0014ef482273770f0f437d9f83bdcaec0136d63f6e70bea3f9e6dd8285c76fe3

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-15_f1306023ad1c7828b15c02b02990711d_ryuk.exe
Size

2.2MB
MD5

f1306023ad1c7828b15c02b02990711d
SHA1

bac1b2c69da71e36642b331cb9649f11460c5712
SHA256

0014ef482273770f0f437d9f83bdcaec0136d63f6e70bea3f9e6dd8285c76fe3
SHA512

94185f743a721aa2f82c2744004397d2da659de8acb003c889837a853409376c1c225f8a51965af622d3958ca1e3b00f469b128facb0b1b5d7c42d5026d45313
SSDEEP

24576:eOObVw4TaN1wdkukCba4oXtgLhU3wEdmh58BTduSZpUR0GHrVQ1aW4mSOgv3isi:eOOh3aN4kuLbegmtGspAHrVQ1/fSNvi

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEmsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4932	alg.exe
4572	DiagnosticsHub.StandardCollector.Service.exe
2968	fxssvc.exe
4004	elevation_service.exe
3548	elevation_service.exe
2836	maintenanceservice.exe
4332	OSE.EXE
3312	msdtc.exe
1172	PerceptionSimulationService.exe
3244	perfhost.exe
3844	locator.exe
1840	SensorDataService.exe
684	snmptrap.exe
3340	spectrum.exe
4960	ssh-agent.exe
2060	TieringEngineService.exe
4940	AgentService.exe
2940	vds.exe
4592	vssvc.exe
4048	wbengine.exe
4112	WmiApSrv.exe
4060	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

Processes:

elevation_service.exe2024-05-15_f1306023ad1c7828b15c02b02990711d_ryuk.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-15_f1306023ad1c7828b15c02b02990711d_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-15_f1306023ad1c7828b15c02b02990711d_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-15_f1306023ad1c7828b15c02b02990711d_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-15_f1306023ad1c7828b15c02b02990711d_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9e5d87c4b4b1389a.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-15_f1306023ad1c7828b15c02b02990711d_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{28C8484C-303E-4CB2-A704-E3FF47E10F7C}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

msdtc.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exefxssvc.exeSearchProtocolHost.exeSearchIndexer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006a76054015a7da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aedcaa3f15a7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a862114015a7da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd89184015a7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002bae5d4015a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002202f03f15a7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c01def4015a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
4572	DiagnosticsHub.StandardCollector.Service.exe
4572	DiagnosticsHub.StandardCollector.Service.exe
4572	DiagnosticsHub.StandardCollector.Service.exe
4572	DiagnosticsHub.StandardCollector.Service.exe
4572	DiagnosticsHub.StandardCollector.Service.exe
4572	DiagnosticsHub.StandardCollector.Service.exe
4004	elevation_service.exe
4004	elevation_service.exe
4004	elevation_service.exe
4004	elevation_service.exe
4004	elevation_service.exe
4004	elevation_service.exe
4004	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

2024-05-15_f1306023ad1c7828b15c02b02990711d_ryuk.exefxssvc.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	220	2024-05-15_f1306023ad1c7828b15c02b02990711d_ryuk.exe
Token: SeAuditPrivilege	2968	fxssvc.exe
Token: SeDebugPrivilege	4572	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	4004	elevation_service.exe
Token: SeRestorePrivilege	2060	TieringEngineService.exe
Token: SeManageVolumePrivilege	2060	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4940	AgentService.exe
Token: SeBackupPrivilege	4592	vssvc.exe
Token: SeRestorePrivilege	4592	vssvc.exe
Token: SeAuditPrivilege	4592	vssvc.exe
Token: SeBackupPrivilege	4048	wbengine.exe
Token: SeRestorePrivilege	4048	wbengine.exe
Token: SeSecurityPrivilege	4048	wbengine.exe
Token: 33	4060	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4060	SearchIndexer.exe
Token: SeDebugPrivilege	4004	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4060 wrote to memory of 2088	4060	SearchIndexer.exe	SearchProtocolHost.exe
PID 4060 wrote to memory of 2088	4060	SearchIndexer.exe	SearchProtocolHost.exe
PID 4060 wrote to memory of 2828	4060	SearchIndexer.exe	SearchFilterHost.exe
PID 4060 wrote to memory of 2828	4060	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-15_f1306023ad1c7828b15c02b02990711d_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-15_f1306023ad1c7828b15c02b02990711d_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4932

