31816135adc265b101a8edc66cd30cfacbff29e808063982cacb04b0e1a2018d

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2024, 01:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
Size

1.1MB
MD5

b7398c0528c864d34332673105796a6e
SHA1

760cd21da88a1e492afcef111f036fab93d0a485
SHA256

31816135adc265b101a8edc66cd30cfacbff29e808063982cacb04b0e1a2018d
SHA512

ba443806c578cec45bdc40716413afc806d7155cade9dbf79c27b3bff55a24c082ffc4ef1644143e00fe0491ac281d30ec9d85ae51d0a533ea00ff10df8f2cf9
SSDEEP

24576:7Si1SoCU5qJSr1eWPSCsP0MugC6eTvmMPtkSfhcGXv44a8RxJ:7S7PLjeTnPiSfhhvEU

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4980	alg.exe
1268	DiagnosticsHub.StandardCollector.Service.exe
2664	fxssvc.exe
3248	elevation_service.exe
2976	elevation_service.exe
592	maintenanceservice.exe
4208	msdtc.exe
3880	OSE.EXE
1940	PerceptionSimulationService.exe
1616	perfhost.exe
4388	locator.exe
1816	SensorDataService.exe
1308	snmptrap.exe
4428	spectrum.exe
2252	ssh-agent.exe
5048	TieringEngineService.exe
4464	AgentService.exe
1916	vds.exe
3396	vssvc.exe
436	wbengine.exe
1648	WmiApSrv.exe
4368	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5fbb95303e6c0d63.bin	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87843\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{86C113DF-C14A-4A2D-BFB2-2F0FC039BBA8}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87843\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fc14be6e0121db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000862fdc6f0121db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000077a44b6e0121db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc91386e0121db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b1cc96f0121db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1268	DiagnosticsHub.StandardCollector.Service.exe
1268	DiagnosticsHub.StandardCollector.Service.exe
1268	DiagnosticsHub.StandardCollector.Service.exe
1268	DiagnosticsHub.StandardCollector.Service.exe
1268	DiagnosticsHub.StandardCollector.Service.exe
1268	DiagnosticsHub.StandardCollector.Service.exe
1268	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1120	2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
Token: SeAuditPrivilege	2664	fxssvc.exe
Token: SeRestorePrivilege	5048	TieringEngineService.exe
Token: SeManageVolumePrivilege	5048	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4464	AgentService.exe
Token: SeBackupPrivilege	3396	vssvc.exe
Token: SeRestorePrivilege	3396	vssvc.exe
Token: SeAuditPrivilege	3396	vssvc.exe
Token: SeBackupPrivilege	436	wbengine.exe
Token: SeRestorePrivilege	436	wbengine.exe
Token: SeSecurityPrivilege	436	wbengine.exe
Token: 33	4368	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeDebugPrivilege	4980	alg.exe
Token: SeDebugPrivilege	4980	alg.exe
Token: SeDebugPrivilege	4980	alg.exe
Token: SeDebugPrivilege	1268	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 4268	4368	SearchIndexer.exe	117
PID 4368 wrote to memory of 4268	4368	SearchIndexer.exe	117
PID 4368 wrote to memory of 3760	4368	SearchIndexer.exe	118
PID 4368 wrote to memory of 3760	4368	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-18_b7398c0528c864d34332673105796a6e_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4980

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2996

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3248

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2976

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:592

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4208

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3880

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1940

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1616

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4388

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1816

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1308

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4428

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4528

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4464

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1916

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3396

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1648

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4268
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4fd1c084ca4a3ac0c4476b59dfb3093c

SHA1
3589021defd869f52190f78040fd8cd0a815d38f

SHA256
3edc6f4eabfc79a7eaaacfc72ba62c845cddd7a0da6e050eb97e3bacdedf6fcf

SHA512
9340af0287b9023ecadcb28b8265034e523b6b01760c0d175d79566d01dc9f324de9d359a3eb8a67c9cd6e5be023be869b7cc12250914352f5f862bf9f6b35e3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
b91354f3154b22da50bc4d8ff74a5098

