c2b5bf1caa420ca87a4b1ff4013e0a25201f228201aba113caf62339284a2bca

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_69328701147ffe4d1495f95070734da6_ryuk.exe
Size

2.2MB
MD5

69328701147ffe4d1495f95070734da6
SHA1

c5f03d4a3868db47e72c5cd6813d4cd605ddbf19
SHA256

c2b5bf1caa420ca87a4b1ff4013e0a25201f228201aba113caf62339284a2bca
SHA512

a210e91182985b6f35430c1f1d8d6ffc65e155797789bd6c4603d0a9531cf41c795f5e8925bec6f7acbe3508b2d2961e2e128b231e41378ff82b527ad5553b63
SSDEEP

49152:5OOh3aN4kuLbegmtGs19zPkAwtdwKzDX4JE:hU4ku/ctbh8AydV

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEmsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4844	alg.exe
4872	DiagnosticsHub.StandardCollector.Service.exe
3644	fxssvc.exe
1188	elevation_service.exe
636	elevation_service.exe
3184	maintenanceservice.exe
4472	OSE.EXE
4828	msdtc.exe
808	PerceptionSimulationService.exe
2008	perfhost.exe
1872	locator.exe
1680	SensorDataService.exe
4612	snmptrap.exe
3704	spectrum.exe
3520	ssh-agent.exe
2020	TieringEngineService.exe
4088	AgentService.exe
4264	vds.exe
2208	vssvc.exe
4432	wbengine.exe
2328	WmiApSrv.exe
3616	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 29 IoCs

Processes:

elevation_service.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe2024-04-28_69328701147ffe4d1495f95070734da6_ryuk.exe

description	ioc	process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_69328701147ffe4d1495f95070734da6_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_69328701147ffe4d1495f95070734da6_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\39f71d5caa61dacc.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_69328701147ffe4d1495f95070734da6_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_69328701147ffe4d1495f95070734da6_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_69328701147ffe4d1495f95070734da6_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{544CD458-F493-4888-9A56-33661A7F5454}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

msdtc.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000adacde636499da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b572c4636499da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000739cac636499da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b0e074646499da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000703b6c636499da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
4872	DiagnosticsHub.StandardCollector.Service.exe
4872	DiagnosticsHub.StandardCollector.Service.exe
4872	DiagnosticsHub.StandardCollector.Service.exe
4872	DiagnosticsHub.StandardCollector.Service.exe
4872	DiagnosticsHub.StandardCollector.Service.exe
4872	DiagnosticsHub.StandardCollector.Service.exe
1188	elevation_service.exe
1188	elevation_service.exe
1188	elevation_service.exe
1188	elevation_service.exe
1188	elevation_service.exe
1188	elevation_service.exe
1188	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

2024-04-28_69328701147ffe4d1495f95070734da6_ryuk.exefxssvc.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1312	2024-04-28_69328701147ffe4d1495f95070734da6_ryuk.exe
Token: SeAuditPrivilege	3644	fxssvc.exe
Token: SeDebugPrivilege	4872	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	1188	elevation_service.exe
Token: SeRestorePrivilege	2020	TieringEngineService.exe
Token: SeManageVolumePrivilege	2020	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4088	AgentService.exe
Token: SeBackupPrivilege	2208	vssvc.exe
Token: SeRestorePrivilege	2208	vssvc.exe
Token: SeAuditPrivilege	2208	vssvc.exe
Token: SeBackupPrivilege	4432	wbengine.exe
Token: SeRestorePrivilege	4432	wbengine.exe
Token: SeSecurityPrivilege	4432	wbengine.exe
Token: 33	3616	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3616	SearchIndexer.exe
Token: SeDebugPrivilege	1188	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3616 wrote to memory of 1992	3616	SearchIndexer.exe	SearchProtocolHost.exe
PID 3616 wrote to memory of 1992	3616	SearchIndexer.exe	SearchProtocolHost.exe
PID 3616 wrote to memory of 1512	3616	SearchIndexer.exe	SearchFilterHost.exe
PID 3616 wrote to memory of 1512	3616	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_69328701147ffe4d1495f95070734da6_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_69328701147ffe4d1495f95070734da6_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4844

