e40b3c13146565df99e0b6520298141a452ff551e86bac2ef62d37668918e370

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_d9cb954dcc1218d4a747c3439c48d931_ryuk.exe
Size

2.2MB
MD5

d9cb954dcc1218d4a747c3439c48d931
SHA1

dcf2bc36e090a19f55a5be4a9887d51daafa5dfe
SHA256

e40b3c13146565df99e0b6520298141a452ff551e86bac2ef62d37668918e370
SHA512

3686dd40c53bf2e32ecae7f746d61d081832ae64a4b7d33ee628fd9500bc04abc31af1a38a2b3883f5e0e881748877fc1e1905cabbce6686ac0843128f472e45
SSDEEP

49152:lOOh3aN4kuLbegmtG4XvYMLprznyDSga9:FU4ku/ctLXvYCp3nyG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEmsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1608	alg.exe
3656	DiagnosticsHub.StandardCollector.Service.exe
1736	fxssvc.exe
1784	elevation_service.exe
2252	elevation_service.exe
3716	maintenanceservice.exe
2932	OSE.EXE
2424	msdtc.exe
1020	PerceptionSimulationService.exe
2456	perfhost.exe
1056	locator.exe
3584	SensorDataService.exe
4428	snmptrap.exe
3980	spectrum.exe
2172	ssh-agent.exe
2532	TieringEngineService.exe
1728	AgentService.exe
4260	vds.exe
2348	vssvc.exe
4980	wbengine.exe
224	WmiApSrv.exe
2924	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

Processes:

2024-04-28_d9cb954dcc1218d4a747c3439c48d931_ryuk.exeelevation_service.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_d9cb954dcc1218d4a747c3439c48d931_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f0c5456485ca13a2.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_d9cb954dcc1218d4a747c3439c48d931_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_d9cb954dcc1218d4a747c3439c48d931_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_d9cb954dcc1218d4a747c3439c48d931_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_d9cb954dcc1218d4a747c3439c48d931_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98656\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

fxssvc.exeSearchIndexer.exeSearchProtocolHost.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dafa64656d99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000acac56656d99da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000015dd49666d99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d35c67656d99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001fef5c666d99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f6553666d99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000025103a656d99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000087ad37656d99da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d1a07666d99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a65f29656d99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
3656	DiagnosticsHub.StandardCollector.Service.exe
3656	DiagnosticsHub.StandardCollector.Service.exe
3656	DiagnosticsHub.StandardCollector.Service.exe
3656	DiagnosticsHub.StandardCollector.Service.exe
3656	DiagnosticsHub.StandardCollector.Service.exe
3656	DiagnosticsHub.StandardCollector.Service.exe
1784	elevation_service.exe
1784	elevation_service.exe
1784	elevation_service.exe
1784	elevation_service.exe
1784	elevation_service.exe
1784	elevation_service.exe
1784	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

2024-04-28_d9cb954dcc1218d4a747c3439c48d931_ryuk.exefxssvc.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3820	2024-04-28_d9cb954dcc1218d4a747c3439c48d931_ryuk.exe
Token: SeAuditPrivilege	1736	fxssvc.exe
Token: SeDebugPrivilege	3656	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	1784	elevation_service.exe
Token: SeRestorePrivilege	2532	TieringEngineService.exe
Token: SeManageVolumePrivilege	2532	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1728	AgentService.exe
Token: SeBackupPrivilege	2348	vssvc.exe
Token: SeRestorePrivilege	2348	vssvc.exe
Token: SeAuditPrivilege	2348	vssvc.exe
Token: SeBackupPrivilege	4980	wbengine.exe
Token: SeRestorePrivilege	4980	wbengine.exe
Token: SeSecurityPrivilege	4980	wbengine.exe
Token: 33	2924	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeDebugPrivilege	1784	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2924 wrote to memory of 60	2924	SearchIndexer.exe	SearchProtocolHost.exe
PID 2924 wrote to memory of 60	2924	SearchIndexer.exe	SearchProtocolHost.exe
PID 2924 wrote to memory of 2004	2924	SearchIndexer.exe	SearchFilterHost.exe
PID 2924 wrote to memory of 2004	2924	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_d9cb954dcc1218d4a747c3439c48d931_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_d9cb954dcc1218d4a747c3439c48d931_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3820

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1608

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3860

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2252

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3716

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2932

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2424

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1020

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2456

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1056

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3584

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4428

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3980

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3272

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4260

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4980

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:224

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:60

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:2004

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
2528bd816bb2f5c2da2db37d49377d99

