49b18bb111b67b8c1e70bae04c0710e7c9a04da46ac5c68dfcaf9004ec00b8b6

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-17_8cf4fdc9cdb299ea5d24b7ff89b85ca2_ryuk.exe
Size

2.2MB
MD5

8cf4fdc9cdb299ea5d24b7ff89b85ca2
SHA1

842f5256a281f28eb9e01c80f7536092d60ebf0b
SHA256

49b18bb111b67b8c1e70bae04c0710e7c9a04da46ac5c68dfcaf9004ec00b8b6
SHA512

ce4f279d360ee04377b25515d4f1f1aa5708ced1c20c429d8c1ff75048ab40ae52c88091913b47bb2b4eb0885d937ee2f8caf7e2c71ed15dc553f6f94df4c58b
SSDEEP

24576:cOObVw4TaN1wdkukCba4oXtgLhU3wEdmh58pW+vxWJq0Q7QqtWLjXTqM:cOOh3aN4kuLbegmtGb+pWAV7QqejX

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3168	alg.exe
4448	DiagnosticsHub.StandardCollector.Service.exe
332	elevation_service.exe
4220	fxssvc.exe
5024	elevation_service.exe
4892	maintenanceservice.exe
1508	OSE.EXE
2684	msdtc.exe
452	PerceptionSimulationService.exe
4028	perfhost.exe
4848	locator.exe
748	SensorDataService.exe
4552	snmptrap.exe
4308	spectrum.exe
4532	ssh-agent.exe
4592	TieringEngineService.exe
1028	AgentService.exe
4792	vds.exe
4664	vssvc.exe
3868	wbengine.exe
2192	WmiApSrv.exe
1084	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-05-17_8cf4fdc9cdb299ea5d24b7ff89b85ca2_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b7c8ac79c3a5208d.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-17_8cf4fdc9cdb299ea5d24b7ff89b85ca2_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-17_8cf4fdc9cdb299ea5d24b7ff89b85ca2_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-17_8cf4fdc9cdb299ea5d24b7ff89b85ca2_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-17_8cf4fdc9cdb299ea5d24b7ff89b85ca2_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c27a65304ea8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a6d9a5304ea8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a72a76304ea8da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ccb47f304ea8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006db1bd304ea8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000d8bb6304ea8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000041db86304ea8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4448	DiagnosticsHub.StandardCollector.Service.exe
4448	DiagnosticsHub.StandardCollector.Service.exe
4448	DiagnosticsHub.StandardCollector.Service.exe
4448	DiagnosticsHub.StandardCollector.Service.exe
4448	DiagnosticsHub.StandardCollector.Service.exe
4448	DiagnosticsHub.StandardCollector.Service.exe
4448	DiagnosticsHub.StandardCollector.Service.exe
332	elevation_service.exe
332	elevation_service.exe
332	elevation_service.exe
332	elevation_service.exe
332	elevation_service.exe
332	elevation_service.exe
332	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4740	2024-05-17_8cf4fdc9cdb299ea5d24b7ff89b85ca2_ryuk.exe
Token: SeAuditPrivilege	4220	fxssvc.exe
Token: SeDebugPrivilege	4448	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	332	elevation_service.exe
Token: SeRestorePrivilege	4592	TieringEngineService.exe
Token: SeManageVolumePrivilege	4592	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1028	AgentService.exe
Token: SeBackupPrivilege	4664	vssvc.exe
Token: SeRestorePrivilege	4664	vssvc.exe
Token: SeAuditPrivilege	4664	vssvc.exe
Token: SeBackupPrivilege	3868	wbengine.exe
Token: SeRestorePrivilege	3868	wbengine.exe
Token: SeSecurityPrivilege	3868	wbengine.exe
Token: 33	1084	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1084	SearchIndexer.exe
Token: SeDebugPrivilege	332	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 4420	1084	SearchIndexer.exe	135
PID 1084 wrote to memory of 4420	1084	SearchIndexer.exe	135
PID 1084 wrote to memory of 4156	1084	SearchIndexer.exe	136
PID 1084 wrote to memory of 4156	1084	SearchIndexer.exe	136

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-17_8cf4fdc9cdb299ea5d24b7ff89b85ca2_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-17_8cf4fdc9cdb299ea5d24b7ff89b85ca2_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3168

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3728

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:332

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5024

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4892

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4292,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=4572 /prefetch:8
1⤵
PID:1256