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2864

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3548

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2836

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4332

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3312

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1172

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3244

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3844

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1840

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:684

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3340

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:388

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2940

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4112

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2088

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ffba58681047c2855c93f534be7b0807

SHA1
6119c0108d13adf2de7da0edbe413e7ebf4692be

SHA256
7312726c7538e13d0cff158188f236755ff82e045a1331506023317b3222f5ae

SHA512
bd26ef29ef404c45fb22487ed82d92372781f09b160572c4f98d64cfe6559b79434cd26e2b571d5549934d3a20dadd8a6b6f84a3cd189d3a08c74aec8be6b32e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
168601a070d0e2bacc765619ca958315

SHA1
bcc450224e7f05db7652c818aa7ad7f2e9ab960c

SHA256
4928d903c0dfc3e7210b7f228fb0c7ef37d3f28b503b445ab87efc0fc94cc549

SHA512
1e6f07eb166b3e0eb5da90efbd9544aaa4fd3b8aa8f67d38eca9f98cf2620fd07665aaf59a544c8e528f59e8c0a485958014f0dd1c4146db516418fa12be108d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
2e32bf055cb6adf19507bc97506717ae

SHA1
108cbf59ee11eaecfd43421b263ea7bce655a169

SHA256
952a75633382e049e13ead087b83f600a0dfb509b32d79c1cf646d8371c2ad4c

SHA512
9455356c7c18d9f6f5a522a6c93855b39310f89e7e68fe3057095d0727d4eaf926af99f0a90726852f31b31dd8f172936e4b2fdc6fa56efcf669af07e50d4172

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
5dcb7de973893147110837021c85e953

SHA1
e9b23382375ca2fcce1592734de49c3cdfd0cf4c

SHA256
0f70774a0930b623bcb9612abdfffbd32246a8bdce03f02d9565f5a628370852

SHA512
cf81f5a5a7250885344b5d5fc50c50bef198c586482c5bc25568cb3a2e752b324fd4d7de76f0ec9886ada598288f4a395ed272dfb34bd759de233eff9c405b2e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
efbbcfd916593dd8d28bf323d77f5e4f

SHA1
5c940b93303ebd80b4642ac8008853189572cbc0

SHA256
d33498dc76e2d9a1b3808b26e78533855f8bac2a3c37bc6a90c794e9eaa7261a

SHA512
d67cdcad80f6b2ef9c90bca768b04a83b1852103424dfe264bf67ad78519bf8e68da625f17cbf90e68a7016735d50b6e125ed13ae6c5743d858a433e7601858c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
8c97b409dfb6d11e061c1f5618be00a3

SHA1
374edaf3bcbb8254a4eab952d01f55b50078a221

SHA256
99b7c8be5a4c0347380dddde588566ad9d5921fe852c90d50ea3a93429af67a8

SHA512
18f9032c98deef1f71428d48a896b77f9d51f2fcd17899101839ab5e0a01028db39ef4e98dff67c0086ad9851faf0408d52d002a38a696976c917e109f5cc631

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
53db1154a20c9564111445dc0f424c04

SHA1
916b6bc4611560456c6cdd9be16d90e39b35f05f

SHA256
184a78f83b5ea8f7f0f87c6f13847cf05e8a308688f750aaa8529917bd01c18a

SHA512
52a2e9c6aed268f72468787101fc172fdb089a4d905ad87e494b8217706d6ca252765a294db7a66e82c1c7324bcf53082b1662c3334429f41d8433ec476cc2a0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
25faf7ec4dd844a3a380048fe331ff68

SHA1
7e787f290ba5594efaeca0bb26b28b4fba9e94e2

SHA256
282715a3ce62d8ef33ebb1392c535dd55772a326d99076ada1f73a66b3adb0da

SHA512
dac3c8c7aab8f8e10a27dedd0842970eb85e2179c97ef44d1394c062675513929a2b2bcf2a1323c971e53416f13f4dcb7d2afee1e6925a4c82bead25f219583d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
42abe38fcb58816e91e2760422ca12aa

SHA1
f7643f0e055500694fc9e09be999d6154d8745f4

SHA256
344a78edba26aab51234749bcb627c87bc07191395b9849f562526eaab1b7925

SHA512
7141630119c25d7b26776b8a8d3c8fdb8f8a52e334372cf5a1716baa9d7cb02d289847c7685414b83eea64c2b9ea19d0448342bb59bc057d02a2b869e432d8a7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a72f1387c661e8b5245722eb0dba7035