SHA1
1686547a3f7a579bad793a96ed1fe9b51cdf9263

SHA256
a461aee44ce795cbbaf81d82316ca789abbee595a66c9eecc6c5a17cdff9af72

SHA512
44776f8af7f827e466cca8f6cc2b9fe15a347873bb20e18e09da33bc4d92920fcc2d116a0a29b671822d39d173545a62d4805737635131dac02526869593d851

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
d30ff4b98c2d22bb7b91bfabafda226e

SHA1
f27550f3f25a31974781041ed79d743e21e24d81

SHA256
bcfea1e852ddac7d7bf5c264042b7f6dbf83afd850ff140f3a73c3c382d4f3d0

SHA512
2923b95d3e09c01b72c0ab3f09689770e250a3ce8bafa890f2a0d74449534367bbd92b450c0560b55d3a988699c5e5d46445cdf93fbee3aa0bb34ac9eabbf4b1

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
6b06be100bb337fba1a4ad3432b2f517

SHA1
3dabe88b1fbcef8edbdde9732e988d9178cce82d

SHA256
76e55390d182aa551608a647d3c1e36cc9b2507118ad9d2de342d6c7e4320812

SHA512
7f8ef93f84b031fcb3464c44149be4f4196a9d4fb6754a4d808d34736a600dd35cfc1f5707c2e33402b60aaee88079a8fda3d7abc37489c770666c328aa713ee

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
a1d0b54e8dbb963b7f7197718e2b4db6

SHA1
44d608cdce7156a2d3f33a59fb0f87006916a9e6

SHA256
cd1b2b7f7509dec77ea419f1f144810e6bd6ebfe66d04884fda0b677e00b4fa4

SHA512
359b785f9c41d37b94ba83d5cc01a25c17cd0c324e2dd32ab08ad2a5412e300785ef4adaf93d3128e9df6cd41378464cafe86fdeed9ee9eda096f582eecc4db6

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
dbcb482d6058fae60d4f2f13733e1b83

SHA1
cdf512d2300aa7c9a26da577d63528a1890d32d8

SHA256
1b88556fd9b78481675757ecf0d60d34af126575e032f253a6babdfb4bb2786b

SHA512
4ce13042bdfa1acfea94ca6d8eb31dae5d86a541e939b6a6b451ae7bf5f060bfb579a0a8461d209aa9ce549e4c2b0d1251efb516ff9979346f8312009a271108

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
d6ee46d2a9438d105ff36ce7217bc119

SHA1
07302bd01b4b1e028080bdb77776ed94e3a79865

SHA256
474c954bc0cc95f093b17ef6b172667ae6628e090ab4314ac55c8db463aa0817

SHA512
1d76e81828fb3c29c6ac1923bbe46771e4272b893053bacb2fde5741bc27f3579db75bf35c2774ce2431e6d787292bfb23181830f97bf5fbc90e877f5ef4aefb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
8ab1821bd5729f796abb604c9b6241b6

SHA1
6a158bb729101d0813396baf014142c92ce26147

SHA256
7eb8f23cedb1b9e9ce26519c94b62fe339b1e8219be8b351e9c40a4f2c47e38f

SHA512
46f4356e871b557cffe275f385564fa1b5f50228545b691db7830ce3b596b190e5fd0e359f17827319c3547bf29be12e01f933b1ddfe8405020ed553c562dc18

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
f7ac413f3a624b0806cbed7fc29bcdb1

SHA1
87b00a42516cfe3a7b1b8f4059a9acf424b5ec11

SHA256
c7ea90b6d450e2f1703203fcf3f46db9ce1bfb7bc88e6eda8c4c2524e880bd19

SHA512
8cca0816430b20c44b5137d057c934b25e28e7bd9be383ddd82951328d02f7cd9fc31abb0d53524c9f1338d4d672106f6662f449384d18355ecc2c4f1d4361e3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
474acbff13e7e217014245301221ab89

SHA1
568fe4108295e2bd46d93f6e2a9d62ad2ed82835

SHA256
9aea4350ce24777931a87b52737e7205d4c669a2358f6f8156083da6cc13cb94

SHA512
ff278ac6cdc64e2259f102efbd58fa5f70fe829862ded4869fb137c42e4ec78ef805aa775197023d17b5a6edfdf9f2f5c44a77cce703c8e9b77b9ed025f1f43c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
5f998683c1f65457ded743cf75020d45