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
PID:2684

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:452

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4028

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4848

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:748

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4552

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4308

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:372

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4792

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3868

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2192

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4420
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
bda8350cf1987c7e9ced106e28fcdf63

SHA1
2365a79e94366b19aea0c76fa02e699f4e5f38d9

SHA256
747cfc03d564b7c2bf51841848751e246cb1812fb49fa9c918332b3f2e2edbbe

SHA512
c31a482c9a4107eb468f807ee0f6a10118714b5fe29eb38d48bbd8ac5d48ad324caee0e8347432ac7050ebebd0419b6c0e7ebfcfc7fa79ddd1a104dceb405c66

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
e741bba9b44a14bfe4fb6578b17281c2

SHA1
528febcad8f8829512e314d59f857c14d2b804f0

SHA256
f3fe90040ce78a90e1c46ef90a2c4cfe01cd40dda8730b8332aebe36e2bb3192

SHA512
f86eae3b6ea65a0ec035af5ed0984a99346b10a53307a07210cb22b2a6cc26f2e96b444da6580099edeb14da4f2cbfa70671995da87a6a6e200ef2c3393b51d4

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
cb40004ca7777595b089f9a4e0da75ef

SHA1
a527cf18b23ed79cacca7e1b16f9e3b262a0be7e

SHA256
b1ebce52ca9c12226eddae254ac44eef890e7e32aeb685bc703b275a2232fc40

SHA512
6b9f87b64138b092f3d80e2b7fe42c24f8d53d6205e88e3d85b3dd85081ca046658eef0c86e8283e590b478f3a2df0a06023fd111743f84049a6e89c227bd963

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c5e85d47372a216b9637c80e58933d1f

SHA1
0dd2851aea0f15fdf53ec81c7c93ba84aee7e4f3

SHA256
1abc20c7f8f0ca0db6e246e6bc2d60cdc975fe7effa25cd23939b4cea12d2253

SHA512
4fbfb72d1da2ca8f80076ca20bdf8db40cd271f15c12e2aadfa4370040ff28bb80a4a1e96752c020e9c7ccbcc7a560865efed7e6bcec2cab5f538e963ec33859

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4bc8147a62b28a99f166499505d57462

SHA1
f3a38d450a51eddd6d7f4f28bdfbfc82e3fb905c

SHA256
c6b1f6934997f0ff9f60e6fb55431743232a6f27f03519553ab704a1cc41fafa

SHA512
1caf3f34f83af24df3d24458cfef227ed83dbce936d90597add016f1dad85adfef157f64f470be452346fa921daa0f0419035f9ac0c855d6238649758d4a1c29

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
7dc9cc6e928aee01cb83c0c90c62b96f

SHA1
7da0f07e129e86ffd3bc7e10decfbe76877df2c0

SHA256
28afcd068401b3fed9c56028fc8d3747132d2cb2d3dca423331f7db2d1bedc46

SHA512
86d2d528d5e5cb85bed93f52b5a4103e9674fe02ab59245f88ee58c16d8351f0fbaabd170f071605ae563dd5f69d543f690e17efe924d036a6b7a326f0b833d9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
6353bc90a37957afa0ce884717c68670

SHA1
4f2a76a04e9bebabcad553515b1ea6f924719d52

SHA256
76d8427e6245eb0d3a081ed8a8f9c811ef0d62cc0bdcef85e723e7a889e472d2

SHA512
7d1ed8092ad82795d3c47a95bd4ec095aa19b3dd3f1c08aa8b6601d834ff2e42d125dfb6e97f3e3fcec8b9970b6fcba1ff517bdb21fa9c2aa4b86aeb0514d9b5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
abb694fbc079204375773fc7d3a346e8

SHA1
3031247ab8d6a5b53641bee7ce92713b3df29626

SHA256
e56b043e55e3477fa512c78b090dcdba78de3fcf145d5a40c0e2a4b2c9340786

SHA512
0161a156d1df42ede5f3a55fd67abace565f2ce1c2d64619251ca146818cec4a84f8a9adc4b1e5421bbede98a343dcd643e835b8780e0f212a9de9445469ba74

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
f0925f01ef05fdf560230c6575d2b67c

SHA1
ea4412f2ee2fce855a08b539f90c6434fa51132e

SHA256
4cb168339554e09b4c8bcedb9352a71506cfb4a0d5869678bd37595d62d50a14

SHA512
2922db018399a7f4164088a50ee1ffe62d03a71898a392b51bb93c3c6091623e7236417463769ef8c9c053e5056533ba86c3a885a7bb54f7f583a91604cfbaba

