e2b2c093710e307cefc681b1a66a6b30323f2bc239045034d69dc0479c3958a8

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-07_eefe0b0faeff4f448770f0c6e1320a79_cobalt-strike_ryuk.exe
Size

1.8MB
MD5

eefe0b0faeff4f448770f0c6e1320a79
SHA1

0de43986abbad344e9773501316e163b8b7e40c3
SHA256

e2b2c093710e307cefc681b1a66a6b30323f2bc239045034d69dc0479c3958a8
SHA512

2be3c7369f15f7d853d6dd6e4be78f9a39080451c35144e8acd62b73106d876ab8ad5293773d98e299556b01db718ed40fb4b85ad06b0fc3c4cea37d2fefee51
SSDEEP

49152:svjx8JfsWc6pu9aj6R+ft983Dl3gEe8xA+:GhWcv7R+l9EDl3VxA+

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
844	alg.exe
1512	DiagnosticsHub.StandardCollector.Service.exe
2040	fxssvc.exe
452	elevation_service.exe
2948	elevation_service.exe
4556	maintenanceservice.exe
4236	OSE.EXE
1832	msdtc.exe
4104	PerceptionSimulationService.exe
4384	perfhost.exe
3368	locator.exe
4804	SensorDataService.exe
3676	snmptrap.exe
3940	spectrum.exe
4428	ssh-agent.exe
4404	TieringEngineService.exe
4972	AgentService.exe
2012	vds.exe
3128	vssvc.exe
2548	wbengine.exe
32	WmiApSrv.exe
3044	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-09-07_eefe0b0faeff4f448770f0c6e1320a79_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-09-07_eefe0b0faeff4f448770f0c6e1320a79_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-09-07_eefe0b0faeff4f448770f0c6e1320a79_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-09-07_eefe0b0faeff4f448770f0c6e1320a79_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\af2e1625d1b02b8.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-09-07_eefe0b0faeff4f448770f0c6e1320a79_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85546\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85546\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85546\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-09-07_eefe0b0faeff4f448770f0c6e1320a79_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cfd42a2de800db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003e43db2de800db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009591e92de800db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005efd122de800db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008f9a102de800db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fa0c642de800db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007f5c532de800db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005710262de800db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1512	DiagnosticsHub.StandardCollector.Service.exe
1512	DiagnosticsHub.StandardCollector.Service.exe
1512	DiagnosticsHub.StandardCollector.Service.exe
1512	DiagnosticsHub.StandardCollector.Service.exe
1512	DiagnosticsHub.StandardCollector.Service.exe
1512	DiagnosticsHub.StandardCollector.Service.exe
452	elevation_service.exe
452	elevation_service.exe
452	elevation_service.exe
452	elevation_service.exe
452	elevation_service.exe
452	elevation_service.exe
452	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1752	2024-09-07_eefe0b0faeff4f448770f0c6e1320a79_cobalt-strike_ryuk.exe
Token: SeAuditPrivilege	2040	fxssvc.exe
Token: SeDebugPrivilege	1512	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	452	elevation_service.exe
Token: SeRestorePrivilege	4404	TieringEngineService.exe
Token: SeManageVolumePrivilege	4404	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4972	AgentService.exe
Token: SeBackupPrivilege	3128	vssvc.exe
Token: SeRestorePrivilege	3128	vssvc.exe
Token: SeAuditPrivilege	3128	vssvc.exe
Token: SeBackupPrivilege	2548	wbengine.exe
Token: SeRestorePrivilege	2548	wbengine.exe
Token: SeSecurityPrivilege	2548	wbengine.exe
Token: 33	3044	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeDebugPrivilege	452	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2972	3044	SearchIndexer.exe	124
PID 3044 wrote to memory of 2972	3044	SearchIndexer.exe	124
PID 3044 wrote to memory of 1476	3044	SearchIndexer.exe	125
PID 3044 wrote to memory of 1476	3044	SearchIndexer.exe	125

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-09-07_eefe0b0faeff4f448770f0c6e1320a79_cobalt-strike_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-07_eefe0b0faeff4f448770f0c6e1320a79_cobalt-strike_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:844

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4388

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2948

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4556

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4236

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1832

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4104

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4384

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3368

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4804

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3676

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3940

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4924

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4404

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2012

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3128

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:32

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2972
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
500ce515448fc00ef05852d3a60b732d