SHA1
4efda3362b149122da39bc371dc624117d30d1b7

SHA256
81dd2533700a03f285bef52499287ebd9c117f165294508c36c1943befae31a5

SHA512
f7f40c51e71420bac1c66b3bb802806e47f830e2d70afe9dc69d185d2e14c2f93b782d0361c5f1cde28bb6b647cf5cba48fad71cf7ab335240e9cb7f79fa35ca

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
94b075740da5f690bc1d581cd35f0ba9

SHA1
47f9ac1d7c738cbfbfeadf55f74e3d2372daa8af

SHA256
c5b9872b395d49b8c591d5d9f8ce1cc216864ac292b3373c3ef1d90d41c90c69

SHA512
e447306f18eb00c9cbc1afa7cdd0762f1f4b0b6287046988bf96316bb74efaae6c2c1e4b2626d4e33d6961b27ac4b3e34117ddc043dfeff6d3d5ba1586fd92c8

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
cd2dd34d2f619e3677a46407874c8204

SHA1
c4846383ec5b32ea38cf24595b9c9dfbb51a2980

SHA256
5286312bfcab9e7e880091e372da2a4cafb728dabb5c2d303d08b0b71edcd767

SHA512
ee3b606e8f8e5dc3496ddb355a6104904b01227b224daea906b2d04a604f3d82456325aeae0d43904f6a97be56aa43abb9493127e5efd5b2bd17ba94ee09a047

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
2bb2fa1a817ee30337f84735f528795b

SHA1
7ba2bb52e93ddd4f3ee71aa75947c4db588f36b3

SHA256
3f0d62df82bc81e5e9e129a8b5dea3cf5c29fba6e1b41ac9d5ab25dbe790de1b

SHA512
6e56f1454cbf8b05ad44b8e6d70f42b1c08d7b0a2dce09fce54ef34f8693d33c674eca6e30761f012b93a7f800b999d9897f1b0907fae5264c51455ed8d9003b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
706617be4bd836a57496ff96046fee99

SHA1
f2ed2d47d8913f2790f4f972f9b32f54a1ee4fb4

SHA256
af1d23f06df98b1160ddd7bb0c97c0289b84d34f2c57c8cf7831d522b422d08b

SHA512
9f76cc754fe09bb13b74b7f31d3a0c9aca807a953f2b007562512319cf86d58d48b1084259e26c3059a98c0b5cc3204fc582373baa64c5e77a558392bfbab78d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
b4e17bdb15350efab3437470f5e58b4c

SHA1
934c89e622ee35774d799ce2bd640e59be4a59a0

SHA256
59aee7bdd6725f11a707fd1eb55921c4c6e6e47e510c1b742465589459fb72ae

SHA512
1894dc07807c24b557fd145aa7802aba95772afef2eb1b04ab3f96a5cc3177f33db542c7b5682e2b4d384152bda09dea14d0c4357f191b72cd0cf48e381999b2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
ff97a3af676d5037bb3b2a6b2a9fd702

SHA1
f3cda7363fef6986f6b8036c277a79b7dc3684d5

SHA256
046ed24b9b0e5aea677d2a747cdb1ba0115381c25be8b426818b26fb9f6cf904

SHA512
a9b8308083780ea03af7f225e47c8bb5801ef1a3c461acaa0ba48efbbf585224aa5c4a5a3c00ed07ad34854d00468ea383dfc04b083a31b39985ed14a0d17b46

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
cebd96ca47b94fdbd6e98dbbe2e4b990

SHA1
27e52508ccdbe0e43e3296d3dde35434b5cd2d6d

SHA256
ae25f29f7fb99f5669052c793585123b5e6a92889aaa55893d92dfba6b12559f

SHA512
6c824fc695ae5be29ab33d7178934a797ea80f2195525ea6d9b3ac0b8b43c6cc61d2580b7a41212a665f6890273a44bac7af22a0034e38c9ef0e2ed83d4a37e3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
d5eedd6ac78f5829f8d5e52b9f7f5656

SHA1
634a0bdc413198a3cbc931e242576302832c113c

SHA256
874f62ec4cbb82666d60540438feead38aac7724d5153b9b456df537bb0ba171

SHA512
71c2d713c9d1d62e962a189e48abb5f4a9c8153da7381f30af0699046081fa0e5af01e39bda4ed96a645f86385e81178076a55d846b03248bd1d145aaa8f45d8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
c8a71d5992910cd937e99b39c3f924ba