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
2b3fe7544e0eddabbf7100e78138b542

SHA1
c8cacac09a1bffc70d3983448629f2bc7952da6a

SHA256
2c589cc40f8d669d7255054b53c118e359cded255687a4b2f17dc56a3f827d37

SHA512
d5f24299af0ad98f6fce0938973df61565bddf7a15fcc2352304b6eceb87f550d69dbcfebdfb9175831e9cbbff9eb92a6ce2528fc1ca68ddf57d09799a6bce30

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c58cb76d33996198e92ffa819badcc1c

SHA1
40a83288f7f338920d291057ffa49b85dcdb560f

SHA256
03efe2259b24c99ba9e43ec5f470e7b4ad7e7a922a2bdbd627952faf9f03e918

SHA512
6ae549a1b2fddf62cdb05b1a2ce419f95bb55f2822fc0b0553d7b26ffb97e6d864f04b15eb7b3bc4dfb6e113c6dcf1fa0ae2fcb9127527ab61b88176ca3455c2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a0d5d39de2e85830a097b4f4a04c7cbc

SHA1
eb144b289ad35a061e8764ebf0744f1431671487

SHA256
78b034075e303a4c53d0f1101ab24e8259f5da788e15278a62bc03f83bdbd3d7

SHA512
6d33aa164acc62212c22cb5a820bf0c975700d9a1b5c5ea10afae44f2473ee6af91df187ccb3bba41407cb46a9b332e6ec9c8edbb6e52c42d4f216d2cc67da19

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
5a15ee151045183136fdfd0a93d6de39

SHA1
769b77c8416dec2768fd001a3ff34ae0c58b8c13

SHA256
fea0ad470942fd13a1c82326b6ccf8934bdf2972b31d47b6bf0165b930bf85ca

SHA512
0d8245d417568cfb9f763bad0add4018a99ce0c0c7dea3d3680cd9e5b2a7f780677c0d97b98c8068d26d972fea26273e3794d48e4b658b6cbd5f065fc6820e7c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
3c3e1f2fec0d812617e4d6e1c5789531

SHA1
44245dc442a44dbff2354d4f10c52aacc013f13d

SHA256
881b44f0a5cc796ee9234bd915c85c9d353b98d6c3883e5d7cccba029b2f1d61

SHA512
ea4ff6b1a483c0b04813043b9ba4e4592f08094e22bef4275e231bd9d82503fae362da8b4311faaa3d3e9e1d6505950afd5158a24fc8c6c30d7bd76a00687346

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
6ac6f063ad73f37a7bde734f2b79c19c

SHA1
3b8399d81359be92e194f3f660ff931644ca694c

SHA256
4af543c15a24c5bf96b7e6e54fccf0885ea4c1491320d0694bdba70e590a2f62

SHA512
b5fee079d64f054b19e086dbf62b3c7c5e318719bc8c00c6b1ccd8189fd3144b569e76ab7dcd9cf67daa3f58d4f2a3033d00798238749e70266831bc975faa57

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
94314d742b9620331ba544f89c661e3b

SHA1
b2f42131d13fb476944e68806d76e3b60f2d5db0

SHA256
d6b69410335b30a0a5ac2d6401f78781a6909303c21477c23310927ba60e82c7

SHA512
3e2fd7e43c5237af26c3e5d455481b2af78bea262f88d8733d661548eac7ad9fa87bd539d133297cc0743c4a3538897ebd4b60255f215ed163af6e93715d53db

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
2e858f141813f90426e29e000ff23337

SHA1
7bc9e8c049ee4babaa48d7a910db7e3508316b48

SHA256
44950ed4351238dce5f80fe141a3834407eb8d06bf1761498589bd3b2cbc4f6f

SHA512
9f04a58a43622021edd23978c5f44497804d7b7c618ccab313e4d8dc57725e73048adb846220fdb9a0bcef9ef39b61a2278b337f78d5f9ac4f39eb4b3559398f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
5223b1560c4c6c5d09c8c5313c53c651

SHA1
4740b6a260d8a19a075e2a78a953c6715ea509e2

SHA256
6c0c897b5cff1edcbb99b2fc8db8f107f01229d75dd84f294f82772d3e64e743

SHA512
b9561020dc5e706e06251ab3d3b5de7409b00ade383e656b54d83deb1883d6ebbc60c19344e91d592109657f7ad639c9779f13fefaeecac29b348d98a3cdf026