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4988

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1188

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3644

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:636

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3184

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4472

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4828

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:808

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2008

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1872

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1680

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4612

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3704

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3708

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4264

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4432

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2328

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3616

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1992

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
22b5c7b2cee6c415b954e6648a2d8b57

SHA1
d22e73190f665af204ce79f5a91b99889771bc06

SHA256
ca3bd2650f493e38bd6a594569109c024bff01586251e329414d9059f84be6f5

SHA512
b7b8475cea1cd88693220252d89ef260ae9a2752bfef8243be8bcef3f94b705475929f15ca40d9f3cce817cb1fc13276c68021f8ace6998a0264c7cd71bc926f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
da6d4998b8824f3f444bae8fee5ea93e

SHA1
788142c273eb30049bf5d42dc19fbace4578f814

SHA256
9f6f15b668ae944d2108c9cf1b3c72023b1321cb90c4b8f3313c3295031da95b

SHA512
92a8748ddb4ab116142c8cfa8ba547868172a8824449a9f049cbad4082226edd4cd741fa955feda58152b44de58d2c17dd289ef3cfadc1dac0bf1a113567cf74

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
7956de330cc47adeff38f51e77ae3dc1

SHA1
244c7349a16c1f8857c0e569fc3a695565bb4eb4

SHA256
5cd4561fd277c4509a797273230c1233addc9c6b168bf3eb9c019a20f546faeb

SHA512
5c638c1a0585a6747930606986b7c32868e7f8fff388ffbeaffba076339181578383a6591f651d31457caaf7ef15cc5ffbbddb7e92710a29387ad4bcd93ce716

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7e3e2a14aaf494e85f7ee4e148364d29

SHA1
49c3de30c5d9efdae90386cd9cb91f2229df1652

SHA256
a5633a23bae333887be3cbb539f640833f65131ef37867082d1647d4bec5eb7a

SHA512
00ea83cb3c42b11b2ad1c3c2d40bf0cf7d85899fa3fef5930ad628768df2c2b2d2a18ac222b514ee6d1e0e185e92fba2f9a32e463b74832a953628a7d7589aad

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
22aa68875d99a4d7a98cd5a1345fcdb6

SHA1
2d88a964ee228f36bd83cedaacb9dc4c8f721778

SHA256
f954df07cbd02007f931e48c53f23f5d52c2ece7bc36ff4d808514802010f30f

SHA512
bad4818ee408915b4a4475d06866f7f65322f1addb40abc91ba30677cdd2b040bf12547b81c6dbfd450059121b69c5895441c8c7b5ec87578ded13f2cf0e8deb

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
826a67e665216bd52d137b4cf2d9ae9f

SHA1
f1671aa82536bb8030debfaa33a2a9aebdc77aa6

SHA256
b67d34676510fbbc549d05b364fb46c08366c2501e02a0c777216ec370db2a31

SHA512
558da8773cf01ad7123a7f3067bb5f8462fa874d11bfadbc2ef3230c49e24b1736ef5a88469872e798b1d1e0b27908f24fb7e5755786ab5a1f7414654633e9a5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
466626556965069a837dba152512be59

SHA1
a39ca29c731593e2a10a742802a4f08c2b3f98bd

SHA256
94925b892786f963649b3a68f2c912a558d80a52df26014086d1e0c028259818

SHA512
3ad72c6a0a090c77c9d0909e0951b1edc5adf186ffcabd9b3d3054647e34e946e1d80370b6bbadc59583b6d73b45688e695cd78310a1f8b46434989f4d8bae00

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
30ec86ff99c23c19398010ceb1f8c7fc

SHA1
5ad7bd27b68839c1b4bad9577ff17bbb3234aa6c

SHA256
699554319282a007e72b1fa369b5d177188f0184b1c03afa004ea8433de7d844

SHA512
fed25429932822e1656edf5cd167735150699960b75cd67c635c10cb7d5e810378b4c17bd24b9f74e7ae436ca04ea6d6b6cf12bc347f4ca140e997b1c3b67047

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
46f1a28c63a919b756315b6c69f72243

SHA1
efaf326e7c334b029631777cda464f45c74f02b4

SHA256
3965039d8ce9166a50aa6b33b835327cf746857835fe5161617bf6f90c34b71c

SHA512
4992406489da2ccf420c8eabf2598cb0947ba15b6f32f3d9adecabffda69b8f35559be5a010de6a8d7ff4a2ed5dc75e41bc01eb6902f83de980c3ac3de434ca3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
eb0caa08508f5c8b9c191a0e71f35494