SHA1
32982c93591fbef158a42d0eeddc8794ecc6cf92

SHA256
71b9f0cb26161616a2bc3adc34e6be5d8b3eb60c83d45318c72bac7af4ee8f01

SHA512
ce8aa09d0dd4a85aa1671dc071fdacd1cc70ecf705c37957a4d0ea81c7299bbdedee715cce88d9efc2447ae4d3212f8ca0f2b3eca5a84a3d25a065bad36b2882

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
a61c82da23e1429c4197884fcf0170f0

SHA1
acc895c339e82da98581588c162cb7605dc06bf0

SHA256
c6123c961cb4d62a02f2d84d83c420544ab09de081250adf19409bdbc4a3e5b6

SHA512
fed893e8a1ddb49c9d515a86787c72a53aa7b621b9f1e8ead88f4e7a4084de52609781839752b47c4eb262d61fe954fef8c393fc46e89763bf46f2dd449edb56

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
010659013601ad70561691860c76d710

SHA1
011c6082eae57b141fb1e39e96396714a8cbadd1

SHA256
9ab25ac82ccf7c9067b25f8b3ed1b5fd2942ce3f7ac4cfcc0894c2dee34a09d4

SHA512
514c025a82429e4911bcc7139cec902dee2611a2fb4ed67d32935146d446c2464fca5868cdfbb01c35a586a81a8dfe89ceed1e282bd7611ea4fdcdbefdda8eb5

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c25587a8338bef440286f2a8260ee403

SHA1
685a4aba384671a3c6326f01a53d6694d559ce36

SHA256
d0040d0e4b97cb1c92c9fef610da8b8a3404e32734593b3a6c515c7268e478fd

SHA512
0f4f6b257c40b25a74098337566c5ad939cbaa6214b4748322dbb3b0c5adafe157a34d9fd8f0d3ee563fcbaf2b1b1711a243f62e1e98337d0912bad6d2f25a16

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
3022639634ff53b95300cdf5d1e8e9e6

SHA1
fedcd572085cc82eb88f2d360fb0239e196b3e07

SHA256
ed17b34f588363058f249d20b56b183d7c2863ecaeb3a06df2eda591cc2219ed

SHA512
ae26c015286deea9afa8fa2ec685d5f36492c7e8b123dc64295f6f6bb7d40eca199f817383c0c04f5a5e2e86d0cce8c411f72b132c1de0eb31291e9cf14da1e1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
907355cd90fd4408df52be8a00a87f20

SHA1
07a5a24d0a3847c99c74dcffef09df2a3a646e38

SHA256
46c2ce298aba55fed968cda41cba647c418829b3e8002c0f9860b4b2ac3eed99

SHA512
d385f4dea6608093de4ad287037de4073d131bb146921f7b64f9eefdcc0e1899ef44e573882988b9c8b35c28ef8593fd9eb3f4d35e49782474b149d9e6500ad9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
787731f74c8f920983880e729101887a

SHA1
2d37bd118896ffa8133705dbd5a0e7c0348e3c53

SHA256
8864966c4e9cc323063efc7cae88600b9bf8f655e611b7e45228da559f7e683b

SHA512
8889cd3f3bc9778a830adf4bb4c61fae967fae459e855e4f10c75dccfa44a8e54091683ac72820daad2cde160571c5b244869975f9e9ed3a44cb0751a8878b08

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2b9a3a06ba0935bc2c965bf8a55c1ac3

SHA1
660f3b1740b24ce675513e8399d642ac00f20a9f

SHA256
0fba99b9e0223accd02db71dfdd83ffdb045f96e799a21ae6fc4fea72e916bab

SHA512
5a5e4ce6a550cf9abb57a34410e41da89737e6f4a924a7a89a9a3b599c68f8a7d15e891743ea88ec47adea8065890a376a57d5c4af2e21b51fa2445eeed262b8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
dd73484e9b439d04976d9255c8f8c5d7

SHA1
eb3d516ac1447a9d3726d94e679d6a602cbe7a41

SHA256
231e242131ea14418aaf88bd98cf5e0d56559bc2e2c0dfc6ac9ba68efce871e1

SHA512
0a8817a64ae609307b017d21ec6dbaad9a9c64ba67530350d779ee1132295a0576097c357ac3935e3fe915e76ead250c342932651da2432be69e2620da65bb81