SHA1
9cbcf4ffeca557b5b4025959f096b0e33d50b063

SHA256
61f24d243814c2e1b6616a6a0a5c5b8dc9f652aa1a41f205a5ead51e012384d7

SHA512
95adbd73088760bf6719c0aaa2c67517cebb76836ced7793dc9e7cccfc1fe75a0e60eca1b5bcbe3317cc2eac58dd14dcef8f017d3a70bae914c61d5f38304ffd

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
f7ee6f77c07770825c3753dd4cdab624

SHA1
cf694e680c701ea5aaab8a8b70934bec32a71535

SHA256
5e5898c3b978ae5bf4b78d8ad87aac6751c07c486baade77055dd411bdd5991b

SHA512
3bd4d90353df6e425d7cacee68e0de2a7f02b9c17c3e7f5053a596d6e2e1ca0a791881b120596e39211ce1e732e782a0d8cf88c273c2c7509066d62fbdfa6cec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
1571e25f629ce9244f2cce0c78d4115c

SHA1
a5895d774849634cf6ce3c91312ca36d3afac525

SHA256
4e815625670ed0c5b8a59b8e45b9bef0ca8ddf2203de4a815f0bf0a57d588797

SHA512
83f6a29486172976cdceca47f4c52471702ca064f6a8bdf2815861b1f32f96dd6e823f5f1c41f948850aba9c9b7a0ecd8341ba3aa84ba540117ce01b2cd4665d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
27bfee16989fa268b72c7fda632ed24d

SHA1
308a0d2cad84aa585200931037278925d676e42b

SHA256
ffe5dfb6d4da23eadd55663ae4902038fcd71490d0c79002d6133892e7a91650

SHA512
c9164d379e127a55328071425635348753c88136dc5da3ab1e1ddeb61b5385e476fd97badd6f2d5c5eeebddfcb8542938e4be0a3bec3329242923a10c089406d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
50fca8ba45594b6d2dfec8344bf65610

SHA1
c79d4ef6a521bd545516d53b6c16905bd12fe3b8

SHA256
522d2a308a0c72e79610acf70b840258c4243eca64ed994ce041cc53fd47f767

SHA512
e00d2a88efb0a9fcf83f8132aaa4eb5e3f2262c0c2046fe6ea6c74f1933234b38718fe250fb8e6a752e5d5ad0aa1ff4f01ec78f429925d7a08bf4209a6a787c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
6fceb06dfb901b8953bb9d839a70a274

SHA1
379a894d565406b755b71b386c6db15fc1f6386f

SHA256
e0e624a1b6b95105dd1a22c646bc7f3a11d9e34fca95b0f7729a56022d17bb36

SHA512
b7da184ea2760238108fa32504cc10e3bafa6c64a44b63f206d1f5c45f12ce8968d41bdb078e082e72fe63c4a81d458f4c4bfeddcd09d1f9ad851772eb5fdfc7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
34bf220df8033e49eede86583af1e3f8

SHA1
bc76326566e1e21a59497ecbef1512325a85a0d0

SHA256
f079d8bba7ce0a77f90f9856049fa35eae19ddc583ff5a12b1f96c2765caaf43

SHA512
822c07e3cc7892bc69a4c0a0859c41376fc5ad818bc3d840ca26ecf4ba579a296ef5a10f40d7ea19732937d4391171935e68c62e00a6e74fd0025de8d9bc41d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
c5eb4f53bde9287262ce122dbd21af75

SHA1
3399144564ff0019ee0cce179bc93494668aa0da

SHA256
6f6acfd693897585882f85ecc9b344331bee8ec1b6da3563c32b20f199ed8141

SHA512
a7c53e5c74ce6f963bffa8b0487c9af2b4420ebc4613bdd046138cebe26954baf47625324c91d9c8c41cb9b8747d10e5b3948afd99961085c05f2716e1296e47

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
78a98a5f04339011a70868266cf99eb9

SHA1
78b4512fad7126e2976ffccaa157f911bc7b93a6

SHA256
b8869d1b6d96eb6996324016cfda25af9be0da474cd06564d3d043e95e3585a4

SHA512
36cd0af70e52b254406a0e5b100c4d6d9b5a64b0e96fc1dc5e58e0566f725f331a939965e437869608465198c4c09da07c34d64738f39cb86728a4d82eb7eeef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
8d1e57125db30469aba8d652c20efe2a