SHA1
9bc7de53e93978221624d993315596092213718c

SHA256
181de1fac7a659d9f296ab8fe5a51004ee3ba2508b5f65a69917094422aec7fc

SHA512
b01382c60d90834689feeaabbd26bf4614f2121aa09ea8026ad94d0a44bd7bbdcf6ba5cf71921b0192fcddc24b590c5b9fa650435e2afced5afa8ac600649b9a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
0e8018978e802e9db393143f8d5e0ad9

SHA1
1ffd63de6c4c29d47ca0cfe051db357da5710711

SHA256
b1ebc6d084267ced07af3af07d41a37512369323b96005a95a847067aca6af17

SHA512
de62ddd1e0a727ea7d13799d3963b4c1d08e77cb93d8e2f391a136d4350588e0c899c49038a3c36f9688746eafe82cfafd5f6848d6051fd1781adc0248984155

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
0928bc4c8fe6339358de134d1422ff17

SHA1
b7b88be3cd4d94813d409aa67380d3f7cda81750

SHA256
8f2d2d9a02e2682d7ba9975013889842da25cb9767d5c185ffe84736c1625c86

SHA512
8ca4bf62f2309fd8abc261b00148d1ac255fa60d575c3353efb60074d088cd960260438c2f297835d5a11644a90b135683a6206971b96d4a0ebf2f4ec09d4e35

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
f0bb2293cb683334a5ed7ed78a1bcc87

SHA1
de9ae181d2a5f1f9a90f524d8140266df574bfe8

SHA256
5edeaad2a05169d44d7a35fabd226b6781fd7deb64650e5c7ae7d60c3fd6255c

SHA512
fcb5d498623776c3c33b17091bcbfd8eda0cf0af10653e8449e906044a59f1da3519b4963185bd9d1786989ab62a6c75c723ba0315c7b38cb7b178b95749c3fc

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
490b3ecdd3331dbe10a288464beaf421

SHA1
6008dbe86bc7d885335bcc33f2d28cf87d8cfb17

SHA256
53d9c90e0069a1052759474bcc7271684e4b5faea1529ea74c853b7ad182f2f8

SHA512
575a2f0e00151d15ec68a5c2ac454d888c010659f4c0ac2bb9c5d4a8f3d0c33f87236cbc399d2ae2ef308d54f9b54be7109fe36fc4cdde1cf9bff6d32b1f6d86

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
15766e9cb92b43e71a0dc1b75a808a9d

SHA1
2e46f1bacfe1b5955e0eb0e7964a24329033e789

SHA256
97c02610f185eeea765f6f02b866e9feeef1b5b07f09dfe52d5819e998fc87b9

SHA512
d0c4888709818a765f0d5915629c1780d16c007eb7d2ebb22400aa232e8de48d6fc81383d1c496ff3a925dbe3807ff7110e1d87d060483d6af0969a1410eda10

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
2496727cbc8d5a2c48003e9a0adf3961

SHA1
ff787553f222e994893b20717943e64b9c0478f5

SHA256
3da993ba73b8f2c47f76eabae8d977d00466c128e5f4f748efd7a6235d06b524

SHA512
42ed612eba6e7786a5678c2cb2a438487cd56b05c6a1833fdcdc23375832991b0bb65c50097aba219139f61f0d43db66be201f9a48fee149f919df831b778c47

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
eb86fe0dd15c4f04bdeb6b0078278892

SHA1
c46c0cb94ebe3c32b88d4de23ba70d8d9ed1a877

SHA256
f967fd667adcb53244b8c9b50a2a21a1c69a15f9af8e6e890d5458e01368e536

SHA512
b097719068ae26a87e5345e835acb105fa107bf8f9a4e8a856af5ff47c79e89769f6cd20debba3a31fd20f29a10a6ab310cd05fe4ed2fc16a2aaeea911552c0a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
a5c5656caefdb1bc9669a10381f2a316

