4e9a6

SHA256
fc9436b48cab716f9e823bd3d6cebc57fc3acc72b0a099b7473efca40c454121

SHA512
612b74b50f4e37e2ff260ddccf7eec910b2a892fd1969f1c01f64305640f919926abc55c32efa607acf1066bba7229f0acbbc6d4c965ca5fea28b311a47f09e7

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
46a132cd2dfa5efa8a3f1f35ee971aa7

SHA1
a76306e1c95011d7d25205e9698e93362cec6f39

SHA256
d2972d0dfad09e3a6a8308a43ed188e231fb349c7b4c5bcb619d7e59e268017c

SHA512
c5d785fcd46b982c4880d944e1ad76af01062fa37773de1681efdda605ae422510fb6724ff7b4818c2d6e1db73872fc3b2034130a3f354f445ebc5b7d8a4ea07

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
31f32296032fb53b2f590a97f17a1e0f

SHA1
f81141f49329b89356db85197040b755ab831edd

SHA256
4bf2afa836dfc2d0273a7b3e50373df853d36ce0dd2fae271c83a993f27ac6bb

SHA512
2f44297b6da350effc0709f62a2d76caa07be25e23c5979b7fc4cd9a32c37b8e9ea5fb09c840853b92c80002453ae4acd49d9916da4f0cd09f55ab303d0c09ea

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
63743b52093e130dc3b008fa7e34e399

SHA1
1ee7247304c75cece227b15a95788ada90d8dc9a

SHA256
d06d2baa6f766c13920e083860bcf3b9c83cee6bd6fde8f52e44f81ae6c785e5

SHA512
9a6dbb388e2030ee5f41b4832bfc13267184b00a4b7980fc0bacaa37656d088222da4954a425a91cb997e268be3008f5cfbb0b9361a67b48025e2ffe7ff915c2

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f035560a56a9b568c2920b741e523b46

SHA1
e42f0c6fd3ea6260ff3456ea04cf53d5d8aac5d1

SHA256
b1d4fe1d0f78cc6cfbff040e7719c31e2993a3a909d762a064b9aa9fbb93cfe9

SHA512
9902d80bdbbf2770ce441636670cc211ea62e6f2f6ca4e44b080623eef89272dd7fc0bec226c066b33271930c7b3cc52e5c56d37710a7d37ea40c5a1f8218ca4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
7a9558e4552c319cb9d29c29dff1fe2a

SHA1
b4c922feb31fed9b2bad587532c313372ab60851

SHA256
2489c62ad84115e6a73dcf19b820deef4c756bf4152a8f72161d8014ea7f433e

SHA512
b80333199f802bc6cb271359ad7cf05894949e7d9014ad8cb416b49e8c9bba5d7ea791d858839b64f4f2c4545a90a5883c66150b213741a7ef02b1043ed9afa3

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7c99650e5e50fdc7f760ec2a3af996cc

SHA1
f6d76eeb6f77ecdaeefb3eb2134c12bfa9579874

SHA256
d107850f29cacc7cc6c26eb3ebf1553b3f4c8f1b120e8ab961d679cb92aa1781

SHA512
48e66b935fc27bd66e960d79f97ae67a73d45ccfee0a4cf101730f818b7bcc9b2fa013786333b329d53b068a191e14831aa9000a781b12cc85b97b5bbb4521f3

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
384d959e8989a9d93783b31e580693cf

SHA1
495dca60c9799b19da1624391e3a0f4fbab993f6

SHA256
f9a521d492a9dbb32e5b5027374512d9aba0c526576808d1b3d84f811c8076aa

SHA512
935aa58d444fa15176e88be6fc886f105b2175d8c38e5768e70988e2e79bc8000d2777f4130c0173366871403e405317bef1712af089478f2c9e21cf1881b695

Download Submit
memory/624-504-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/624-331-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/804-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/804-73-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/804-67-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/804-69-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/804-61-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/1340-297-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1340-496-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1352-321-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1352-253-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1852-463-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1852-288-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1984-314-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1984-499-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2076-317-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2076-319-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2172-286-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2172-498-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2172-337-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2308-281-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2460-506-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2460-338-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2496-322-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2496-502-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2804-56-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2804-246-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2804-58-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2804-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2896-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2896-31-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2908-245-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2908-45-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2908-38-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2908-39-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3456-503-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3456-326-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3884-264-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/3884-258-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/3884-325-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3884-257-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3976-8-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3976-9-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3976-48-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3976-0-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3996-505-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3996-333-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4024-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4024-242-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4024-17-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4024-26-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4296-303-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4296-497-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4608-247-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4608-77-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4608-83-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4608-76-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4808-329-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4808-271-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4808-272-0x00000000006D0000-0x0000000000737000-memory.dmp

Filesize
412KB

Download
memory/4896-241-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4896-14-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download