SHA1
f80325d5a956d3c68df87f1e78d57f6afed22d7a

SHA256
5f7fc5dfebb5fd3f7193523f99aa34c4d11b2b81fe548932d0b48beb66b631b2

SHA512
9c4ff84f7262927a43ee3309a486bff2030e230f515c162a06fd2203608c0ad5c0abb1afc1189564fee989bea44f3ba8e1ddf5ab13a5532514e86433cf0ccdb1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
b6675b6a473266e5bf324522ef8666f4

SHA1
871999704b5f9db34778cfdf3d9ea268d02201b8

SHA256
6c42172dffd60358ee61aee8c38beac23ca249b2ba77dc7e6b58d15643040255

SHA512
534dcf91d6ce0bf8096b7516947a846d11b34cd31866665c47789370179107384846935c06d0b94a81499f4b34cdebbebbc1e984ab8a6be26e60e098ce7ae6e5

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
994bac35e2dea8359168085c8720e9ed

SHA1
62408e8c23313b0e2a842259dba0f6ac76935224

SHA256
293936394c1ead3f1058c2b845b1475b04cd09163bc66e6ac72e035bcc4a6423

SHA512
09705b5447bd2a7fba946a12802584bbd325f33c14fa7fdab556adcfbe67046a13dc2eb306b8c97487440ba4295f4ef319050f8a067f43e26db47a701890deb8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e704288218d2c485901fe6d36b96e273

SHA1
cbeacd1e92207b83c36f8e1922e6d409cc0a3bb2

SHA256
2ed8a5603b90521ba5d778baa1ebe9c782a031c96963cc42d3209e15757db36c

SHA512
60b90cf8c6e5ee4c558207f738d114ae5e208759dd7d2570e1e1e803fe36f1eaa8fcfd3f149b91179d8ea4aa0fb9cf6e03233219f1083639bddbb262ea32fb5a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
4ff76e985a59816da687f024f9257e7a

SHA1
dcdf710dd5d88d4d28dd8138b5ad9e0dfba966b9

SHA256
b75ed2d5e9862b6931c935e8729c62ca9839b03bbd4d6caa54f017e2939c5d33

SHA512
174a80963a968422e53283d1da2956d0af3a2024ae7d40802764ca07133a2377efe8908e7c3346f86f6e0f4a99ee192e3fba162c929def16d40a0a1cb9a371a3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
07a631933121a184a7c07e29f3718bfd

SHA1
02aa7966103d5f25631853e6f8fe59e61f70ef03

SHA256
f5ac3df5abe1a3f789f03eb505941c234a74b23d719bd5ff0a1da9a4f92e82e8

SHA512
8b0efbb7cd5981617251b1407d0183196edb77df1c03495525b809bf7355ea299113595e35bbbf03676407aba3a3e8a5c9f9164b7df8a307e0a1dad27b6d81f4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8533ad26407f80a855ba57aa2f98bdc4

SHA1
a6eed4394bd2e78251a1e1c396e23356bd5708a2

SHA256
284750df223fe1f1d268c3edae5704b13a0702ba1a134805b0d3a04a59dccf10

SHA512
29ac95e1169a89d41f8244938acf0b37adc5f7f647afaf1f7aac85349d7891707015143e0cfda56133a8f51a9083ae927cb419f9ec63cf7a99bd7e0e69b8466b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
4640bd25914648b1a98af32abc431851

SHA1
5b6f0c2d85ec2cad444c30c95546a24ef9b3ef66

SHA256
bc27e1ffcc66b71d256bc2818be61d02af186707642b830c99ba73f13c2805bd

SHA512
123fbc3e24d53d6dd37f9f9a64f13e0b088b0ad3e4d87e0da88da4a0e9c728328b03ee5dea30979fb8becd87e07c437d34025cbb9ddf384b470299745a280927

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ac7ace5acadf5c756b8575106017eab9

SHA1
bc31188c490172158e7b55415ba80c7dbf7ddc8b

SHA256
ef632761e9a63cdf78d9c9e0a437a5e0519e66354353d726247b03c7b5fb6a5e

SHA512
fdd915c7242dda03ede0e08b0f3b609cde0f9449552e1be436bec4d77dcbb75002fde93e6166f014cc80d50a62553f3fd3e591ce0b7696e0826b35e88cd5d640

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
fa61f629febd960ce8f66e410a2504fd