SHA1
97c2365496c333092bc48dcbaed62bec825c78ce

SHA256
db1db9d85928df6ce8e958178bc1648cf3d63f0e97792bc7c4d5557bd8d4677b

SHA512
4838c8a2032f4f8d271489ac7a6ba46f7f30ca226aacf73f9d058d57331b30f003f13f29cdc52166d3b8186db496b81eade11a792180fa9821ce90f7b6360824

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
fa8c0978c87caacb5ce4ade9397e4310

SHA1
3e3eda8abbc9b328a4ee61f1ca6a512ecd58907c

SHA256
83dcd62928282391d0976a4316294a2ee6fe21d7723747b774e22eb37ffd1aec

SHA512
e19a22cf31cad60729b08f49ebecd56324d1fcca65085d675816e08ae6f5ae1542dcee69dd8106fffd43d72fad4a470c30e8613f5c4a01e4dba12aa37a15ccd1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
225fdcb8ee21d9095d58d920bb9880e0

SHA1
3d504e7b76aec50426edb5d0bd73cf75e65268d9

SHA256
25dcaffb8b03c15dd2ac03d2c57720c022cd72cd0c0b884aa603d544ac85e7ce

SHA512
0411d4cb88723fc3ff3156f0d4b42173522f17a96c81c6410090c16ba657184a28fc9cbbf8b99b2e4d14db7eb5710e3edc04d2ece09c9a13f473292e1469ea50

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
24373abf7151d3fb77c5b563f5bbd8ff

SHA1
4edef6381091e98eb0c702422c246a0dcd6b101e

SHA256
9f40dc72923e34d9fa6a0a552a5394e54f7b03534975a582a018d0d6d224d1fd

SHA512
d0429974701f3d0d53ffd1b8ea28cd074b6f21ca3ffe082a7faec65f8088d478e13afbf1e9465d732e7df3f4f144d356e22103b4c9113c9ba168fac4fe588be9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
4fa68b8c05ebdb1da750d03d42c54f06

SHA1
f280e1994e6df18077179545fedd553f05f4558c

SHA256
b8c29d9edd9cbfa8b4de3413d8da122681ce20e4d5df95dbf029ba6e74b45cf3

SHA512
dbe8055b9888fd910f26c7459e7f419cdd0bc87abb70d908e80f423bae87b39d4ff37a6430fbebe95955148cd0bde0597c39c5553125b61c877861b5877226ff

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
aca0f1ff818b3e5a5f4df6d3a3ac443a

SHA1
054cca32b198ef05775d8ddce22a69ba02bf2b48

SHA256
49cb2c59aec3a554f8c1da39449ffc0ab9f51367c52d39341d32bf01395dada0

SHA512
462476f08435a94578c5bde0e2615acf768eec2a7f921288d42d31bc863cff93fff87d3fd1d7d4525eaee4d9bb4bb3c384110103d9909cb8e21976e101f80c1e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
a56c033c7137175f725fe2a2dfc1cc0f

SHA1
ac17ce0eb01d87ebd2847a9e9d85d47edf8c9a78

SHA256
a03c9788bbcb03653e03995bfaef960ebf94e124b7f497abe7fcdf74ffd18fcf

SHA512
44dd80016d4fac7329732e11518ad8a56d0a3a062eef4657f341ace5d9ce3bbee1c40b6801580ac90ece85b9e2caf3a2d33fca644dfb374f51fb6e99b12fb1c9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
1fd9bb4e0c2272990f1a96aa841b92ab

SHA1
063fb65eee7e779147333a892e362fa3d7b17b6f

SHA256
56d2857c0c3c3145dcdd5b6af16a522e4561f6a706668a984971238b50ef6341

SHA512
ce70c296a1b5d86f6348184a3d659243c86732aea323959356aff56c2077e763a485e611ca71dd2d07addef01dfa19efc433d23efadd1c792c656d1f4091d4f5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
865c4dbf2decc679e99e26d43a162973

SHA1
02dabcf1e8f0a8c077c0f180551c09f1667aaae3

SHA256
1fc775a0ee3deb61e10e448c55e8bf944da1cc05d07c7b2974ed21aa9aad22b7

SHA512
fa6adea154e294a32c63a726a4346b48bb172d2d5446a4edfd26a25cf1db7a6000dd2a2538c320f628342fa12e2ec60fb575f2566f6c18aed895da632e7b1005

