a1404d0fed6cabf1c610437722d3a7ef0b9ef2e89c35aecee744570d92b952fb

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-04_b9ae7d55498f375cbdf5371b7bd7c897_ryuk.exe
Size

2.2MB
MD5

b9ae7d55498f375cbdf5371b7bd7c897
SHA1

be2d68e3fc680f34f73d9f8e88ad462eb650cf8b
SHA256

a1404d0fed6cabf1c610437722d3a7ef0b9ef2e89c35aecee744570d92b952fb
SHA512

545ee38a01017f0bf52bc51ac8bae1faf49b3bcbdb1c4db1bf3039f7441fb75afc67ac39a31276c900b51801520b620ed07b368bc21a2b153031cc4586c9039e
SSDEEP

49152:zOOh3aN4kuLbegmtGmm+brLC2hTR9quLB:jU4ku/ctNmqrWETR9b

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2128	alg.exe
980	DiagnosticsHub.StandardCollector.Service.exe
4660	elevation_service.exe
4580	fxssvc.exe
4332	elevation_service.exe
1052	maintenanceservice.exe
3440	OSE.EXE
1560	msdtc.exe
4304	PerceptionSimulationService.exe
3944	perfhost.exe
3252	locator.exe
1376	SensorDataService.exe
3080	snmptrap.exe
4500	spectrum.exe
3128	ssh-agent.exe
4712	TieringEngineService.exe
2964	AgentService.exe
836	vds.exe
2416	vssvc.exe
3928	wbengine.exe
3484	WmiApSrv.exe
2132	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-04_b9ae7d55498f375cbdf5371b7bd7c897_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-04_b9ae7d55498f375cbdf5371b7bd7c897_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1dd68346c3136770.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-04_b9ae7d55498f375cbdf5371b7bd7c897_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-04_b9ae7d55498f375cbdf5371b7bd7c897_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-04_b9ae7d55498f375cbdf5371b7bd7c897_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000092e2ba6d2eceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e05a926d2eceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a8d8ed6c2eceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a5e91f6d2eceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000055b3c76c2eceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000418adf6c2eceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
980	DiagnosticsHub.StandardCollector.Service.exe
980	DiagnosticsHub.StandardCollector.Service.exe
980	DiagnosticsHub.StandardCollector.Service.exe
980	DiagnosticsHub.StandardCollector.Service.exe
980	DiagnosticsHub.StandardCollector.Service.exe
980	DiagnosticsHub.StandardCollector.Service.exe
4660	elevation_service.exe
4660	elevation_service.exe
4660	elevation_service.exe
4660	elevation_service.exe
4660	elevation_service.exe
4660	elevation_service.exe
4660	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
680	Process not Found
680	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1448	2024-07-04_b9ae7d55498f375cbdf5371b7bd7c897_ryuk.exe
Token: SeAuditPrivilege	4580	fxssvc.exe
Token: SeDebugPrivilege	980	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	4660	elevation_service.exe
Token: SeRestorePrivilege	4712	TieringEngineService.exe
Token: SeManageVolumePrivilege	4712	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2964	AgentService.exe
Token: SeBackupPrivilege	2416	vssvc.exe
Token: SeRestorePrivilege	2416	vssvc.exe
Token: SeAuditPrivilege	2416	vssvc.exe
Token: SeBackupPrivilege	3928	wbengine.exe
Token: SeRestorePrivilege	3928	wbengine.exe
Token: SeSecurityPrivilege	3928	wbengine.exe
Token: 33	2132	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeDebugPrivilege	4660	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 4228	2132	SearchIndexer.exe	118
PID 2132 wrote to memory of 4228	2132	SearchIndexer.exe	118
PID 2132 wrote to memory of 840	2132	SearchIndexer.exe	119
PID 2132 wrote to memory of 840	2132	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-04_b9ae7d55498f375cbdf5371b7bd7c897_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-04_b9ae7d55498f375cbdf5371b7bd7c897_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2128

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1204

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4332

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1052

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3440

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1560

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4304

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3944

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3252

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1376

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3080

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4500

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4636

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4712

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:836

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3484

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4228
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
5965e176c8534bea4800e9d5251df441

SHA1
0e52aedd40c2a083282db11ef2760adefd9c4fe2

SHA256
e04d76a8b86925584a11bb0d9807e0d431c04e537e701050fe901789c13298f7

SHA512
afdb5294b6adb6ec38daef0ef5adbb95237131966b900ff366a4c6e8a331831164be7af3927465383e56ac7e26223d0c1a21ccc0c2accc709755872dcecdac9f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
55c82bca41b62ac28c77f511b22a9629