SHA1
f60dda52007f03a656568c14dad4c860808da772

SHA256
26dceb72e7ec2541653badba1f96d7ac4cb576e86c508809eadf63907205082d

SHA512
c2a30f52224fcb8a091f87dc8e28bc0dbd325080eddea87b7dfe245a7d75e5b236e1ed0e84d2bc0f0563383e07f9a1f343389bfa069e24b71557f779b119b659

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
a44c1290815e33b5244fabe8cc0911f1

SHA1
d36d772ebed006778577dfee862c2c911fed8ed4

SHA256
cae8de48a4ac81ef140143090bda42e47832513c98ec5adac5a6120b4f720dd5

SHA512
15a793b29faf66f90b0ec6e266a2621bff65649bef9dec7d34f9c282c23bb7a7e0e9b559b6716795313c88344e1e0297f503d08309147c123d3a688b952fa98e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
97fadbc0990365db930bc5c91188f6cc

SHA1
8ff54418293ba361c06e47071a2a882b9b9cdd72

SHA256
be5c3db05fde2ee4b7fff15551c8270b2a4d28ad426569cf1198582fd7cf382e

SHA512
de64f50a364e23ad01a9ba3694132c39233bcb3ce264508e7012dabb8f8b3a8d4895a9eb7a53622bdc35ed9d84e3ba9f3a2dc02b6a4a72ead1213e0e335b8196

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
4eaa0c7410c7acce46bd693d20cf7150

SHA1
c67558ba3eabc2c49a0d5c1a14a6bfbf72438d61

SHA256
b389efff71271ecc456efc5fe54975bf7dd93a271f6a8f3c1e7b3e0418626be8

SHA512
ffbc36bd1b85bc8578f8c926c78518cac16eebec542cdd534278ddfbcb5147efe1228bb1e9090bb501df93009d87675e3def652e0fbda84d7d016df0d4c31533

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
25518e9f579ddd72b9fa778af2bc314b

SHA1
2503ada014ac552143030c71cd954e05286b6b81

SHA256
590694f364b695114bc50f18990d92d5eeac425598ac640c69bbee1fdbdb85f6

SHA512
2e30c6344c23f0dddd0e35eee41307edc7a40237d734ea3c29627bbb5419e3ca363fa5966d2933feca3cd3365898386b4e42b9ad62be6d2f1199900b9e4f99a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
6246935dc2d2382939292e4d67a8bd6c

SHA1
9a29c8a128d1c58415ca8f4567fbc02578a4f3c8

SHA256
cdc5d5c1eeed0d881598a3db6038e09b95139666e20e07570954e915ce9f253a

SHA512
9edb7414374320af2b9bb4a3183af8910e271727f9536c26aa43eca982987a5a5b5d0130b2e8ded4cf9d4764e27e991545ee2b93877a25c56921d2a8b3fc85cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
3db268448f469cdc958573e622861352

SHA1
d9d70009468a246d3a66583ee1a0a1bdd4bf1a15

SHA256
6eac92734f878787a5734dbe856e16119086254381c2ef9fdb58b744d1a9b067

SHA512
c3e3e8e8c3dad1c20c656aa9151b88bbd1649b0f7851b50fc9286bfe8be67b1fa7d24de5688d2aa0d989c9db2b3ccd95ac1eefdc16939c645eac170f916ef8de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
ff18816ff8347ede72be2f6bf2bdee68

SHA1
3f402072ce6138520a083781078a06c1d9de5b5e

SHA256
bc39ecdf04dfc6f80f83dd7c234802c007f19273df306e0468e1e922b3326d1b

SHA512
052548e4d7b254ebf8aa249d437ab3adec8c1529ba1bbe42bd6c35856c0dbbb675bfcd2a1af4e26e76b319ce6fc7d187c129e8e15158eb0372d3b08718ac4a29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
f50c5efb2c1a016bfa72273b389e4a54

SHA1
d0a1a7bac223c7201a517229fa07a4650dfb9af4

SHA256
59205ae0ccbe6f2728cde0979be50bed4858bbf480149e54d1aff167453811ac

SHA512
3a503b3bb541b5eb87c61237944fc78a4168ae97bb450e132b38f1de81ea9fe646ae8b8cb694a02818bd12a00387dc301e63ad4ad024f1f70064d604cce19712