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
5659f11f6145f245bc2cea8bfbd0d2d6

SHA1
1b4f4a8a8162ae28668fe4b51ed81caa64d1409f

SHA256
936d2fbbe29d25e41a5f023b066c8504be853a64c379bef5cdbfda57a9449f2b

SHA512
e8eedb541174f4e61c848a8e36032821ec12ef7979d77817109777cc33d39bd63d1747cea7a18e19ad5152c7b533d619729fc0d2ad93ed9108affac85c8cbebd

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
30dc996b5c22a30c68bf27dbd9ea7f9b

SHA1
6005c1f2689a696a47f2fc09db8e821e7f248abe

SHA256
31e43f15add979d459e4f1cba2f42b50683b2206e24cd828ac6d947f83316cae

SHA512
aa3467d032dd5ae63c3cd00af2dffff565b8f4f874dddd12dd6f061625af8c2ca93ef55cbb561cc77678d8179b7043d339c722db7e38606e6d3999a5c8c6cc9d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
e5cf596457c3ae667b32027cf6622975

SHA1
037d2f0439f4bdff4366f213ca8290c1501baa5a

SHA256
c02d024aecf17b2c14f3fd4b66372531bb355d160d9f9e3ed2bf107edfd1a6d7

SHA512
5d644904a1a399e2e32790b22cabeb6ee2fb3f8d0e780bba48f23a8146a6a8b71dcae90c263517df63c20a88b0fdfd5a061ace899a86d8c0e4337c43745d29d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
f9931a2310fb42144eca541d8dee9894

SHA1
ca3d5903a835127441304f4aa98a3ab825c61b62

SHA256
84fa66810589cf52f1b595865112074a0d9d0be5a67dfdb227cc7d22915e876a

SHA512
7bfe9fb6ae9b6c307b3a36c21561ea5d5c24593a5570423cb0dea7d2c14cbb8f94b11f364c000fc9ffd17273a942f059fa09f9b43e625bacad43135c07f3f947

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
424a79c9126645a5aa0e03c055ced933

SHA1
9bda9d3242beb013316f1aa391eb34dfd0fe3797

SHA256
40dee2a07ca34df76b5ec84f74ff1b6e7e9de70c20e512edcc0151b175d7f256

SHA512
cc71b2a5f4210b63631330cd551fd92c16e1e574e148d639216a75af11ed90506fa6ce3fd70d8eda427f4f9f3bdb6a94389ae143cbb70b9f6da732d43f4ca41f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
ad4ac98625e2f5076b28f81171b2e4c5

SHA1
df76e764c176033fbed68b07f8819323d2fa6549

SHA256
8dda4b4ec1c948d466b7a25eb914efaafd1e3bf1419d324bd66258e6cb1e68f7

SHA512
9460ca965bc275a67e7fde96154ba162acee171591f624a2c26b44aa840976d3a29ea125016400cd52f9fea0a4291b6479d13544076a487003eb071233ed1c14

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
49b247f09d6253fc5c913c939af09a1b

SHA1
b81f34382344149c9382bb2e055b9b10fdd81277

SHA256
23bbd0b49c59b1e47a6bcdb761f746738244a64861e1ae27e0204f7503142a8b

SHA512
ed4c89bbeb84f8073fd8212e8295513af86e1d8cead8dc0a9905eabffa558bb8dad3b65431710481355bc6d7f8e0530af41dfbb52acffc7cb0f238d0d877dd44

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
6794298b0d17c61cd607b87db2440334

SHA1
bd5644e85a9dce46f7b39b56bdeea8d216ac80bd

SHA256
8ab5171d1c461d0e926b80d9ef41fd5543d39360ce3d4b1374bde04bae9349db

SHA512
a9c0cdadbddcecdcc8a9d89f0ab981ae8ccb13c41969481fab25c459686766d090213c960699ca4aada81aa7ab8b1e25b54685b539ef9d71008c2e8dbcf7fbe4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
827501f5d44a450953f898b6cd0e89bb

SHA1
8807f86580ae64e0e7e4e7fbd600e835c3a1ec72

SHA256
6e11e885ca3d45b2c14f8399ffd577bb29fc9d05b39e4ef3e463b3860adc6196

SHA512
aa5f5f95ab06be3061d078bf431d08735474e6454d7f312e444ec227012a2c0c0b7148181426dadff3eeb3c87c12cbaa863473de621927fbaa00ef17acb92591