SHA1
158c65b8cb82a3bb420eed3b7c81692e8c18864c

SHA256
258e34920b2038aacf4a85afb81b9604a0c6d1ef1268662c72a072fae2cbbfb9

SHA512
09907469205dc8bd20adbaac3ae188c75bcc3ab49ad253fded62e726fe1f5ed307297c87bdfcf549043e82670de620d8ca76ad731e2c3911648ed3f685c8343f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
8b6580a796d94e86e933bdae68e9e033

SHA1
8a89c4e152281602b918618ccb25403d6aa18a05

SHA256
091528b7d96359b57122cf69ed0f1fd702ba08bbc56794f90e907ca880b7a204

SHA512
67b22fd8a613536e5824866ecfb4398b7c2a8af2f5bd462a5d734c418d35aa3ed13fe10511727707bfa1bd7aa376d4792404b0121326b1d6e0361c819810c32f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
4f241a53a71d9e9fb2fa15fe0eae3457

SHA1
4dfb714c5ca6eae7c01902b29ddbf0fd69370508

SHA256
e3d143044d388b2e0709af88dc722f1ab4b8b14242c8384e7e2b2cc0ceae4214

SHA512
937ff47040d95ce6ee4bf6caadda9315327c0534a6ed46a704fa2a3c61d4f90079f082feac6d3709b9edc3503f09837a5109dda488146ccf252bb5ec9d4bf8d2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
f9d36d048a247ffa916d7d96ac5ca98d

SHA1
92c092816db3bd848f21699db5e8d223c2aa6ff3

SHA256
db505e99316c090a4a467210019f4b5364459f4491344cf96f5f9f5e3477580f

SHA512
1804436edf022d8e43e665ea44c2d9448656a61a67f12fc49b9b5bd85f4a4d2926f6514c2b117b22d9095787e197e82e017893c7d3f11302f57d9aa19b08032b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
3e8ccdea6bc1ca6e83c2ef354196df3b

SHA1
93bbf4d31ebc7bffc4e4151eb66e0a8c538a1f72

SHA256
7c579d2c1b3105e25a776c4a61f1f61962f23fce13955b4b5c1e333e2c6223b2

SHA512
d664fac7647d61d9848c004dce25d139aab3b6a1bbd9f283f59a38ae42ef55586c08414948921a4541d5c48bf2741f59353de2f3db0d58686f3c3e7fa92e3001

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
873726ffff3bc3cdb40845182bcb2600

SHA1
04dccba4d6e109feb2851b88567e32933a185eb9

SHA256
ed32cd56c18cf6bd2aec3d2f34890f50e3fd9444f77426ae3a6283123154c5ba

SHA512
6ce0287fdc49191c65d6f9e7b722a834085751e6a2991468a1445a5e2a5230f7aea94f61071cc6de761daef6db12e068f9dfd080cba57c850451cfe4815b9269

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
21c00250f5263983f4d4f36335dfed08

SHA1
8bb12179f675ad1df961fe7460f44ee6df8fbed7

SHA256
9cea1dbd4fd08399b48ab2558c0c5084e5fd61d4b0f99e18bad949996dd1104a

SHA512
7870ca0ae2aab17d8c5f553df25a11aa9888b1b67ccad77a68b6c9995267bec4ed4464566804314e7607668ba95a8fb5ff4a173f1ee3f0ee47d95175e166f007

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
d81b77648c12a3edd12e06dbd810d0db

SHA1
65a074fac58375901c9c9b103b6c469861cc882c

SHA256
24715a27e064c393d61e2769ca2f00059285b4fa4b2256b07626c525d96e0c71

SHA512
f54c27f85babf032a9feb35b5b355a1e509c98e5ee4e2a8447f1cfa97d7cd0b1db1a2ab68b4e89e174c66bb9995f18c18ac0dd69b6340b9693ff856142ccb48c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
73431e8c8893d049cc124590380aa846

SHA1
f59824b11af2909139cc0ceff384b37198feb7c0

SHA256
8cf9439ed3f3c6dfc746f41d9ac718f8734074fb29059f358878d0164c7e26e3

SHA512
7675b0588ca53aa3ea5b87144506e22869c32e13854e476893e1afe918ffa7b7d92aeaca21bb4342c822191029e75503bdfb016a79a4bef17ffb7a22e2c4e656