SHA1
7216dc04d5165de6d9f826f22c800603ebfe8535

SHA256
36155d1942f094750ac9a07e37c69fa82ad5674f11ca66c31f829df0f9d068ee

SHA512
d836c9ecc2b8bbb4f9c0403917e3c0b025d0f5ac151f803df5cbf8c630860d74aabffbfcf6ca30b0e4313ec27b2dcd6ed09924c7a63ccf73cb0091f397ab8a30

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
1e92beaf861e220404ef4b961549b588

SHA1
f5c2c4be8e763e0ac293850636faf976bd96b2a6

SHA256
188a746d7b7f3cbf7c95004229ae421f123c620ce5a8c8318f3636537e814cfe

SHA512
0d74c155320033035da4d847e0b482e165c75d512fe37661b2afb19f65cb52d1921552267bfc36eb2887ab2fb8e3397a442465b8f785c903c2738b79606f5087

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
7e9eb07a569d4f7d952daa07a152a274

SHA1
df4edf264fd5abfe352a628fc41ef53cf0a2fbe3

SHA256
7399a215728d4a2d3858d063474337bea647e311c66d96d2cb49545e2d029c00

SHA512
ade4765e4b263204282d08eb449835af58bdb1297329bc963d04ce2f927165bfefdbd0450d6cbcc2568526e4fcf6b8023c4ef8486fd8540fd229a44745438ae0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
024dd632ae386c4d435022612639b3e9

SHA1
1af1274c80358994e136459d95fb304518f1517d

SHA256
8f8290615d101985bd88835a21afc74c307ba07159458d0d31ad2eecd8b14766

SHA512
91be52c1951d489de2a8521e0457c920cf1164656568833cf9e67fe42dd9bd934bc6202b905a0e8a3b60c795fdaa306280edd3f5aca9bd2c382ce929c03cfea5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
393af4ee0759db6c31134f95ac967636

SHA1
d7d90863018ac000c633c4cf9a5afe9c81399849

SHA256
414b08668c4998772c6965fbf18c64cf274f45a9b367ddb51ab5d83d96d62e6c

SHA512
3ed2e717321d562fa335e19be574cb976fa18b91ed071a1791f43b008f120d421eead1d34e91b2e2010c596255d7c984eb7c58e7ecf26341bc0de92206c5ab38

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
a18e06493c7d2d4a93735cc07387b1a9

SHA1
b63cb244777bc077ba98093b8a6fcc18d9b526f7

SHA256
f00455f195465994e3fa9373066b011cea14c7debbcce00ab2f44ff281233e03

SHA512
c20298d57187000d2795341af627547be4d547b163ccb4411de99d10d1fa0c2b1a6a3f82d63123729b7142bafd6215b0a7743fb3f65e85de9603153f3b39100d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
a9d4f685c3ee73f5dbc4552f516f136e

SHA1
18f5b97ea27b186c7ecfc16f09de6d0f6b922eee

SHA256
cc4695b1a6c3d4fcc347a880f7252e383d3a0bcd47d97a9930003d9b38ab1de2

SHA512
875ace69477c2ac64bc7134fd44c75b74ccc4997c5e1004c961eb7ced27ebf6ba236b900dd0492b6a3fa050d260eec01c5ac9b92b9439066eeace5d921340e3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
18252f11c75b8a1e8b28c73d4ab5151c

SHA1
f6144172ed867e36dbeafeb52adbd3723dafb7b4

SHA256
78ca56253be88453053aacadb386f5ea3298d995007fa8b2d612a81979b91acd

SHA512
5b1e1fb9f243f117869077a15472b486ace9a3264e73290a0ed1c955f290db8f00c511c04839d434126a02304e869bd5dbe7b4d8122e726c47b5d1bcb2e91aef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
ba8a3cd00641a3dd1611c1ec88527589

SHA1
3c94bf514bf4739d16648e5c3640f262520de4f6

SHA256
de0a6465da5e134975d96f2e17a8e65e99e07fcef9293c59143a96e45b34a4ce

SHA512
12e1de6a4195a0ca5d28b12e1d4b1e507409909d7a14cfbad844862f26fff1ab5dba99522112b29273e180cb030335c25a70a9ab4948ad301dac1b0c3ada80de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
66ef90ae6621a7a25efc6252a2e81897