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0e787421d8f43a8631dda4d46352ac5e

SHA1
e7794666bd1eb03167ebdf153fbca9abe9e0c62c

SHA256
151be8ed8c2b0313302c7405042aee250005f7c2e92d8ac362a89a6c8f5a32b7

SHA512
de5b82e75126a39fc17931979bb98047b1a633ff0ef832c1e413e9edb2f98c77a16d6350c6537f65abc4c05490530e7b95790d25cf39bf43259cb2731a876211

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1ee1787ba00ad74e433e523f69cf7d49

SHA1
d1d73f6e8ceba2bf79e6f8b6b03af57fd84d04df

SHA256
840d2f5f2932205eca9b5f9824f6637954f4a529c7b36efd9f0ee18194955f82

SHA512
b23bd86844e039c513a96bb5d53842b38a16e62092bb5888d1f5e58b53b40c2261c3af9a38ab50513f75a029b8d83df95ad8538670bc635b6e071c0c3db0e1d6

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
41bdb4fe0417c48f75da74720ce325cf

SHA1
d1bab2a99a79b7952974dbf41b10a22b9b226ef8

SHA256
0705cb6001fec912d995c7ca9e44ef69c7ea1fb637ba20d5b270b9fed0f771c1

SHA512
17bea1b765d946d389c871808ad4c6d9616af8842aafdd1ba0b5d68431ee64ecc71222ec523ba15325461a01a105e8acfe1bdd7df840eff28c4f45343d25a8ee

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
ec85a036784d2821d8cb338db5e1e982

SHA1
6829b2b6eb1f8312778af6ed46c4e5112210a4fb

SHA256
05855c010fc832d62e02a7d8bccde19ba2c11a06b06059272474397ab185461d

SHA512
23a1e3ad1784ab5688495bbd11ddb8e10e076fa7a0786951d24c83f45c8833ae64931c5d5c460766277e92113c264faa7f45d376444caf8b9a5dee193f921447

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
7ab893107cd04d0a8240353c64ec91d9

SHA1
ddb1dc515983573be384277f8447afa5b3027992

SHA256
6ce788683e4c5092ed97bf6fb7cf35106b428cb3321cb8975879c08a9c4e0769

SHA512
aff80f95c2326e1d5610813bc85bdf174cb3a5c2c2f21fa5fa98caca8576fcb1fc2bc4379e4a0eb30c3baeb5f6d7a6f7ba4b7e07ebef282efd0646beb8fb0de1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
63041adcc0530c13d802357e40e3c267

SHA1
55f4c3318e399610d2eafc5497359eb032b7e201

SHA256
73a49a8a44a3ba3a169e55e6246678bc18368d95b864fa6b3af287c6f038a459

SHA512
3bf487f25409aacc1078e8eb593f77a7c782e6edb33023cb81cc5b3b8a60b481406d15eb9611f3ce331ef6b8e3341ae939bbb74205d9992b091e70c459f48ea1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
874729adfb8144278ee5345a7938ec7e

SHA1
6bac54d2fb343f557d3032b11b972c140a95eb82

SHA256
bf0eaad424f12fd7adbe1eb1f0aa16a510e137172ca0dc2c4e2582b4fedd054f

SHA512
d86d8a09c4b2a82f46923f23309ea3bd0b40435a58a80a9f29dc6000b964d3f20ec7db13a98b3b90f29008894d9c7791b20bc513cfd163a7fdaea040164e00ad

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
8e4c41cc2a294e45929abf1b5a2980e6

SHA1
c9e89a005fecc1c6454b4b2eaa385b06f44de3ab

SHA256
f04d8ef1e5a12aeca5a42ed57ad888e6e6426e1efdcc3e0dfe83c280d93e9791

SHA512
ca753013fdb21c5e2c74fdfeb47083e380b95b6ce77696f10f3a0421cde39844f9dd73247efa9e0a85ad84c70189f9c721b3a06fbf8643efd5558fb5586a9e80

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
d081d825aaa557623fe5e705a46f544a