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
6fd0a93858cc0078f0b1831ede34961a

SHA1
0e0666694d6f2590afeecf60233e76db721f48b9

SHA256
5ea2496f041973bbf2ea5a7ad7a235264aae1424351cdeeb632178c407761506

SHA512
483f0683ca9ee51ceecaa255a6fd29061a33071a36f0610c23bbf408ea17c7d7e05c9cd6f189d266bed03f54af32b15d419040af5e06eab3a74df5f9b38f86e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
3591370797c6f49067df2fc73ed9563e

SHA1
d75013a330ac6e39a9538db4e0c0f5d80842c484

SHA256
96e4811565547d840b1e999bbc3db5a57ab9387ec8528ce4068db2f1eb84dc9f

SHA512
16b2225ce42e1d4cfef801995f0532b968f1447423f89dcc81d0cc11df5693a3fef886bd9a4546ee7b0e1847fbc248f01e12a1a402ee1206b023a1c9f8a246f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
e667a51e5d8f020913e6055d469f4328

SHA1
658a09a4de516f1992a237e652e81b9251b51db9

SHA256
6a181eac1b9702c0c45f8e995fec3f7e2ce63ed354e3cb4d950b227e22ba001f

SHA512
46eae4695a9c811317a81c3611c0b37471ed4f0a40c80f9062255061e1fd09b238ca4a2e9acd7f434aac560fe934a1709f4b7bef5bc1f000c86065435d7494db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
434db908723a50a62aa21296cba898f0

SHA1
902e267e77606a0a7916813673b0ecaaa5fec796

SHA256
dd2e9d74816f73b4a4ea01378cc54c2f91489918728317f557823c3846f632e7

SHA512
6996963a08c9f40a77745719400b21ba0d06e861a5fdee0ee97cdabe1280f1588918f714740b4db1977704c79501e1b2202197c70079296a867b81db8a5c1136

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
69818824bdd36973b0da52c0ed4c14f1

SHA1
7a987f4b326ebf6ef8161179cfe7927eb72e8d04

SHA256
fdab0ca2ea332cd1131c3791ce8b94a1910e259c595107cf0e942803fb53acac

SHA512
0e846f8a081369b383410eac17dbf8c2ceaa364a84044c70d6037342ac524cdde4b7b6ae69bc59b696d5d73f83733769f225a53162893d5f0806aedd44a44be0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
7f4166202f839cefa01cab95e556be76

SHA1
d9fdc469a2a1f2ffa891cf1f18863f624ce290c0

SHA256
bada72c5a58d0ee21d02f9ebd0319514d98862a43311ec41b199ede22e4c5700

SHA512
57fc26f0aff562293bc457998793c5cd9b102c7697febcabfecdb2aff6ab2feb4e564827b4a7923aa035c9567e0f58c314415dd0a3d252f330976e1d74bbf217

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
a2b67f83f54f02705193e9f54a9758a2

SHA1
2ea47b78137da9722a0706d00d2d32f5a4b4c510

SHA256
880cb487fb457498694a4d30e3742bb6ddeb6c17491333f31caa1e22971c7762

SHA512
bb81cead1ef955418522355c893393b2dce1d636485dc29b787293e0308d3bb40222d16ac79ddad0b734d145fe3ee86a712972dc255e19f885b818dd300ef49f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
2dfc081aeb6aa980ebce4a8db78a01c7

SHA1
093452445131bf752b91c761734820f56a3821e6

SHA256
fc36acc3796718ad4931b71fd5b5b27bd1ce8cf33c5caf482608b9b7a4af2f3e

SHA512
4dac45874636bd671af4a14ccbcaafb36dd89d6b891778a2733f6060985f4c6e19b4a383b099ec56708e6a7f12742870ebed91da029fa943095006c95a2bb96e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
6747a3ff12543dfda0bff27338471a7a

SHA1
3f500ed18f4f1ffe9ab1f1728ca27b391e9a2b23

SHA256
2de57317b6eccf0a397c1739dfb4570934cecebb9362b08fb86f320e7461684f

SHA512
a6fe5aa8315f4f6a1455448a3992a182bd4c0bb0d6203547989804993b28ace405b572b7279a96891728b1138c39e91774d70f4efce3ce228a52e5212cb74f51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
126d82f2f2ef24c31bcf4a52c22f7314