SHA1
d95837241bd253f4078e9424cac3d3e123e36b61

SHA256
ec5d73c88a0a4d678f805226d6fff8a2e437680d466de49833ca877dc1f3101f

SHA512
f1a7f07657dbf6188b4f139b4cfc7ac2e87b068288a2453b2c3bed1607306849ae1b119928947616450193f0baf8be46b6af350bf57322f1e9176ce8430a1ebf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
6d6927bbdbf8f96c25d0a3ac57564994

SHA1
780812966d0249afd7b5e5cc9069f3414a7fcadd

SHA256
18e5074a9117c56d45ed2b237b890ed7c98524821ab02d42ad80d53596d92e39

SHA512
412e69a47ba31b9da65efe98b6d65b0838a01e5b32496395a65f3175fca185c61b4050dc44c23d4464c3ea592088f83d9a7561583ca873b6034d0541711de3c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
95dc565d42db9e33a9a854a7329ce63a

SHA1
1a29be5c577c18ac40d7e5ec56529435cdc22363

SHA256
24d9c678a2e63dbaf5500e4a937cd081065e47e552f74cbef4ed2a369c07b2c7

SHA512
9a9188ded6007281e211af87e3f8c81d974297f13ccc73d0b065a4354df9fdfcc9da954700240f2c6a726157ddf0a54cf56e0bf61f2512d8076621573ddbea5f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
e673ee6c31d2827d302fd86f91cc3408

SHA1
8c371841623855d13be37e3fd25f13da3f208822

SHA256
414fae597049107f555ea415b7a123f6bca576e2c45b458fa6f1aaf0390a5544

SHA512
d30b33315c11161dcb0d36ca5e290d6bd1e2eb8178c4a9915807857ca1d169ba05d816c9ae2b4a7bd293af03e5aefe0b68e1b89d9521169eecf7f81a8d544838

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
8f66a76d3c00e8351e07c7c409db534c

SHA1
d359846083b466fd0ae1e9c16f759aa7f02baab9

SHA256
7c5b2978d3df0e22c90532b906e47b143ce7d21196d35ba5949d2199f7d918fa

SHA512
e5823a011cd63892dcd82b458fb5357f9ecf44116028371892afca572648fbb4817c127973b5fc12ee1415fd97f04e00cfc2b5c6421852cd5eb9485a322c282b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
bf2a9a50a42b7cce9a29835112828965

SHA1
fd4f1d6fb4d10cd937262a14824df66af1af3b76

SHA256
e48b6b2441da66afa270b3363c0f41ef89fd970083f42dbb5b0039857efda778

SHA512
1159e95986e4bd0db9a15e2b7a61ab18b2c1a9a653ddf19542893b3c5eea5890754d367de4df44017bdeb10c91f9bdf055319221f5620c4f8c5512db1b01fdb0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
3990471797f0bf0c35638bb0d1725655

SHA1
289ac6b30cb12c6f8814429ce41b1f8cad81e476

SHA256
5abd64f3d241fb8424ac0e17c9ab8f324bdf797db0bdf73b9be62356bb2a13cb

SHA512
0e5f34021e4a6428775f89de37aea226ae5abdc62c0015fdd8eccfed7f79e6671bffafe699694f6b379f8b047910a6786b644418d961b46f38e32033abe0d2d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
eb3ef432308b523640cb57df97aa6613

SHA1
f1cb0ebc39fd01b085d782154213d0584b8a499e

SHA256
59979ab9390567cec46dbc6a23b3bbb47221e7a5bf50488ef3cb3da2632c7735

SHA512
288fc04a6e09029329e2e777c33de624f49780602a9b33025e2e21905a83cd5f0bbaadc84cf01c07e58f3d606fda2a6852a5fe731530928bb43d10b1e90eddd0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
0006cfdf1fbf6c737646a562093c1ba1

SHA1
a2c8e19f7e307426704b1e33a04d7441c5e1f839

SHA256
a63525ff83397234b2fe8415150eb3a4ac2384b249560c7014b85091041e1f57

SHA512
e9a0aad1afdd07cefcacfc1aa093b8b58f3f2a03f0abce7b0c434892b3150fa091735413d60169f5dde8f1fa6e6001111af8319be56e437279e7c0dfceb55d96

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
5a1ab8340bc9c0e177c569c2a770a78c