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
a82fa4adaf226abfb14e2d56cab911f5

SHA1
a96b317cc87e180fca2571e2744be0208d3eb1f4

SHA256
70d6377bb891b4e86d8fd2e931574508a561f2ebe5823cd2b32d78c829684621

SHA512
6017a7be98f343951686e7a5847446c0516eac67712a666c94b0407ee2c27c0319e92a2fce791a85679777b89aa80c49f4f90eef03deb4fdd2659844d87a3e38

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
861160d31422bf1d67acc13e7acd86e4

SHA1
67de583f3a208ba30b73d0904327921da8a15982

SHA256
7bc790066e1c01ba904ec24015ef0ebc3558ac9a31027c982870cb5cd2fecbe5

SHA512
f9153298cfcb5ff5600ac577c50e783e4425f504ab68d3eecd09df5815ffb5b2b7be8f1d4a35d5517f8d54d9a0b60bc647b5746b7c7b51d324647eff37b15a82

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
96163fc65f69758fdd035dc42a23fb4d

SHA1
7e1889ea865ef22a6d98f0d5532e7622d1ea1384

SHA256
d4dacc30f2d5c4df444886b1792ab8c481de620d03c5d5b609dd494ff9aa2fde

SHA512
8ad7944eb95e04ae04a1fcf82ca2f30d19a3281d16868c4cc78f164cdfae83fff3a5c41ee90200fc5d48c0104cf850145944e7184281032546c13db58df5bccb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
ee26a4006c56726aa32d24f00db2ba60

SHA1
08288ba16c05d7de5dbd29867bad38332b83b63a

SHA256
2f9f4d486665ee035481f2cce17822c2567d87494e01c3ef358e6c5c44da80fa

SHA512
5bbd21517221d8fd27b5efff6142371120adb4815cf7b5e52c0a044ec9d12a2b966fb9f98bdcf834db0b40db4315ce11bc76c507cd6246dc0b5b8aa5c0173ca8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
5ef1cd22961b2c2e6a2ff5d156e18dbc

SHA1
abbde534d8e7dd7d0f956e7ebaf9fb8262bc4b1a

SHA256
e950804e90410778a4093f96218f11e67668e60c7fe3fea24b0db88c2db97965

SHA512
8b106fe5904a452210be81d7583c74e101c4cc4a3e359fd9dbe98660ea41d088d07ee101a05e8994a395a53822561b75ccaf9ee550eb37ccc3cf9e7ba0c7cef9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
733b2446683f893206ae1a2431521bb6

SHA1
c29c3110133534d45f63f89ba88e07559a370734

SHA256
e310625a258b734b07584db224a5d6b44b17b3e5ce96691d8506741a5fb6db96

SHA512
debd1ebf430015fba478acf9afbc92967381d05d1e240a2f123b2bd1d4a1b7055bc996866779faac1aa6b1747c25314c1082a5868c8ad468ebfb20f17bd4515a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
a5afa9d99bfdcef8386c0b8f9c45d7d6

SHA1
46691de2245b4b558be83e38d40f6b31a0327218

SHA256
134fea8ebe78fb3cabfdbd873257e8e601ac4059aa786868e7ec4251018dce46

SHA512
11370413c9e5dad4648723f231801a921248f6abdd268927e0b8e9ef76e856df9bbc4da1e9ba9c687def72e612ab6b2727c273b770952b9a73f77d38ede8dced

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
f1589aca569c5692d9ff5450616fb456

SHA1
3dd1f028ab551fa8dbaca99614379f6c4c2252ce

SHA256
d3c5fc8c5bee5f82b1cc23b7c90c5df613af1c6ef45dae30cabc42cc8d57bf6d

SHA512
b17702aef9ac3bc26ec6ef315f5fcae028f38e8cc7821f8a2c025d868aedae4cd43526926ecaff07dff1654bf27c1795cd02e2b14aafc98769a35e054ab5227e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
1379f2a2fbf9ee0d5fa40d251e305348

SHA1
72f86d95bfa7dfc132af929bbabaa4e9f8629e02

SHA256
034517382a7b9da5407340770e813f6bff931dbd9224f7524698a601b3a5506a

SHA512
af1bc6f506e9b8763a87aae669c2a1d575fbf4675d518684f6bd20bfdb7ec3e0a52a82d08f29d1e4c234b35d895a89951c2d3c046b1338ff558fddf3e53cf151