SHA1
5c688c45532ee3b38796ea9e281ab1a7b97d9281

SHA256
aadfdef237364429cc9559dcfc0ff6f972fbd817222eeb83ad6347927586e067

SHA512
21ede1cf836797e6287f97eb2839a89b9ca23730a45deb456047837173f76fbfb89946a19ff0da3cb482c96f62a74fc9391399b62ed773b5f4d299160c7b29b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
27e144edbae254bdeb13dbd9327c9f4f

SHA1
0e33913499fc67370ae199170e8939882e16bc7b

SHA256
20badbf246591a2e7053f2f584c29fd3d74c1fcb0d16788f6f16b75f9892d08f

SHA512
00b3d33bbcac7deeb1fba0876cf67c6a2e6f64d7b310105fed4cc5a5f0262fe1f206fac4c5d6e43368b6d59ceaed33608347fb3f342aab91a98997e54ee53b03

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
34eaf3c8e7c6390ed3e7056fd4312e5d

SHA1
b59cdcefbc22694acfcadaf11b108e7d1d7b65fb

SHA256
6832b19a8cd9c537f654be12c53d33ac6575c965b0afce7d2a55b41cb2146d12

SHA512
45be5ba5d83c8c9e0005e7b8eedeaa5bf125cc569532e1e2a9914783e10f1d64e5b27a0b64aedc6c7eca84f3b8cdf9cbd664cbfd2c3b02f63f69d4304478f682

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
cdea143b79c93849d41068f06cde4e6f

SHA1
1126acf042158482f82e80e9ecb54982b772bcca

SHA256
ced1dbd75c4870140d0cbf3902b40c72f7cccd3bfc81d9709f74303967eb9bf5

SHA512
d6872cec8b0bd0cf54d8402d0c26e7dc793df0cad4931b4c130abc118c6123b1819e256112251ce4bf74ab05a75c0e0d0d02a1bea30cd7ffa3381ab7a6dc7022

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
ff91a6432aa1005aaf6e747c3e086aca

SHA1
bdcecc981a8e4dc02d95358d52ce438c040cd307

SHA256
dbfe635dc24b94fc1c310a61f51c63a335b886a2c53f1a452897739f70232ce8

SHA512
6402c983feee516222c5658473981b39dae6f45ca940826e0e444e6e061decb186ccbb063185caba6faea9cf72857680a518ade9c63782e5b01bc7de01469d70

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
e891661affb731c92ecb4ca3e5ab3236

SHA1
f1eb8ce72496a07d135d002510ac40ad184a69c6

SHA256
0f3657e151a24ea94a228fc0062fd13ed99a8c5861d31ee8b9d381a130a4134f

SHA512
078b7d09d1d3b103a98fc93d5f37c2c9db89f6d357fe75a0dda54e5214b12119bd5debe49734a306ce77d26a45260ee4c1a8c879fdd3c554d1392f450746a58c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
b6dd77975cd8a11cc9499f989718a121

SHA1
9bb60194fc400236e86b537ec1322c27db3dd620

SHA256
2b6123a3f45baa8ad9fee45617fff9f128d81d48ef571521f0291ecdaf32bb5b

SHA512
73391e08c6dbcac462dc25828e8e794547d8531064348c83e0f4c48b975525b282c04aecaa5554ee3e2a7f585e6cc794e68ac13fa5538b6e3bc6fa23d46a939f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
46b4099b85b613901217ea336f8e7690

SHA1
6394ed83f5a73824bb91ed85ca0b213e9727b250

SHA256
36125026a10a0f92908b3be8eab961a9a775bc8fffe031add2ae13d2aff6c3eb

SHA512
54a4c88cb4ad13e14f852f1cf5e9896450da468ef1ecca6262ab67a2e1868f94c187899550259e64e6a15693e4bb12efa3a06d83e335f0b69518e39a3674283f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
bea4ae41f616cbc685bd0f69e61da985