SHA1
3521a086f90041182e3865a21b437b5d6230dcfd

SHA256
a0d35e028975d7be811257f248efa1fe6dac6e1879a8ed218eade59d03421708

SHA512
b820894b972790f16531ca0af6d9e5b4ac6de76539ecdbcfad5851c672273a8ca5e27cfd7885517b26124eb641796f4b7b6fd1105d77f438e0314c3567773a86

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
4c3415a09afd6a5acca2ce63fe7be1fb

SHA1
644653275631e43831c995be8c12129b1e333162

SHA256
941fc0691df07b6fe8c5265c2500317d5ab58192cf3a3fb83f1ca0898624a955

SHA512
ae784d86532f92f4691e5bdee288dfc483aeff3220f5f6125b2e3cd9003ce136cc41b5cadbeece1c7a45207e00e6525c9571de864861f9dc75d5be71ec1e809a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
5b8f5b84ebe658ca71d6946629eb5be5

SHA1
abe4546089cd85f0611224273bfcebca5b004ef4

SHA256
5717fcb7604aa7c642abcbc037d9fba1b96b5b776cc703fe424c32999a5a7e9c

SHA512
7ab90ebe582a30917387647c924eb22d0ebc5bca5be7a143a4cec5869611126a0135abf60306966cab96dd9d265467b89ab235cc9f846286e2d4aa92ef5e2cb6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
3abb37e22bd20b09985b01125759c266

SHA1
74939d4f59d2f2f59563b623bc905958e0cd2602

SHA256
491449a07d2a029d9b0b67820b4019508e0860ebfdd7f88043f6f7a1723182e1

SHA512
7b5184a44096703ed7e59d73b76a00674aed661c745278d0ae9a79955ef663a6b66c41358bb53e8a562fe718855c3a084c84c44dad32e96d088b38c98f4752f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
db5d6cc84b51be46e53bb13551f3a936

SHA1
6528a3b65bf2a764a1d718a17060418468596c3b

SHA256
6494e946cd0d74d9ee342319108e97194da70cb2422031b0d08cab52d594bb91

SHA512
83511f7f823956eaa0eec468f16582425b7f9b88df7a8ce353bb8a31f19a6fedf15d3e57225497d0fe215e833b2b14efbd1b12786d43ca99b40fed52812f4cf1

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
fd248533afbcecfed7c781953eaeed81

SHA1
587db40ade567ad5e69459efa1c89c7cce25fd9b

SHA256
75ca12ac743813f9460460c6c22a9973734f589d98b0ec0820bdb5fb419f5544

SHA512
576e5e12bb5f43e8c3af2558590a0098308e2820437a49bdc8d58c42b91bc309d47783d7384da30d0ace174b3a70a66f6ab4b774fd5a2a384d01665d9afd5e9c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
784525dc5735c8eb9c1511d69ebb089a

SHA1
588ff068047cd8404a1c82d64c7e35573db29014

SHA256
41b825ebbe798023999fc95aeb65fba1e53d8a7f4be2ffe7f86f52c7cf122673

SHA512
7941e418214762abecac38e475d7011afc8f0c72536a0515109d68a1e1a348efbf72b2c2f226afcd46e42af7fb7784ce5d0a6e2fb59244aa13f95b2e47c56a74

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
645a75dedd619b8cab90623fdc14b341

SHA1
e3c40f7e3c8201ce4a2a259a4b6c76499686a625

SHA256
98a311c39f55080e671aed38230e68d342cd7b7c7ea2ffce8dac0c7cb37861b8

SHA512
ca8d6929114cccb23109934769e29027d3d6d5953ca5cacefd8c38eb3974c0c5702ac5f45cdc3171e713a2e210a85797ccaa4e8245b0bced42c6ebfb84636f9f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
1fffb938f8f9ac37f6b5703ff0db377b

SHA1
7c790e564be50e853719a7b6960b928635cb1b55

SHA256
cc2d99ebe15287e520a313772afb703856fcf71cd5d6afa7e1e10a052241e960

SHA512
2f2d86b06cb8a8dd8e55a677e3fe0de45803cf9ce4c247bae533520233352843df6645e5b45c91e08a61fb443211c3759645716a144c45e73654fa584919b979

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
77cfd7a6f8f72dd4ab861323b79ddd27