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
35fb7d1fb0637ae649040c4c7d02ac99

SHA1
4052f81e5a5a44d242e0a47e3a881a4996112827

SHA256
fc6419c6bc768d2f65e1cfcf5183e1744087c9fdf86806d7907b74973ae48720

SHA512
49570fcdfa7b4f42e2c8d71e2d6c2689e804d90b60456fb54861586c56ffb84756c4f26e49f3bf92c99c8e67872440e6e142d41014f6bd7bf9aa4a70d3096314

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
8d3d3978614f025f7605af844dd15bcc

SHA1
4a3393d43ac8289cc91487b75fdc688964f59545

SHA256
ab7f2cda7182c780327efb729425bacde013daab04b84cf60116735fe8a70172

SHA512
465e2344335b1ccf865f0dfd636a6f344c0efd0793500fd551a50a5e37d7b0836f321613c434429d487fa624cef90cddaf22d43088dae31029e437a16ecc0073

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
68c9e55e31e134ea1580f2b4a0a38055

SHA1
68347642a2f492a7997c7787bd29bade88ee6906

SHA256
a3a97eaff80bea5ba31ee2e098e039ade2151ec4deac3a4f83cca82963bc1980

SHA512
347cba249c1a25c5f47423fb340f9c2df40c777d64b2be52e9f7621e54a8b094b8913dc23d35a01cecb59be57e991e0d60a822396017428bcefbebff62ce9de8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
7698cf8be0625aac2d985a0e43276ece

SHA1
a44d3cbc3658ff936b90393980280846c67c97de

SHA256
29955586b533b4d10e40082ac7ac6c7495664596716a15a3e21846f63545f17a

SHA512
5bb2b5a34dcf3b2271a8a0fcc4d7e9cc3f4b69181e092f9430b32011fdff67db60bf8c6403c4b9282b49e170c8e650bcdf99639a979da8caef195be756396ca9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
39b9012a93c878e841b1cd586400777a

SHA1
e894969a94ec4e63ffb4fdaabc5556337bebd10c

SHA256
37ce8b5b0d2f5497f08eb413cb82808667f19db8edb20d23192beb5578a22f51

SHA512
6317a9c1fb6ce09cee5fa91c0553ffcf81ece4fe0b65fc6c119c825b3eaad2852c1edb2e04ce92550b107aa408bb2592b03f7bee5829151d182704a1237513d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
084937d4cb8816602160703b1a0dd14d

SHA1
db5d44ff9bad66d45749e89fca83d5a2e9abfafd

SHA256
e2fc6a0074dc26a4344d27eaf2b7cecad9a4ca3ecd7000fbb8739dc5f565f8af

SHA512
6ad4e9f98fb65a81607a90f98c9c754f8d63312b6d103091bf20edadece6779deaa4ece7a5ed10990e5412dda49f6e526cbf21bfb0e73e77da4a541b069b22ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
c3abb00e0c4fa46ee6af648804f360d2

SHA1
c4f7b1dbd87f5bd0f3383925f71d03b0d2d0c305

SHA256
c8940ffc700b7bf3edde83174d92b3b8d6285cf7b456e7217a08d86baf0752d0

SHA512
d3567c06806896c78e2a7e8ceea56336fca0671ec7a8764c8aa1354fdec38b9c67b5a6ec4f8757ffac21bc929451ec78d4f8e845bf91c9a353d6cdfefa867490

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
6d1cc94e4cf1aac1ac9ec5ca19ec089c

SHA1
0878426edf14509104784774a29f8fdbe2623f1a

SHA256
c14293f7f8175e16f6832868a8235eac0f076ca07504a2a0eb306531f5140ace

SHA512
c54d0d9ffa20a04977ffafe2691a0394560e34e2e9a11c30ae36805ddd221fb2ea51f6d15eb09e7570fc134bd978bfe18db36142270a60af026ba79e247a54d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
e2a9c772512df7a902d811f890ff8cfa

SHA1
34abfbf1f65fa13e5e8d81b461f4d921e0c58e8c

SHA256
3fac0a64425eee5a86e869d41033bbb1dabfae303ed1b4e76a5154572a5fc711

SHA512
e577f92af2efb88825135de5555464d5830a0eb9c37f725877549c12079ba6225c53c92ae15c516d20a17cb7ac22ae3e85c2bea5f429b5c128e1ffba3c49a249

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
d8243e1071f5233ad0a8e2dcac639ba2