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
2c4ab3cb3447b85db37a94c914e7b469

SHA1
7d26a1607b007066eef33626cbf28a4188f60909

SHA256
805432a72bf5f615a3694b460bedcf8545da83afb1aeae7ee521588a5984b9a9

SHA512
9ec2acc5b819662feaf1a8452f67ceb98774c3e585ae6a56b251e7b1e045e168f3b0f6acb67e80c649ab63c5ea82f65675a4e20363d46c1d639763a8d0218f00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
581KB

MD5
9f5124a2349172ad29fefd4e838f54ea

SHA1
595dd29950a41a747cdebb44ce3ea8055aec2311

SHA256
f4f2ea7b8f0fcd8cca5880732ff5136e9ab37d3b40be965cc39542d6f4bc8c77

SHA512
5b6d71d60f4d1ed8dcaf58d78353afc98dc1dfebb66f1d9f19f26d2ca734234dfa688d0a1a068d13f0618cd03568134251f3df9d6e45cfcb2d1befab5f4b28e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
581KB

MD5
8b03a9152e49aa7ac791c61b382e1670

SHA1
2f2245794ae1054ea0967a73edc970d9987a24b0

SHA256
331691b0ef91b3d1284ca3eae4fe8d5ea52b604fb5a6664698a02736f96c2f4a

SHA512
0325f7e0bff3836e3d2c506d2a57ed6d08125dbcb47c41b68a48bfb98500e61638a8f17b2f5ba060546e381611afecdffd7ee6c52bbe3d4d0aaf426808412477

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
581KB

MD5
17672211febbda479c412af196dfedab

SHA1
638eef36f5d559b081bd14d290e49fed69faf400

SHA256
ce9f4b104d4e112fbff703454dcc02e416f44e2bcf16868c62e16e812bacdb9b

SHA512
11140a7bc913bed50af31fd912cd72ebd627430acf82e72a90dd92361c2c7062687e88c689a7ead5378d05942733e56ab42294d4ecd274ad499aa51c28eef557

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
581KB

MD5
e3608ccc947b9a9e6fc7f6607d4d6e4c

SHA1
908b0fc29f96c3c7065a4867b98f32cbe1af7b86

SHA256
5334346009ea3090285af86974e4702f42317ae1daeeb2da4e151098bceede24

SHA512
6c94e0b63a7aab3c928c21547e3889d421e75a071afd8220b2ccd75414778c65f8de4c4c795673bb82a652ae8de7c6f2a7b4c4c10703c4796bce8f0d793af52b

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
08ce08eb2c83133163bac912d51d77d1

SHA1
667998cef4c1820335e67a9dc368f8acfbf056f6

SHA256
9456604a352f8da0738df0e4946f5c9ad11c6f9c09dce99c8a49997dd220dfe8

SHA512
18f5cbf57073f14aa83a7726f3f19371a8ac0b006c09f35893f39ce0cc971a7d0a4b3c87ff11bc2a5d85b8312d7b9ccb20574b75f78657324b262f0afa103393

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
86e71de24abd9feda3ea229698ede1cf

SHA1
22c6a07701d9e6d05df320254dbecb719ea52bb3

SHA256
c153437b7ee3d25df759d9652ef1c4c885f9debbe194d3a0c4d9ec37a43eb4f7

SHA512
6054f29d469d8d6a228931b59c964cea410eefdda062880cf3ac31123a8781c856cc9f6e8928f6c293d6a45948637f42e5bdaa3c6cd42cd7ff30868c65f995e6

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
d55bee070a1315a3b33063f1a35f1c70

SHA1
e4ae770a774fa7035ff4a956e125d208031054f7

SHA256
b6a77e25590175d4979beb853652fa141744380c6c7ee724e30f9153e08f40fb

SHA512
5725d291f66e518e9383046718e8b0bbe5d3fb416d0009e4e080dbce6f918a71cd29c764126b20645c8ff254b0d9063b52434de0996b78615b497b92a896e3a3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
315ed1d4c6e71f5df47c69096988b236

SHA1
dd479301c46bfed542a6f0a2ea64610e082fe96b

SHA256
9bfae827e12cf153a0633a5c0ccdfaa96e197c63406cf034ff37f8163695e0e7

SHA512
77fbf446d68ad5237af7bb5dce4b293b64721b83d594eb578e88bad8c765cd900cfb05f440ffcad6e85bcb97d3ee911c1d49e66f235798c20ef5b4ca1bad068f