SHA1
1029a7dbe321f1f0cdccf3480de95d8ec6a7afbf

SHA256
62b4b73ba09bee550c5c64d7e718347162206e9f653c5bfee99ec63b9e3cc79e

SHA512
6e2ff0c7259d9648bfd58db7329ec1955fd41d81be3aed9d46d679326b77b673347172e77e6c434ba6397949e814c65b696ccd36e0957d5a25309dc4cc6dfb5b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
5bf9a0e34f53158fdb1a2db1f04e2e97

SHA1
23185c8e2ec41a9694ed60843d3753474d783a72

SHA256
f04ffa0b593f63631790e8a65c156a1dffc3025b7a94f09aad7723fd8368b509

SHA512
e44e52c7be1899db24e8d6117f1a237f916b16171d55f0a7c2920851db95ab6d10c6a64e28367ebb63b4cf31625c44d4618d2a23c0486ab74b04ba81f177a5d7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
c78cad9d1af2f16b56f32b070aee580d

SHA1
8a290ee30b53d544280b0fe339fb2d1b3d65f2c8

SHA256
6b1691f803c64b26ad354eb77a03b4be65404f9e60d5eda5853e23689bf73665

SHA512
803f94b428688c4099641b2a40d1d0a3d5304b3e1c3b8024780ba0de0e015fdcf2ea03ac6ab4226408612d950e4e735ee91e459a64dc88a7802aec50989ebe00

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
4070f72c0d59f25eb747039210b93a99

SHA1
1d45f68526a53bc3cd85295f55998d2d10e23700

SHA256
b024a3abdb55cdbc80b43820f028f3eda0076e40b0b4663fe2dce7155d782af5

SHA512
fb8ee53587d7259f074f9a2cf02a805f9ee6e752f4850c9765cdeca868d64e269c2dc7c0078f37ff3a1724478b399ff9b7f1813daca3bc89bde7c55dcdf4b4f4

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
897c4329e853192d798dcdef78579104

SHA1
1c459a4197c84213b5c91aba678213b636c6b24c

SHA256
1edc9fa18820061118f13349c98bd01f59009063062afd8f710d18bbad18bf9c

SHA512
bc34a5b744d2296f22d819cc6c85c305218849c8b65b9656884540aa55da2e814f9c7144fc4e068d9e3b0f5375dffe79b327673d14b0d64d531ea08d9956ba4b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
21f64e5e259b819f9f6eb02b79173097

SHA1
ee3184e254f78230e5ceddef6e55b5ab5ce8daac

SHA256
5983d96809c9fa03763be88b6c43ec1748bb5f46a36b52e4e53deeb6d261238b

SHA512
9b7c3c96405688dabd03dd616091c1a8b6af2a499108ef28b5566ff4f90a52ee37c8372c0b5108e64d1719bc4e72d372059d655d4875a2b39bd7d08e7ae69534

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2904ea26975f0726b665a16d09de3354

SHA1
9d025b3f9d0319a7d45df0e023bba0308d938a52

SHA256
3165e98d37f1bf7c65c5bc5e9d808cb433a39c0942d8dac9b361c7e6e14803a1

SHA512
35a6b08af610e95ffd342540105918b30810c8f95e5493c135de9043a35da448cd2506eabd48829995381a3ce9de48a3fd5c85083874ad07133bc948b2845f1e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
3686c0445fca8fcafee4f71706f5796e

SHA1
7ff6e3a10d25e3221693095dbf97a7ac99e7e500

SHA256
68871c07daf827bf8fc2883872b25cfc947943212230dd3496b7859ea9abc843

SHA512
ad558ea74806bccac8f866301b67d5d954536478b1a079e8499000cc18761552aa5c4aa50bc0a1c6e4c43b5ce1352dd2e8c19e4983bce57f0f851e92879c883f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2e6defc3044516e21733beac198e44af

SHA1
3dd7e8147fa36e1fc9fc274aaa7b92bc8a7f6206

SHA256
426326cd0c6986d307dc8cc5bc1a4d4290d9e8fe206b4677262d191b20849ded

SHA512
c983c0ffecc737c33c2849822c5ab02df3992f9ed7b47c6578fd1f2d40a436c43d11a2e4339addc55053d8456755ea951d74ca7022e1e9731f2fdfdcadc66457

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
b71328e24de84c224f264aa49708d41e