SHA1
4640fb0cf5648a0be549933a28c7bc8909263feb

SHA256
9e48bb835009449122695d58b505e75b1c572a4086621c245e21fdb633dfcdcc

SHA512
3f3ada2416576487bb982e36a0d0729b0309dd7c4b2d4abd470a93d62b57cae952640fb6e0b593f6e4f20ebb5211ec1495b02a51670fe07007b1cc1d49524812

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
385d5a6f2388869e5dcf0345c59c5327

SHA1
82eb8ff537f4ffd56ae71c9be441bf798d0b829e

SHA256
ee98adf561994846abbccfc04f5bd02a3aa576668efefaf185c0e147ae673fe2

SHA512
3e0d5b7b7d5e6143564c643ccfa19e85bed7706d54434d120acde1a1ec24d58762820e08510908c3ca9369f075f16bfe38b577c4737d34ec635f4dd985acf57b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
55007d6e1a4cd2c95b02b37751350516

SHA1
c1f55bafe47ad83bdf27e4d8bc8fb0abe1114261

SHA256
81a92626da5d3fb97df4dfffa9db5d505fabd742700df29a9c95aadd4116611a

SHA512
6b2db37ce428b06eb82e610d9720bbca5d3d0dd20dbb4867de12ce56d411723dc7ce5d02fbdeccf46b88972f3a65168aa8cb84f7aabb8adeae2dd847e7a3f1bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
fad26ca18099a1218408e219bab9e282

SHA1
fdcb84428d6cd9f6c587ffb4743c157146be0066

SHA256
68029feec043453e858fc12657ee24258271fd9f315a8ead95a951926a71ce31

SHA512
dd2ec9738f0f0c91c25355f98a074fba940d3b07c86d3e4a1f7d376d908fab49556425c7e21ca99794f587b023e07179062e9020c38ed594548a44ab46c7840c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
1b390cd5a1163d41f77a29cb95434df4

SHA1
7b6dfe0b12e0ec21bf7030138f95cd3fe2d57d72

SHA256
85ce6f4d65d49a4057ccecd326bb28d2addae6a9bf6180780627027118859aec

SHA512
b23251091dac0e9563b5ca3587d2e8b73acb31d20462ed95d6686806ac30053fd302138ed20ac59b7c2fcf45a3bb6d201e757732b31699b2bc7dc52b98d7c03d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
fb2c1f128bb8e68c587dbb70a8dc8480

SHA1
dfb72d104ac7d0811395e21121b5fa27e5f2c07d

SHA256
2a3b1ef1768bae8b479476c0735df6e54b32600b7de84f55ceb339f49e625396

SHA512
6d1c89231dfbb984000d5ee5bd4e3af95c9987d35c92cfb2e34080c5b9761951e640ce9064b0f403dcdbf812d73efb68e60435ca6b1f33d8957a216b0878f421

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
e58a23b3707b6a5e87d844f6c3232bd5

SHA1
28fd91bfb1e0c06ef45ad7ae20cb34e237903c10

SHA256
57e719d4c53508cef7a398951ac8f09c2891028e8f2387cb12b03cd0852e9ce4

SHA512
942b0dc51d479e8885a93fb5ba93edb4a7018c4379ea844f948396e361a8cf4d5ac179f5033de8ee941470d3a4e9738d6d5b7e716ccc5fd07e74928f56db2909

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c51a968224da595222abbe9983187e68

SHA1
c83d9ce251d98cc301a38aeaa4a687c224526245

SHA256
d245197b0ee45d82495f5bba6115d4676d795a8f832674d0c91aae61c8e9b64f

SHA512
75866910eb020f7573f543648184155f8ddf358271a569c91657565afe55a8c93b26d363d70c290d5067ff67cc8e52c3d5811b6c8bac7c56b7de0fd591b3a18c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
fdbcc34ee4864b2d6413fc877d0fb284

SHA1
94c4c56d781dfba92337f0cd61b138b5d45a1fec

SHA256
7d9d9399ae387ec448eb56cf38592a2bab8a3ebe40cbab91ef0e7113256cbfd8

SHA512
991c4f1c5dcbb8ac1cdd7944d242fe77aacd07cbe7a3ab61f8e02eca8fa484c38c41062bc3b5ae7ed1ca7e084b5668009c8b246869498725f766f59ed6108f28

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
ea64fe1469d53de5f93865b189babea2