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
983ac23594e38eeec6f00ada5b9ee8f6

SHA1
4208b4bc3793484ff824ae2bd366137806577096

SHA256
a1dc15bd3c3f6652ba921f9a49fc8912ae7f5a271338490b0e5df2ca86ec13e3

SHA512
25aea929c7a60b37ce2585c6823afa0c52364ac577a2e654fef1516d6ef2bcdca3930d5f742819d7d74ce6c59c54839363e2a59c39600ed8e81841d399cc5adf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
967c6e11429184ecc2791e9a54277923

SHA1
7fa0161ae94976669783eae0a416a9990990b507

SHA256
e503a95c2523ad659b0fab382a832739bd990a17699b2fcfd7450a3a7530c78e

SHA512
a3eaae4eb743f38f47f3fff3b2be2a33374ec82809d7d87599011e320026340f33fc619b437a318f89c61510dfff089c7205e6ec44772e733cb979f7d164dd8b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
bf0a315b06a8595a49a8f08079bdb422

SHA1
19b60ef17961ed5cdbe0646f1fee38a154971008

SHA256
7e2db98f32bc5fde9ef1a582986b5e91ccbd76a4d33bd5bff645599f34098b97

SHA512
1ccd8daa57216e48f74bfa9e2974791ce969b949be83da655f0cf0e75f3acd2ca136d4101ddf086ad6fe2edcc23b2b38357eea9029dda8b5b15dabf9a117323c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
3e8bbff56836eba3d9bd6b04f7789e60

SHA1
b7e8349ea65b751dcf61fabbc954d2ba4d741b8f

SHA256
4213d9d99f4f01dac9d69b5348ebcb17142eb107560ae240ae7ca776434d0721

SHA512
8ac7afca3ed4c51731a25bb67262e67f7a4be3ba969d8553728626ad08ff5bfa14f302ec45a1559ef5b54da94f85ceaefe5e8f7c5221df886b17fde84fc2b709

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
b353f41e414bf72160f95aa53d79f7ab

SHA1
90d4343ed99d3df8521c66e90150652e63f76d89

SHA256
2a91bacf269f0fa011de36fc1908ad34cfd68c4afb3f42d7d7146a8cda09dbc8

SHA512
71dee8ad28da712ebf7d457ee169e115af23beaed409ffc6b63c35d7d494f1625a2189dcdddd197821cc4cd2bea69b6662665f663aa9b174f4b7e4f27aa107f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
6652c676abf5d35c75275b6e62fa73d6

SHA1
ad743048f55613853623f3fd2902fafe57f3b363

SHA256
55970abdfb99878a9542fc2a54f0e8c8ada4ee6e613dc1fb50f77bfdcaf0d146

SHA512
2159883bdf1300f49bbb5ecbd90d64a365dbd6fb65e5aa6a5119376306db11bbd33f4397efb8aabdcf548e9a41bcc1ef3708ef749c646f6a1bbf8c76fef8b0c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
c70d6130bd434dcaeae145a7465ed1c2

SHA1
17c5c38c61ba99444a54e2dc0d721bd5949583de

SHA256
765783626f1e7e5410ef57e3d890adf9f4dcedbff827f0f1c3abe5f533bc8917

SHA512
5ac75f71cc0521d576e9a41195781196c96147aefb85e96465a713db7f652ec3aae765ef57f539b5732606af7459f0dc8d3054a537d58a7a06ab2ca3c8a3a85c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
21fab18a6065638ec0640194bbdd5dc6

SHA1
b32a4e902e875377ce7142c78499a16dd2aefbb9

SHA256
1e41e3e253e2a743ab0d0d3460a1154d6a82f19edca364fda3acf5a7c0f3fc2b

SHA512
d6e2187e9bcb526349c083b7742a8859fda899046a94da21bcb7c167482a35a364362313cbeebf75039e79b846b56c11d8381e59a28c6c976eea96767ee609cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
9285a0bb68c66dfe68c186511e0ede16

SHA1
8815b831dacae42bcb85ed1524347884645bfa17

SHA256
389797b07b23b9656bfc94f97ad7ce2109e3522555be1482a16f07b72c65fed4

SHA512
d0da91f7ec003c88388201dd299fd10e4532c70cf67527a40746c8bdfeda75fa9a1d35992410b897668e0ebe6eb92cd7f7449cec3bc485e9ddb22d8b43bd595c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
a3763379b704c54c5382142a0cc65af0