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
61a9eed6d595883ad068b06c97ba00b0

SHA1
6d87a312af401231e608272d69e1c699953df538

SHA256
a5659bfbb979edd788aac6b4d724ebaeb381a6383b916326efbcd7f817153d1a

SHA512
bc43987c953f10907ceb07a39c9c926dc4543104bd078999be9f5d53896839cbf7c4647c2176aac08ac747f4fa1016a2b38b0819f64d2185c547e524a364224f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
e43a62cf1a0695953eb0385963a658c8

SHA1
ce65710406cb1a89a4df5167f168448d6a551443

SHA256
cbeeeaebc7810a31f5977270e25bccbd7b120784592cacada672101372c6632a

SHA512
b0e4f3f649b688ff871265becbc6cbb5c50cdbd21a961dd5fe83b99ea846f3a2cad40a9072a53af23c86dd774b9be1685a68a44aa8769ba2b78af81eb7419991

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
8a45b8390a8d34d1a67fe367b67f6b38

SHA1
9bf6ffbffc7037cab15310985f1b651584159f6a

SHA256
5cd96299893e0ed503d4cd8112f4ba8f41a556e02f991b0352e8fc80fadde387

SHA512
9bc13a528ea9e5e2f9fbb45314c6d1ec510ef86f76405ccb882058fc7ebb551e8c280e2b05ca2a40039e9bf818b1653e7c26913ee3bc6e4358f9262b1ccfa0af

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
7310547c741dee5ed40e3c219e88a9a1

SHA1
f3a7210cd7cc817718646512a74ed57ee5bea30a

SHA256
9596e40c2322ef7866c974af833a03b7808336a5b4f9f8d4d45e89fbd8a91a4a

SHA512
a14d93d7823b7abe4b561a1ff9cd654c6420eb1e0bf265800fe82a953e0bbb1a1a99b51810220edf767f7e2f747151404ff7a673e099a812391c3992769ac53b

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
8370b08c81de3c716779d87851637896

SHA1
21f0aed4ec9738404dcd34c269212177169775d9

SHA256
dfe9b928f95756a4d42894bcc9725f860eab8771d9415df200962ac5a0ee9c31

SHA512
48c495169b66790334c3aa696043596a507155acfa27a4282d89a6e1301df4acbd1f4d9b890189418e1d826ed96b8d9ecf68025c0c71198f67e5fcc946dcfa67

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
518798babf5b71e2209dc842931481c4

SHA1
a90ac37d6101541dcfef7c4e1b3447a57291f1fc

SHA256
f53ee5e3eaeefa55667c22c5afa28670e65994be16bf501d57fb55ccdbeec129

SHA512
df87467ec5f3384022b73f8d3dfe5387c98f43abdb1c3e3a01bc52026191aa10467bdbd0249e177208bb6b004b7f7dc597546b5f2ce3878fc9969141c98f5d92

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
6d7549d70a65386d081fcb1a871137e4

SHA1
0443372166049af8b1e0cf64b7f3d92945b7d1fc

SHA256
8f560b0e91015a116a267c4960b711bda73d592ee246e94156229aed3e1bb3f5

SHA512
23b7f75b62183c61c838a58acee4568ca1ae651a0390975dbbea5a64c79ff81f9c078ade4d801b5b155c41eec5f5e7612eeb384eafcd746ec730d2bf948f06df

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
c33dc12e991787d9bae700dc46c8872e

SHA1
9b614abc8ce16751a3f965ec5367113671a473a6

SHA256
215e697635a95936a87fba2f8144e6d2f875b61d6c84b135fcc1075b917ced17

SHA512
f20f68372b1f5efde0290e3df6031196e58978605087fd3ee19448a7733c98fcbbf3fa31d5c1e0b8fd1c8012e61c11732ce0bf572562de1e5c93890facc13f3d

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
934a1d8f380e4ce111748a1425cdbb9f

SHA1
4c573e6ce5065badd68101fa504d1f9092c6bf3b

SHA256
5fdb0018257bf7ec008284ea879d2a313cb814e67b40fbe85ad56dbf9faa38d5

SHA512
a7f10a245f5d929a91d51879bda2a622a08349487edc78378b82f8ea0ffead6980eba4e373402c0ebbc345d662ffb859f90f2b1abfa503e3968fe2b45baac573

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
cc88d58c472f57239af5a354f48971dd