SHA1
1cbb0b9af4db323a6a4dd475e8a745e861230ab8

SHA256
1caf90ee59b47cd3161bf2ca4a3c48df0a3408b124e819e1fc5b0c82364ffd98

SHA512
d4c91385d7e71889da6d6b3d44aef53a1eafd2fe81de2dbe177bcf0737f7447322d091510b7e2002b58844d5e3e03e16a950b422a6f6a4fe0d0cb1689fdd2397

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
64c30703f8fe758079dc77e1e6bfe451

SHA1
05bc14202f4ac68169992172a2d13f64fc4f4d63

SHA256
8483d696fd0a98e0393f0ee6e510dff0fdd17d80683727a8e32bf401276b326c

SHA512
033b790690bf31879d427728224fec268f9da31ec14239f4f9e77047e2c39759dfa8b0731d4e00f9259720bb86fce91878482925f100d381a87d3f219ed8e5ad

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
c32cad438adfd151be9a6a64d720683e

SHA1
7744a7412e5fd5351eeeb4f6e55025a76aaef1ff

SHA256
db49dc2581cb377440818d0a9f74878f33710ac2e2f26c1327b199f6590ae76d

SHA512
fdc614a001473f022183a3fb7940b19c5851c218e96031d887fa2505fcc58fa31811cb1f4afb18e4b4d2b48a105f933655881349fad0b883ffb50c2fecfca386

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
2e4a06fc096624326be3c92d128f2b3c

SHA1
afd416e67a985e1cb1651bc63d1add56bb3126a1

SHA256
51fbc7493d377a91186e5cb0d87a7de47e62efaef1a4413e54e49c78b51bab0c

SHA512
4f27ddf56b1cec2e3ba6dd26ac5d48ac226006809b37d6b6b073ebaad17df2c47ba777a90d54291bb18f5ea7c7bd9f10dce799b37e90a9d49ae8b2f35b77f5e4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
296aaa9d02c578fc9bbb555aee53dc45

SHA1
9d819aed60eaf31ed14494737b51064d437c6297

SHA256
306cef63341694b4e15b73ba93f2951c850f8b9710e3d634b57ae6dbb237eabd

SHA512
012d33494afeef813f33f58b552b0cb03c7a0c247b1bb077ff987b22a0a96405aca38efffce5570460350ffe8e8c30c764c3e5d3911da580a1eda3bae1e7ac9f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
79801233fad6d4b1f281cadb2ccf2d0c

SHA1
ed92ba39d472868a503e45fe05bf449abe50a3fb

SHA256
bf057a2342d07c717ed3c07947ee66cf5cb1718caa66b97ec6a2ec7ddb59e6cc

SHA512
3ae979b65e7b00cd2399d1d7fd120b0929e55baac7d69988a6716cfd57276cfa2ca8be26dd345047700f7b89425672045be99b996eb5d1b63eca71fa52c9502b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
f1cfd9f833297fd1dd5e9f8c7166f8fd

SHA1
a1a2a72a0f2959637c398193234ed7fed0940d67

SHA256
cca3133c446ed61d48e1c4cb519a943ac3adf24fd8c78699581a71e159729907

SHA512
bd09108190dd4800d5d6ad5316715f979093ffa9c4622e714e76b682464ced89f5f7dd478bd025c6367d87e1cb6be73693a12319e126c7fae7ea37780bbbc8d5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
4b29e7ca1b47617ababcd0cd957f1792

SHA1
56dd8f16b2c181fccefd9aca4a013e80d734dad1

SHA256
55e07dd3bc0f203334f1a522fab1cca648ef0f44bac1337740741cf713f3e456

SHA512
dc46da964bb040c6285c759bd122e372ccf7034cbc5553fcf19172cdc9e4181ede4b8fada9413669ed205604eaa680245bddb7ad8d41c77dc69a794b80572efb

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
bd4f20f330958d6bd740c7b600e482b7

SHA1
4340261b540018f9b388b887745b2da85e39642e

SHA256
48b383005643a7bd1e02cffe7288e247e1a7e1188963081c98b42e33fa6d365b

SHA512
f00865d545df069df9deed4d52ad613a5302854c4dd4738050d43bd98d59d39c4b4399edf53235d4ddcc0cb46a5bc15eb7cb130330fbfc2564d440e5c51d3438

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
1fb5959e0332336281e02f033e9226b3