SHA1
abf927b020d90d53b3009c9e5dd0ff68e947aaaa

SHA256
4a5af9a6a7a2b4a0e1144ad3b04899f3a657b194ef1aa16ad0c08d434583363e

SHA512
ba31f97a9b26582b727f19d5e10d71226b022b23f773f956130d9f04aaa858378828f8ca6ed95743a8be432a557e15e083deb78ab5e6cd5657ceaab4dda51fb8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
abd0905a7f02427d1983b569a7261381

SHA1
002779ad1cc6c5a26124b585a022d62b750d121d

SHA256
d7330f5d027b956edddad656e67624f5df16599d4f73c2fe961ca292ca5ad00d

SHA512
d45dba8de57fc70e179efb6d95f074e515c0cc3346d30e65d33b2b12ee4b501a490887df525541f2c5d806d269bbdb9df3e57be4043bb693ac0c15696a22e426

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
bee1953555e71d1b5ca1f4dbd99f9c97

SHA1
ffbd4a514f8e78d094bad1c43aca56105e73eaff

SHA256
0de976cf6e600a4b16809547352222524811b3b0a5aa1c5aab0a2f09aeda8e42

SHA512
0206a1f7e5560e07d5f45a218ba98b8f348a598b6e0061b422655acb0407b0f507eadb5ba7123cb1c7dad27d244771c998fea7a6fc1ebc737738f8f5703a7aa1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
8e622f50dcc565c9937419215474c97d

SHA1
466d7c8bae46a556f5bf9a958d938261b4a6a15b

SHA256
fefe06a77b7e73d57ea16399bc59bd10740984fcb75dd54669b73afb5b557d65

SHA512
516eda6430a465f49376d198f23d88790bc0966df9208068756165b70afc6df798cbe7053ccf68fbf9b5f6ecee901dd83220b2b739f1cef44a54ee3025d88569

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
b4063bc54f0bc6fea1f6880e6e62e176

SHA1
6ced616b9ba09db0b3fae40cc5afc57dd47a67bd

SHA256
28a2853e7cd0ab6a595dd7b65eb74a523c3f07f7e7696e08a26357e396ea2d30

SHA512
65f78f8facf75e40983aa1ce037435e233b8e4700d0bebda86e0d6e7f89149787b58d1ba9c8d5706492e4e0d214a680f36ed63412e73ae606b346f0046aa01f7

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
df7da71116e0397fb79f57e1b8e332b8

SHA1
5b53a50b6fdb9a985d7e57740a4e0195880dd659

SHA256
779973817f2c1857ab76cf4e2bdc5b62b9ddfcb461fa0cc20604287c62f15237

SHA512
9db0943569e050f581b583f09c179ad8a62a746a695cd8645ad0047eac88ae3e3aca2846f6cb4acf7dbe84a4441234bcf924fec01ef6f5c144977a0c66359ebf

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
d4ee902f2c8553ec6bab1218bd10ed95

SHA1
f5f20f0a5eae92cd73bf1cfe4bf8ae0b8788b4ff

SHA256
b50a365c781ee9cf8ac43e1a263553d53f5b5de659e8e7bdc4072d91d1f4e521

SHA512
42d6e5aa68826624bbf892d5cb685313b350768ae00f7443e2a0b421ab88a33de7e7690b8757ca8eb6690dc71132f86a38af2f4f5102e3108efb596c7dd71e13

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
480f3a8ba4b1257d9389fad71a84d8cb

SHA1
8d252ddd5e963e8cf891a4fad2f054f4ededd77d

SHA256
b4bee6a4e00df2f431c86ab02d52aec9fd3e6edd993beb9d6a30f64a1c666963

SHA512
3547e92189d56e452561ffc1e373bbe1339b05552082a9d4376d0dfb74509fdd753f783dc8a0fd12d58a4821fb562ddbfd3496a0a5f03e10023fb920549d145d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
eb3c6231ce77e434162fc92af7e15dc1

SHA1
77751dd9b7b0d6d3ba12fcc5519833345cf9c288

SHA256
151df581e1d06b782e31759b1027e9f1b933391ac85250edb1067c2aad7cfbcf

SHA512
a68e35fd14879c754e4aeef90e09fc29a9c8af96c3966fee905e02ceaf66be16222cd28506a34b1caa44b8ec31ddf75b9e04ee7ee9445f67837dbbafe1c876aa

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
e0a75668e4b646d84b19b2686ee10b44