SHA1
9bee771526a8d48e279fc2add9f05f22f01aa98a

SHA256
9c70efafcb608269bddbf5ebeb403a60ac604987486ba29e15f2203b67dc0803

SHA512
7eb1c4e4ac8bf17bbd096f5f9fca7eb86f8748685cf57297004ef324e61690768a06711edfebe59a8b25d0f0098c9638e6515d3acc74ea5b6bd89c3c1151bbca

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b7bbca78953279d9e1bac98b8c20d910

SHA1
071e6b327e76a73f6b9fefac5ba9cc368f4f59dc

SHA256
64ec738adaaa9ed426979f7f823327a2b5b406760f657c40b391b6da48c63520

SHA512
4e3e26d6b5c05e0b7882f13c8f1bfaeb7b7a2abd2ab4516238f6bbe544d30c536aa8d9dd8196df6ffc3985c8afbb237ea4f0f113f3a7e8d09a8dd279c794390b

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
5606cb797d950431de32ad6889d28d27

SHA1
7e60763524a7f0eb22a4f20b55495142457128bf

SHA256
25971d18d68464f24836f307fcdb6dfd35e28170d0aa4a7e0a12d7b407c02dd7

SHA512
d1c07956cdee8f417cbc84af40798057cf9ec2165d2506cfd72ee47f87a79aed2d9304381d00c1a0856ac66ed95147b2dd136d82dcc909b1fd550e0496bdfa96

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
47472b2505b49e43476951507e70fc31

SHA1
f7442b152f660325355117e512b844b9d7cce792

SHA256
7bf2f9501024644c9db762151d8295736080737c1de89b6130494b447c68f74a

SHA512
ecd05a3b3dafa051b52dbd00b6b989a6b431dd1b34a4a1a60a1634df52426396c0650eb14d32e61670e78e03dcdf08e4319fba58acf95d2664cdda4071bfb4a3

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ec535bda23d73bb8b67a575ff320ad05

SHA1
f785236bf2ee8443ec7f6f32aa4c2bf7c3eff060

SHA256
f9fcced864220acb6194c6c9dbef9a4af459bd967e2e09b6df5bd6d739b134e9

SHA512
96c35112d9f3479cfbdbce1da9b9b70c23812b967869c16514fa4d5fbbfa5fed5c62fac6f1568d10d0c2be71f55067d0d62aaa148d3091ee83345096beff77d3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
a475282ddf9544b76240e968a0dc09a1

SHA1
ca38fc07af7eea9161b637ac14cbc798bf40f6e6

SHA256
6ddf3aa7653c0922033d3cca8ea3ba2dfc551a22d8d4e3b923973d5fdf8a85fa

SHA512
211d1bd7be28e651bee60df15a1534d1b63683a1462ad3701dc978e12060806a76c7a7b65cf130ab964daa94903fab92cb8f5777a464e8961c5261f8776af6d7

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
831401aeb2d8e0de24a5134f536284db

SHA1
16ab953429964fa8be88f93a0120672b485ce52a

SHA256
a0df66bdf5be497fac86b6124b5c5df9e4ca9e632ffd62a224df7f3543bdc8f9

SHA512
cbd3452437bb3eb25bea27180289ae047978b4264fb86ca4c845686afbae05bb711b5d3f8f4034acd08c19538009c7561d04bc6801ee374243e5440ced27eead

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
a8470092eb9ebe5fa6f48efb5237fb60

SHA1
be87e1977f3e4a91fd4b6a1f9a83cf38bceaa436

SHA256
7f47526bbcbfbf1c2b12c27c1b2b95c81cb51a6f328ae3ad7b1e0a36b91db0ab

SHA512
f5d0b772f12b54b360edfc9872b714dd90480d3a9536007e892801c3026fd1f94043b76e77f107b0736183f7dab6fa788ec0b821f938384416b2a34b87df9775

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
c55f2b5e46e16bccc585d82fa5354b70

SHA1
75a93f44108c263ddc02bca178d6df33fd6f4071

SHA256
ffefbed39123a560fad5b7ce45ec2042b224b7c95e3b47c931d23ce9cf97559f

SHA512
24fcaba3cefb7eecde418b3a53ae81d7f81360ca94babfaaa351cf69b31fe2e73ce160fae2805d71a238932677e0062aeb77dbc2a7918bb0fce67c16487dfabb

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
82799ccec1d5e3f28cbc4f385fd56bd4