SHA1
00bc30023be203e3e0eedab50fadb0d30145a649

SHA256
605b02d90b6591aac02276d4cb52ab4732330e044ec293b1da62178abd801bf6

SHA512
5489fd209fd7b61239adda6b72bffde9428766f4c1b9537599aba7fbdcd4cddb4a2dd7d00de6e257a37c89c77300961f07666b8323b96841223f8b6f91880784

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
87b8c2887732af9f42418c4e37ca4cb4

SHA1
1bb261b95568ef105444ec9c0206f73bbc2dafe8

SHA256
9164acd06590854452dbede11aec8befbe3ace4851e57c4eb9b2e9f3084ec7d1

SHA512
452cd43c994b0029519da9d0681c4e00b7b3a2b2155d8d24a74de152abd271e3ff9d82241be71f2651959cc77b605f2aab971e8c265612e69777a0ec71bfd451

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
d6932fbf95403c5a0c9b5b30ed41d6d4

SHA1
bad3187426e55d151ab86d6c1ad06ec939722626

SHA256
610b4f3365fc1cf3b5b36b30e000af696c2426f8ee7079782a94e35687cea851

SHA512
e85e7669e0d9169a52f7f2292b26c483af20defbbf7f9aee30ebd2a171f3f72aecb021f5a2f9fbdfbf6e9798cc03f9e290011a8a56a3f9e1378283be0ec94bdb

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
d7ed9e84b42d97a086e83c85f3e9a179

SHA1
938f2ebdf8a1ca06620a07dcc80ea9d8ff91b43b

SHA256
e96f903af5f7beb8527723559dbd34b88bbfcd859d350867f40ea55557a12e48

SHA512
c20ee06535f14e0549955687b13b999cfdc4d8c468b99a5075aee144cd531565da551e2a06b7580a9cde5a7569a4d4b4409d449b27657479b6968e8153f09228

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
2107807c0da9fc8f9a9a4b416b5c6754

SHA1
25fcfd9365577fa03508fc48647d5e2217c2af39

SHA256
9b047596f5a950c1f14bcd0802fa66effccd0f3f568501f69b0ae19169a2943c

SHA512
a415ce5b1c566e469c1bc19868750ae050aad7dffc66e5d8d60ac7a7941c68ffb679cc3581a6fd4cfd18a3546c615944b537f116d01f07541d60b4ee76057196

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
bd636db24a9bdf49cd4778265517112b

SHA1
37a3809288c0b931d89f2b874369881b521a8079

SHA256
0701186bed49aaaf9851a6e25ebb783b09bb32646de5863d67924b07673f56c4

SHA512
82c52d4ef50f0cf31de1920220794b37482ca51340e00e0025b0e338fda7b5ada050188a4f006065adc60358c6a9d2ac6a35ecb633f5ffd75d0dc304052d84e5

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
d9d61e671411dd605d0f4b47491a879f

SHA1
46d496cd2f7ef3410b04c208df7f7e911eed6a05

SHA256
19ba2ae728986a07cdb66a91b7c95977c36f4355fff58c4db56aa95ac8af55cb

SHA512
5e95bf1b4f7630bbb3b83bdf2f34022a61761f22a977a2db63d3aa22db8f3c53f7dc6c0604f8c9e47a7968deddc765fd88c6458399b8d1965d4dbaad41b8c975

Download Submit
memory/332-244-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/332-36-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/332-44-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/332-38-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/452-323-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/452-258-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/452-265-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/452-260-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/748-282-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/748-512-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/748-336-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1028-315-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1028-317-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1084-337-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1084-522-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1508-84-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1508-82-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1508-76-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1508-248-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2192-520-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2192-332-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2684-319-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2684-254-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3168-15-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3168-243-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3868-519-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3868-328-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4028-269-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4028-270-0x0000000000690000-0x00000000006F7000-memory.dmp

Filesize
412KB

Download
memory/4028-327-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4220-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4220-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4308-289-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4308-511-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4448-26-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4448-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4448-17-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4532-301-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4532-513-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4552-430-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4552-286-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4592-312-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4592-514-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4664-324-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4664-518-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4740-9-0x0000000002110000-0x0000000002170000-memory.dmp

Filesize
384KB

Download
memory/4740-34-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/4740-8-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/4740-0-0x0000000002110000-0x0000000002170000-memory.dmp

Filesize
384KB

Download
memory/4792-517-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4792-320-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4848-331-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4848-279-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4892-62-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4892-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4892-72-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4892-61-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4892-68-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/5024-247-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/5024-50-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/5024-56-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/5024-58-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download