SHA1
4c38006536bfa491abf92a8d8c44c49436ec790f

SHA256
b4737f94bc22fba04252314a838ed94745a44d4305db43e1ee21e1eb9d0d3bca

SHA512
a62d531ee8e4f079c1904f5375f4eb0fc376877c5562327b42348baf4dec46795eda28059b48beb06f161996be8192e9a508028feb77f2be74739a8f453948cb

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
a464da9cb60633585d2a37129cbdceb3

SHA1
f87eaa7b440ac2f5b9748aed2432e6232443cd6f

SHA256
75351d7496bfb8be29bde691eea67393c4be05d88cda46c5eb4b8f79a742d08a

SHA512
ac5724de9cf8966615618ee45c327406f69faa5782b6455b39fa754fd8dfcb0b477a401981e29a09fb5c0f635a1e938a47e593c904b21c7052031a3af65d892c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
ca405f9015f42ced67a4ae57d8ec863f

SHA1
f77eef7a452bc1e0227d181226eabc3b9941b59d

SHA256
cb7566bc324eeab8be58ceb093d29971946ab6565d74170107127cb7014db5d8

SHA512
93a21826d49195266ab09b36d55e709f414191ac9847d920c554592464bb1a5502b2c5d930a615c773f8df5603ebf1fc8efcb4afadda9a27cadab4f7ce5b4aa4

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
2ac2c68e802e97fe4f4aa2ee31dcd368

SHA1
89ae8568283325b3470fe1e629deb8ed9ce86ea3

SHA256
b95db9bf7ed4e3c9cc1dc4cca15e965895c3f45765f274e71cc990d87af190fc

SHA512
adc5bac1371caed6f6754544023fbf18e8e158d041fdffbaefb7d8ead64ea7a258751ca324a17b5bf72fd440f592c284bd921e96749fffb366306c81539305c4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3567731e75416a88f7dbdfc2ff442c47

SHA1
6314d289a9224577448e0b928b5b65425a16cefc

SHA256
a06a8805dea72193d895a5e8fca4359ceee15c56bbce8605d0d1171af4ca42d6

SHA512
e0103e7a068aaa781971fd7db7292510480116ab59dedbc548e8a78f1eab31e414f2609ed117bdf48d6cc2c2659e9021491153b713ffc4443c760c0153b8bcc5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a62d14997733734594eb438ece8ac0e0

SHA1
11dee15c48819f2e3f13340b8f6dc490b779796c

SHA256
bb30685b6d0f0707495a2cfe3665f678868228cef299b07beb1df3461af9233b

SHA512
3bc8ba22aad37df064e3ae414949a2fa910f2fc95878c6fc2b4ed9533164977a914b03690723cc80d231263e233c989b202e44c3cdf225794445b9a09a8999a0

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
b6bc6a09b37cf13d76d3a0d7ae3334ba

SHA1
293a58f22f3d95674a7789d31e30111f24ff0339

SHA256
e13d3287d5f5e2cb046e37f03c9b07e5862926432d859bd615444a318c2e3bb2

SHA512
ba337bc6147658712d1da809e70faedf857a48b2b412f98aee6c95f260a2b398c058d9ed8e4848512cd552c0be9a72de5b3e968309465faacd87075ff849928c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
16fda16b71d994ecb3f7ce6f79f9e59b

SHA1
a59f5d553e49ea130a9ea0141d9104c0210534f3

SHA256
ac7f1e798beaaaaf4ef0796a8a148123013d430f5ae7510c0074324b25c160bf

SHA512
e5b4eadbf82c8d35c44269e0e6d3213a43bb8b345d93400ac92cfb62cdc614f6ecb8eb0808367d4371ecab2cadff7742c89b4705ad972b2beff0ed1acdb82f01

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
adcfdf2c527dc3bcede0b3994b1b0b40

SHA1
c9d0e958f991cb3e83b38e1756dcc888adfbe384

SHA256
4dbec608cd2fbbd435a60e1d857a4fa151e6a0de38a65bd5597c8b20e399148d

SHA512
e04a3eb1718cdd307516c138a0d1b23e5e7a0263227eaa47c39ff9d39ee43eef02404aa59f2cc7ce81ca17b434c94445bae0e8d5b61f1d7d7ef2a8e7646937fd

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
4979a359e966a88a9131ce44bd904946