SHA1
ff620fb7e95c466b2b302a0987444055cb186780

SHA256
ad4a26e2312a56f2ff84a5993fe27b4a05939648deb8b7054267eba8d43ceda5

SHA512
ec116b9b464ce4e2abcec74a6192285759e313253b5f0b7366661173a122327bc028b899e8b0c2cf4e055490d497b4796df83de35926c39f60993d640b29467e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
aa4ec4f2fd9acbf1236e81f76b3eebfb

SHA1
7b43f4994b7203790a62ff03ebe5997380f47ef5

SHA256
7b50b81dffe362dc1f6a1105c3e3944e645e6384cc40f661a46ccbe3ef1db4c2

SHA512
574a56ea517a9712addb9d169dd81b4aeb65e5173aa10519b9d11752a494fc5caaff37b6136f79670529440d5bfe57bfe357fe82855c54c7eff607da9d47518f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
6ac77b3cc66d8a3a134a808f653f3942

SHA1
2e14a1e246fda9851a17fa65991a753513f95651

SHA256
399cd519f157d42d7c476060a44432f799e02477a7538bf2e48b6d039ee414c9

SHA512
1960c8996bf74161deda9355fdcae44f461714ff07180a2335473b1804afb5d7ac41f98b0fbf2a91ec1100309a95d38cb2bd7e23710480566a596536ec18abeb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
f2f01293c5db9fa0c7d8e4bf0047806e

SHA1
f44c11882bc68b2f3ce260d3b66b0fb6d78b65b2

SHA256
63abadf802a7b38cfb9705f64d1a8286fd2ff2df9724632a880212d41b7a2d41

SHA512
8dda54269147b6cd39914e88a492b315767f3ead332583f8a557dc02c4ec0183dacf6b146110d354661ee8e08475599ebe823eae0c5ea3fd3258a81ca92d872b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
efa48b53065ecc71d0aec0051c66b707

SHA1
d979a8a42b144cdda61298576198650e7f618392

SHA256
4b0925fdc68da62f5643f4d58ce2a9c42ea6e21de53604cf83d6697f97e70f67

SHA512
8257e34b9c93746e716d1d04d4765fcc00c43e05b2ed99986760832e984dd1afdae57238d3e579bca2151232811da36e02a4a6ef60ca3d30c0e5fceaf1770df3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
ad32a6302119d106888d915bffd3230d

SHA1
860bb37cf4a7fe24d07fca23c04065edf9772ffa

SHA256
633d42b4a38db7c7eb3fb13c4cfeadc719c2e8fed1e8b373ef71737b9c3a433e

SHA512
3b9acdb63f6abcc68a7b6af3acb0b11f24c88dd446481ce4bba0812de4f80cb1aa567d12e866165d1b51e81322390708f8dcd56b3330c565eca8f4eca6b36834

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
0cb1fcc25127a94ad5802e73e15563a2

SHA1
8f1c01452759f5a349e6c5e25b1d74c5f1ff035b

SHA256
510a67dd8da0f25079911d05d6aaa325567424d9f785780014c4ca3ed8ba73b6

SHA512
a38de08cae2e0cf17474686e95662e523f5e31ca2747bb3af2098fe9df62f2a522ff5612d5b239fc538525673e6e6abc2caa755230b02c3a5f44d52456895a0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
6cc2030b9b0db43dbb1593daea4dd548

SHA1
6e4039810f2943ca78cb785d8fb902ca1ca57312

SHA256
9f17a19b81ad31df5fc97971cc7ef30088664d4d0f9cfacf9cbb0056acfb8506

SHA512
c159a7a6abbf8e738bac58e49d7430e93765ff3d833bc8e89d745c5d84e234c6ca9fb9855bf97e973dffa281b2eaa211fc7a15115b02293a8134d384de1ef026

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
45163d5c7312ab3a4e289f3e8de19477

SHA1
94487f1da18468364c46b937473eaa7193b5c2ed

SHA256
7b80a3833fe95c1d4a8a17180f35d8e5326d05e0c95f9b5e62cdf788d54723ac

SHA512
972095fdd78f5e3e1e3f1109895151d61d1df1df71097c953bac65d125f06269a982d5808882667ffdc4b7cafe55298399d020595968009e78ac796249bac9f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
ad2d856a0512d54031b0c64575c98bb1