SHA1
f9cd369cf93ae5210136b1ee1e03f809642984d7

SHA256
e4f92f0ceb84553fde94501411a599ce775407622be06408085b4400fe67e0bf

SHA512
14ff338cf00cfbbb3933b32ab8b98da63b85a9eff10e51878a37e7551c29ee1fcc37866a49b94424f6bf69cc4f424554c5f92fe8a2a53b20251d400cd83a7951

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
349338fe6ba002bbc5bca42b5dd2cc8b

SHA1
f1a59bf5a4adb287470b5e92fd8e6ad08a0c7326

SHA256
6d34a40ee6fddc7b67f3b8b9172ff3499e02ea75f5246bef2cc91e814c5cf0fb

SHA512
4b46dd2bfc4c5bf394c3d3119fa70ef4f633905c58711dd7b4176cc8b313b29b9bc87c36fb55479b4a07ebd0d8be5d410efbf43cfff31c791d802a8ab54fed31

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
a8c4764d5dfcbcc8b46e9c22e18192c1

SHA1
aeb9c750b3173b757e93469ea90f3c4beb0b3f29

SHA256
df2195d39d42d8d4827d5f5bf04c5cf1f8477a672428140261f2332ed0b3fe23

SHA512
8296fca8f1e789a5010c54ff0fa37d6ef77a86980d6651e576263503eb21d606d13d3b1976557b27afed134abb437364cf7437e01965e5b0898ab660194f3a65

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
42df739c3f7ac7e799773f653552aa7c

SHA1
2a6b24ed5c1f6e0bfc8892c6424bf8a4bd1e8113

SHA256
89b4a16f6831f979f5aef8218d84b25b4c4dc150bc26083599db77103f4d6033

SHA512
97a70e313c8ccc43b35d060bb9063de86353a6306e4f20bb5ff4bc7b6ec376dfc26cf88b6168e617a5c333c94b7793d8cb5289759e629911aacd60896a310e3c

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
d112a261cdfc565d9e56aa1b79aeffdd

SHA1
3dc76412fde51363b76a76ae681f504d8605aa45

SHA256
e9437d502b13249bff8ecee54a12db1e71e83575c32d671be1a4b24bb03510b0

SHA512
971ec3af0aa074629f88846c26fa67b78707ef7d70762ae8c66d121fbb964d5f38073c3921ccbe5ed2d87cf07fc7a54420875b9303c52ae97d1632d45a3f66f6

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
d4dbb0dcb1f09acbd9d20e6690e868f1

SHA1
4482c3007f6c21cac9d27c904bf4bc3e53a30adb

SHA256
23892d30559236505fc68379938ed42d593fa7313b0ec1680a975e0eb24d4a92

SHA512
87ecd4c97c5d33315e7a428af2cbf775d69a25d265910488b5f2d8c16d9a5eb66f987c2f93f384f5b7eb89c7b4f50ff2f74699c5ebc97dada867d33497e41cb1

Download Submit
C:\Windows\system32\fxssvc.exe
Filesize
1.2MB

MD5
868c13a1bfd90ea94cd87d8acecff842

SHA1
212e235c7e56986bf17d17d7772b4190f7683626

SHA256
f38e680c1077ad79998ff52b4207bad98456fd2c3bb165ca93131bf36fbb54e8

SHA512
c0fcad9a494c10826c6d85d869ce18814e4b96a7899a466c8a9bf96eff28fa4a14222e45906bb2db11967180562573c4077ec855dff43c88afac7eb3ca2713fa

Download Submit
memory/224-541-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/224-335-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1020-267-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/1020-258-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1020-326-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1020-259-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/1056-282-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1056-334-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1608-242-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1608-14-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1728-320-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1728-318-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1736-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1736-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1784-46-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1784-37-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1784-43-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1784-246-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2172-304-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2172-532-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2252-56-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2252-58-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2252-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2252-247-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2348-538-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2348-327-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2424-322-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2424-254-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2456-272-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2456-330-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2456-273-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/2532-315-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2532-533-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2924-543-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2924-340-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2932-248-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2932-76-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2932-77-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2932-83-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3584-287-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3584-531-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3584-339-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3656-26-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3656-18-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3656-17-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3656-243-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3716-67-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3716-61-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3716-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3716-70-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3716-73-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3820-0-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/3820-33-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3820-9-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/3820-8-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3980-296-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3980-530-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4260-537-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4260-323-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4428-289-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4428-423-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4980-539-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4980-331-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download