SHA1
f288c969724504150f13324686e36149f3313e58

SHA256
204862a8bafa384ed7aa527078a6966866e18043c0db90d85e170365fa79d324

SHA512
99dc41f99b4dbf4434e4f438b95457a3c69029d146fd519a215655e92d729d43055b48dad170b3ea90959844c3765c947a00562ff6886e863408209fda91fcfb

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
b4da5160efef595608928132b6ad0fff

SHA1
f486467c455528f63ef2d96431f5f30091b6205c

SHA256
9e5d2396f8c948a908bd27eba728e2eff457311de2b4805d91e5f60fcd0661f8

SHA512
3c651fa7bf5732fe2593f063440cf5219988a395607abc2ad9c0830d8c75460c3aff1b85ad0b914b31441db91d41c9960d88fea82d266bb0e18327b74b566fd1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
2938e482259be9071a8ab898c47cf255

SHA1
bbabd7349b1b586c6ca98f94529ae5527659fdc6

SHA256
32381b05f12c09354d89ae60dfdbda9b013a2aad60cf65220563589c901b1a2c

SHA512
cf448a4fe86a9479fd31204750f724764fe831f1f4104ae0278890cb958b44a2d444897472dcee1f984d58ca43b972b2e63a5b7ef75fd2ed99fd5ef71db060ee

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
7af57a5f6a11159deec1baf3f35552d4

SHA1
f406aaabd53ef650d291cfe75bfc71788ef81b2f

SHA256
2622f28727ef7d6ffb93486bd1a063e4e1d41442785b9f19f6094ab9c5fac49d

SHA512
a1090d54e87d571b61bdad3110b59e67eb4d1937f3ce95e5dea46b6dc71bb6fea2bbb2a9ad2afd4bf7e2f30b9c5cd91154283f0cf1ae327e738f4d1b4ab05335

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d8c47055376847869959630d9ee3fbf6

SHA1
cd40e684421afd71fec27db102b7f4a65c292b05

SHA256
aba2d41d9c530f2588e977b93ae005de4bc3cf9791764c7cb66c99b3037d7c40

SHA512
a680f008703f04fec6cbcf54c888a73e1d29a59a3c4cfc5ce0d0b3f2d4038845c8ebd39c1302946e85cd831efd4e58c1721386eb38c1c6dfa0cc895825b9db7b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
219f3e0d7528818259e51b75cc277e8b

SHA1
690f87045b95cbb9477d35e98c4eae349bd13274

SHA256
5e83f2f1d2880d686e6a55996bef66062235680820ecc364c7d55a73b3658d76

SHA512
f2db576b15cec8da471c414c2c5c1de2aefb6f2a5776ff2b1ae15815449b425bc66726cc8b6f9bf758deee5e4211da563f5b495cd1c6533811d93a0fc68ad793

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
f12f7397206b6b8a130c98d0d1b6bf57

SHA1
0714d4f9693b3a0fafd2827e7140cf7d64d577bf

SHA256
4dabf1674c05bf9544b21fbcb128e14fa30cedf7169a83db5f032ff3f5201dde

SHA512
dd92dafe0ae42db96f2e4c6d2297b085cda1d219b55fb41c4919001d174e679cab5ae79d7bbf7bbf2ad33839e1e15d384ca64da784d495e8e7e3c71f237f5452

Download Submit
memory/220-9-0x0000000001F70000-0x0000000001FD0000-memory.dmp

Filesize
384KB

Download
memory/220-6-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/220-33-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/220-1-0x0000000001F70000-0x0000000001FD0000-memory.dmp

Filesize
384KB

Download
memory/684-291-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1172-259-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1172-260-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/1172-327-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1172-266-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/1840-340-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1840-514-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1840-286-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2060-517-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2060-316-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2836-72-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2836-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2836-68-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2836-62-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2836-61-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2940-520-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2940-324-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2968-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2968-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3244-331-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3244-273-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3244-274-0x0000000000680000-0x00000000006E7000-memory.dmp

Filesize
412KB

Download
memory/3312-323-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3312-255-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3340-515-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3340-293-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3548-248-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3548-56-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3548-58-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3548-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3844-335-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3844-283-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4004-247-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4004-38-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4004-46-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4004-44-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4048-332-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4048-522-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4060-525-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4060-341-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4112-336-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4112-523-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4332-76-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4332-82-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4332-84-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4332-249-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4572-24-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4572-244-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4572-17-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4572-25-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4572-23-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4592-521-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4592-328-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4932-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4932-243-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4940-319-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4940-321-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4960-516-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4960-305-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download