SHA1
1d60bba6714c1518eba4932a5504b9a057eabadb

SHA256
e9b676cef3bc79c9bc028083cad59f8c104650130c2f82270a29726ee8a7a749

SHA512
45c5b6fcf0d08ab59086acda5e0a04570d5bda4793ab3fba0e32616619a1892c8c1545c0706eee7c540318d1115b17b34171029e70b0dc684b94379e0bd8aa6d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
0166d793da2464488214bb3844a0c59c

SHA1
c7c65cc9ff24cf938fc3f6524ac6ec3d77c86f48

SHA256
71e0d92a7fe247723c2b801127cb2462a0f8e1e19b9b0b8cd87cd12fdba8f9d8

SHA512
4fe9afdd5a83ee83d4e2cf18e6f7a7868aad2020380dbda232ca1eadd1ab1663e490e84daa51a1e84c097e63942676b67c4f3423470508b43bed610c3650bbea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
7e89f528a699b7dc9ece978b90574566

SHA1
aee55ac84e6c47f152a4a9d57e971efb8886956d

SHA256
69c2be2817e42c77f6f3b32c65e9397b0e280d50db66b7f4a570c118c3d81e05

SHA512
3bf1b3f9a88cde996d5880d3ad818207fa5b64ee262d970044a69292be5136559089bde55c6824203366c85b47d182f99af28b3677368bae4501569973064132

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
d94816ca1a1669908164b5b3fdf1fb26

SHA1
476fcf1dcdc4a5f96b15360c83646cf545a4ccb6

SHA256
bf2b351bcbfb1ed7542fa3bfb62b6ac922addd755e1b22d8f16fb75ba65cfd49

SHA512
b928ca7af904ba66399fadd68d70b16060ba98b2c9c0a02cf65d29ed4e9b1f196a9e2bd042ee00cae6babea007e7467b2c50f11faf20254fc734c80550ac3407

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
0b508f4aafb63b11ef2ac049193675ad

SHA1
3c0fa8fc968172445c596f288215a8d6a1eed88e

SHA256
930c3097c225023d30b731c4165d8e73dac5f1d06c1b6c8262fac1a3a8f02ad5

SHA512
fce62aee977efbb59820ed49576c5bdd1c2c072caa650f31233e5aed71a91a7a3f846b816ab1907911fe0b23afc7950180f8ea2173f0bce54149b4f55d92181e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
c68eba49d74edf4291dabc1601cef3a5

SHA1
af43b30b447218c0045822698a80c4b57ff563f9

SHA256
e08f724eaf6e0bbd88018fc4959288469f9921c4e5cbf1613f272b72496b1c08

SHA512
43040359a6775e6abc2059f21ba67169a3f924817834faeeba9642ed4cded37328f1082f68d05e1cdb699424cc20e5a7bb182a60d3b8fe4d2d5f6f14bec0ccf8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
7e656f2b10d679909f313432314558b1

SHA1
1e00d3511c5b54bba0accc663a631d64b592fddc

SHA256
eb551048b74167c27776fdc01c9ba7aedd1f402a6a16a2ba219e0cbd48c2981a

SHA512
5eeb7d8b2e9042419adb72a52ab7b1fd128845171d07b39ddca033dd4f1131e344107734992f523c898b81ec027b42910457c9c29bbe51a256070fa6f6f68a16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
5da9673b968a58e7e1f7fd6636c1ed93

SHA1
7cb9b10c90dd6ef3fdd71d935f5c501d27720fd3

SHA256
24bbb84ca92226f6158b0810a942743436d8d8c84461d92734efc377d7eb8a09

SHA512
b17e2378bc04563a21752d7c94be6bea5c215c681f34703c076d88af8d6fdef6ff3f0b2fd59a513b7e10b6a01d9a251ae72928845ec3b8d8ca669c62de449c99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
6e9b4043f9df652dd1a4c170d794fae7

SHA1
c6c32d5cf9ff04b3a1cc1369f02f98cbe39500e7

SHA256
f56adcd26bdff066c8180b1678c58b0f8386ab750d2196c0d0b90b8991176d25

SHA512
70ec8cff9ce70c48f5042f10b63510cfe4ad4d69c50ff321f23d626457e4aabb4f26df5c23dc35150d137ff46c007049700b63c95db880d9fe047eea5550d56f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
e159a25817dfc00e453c003f1b5ac3bf