SHA1
b0c421b132bd0fd2886e4e35d5950d02f4e4698b

SHA256
cf76f127f02d84cd8ce401e7262188cb42108bd3d61056d85793d54454506e8f

SHA512
b9cee754fd063ca8aff2d5eab842d30c7beca802935d463b604f8b1a73744d0f6ecb3b08c05568a5567796917b7c1a0d303387c2479184926e51cd93f9830899

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
3b4e8b2a6f78b5ddd22dcee9df6f4b83

SHA1
06eee8cf4533bdae78976659486afe0a21b428c0

SHA256
995a95a1c0bef0d9acf2e8a12f243f5df58f124d1b23ef751ba968a3276982c5

SHA512
2f9f575ae66a16f81ac755dbe2ea55aee374a2a03902644ca2ee361f1c088ce5540c6809c87631a43be34f34a2a54a4e93a4c4b2d8ddc84446243be2309443a6

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e6703f4a045214d969c4f919fa69ac71

SHA1
8931095f1c2d35e0d315048f855742c48a98616c

SHA256
d05750d718837ff59382556d65f57bd4e370daf017c36773d8459368616bcea8

SHA512
664b4d84fe58c25f250fde62b1751582936328a676d5c3c9c32575c37c5469e7626f55faec004a4bef9f8d2ca40f9d76f7c6f16e6394fa0aa20ef14704fa6dc6

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2dbec2c5a6dde767d69b680af84e158d

SHA1
111aabf3c430b980563df6e1c6cfbef5efd688a3

SHA256
3d442224e0e500ddbb2cdd0107f2730befd490a437dfee750bb44f3d38a3e1f2

SHA512
976c136b52013fc397e18b912f2250e349b4f3809962cb0b677248be88a9f6e97791df691b1a002196bf168fe528123a5a61a0cd985d7d8092f8ee58cd7f57e5

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
87b2d9abab78c58b9203afa5953364f1

SHA1
fe17803b128d52ed1834669058c1aa5d896f5877

SHA256
d714dd7d5fbd4feaa1935188f9ef64f9f13b1672a391643dfc6cd030afb92df7

SHA512
2a4e0e90e5a27c1b182860c100f36de674f3a7e9c68b1411243db13ce17d68a8da7500eba40734b0ff3fc06ad9b973dfcff2de4798c332a83f706a37907f4062

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
1cfbb9a60c7949f56e80a77854c350c8

SHA1
2ea0d7f3642f8feb6a0a0f98b92efbf6932cb366

SHA256
bb281dd0dd6eadabdd191ecd062ca48bae8614bff3c9de434cecf79d36d2487b

SHA512
9c7c8e4339a4f9aee0fa4810fb4cd2e95110695b159bc66b0e979e259ff8efa39349a2b00becf469eee3c31e84ec82ce359fce882650aa8e5a48bdb5e1321169

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
bf5b94f28867ff482f88432285e22531

SHA1
2ef7207411780feee27a197d36d8348a528c5f2b

SHA256
d40dd0b3269e32981fc1fe99cf170f4cef8fd7d7cecc91d953d3d758c7287d2a

SHA512
4ba3cf8d79a03895319cc4c3992a8de6cc25e1c59b2b473423138f365c05c83f3bf153ddf9ed53fe8f17bde093e22d8b6857e34e1c5054d39c4875bbd5ad7d15

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
a8fa5cde3f4854f1185f6f32ff0e4414

SHA1
b8fe3457cf07cb351eb09947aa052747dd68285f

SHA256
ca0c50567a2fe20ec9e06041384d4f2512f7115b35844dd7a65cacc4066de7c4

SHA512
ea733d7803376f84958ec28c05283702ed00b9ae69e4f0f6ea5a7d7e5bd4535c58156b0577afc83fd2f564c2faa3d86197222b0d155ebe4899474c001eeddbdb

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
ec41d25792716b9f3ea6effd69a1fd02

SHA1
9c307b5ed348006cdb13b59f52335702830997bd

SHA256
5480e35ece9c387dbc5f2537d7b639d4e6443b8c7c345677322ec763a2fad860

SHA512
9849ddc00eb2600527b05dcce58733bebbd4f169bf39c58e3195294324c7c65cf5d0bae068e464ce4a291c7f1afc7494616b531ab0214d45a2dc5a2cb9d374f0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
93540e1522623c5fc7ccf375fdf3c7ec