SHA1
91b1145ea9026a0970283fa0edeef07d9e66cf2b

SHA256
6de92b5c3667f802d49975724c223cde4eeafda4fdf70e67ab04d73e95ef8e49

SHA512
383444415b34761f9d5ab6799995a478d4657d0b93952c2f50763a9a2c1c7d824e0114d86a09e4e961ea6c3101a92836c3ec15207aee16fa1448b8f00b4b19bf

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
e28904198c1df64996a8bf0cfd561122

SHA1
c38bdb830476a5a2bfefedd5ade309bc31ee025f

SHA256
bd42fabc20772168e2d2eeea530c1250ebb8888bac0c534cef8eaa6d0d5471c2

SHA512
a5d7b6e9d7c207c790ff2e9678c7df858de49b759e3aa6ec55b60f16f5c22ccba0fd12410a9963f2ceea108ec6332b9ab23c8b004675355bf5d2be7b91ab1728

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
7737d93d039a3d364da62009312e29ea

SHA1
128b77b5cafbd2f158c7148e5447d16f124db08a

SHA256
bd65c536be6a7528cde2202565def2d95aa44ae834e235085d61cc4610699d01

SHA512
d50ea9370bac0f0e1ab9e25fae72fbdc0b7e5569cd6b905a05af822ebde005374a416034352574351053b26742786ba5c0fcfb4f4e67d28222e6708760858f7b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f541738d377f2c1dd018c700ddc942d0

SHA1
3251769e31959a986c7e3a102127b33be1de5aca

SHA256
3f0df1c5de510b4d0547480fef3cac8df46be2ea12bb1c23849a00387c038c4e

SHA512
5c304fdc50e28bbbaee2d4748a74392a06df8254e67e541379ffc86f6e2e98fd163454471b871da8ba7d4ea40731c18883f785763c0e041000874b4119595637

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
5e8eece889a1fc3879569b857bc1d91b

SHA1
71c09ae9becf21b678523c53729a25a0b0736466

SHA256
c733012b98d54232f2fdd56ba4f696fa83705f569f7fb610230b3ce184bc584f

SHA512
d41de2f07fe44de270fedc2ec6dc5f3fc6b7d2660badc2459c0cf8292eced182a556dca4f4e6ec5968a3d3a6c25553ebed807561d6b98b110a3b6f91932dc7b7

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
cfe043f58fdafabcf6d7401678a25709

SHA1
c2ad111d78d23381bf8a8f1c6a2d0b546cfcfcd4

SHA256
b45682d7677524a93c853938949e985818909e9ba0568d56bc333328775635c3

SHA512
833a99e3ae058ae4f406f333092c75fa75231090ea2d27c3ba2b4badf49fc6581eeafe3f7c735f964227f9abd9c491ad1412d43d3020ee9595e86d787d400297

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
fa42a835a47b8a8333c2c0114419f761

SHA1
b6753321bf6eb50755b2a3acc1c306674108e187

SHA256
7f0aa7b26c926cd22ab83a6880f8935b2ee32db203deaba881a4b294b3e4196f

SHA512
9e9c39fe22cedfc2eb122ef76fbb14163ae1ec8d36c03e61078b36cea6b85116d31394fb4d7182b02c6e9d60895eb58d82154141ef85923d66bd13eafaaf3275

Download Submit
memory/636-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/636-246-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/636-55-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/636-57-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/808-326-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/808-258-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/808-259-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/808-267-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/1188-43-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1188-44-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1188-245-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1188-36-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1312-33-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/1312-8-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/1312-9-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1312-0-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1680-339-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1680-285-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1680-547-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1872-282-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1872-334-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2008-330-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2008-273-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/2008-272-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2020-315-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2020-549-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2208-553-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2208-327-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2328-555-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2328-335-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3184-67-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/3184-72-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/3184-61-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/3184-60-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3184-81-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3520-548-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3520-304-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3616-340-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3616-557-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3644-42-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3644-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3704-546-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3704-292-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4088-318-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4088-320-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4264-323-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4264-552-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4432-554-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4432-331-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4472-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4472-247-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4472-75-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4472-82-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4612-289-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4612-415-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4828-254-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4828-322-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4844-241-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4844-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4872-242-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4872-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4872-18-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4872-17-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download