SHA1
826dac91554507cc2ca0ecca7e9efaa0b145a0ec

SHA256
7c36bfe809ebfe5ac0b08774afc29d152e124963911c0304d7464cc918da398d

SHA512
55d33c10173c0b0d2a3e4987caabc25e99aa09c058ce77aa1a3f3578b4d1458d41dc02919fc303aa26739cbed31d72366579d0a5c00edeba09cd3b2208ac8baf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
d57c4ba5fb86c9bafff80eb6d910ee44

SHA1
fa308692d623acc0b226fd725525b066740bbd3a

SHA256
4609a9b8c4f665410ec2b01a21d8fa008ab854679addea90843281619a0bad15

SHA512
d476d8d8abeb8549c693a3bbc9511ec64084416e76fb18ad5c0900a30917aa1bc8983b64369505abdb0f0f8f1393d9932e2fa238730d73980298d7b76286cb0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
8177692a6b9c1924f9f6696fecc4d740

SHA1
eea4f58195dcd21664a344c39e061525456cfc1e

SHA256
64ce79714b3288049f0607546e7e9a39b9d66b94110ea0829d29505679ddd95e

SHA512
65b3386a7b5d2f90c5f106651812d587638197700577c2cf7f21c9d03f31bced2672a8c97370cc265abd88a15122505489ab0e3245987da85993ce63627f4f67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
8d54afd133683ea591109f74e0ae2f83

SHA1
98ec992b936e5759735904da8f380b49ab87aa58

SHA256
4b4359e7a611ec5634937b9c559fe6b6d7b5242c1bb15b7ce623a285c569da57

SHA512
da3fefa874df3d3b9f85686888529a7d2e01525727adeb23ba879647e94125426583924fb577bda820f1a40acb4676d13d472e76b6ac20c941a9dd1993c64292

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
90586cfe8e0dfb48923d0908b741b999

SHA1
d914eb3861b85dfa33450be5c0277d0dafb85d53

SHA256
b3886a1fec100d0a590602bd0d5042b6ec627a5329c97a472b0b75a020805927

SHA512
6b8b88a2ab809f2b3d604b10459655f3c66d4e3ad5941ff291f7bb3ab72eececb9f942a50e1abc8b603b1acc1d27c87dd5704304f15a79fd67ef53a1370126a0

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
e2ba0576631e7bf4c6dbe008c877c271

SHA1
07aeaaae32f86030311e043bd79b416a027a495b

SHA256
ebe350bc4913027ee371cbd9e571bdaf035638b827c15dab2b8a1797d39815fa

SHA512
a6109b7e91cfac06eee569652df442e802f79c06e4e063963f1b9525a93bd7f1a198fd952377863143ae3e14cdc46f2750ddb46475b5203f1b55b582a9f33229

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
d30e1a32879800fceebdd1688414cdc1

SHA1
a4318b4290f3c6d3165f24062ef72b4631540f62

SHA256
206f064f8cd00465a81160502a933abe0867740b6092d237697dc39ba2e3a747

SHA512
71248224780457c43ce087d497f2e2cbfea070a035b5a4dc88d02aaaba1e43a36c17d2e298cb74ddc5291f645f057e070515895cfb4efb128e5a28049c758299

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
11c7000846bf40ca19d8fdf85a70e20f

SHA1
59874afb3cdbcc9d59b8a729704c27d854683560

SHA256
d7e210ad32ba925882cf37cef70f29e668e8b6efdd78df1ac4885e27cfc4dfd7

SHA512
4611be48c20074bb40475d021df4424e78a1c16d80cc9db95fe794b8656e3af2a27fd573cc9d1d84a27b1c49c3a1dbe47ab9634818317bb326aeb2ace610eedc

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
21f3c22b0115f3dad110868ea7f8d008

SHA1
d6e3676f8a9b2e9dbae3fc63b3b9c78660f4df9f

SHA256
b2e202954515b3d0ead3c008d8dcc66eb2c002f8f98b7e618936802b7cacd93e

SHA512
945367906bdf8f21caaa3478092d93e995f438683dc13a44c14cdfe13fd732cb9f9471e92d1828fb72184db432c8dd055a737ac0ac91bd8250eeb80d9a2a62a5

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
bfe8dccefb3bef34fa39e2bc21be8e97