SHA1
46e6c4dc0206430935319acb222a27eb596fca4b

SHA256
30848331d6996cd5405db5579a063cd74ece1afb467d36da0989cec4362a957f

SHA512
6d5c24d1b35095dbf0ba7c96162465d5714df9b714dee7541859c6264c0f859d35b51e8c8c254618d9be76c5d731343c9f40ed2c181d2b43853c189f1e6b65a2

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
dec5c3300ab1eb0a4198ad949fcb4b3c

SHA1
edad516206039e6fb5af84f9c22f486479ba4754

SHA256
c68df61eba2b47aa3a3e9734f7be7d3d045e21fd07c609894a9ac35629ee404e

SHA512
c17ad0f9554426e7df77a8d9f0d8f5045045abd26625050ccf755f63e6af81aa6bbc393bcb793eee6a6c0d89d07466e773cb131f0fcd8f2ec12e3f95b0808677

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5053c82a7df9db74f056e2ccae81f3cb

SHA1
416a219a5a746f0ac0d4c59c5a40acdbd5e8bfe8

SHA256
d3b82de8a18818382db6c8a92e5e232baca82e89c4121fbf6d389f5bae5b0318

SHA512
718d5cd8851db7dab5230e5d952bce8bdc53bc3d094a37f916ca6cf9c3d52c19c04c23e9f68b851316f0b8cf93e40068fdb15d894d6af6107c422a05ca60e004

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
b0f21860a5c911f531f31d060da5830d

SHA1
27d41696b680aaa5f2b6c77f025c1a843e339508

SHA256
4134b400fbaf13b0a25b03f060718092a789b2947da5ab7cef0493b3612e4541

SHA512
2fe002a77dec72071c585b8dd6459b3773e2620722a8c7219a5ce77f61d0523998adc3903a006db9856ab85ad3c181460de8680afabfa99937dbafd28522c104

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
4ce261d4d9f8399d80b6a1c4d5556c69

SHA1
e7c15fc4ce5dc46df22c31e436b80823671f4866

SHA256
b67199ee9b36200403c5682ee846482278a123ad0d5632f070e42e4efaeef566

SHA512
765247255c8ed6c73284635edc35df8d904ba210f309bbe24eee7e28626c640abc5f9e355c631a98f47720c71484b7c9da8b2c02a658f0fb1011ff1a1ecba251

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
ac3631344b2e7f042f31ea8f82abb4e5

SHA1
28a27b5ac48e9e99f7d47fdad8743eb6451be538

SHA256
103f692e6ef2d068163982fac69829b680b1584e702b29166c16ceafd6f7d62c

SHA512
90e139a1624b82009088381b072ccff5700816386d6ded9d2b1a40ed306f132f3d1e19b12066daee8c80347680b8b10eb8703bdb04d1f2a8e0e18cb0948fc063

Download Submit
memory/436-624-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/436-250-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/592-84-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/592-76-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/592-87-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/592-82-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/592-89-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1120-0-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/1120-443-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1120-442-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/1120-1-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1120-9-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1120-75-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/1268-129-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1268-34-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1268-28-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1268-27-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1308-389-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1308-171-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1616-249-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1616-130-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1648-631-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1648-270-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1816-274-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1816-151-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1816-558-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1916-226-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1916-555-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1940-118-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1940-237-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2252-457-0x0000000140000000-0x00000001401A2000-memory.dmp

Filesize
1.6MB

Download
memory/2252-188-0x0000000140000000-0x00000001401A2000-memory.dmp

Filesize
1.6MB

Download
memory/2664-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2664-60-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2664-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2664-47-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2664-39-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2976-73-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2976-187-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2976-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2976-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3248-174-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3248-56-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3248-58-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3248-50-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3396-238-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3396-607-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3880-115-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3880-225-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/4208-92-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4208-210-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/4208-91-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/4368-283-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4368-633-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4388-146-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4388-261-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4428-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4428-439-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4464-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4464-223-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4980-22-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/4980-23-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4980-13-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4980-112-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/5048-520-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/5048-199-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download