SHA1
c67d875c89cf108d52501b1de0d4b394b0425cf0

SHA256
0a0cc47dded4c460baff8014ff3bff5cad5a4e53a540e44404ccfed044975ebe

SHA512
318a62c89b98b5ae04aab9941c1af2a8b790eef9e9922bbb503bccd19074e0a77f878cfdeaa562a18f1db64b78f28776815b678843a2fa68a30d9f7371e83f7a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
a1685381cc118340633d68c57b2d02b6

SHA1
ff5672e7b6ac3b78c3008414a5879e9146c24b05

SHA256
d749cecf5bdc2622d3bd758530ee6f2b34e689fe3ac88a769c65351158905f6d

SHA512
50f900a46b0b460d5ff96de14fc1621361ca75c7677f5cc123951580cfe8f467dc34d40e1004ab5e0b52b34b2a4cb8b6e689315c51e7a6d021212f4b7e2b60de

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
55ddd98fdb0b8931868270fc2bf4340a

SHA1
c3608d1e7f7e5f7e90f3dedce56f41947aa3f97c

SHA256
1075214d55e683adc813fec6ef106a9514843a5e69cd517382d7bcf62b1b6b6b

SHA512
62c783ef0c30536b8f9c36998ecdd890afbfddad6a7236adc91b0f96f024a76b9fb21358d95ae29c9c4fc8644bca8f0fd721b49b8feb126ea136676915f1153c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
9560bb7b4e4818ddc004cedcae4a14c5

SHA1
eddb53cbdb8085bf5d601fd9536d285e6b94121c

SHA256
bd4a786d257ffdd7c0db5cccbc9b38575211e44a10af9e9fb45e356994bbfbfc

SHA512
021372b5797765865feab85f906e9b45bea72a55fdd828ba40e0f1acf694a9b07c8708856e6adf5e095ecbbd2c9f2a7578d4f60bce358a604dcd5e640b891a74

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5e7fca566f0b84dbccaee3c6ec8bd5ea

SHA1
12b5bb1fb84e77b458361a6df78d64fd84de1061

SHA256
bd55255f8d0ae1c31301afd37e20a7d29b5980901007d89aaf1f16ec1e6dbec6

SHA512
6e8d409a7be795e5f5d1f86be78d85b4eff3eabb3230788a3bc5f3af13ea4e9978af6722b86ea78738fc9d0e6c3b9075e4d99317b2329531263fd73216990ac5

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
526ce26430f1b1ea773ddc6b70aadb33

SHA1
df221d47dbf58eb469735c2ad3f97f55c2f02ce2

SHA256
e834b5f3f0c13429874ba99f52cf4bfb27fd0cc2bfc4e85531eddf0b449e935c

SHA512
ab1c61f391fe88088599217d5cfe997d362d4948eb931859f018339801853fe51a22b1bf36fcc69370f73623421858602375e57288c48f250af5b0fdc036e0d6

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c5a93f431820b1df9252ecfefea5a8b9

SHA1
cd9f08a20cc53f83e5d7cc488dd47b31234f21fb

SHA256
5da56513577bf380650dc7ac3956030d03583276e1feb3f5f6db3774080824f8

SHA512
68de88fd5f7c8f49384ba4c19923baf591759211f5db1d772a545deb85a1f8d62d91538d6212b0d761cf45375399384461add3db8c064f9a3a1732a83c697af0

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
52f55b8251c2e09de03df37ec5a9ed67

SHA1
3ba53bdc21669f11c17b03122841fd27b2db2e5d

SHA256
3cb2fe9a96f121faf332fba28f5e5e2e09cdf67392cb70a7b36de23b94d573a8

SHA512
e243234fb722eca730fa581fb79a2134c7e9523b102340f88d10e2bb56f70587d2bb0aea3840235a261555a5331f46088485190c5451fabe0256651cf4117f2d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0b55f3d92f795b25ab14d56f73e26f22

SHA1
ad668a1629db0d70bf3c7f9833b26945c214767c

SHA256
72e6562058f0d371feca46458e5bf43f36d092d90a80f889602d79daac7ea5f1

SHA512
7ab8aaf246c0b4a44d2dc3365dda85eadce41501addf30ac80571eccce7e92b912d349bab219db0ef9c731a8d811a9e52ccfe17a2cae7963f9b2ae3217a63ae2

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
bbbb4fce5b7a669d9482fef227965e1b

SHA1
03c4aa64f5f6f7241b40066c8fb0bdc8c01d3df7

SHA256
cb70275844fe8772ea19aba73d751a4674bd8eb793e721353cc6c27f082d0720

SHA512
824231e6f29077136909001333bc09229de24be2982ffcbc2173a9f1d30bd818a4103b684b886fa576d33a7feb299696e6a2a1a11d78e8723386609d245acdc1

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
49b85607aae8c9bdf6c2688c5135beee

SHA1
55d087e51f1b240e26fda75035c3c32f6acb41f5

SHA256
347914ab534c92ec9b8e08b6a9927b75101a40ce53e45b87d2749af7f7e7fa12

SHA512
b8579347ea5b04c10616b449e5fb367a4b8e8754b4c8bd8e87fe52a683a62bd6dbf9090ccac293f54b7f0d68a6c47c2b535cb0b5cab2000a939acadbeeff8e50

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
7e88236aeafe20d9bb7b9d1bf6870714

SHA1
2644d32a022ad139b816940b1b3d92a9ca4ff38d

SHA256
716106a997a7c40c26df7e1e123b53a57c3ade9290f48bddf8809d20fc5a102e

SHA512
dc15dd2d6730302baee80f0a8ff0db07c1b2cdd33127fd08944d110b7cf2d5011e5461765a73db8057b3586df18781d70549b1abe1faf60ac654078fdfd84e22

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a5f3b4cabccdf761628b5a8ee2e140b8

SHA1
67216cc23568f3870a8b30c8672b049442f24d1d

SHA256
1db48600bfae65f15b253364027ab206c064c82f2c0a7604fef4d03d7360fd16

SHA512
4af8802082f07b45cb0fa2013956cfdbdf4623dac87f846648a44cb28be4669e5e88140412c870cccff3bfe6a53b417e4b3196a35b8977a17850144e17788e5b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
68f35f410298a06f153f1843cfbf34f7

SHA1
8d59de7421852c70818a595e8d0cd1602d1a0528

SHA256
b2dec1ddffbc8585834f04df7cb818b782b060e5a2188fd01553c70a21a60f57

SHA512
8816fdbfcc010379c847a52b386793bd392d1d9eee7d0535c18ad785bb9bff610d42d8122f0dfefbea8a26ea78269da522b90bf8556165d02dbfa1802c834053

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d30c2e6d85e83db4565bfaa49ffd9f1f

SHA1
0728a66ecc8d76797ad6e5ca4f674f8122f7619b

SHA256
472268838ba964f04368d40ab9ea9c55e6c7bd1d3146234d6bf8944d6b8ac5d0

SHA512
acd6f89f30e84f1d311e59ce992c48b102c691cd7ad643045a431aad578760d501a73bc14a2ce15861122185bf97f0957b4271fb6735ee7fb271b90b49d78981

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7f9bd6d14a016c802513773bf20d2e0b

SHA1
29339acc6373279b91fdad5564e9d37b18a1808d

SHA256
1b026759833a763827044632cb9640644b36a9d049c6dd0671b46e14d4fc8511

SHA512
8716262b1f42b87fae961ae19b8a1a2f3540823a80c1780e52c49c997682591c2fec28877b8c1e98585f2347d259273e4265877c63aaf58780d29dc4057e8f36

Download Submit
memory/32-333-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/32-550-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/452-41-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/452-242-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/452-36-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/452-34-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/844-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/844-239-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1512-241-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1512-17-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1512-24-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1512-23-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1512-25-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1752-47-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1752-1-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1752-7-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1752-6-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1752-9-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1832-320-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1832-252-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2012-546-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2012-321-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2040-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2040-31-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2548-329-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2548-549-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2948-243-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2948-57-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2948-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2948-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3044-551-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3044-340-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3128-547-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3128-325-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3368-332-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3368-280-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3676-412-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3676-287-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3940-415-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3940-290-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4104-324-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4104-265-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4104-259-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4104-256-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4236-77-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4236-83-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4236-76-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4236-244-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4384-270-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4384-328-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4384-271-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/4404-545-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4404-313-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4428-302-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4428-496-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4556-61-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4556-70-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4556-71-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4556-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4556-67-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4804-283-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4804-337-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4804-548-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4972-316-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4972-318-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download