SHA1
32f3181f2acd93ab828845b5df36f6d13093c97f

SHA256
e1a3539a9d859f186ec34cf8dac66b284c512f1da6ad95e463d92ba3cf2129dc

SHA512
61224418d8164e671554c91526e3101c15dc6bdd120bbc2ff8d5e673332f1dd5116c1ddc67d924ae7b955d8c75df1c44fde85bcee962cc794491ac887d112354

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
5a366057de49ba4f1a185888f5f167d7

SHA1
b36c1ab0480c9122370c305052d2f359959a3581

SHA256
8b93bf7af0b6eb0e42b318c47025edd22915d74ee3fd444b36bcd360995abf5c

SHA512
c04f34f82bf59083677e62b13dc593eaff6b03e69554a4b2b1658cfdd351799d411c62f17bb60be0da491fed7b6a93eaa37f8675138dc30b5aeaeb13444debe0

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ca1c595ee5542560fc9c711f3a4cbe9a

SHA1
2c888d1bc6cee9a8b2859d1edadf3fa4ee6623c8

SHA256
4108738b246c2f99b0b34a296497716dee89509212fab111aa2908a4223b9dc4

SHA512
f602051a76daa6bb4c13d21a93da29dff0572e8bb8e903090ed150013330c81ade7048931b4836f61e08003d1fb47458d31f2c85bcb36b5cc258e049b69ee7d8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
aa198c6a5432935c772ccce4ced1d8f0

SHA1
387098b5c1f1b1d76a836d097a71cd4065617652

SHA256
3e894509151bf3491f757a955868f0c7c3d9da66be7f72e5533e9180eb2d0f54

SHA512
90aed515f2453180451d58034e2bfd89f58bfb51ab00e6610098f264d141a98837a67876f5d5d2541265c5d9b00746b7be83ae65351a2ac14f4f33282084230a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
9014031f01c330bf0072ae35d3467c51

SHA1
f65072965cd7539a86b07ef06b01553fe3107bc9

SHA256
c7c7e000b7ad3400d6b86a4d84dfae11b77f543ae48464c92993bbc99dc54f04

SHA512
73426e363b8290efdfe5a7f3748f2b9b6122bfae32b2afa272ff95e7eb5b23de8e6d34ec82f6d5b57eb3318bee6155b3234bfd4a8f06b324c8a8130765191ee2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
862e714f9ef4867ecb147f3e93721720

SHA1
beaf657130535cf1a32b5893ad1c3a9f1817a483

SHA256
df0d44538e793577ccf4297307dafa7a4411f3851fc75a8177d9202e37a96d1e

SHA512
61150ea41ad988d36a3d8a75240864941907c7b2bb1b167addb4a458f460e924a47a5dd1f3e8e9fab55804589bb7e3d1f8574a4e757a656c193351292a689958

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d13349671788c7e517336da052cb46aa

SHA1
82b7c0479cad5a4402d2f8b47d57079cbb6949f6

SHA256
6a76c0beb5fe56ed8f33d7783a20f03061b28a82322e2d8f14706ce679735507

SHA512
00543e806f7e5e060b9c91f2a6dd7cc00e6cd426290c24e314a80e911a4f2cb2042c7196ef1bd3bb3ca4e5b6e2b97115f636b3cd70912733985d283f4736b7c3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
7bccdf2a4b59182c78496120f9dcedb1

SHA1
dd31357bc3aba676525874ea752c1c49b345d3e2

SHA256
e9e660d112aaf69d7ea1f620350f78d50ab96061f25f5de4d2ebbec6d193fd4d

SHA512
32af0c36b37d2f3542667fb218e0ae216530b25dd1abafec3e5a855bc670ce2997e9f5cad22df32c4d01723879c82e615906808b4b462b63d841510ca1d6cc9f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
56f9d0edce001d40ad7f754995e5cf99

SHA1
2fd0bd2fdd0f5a584138be672ec9afbfa5927e3a

SHA256
8843253c8175f66fcf9f591feab44224573dd81316310e9d18fb31b749664d2b

SHA512
cebcc9717459fdc480f9888471dceabe768c8d2fa75b95b33b3134cf05845b202d4d9ac834be7c61bf792546279418e732d0351e374ffaf141caa2568632c9a1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
818b52cf1e6904e774534bb815b611c1

SHA1
fecd053192fa5f8b126f58fb5ed1fe120f12dcda

SHA256
2540210e9e12ebe2b4e6db596dd3427b510b7d34d916e1a27cf452dd9dc4f00f

SHA512
6bdda809cb0460db65b2abba069e71041123d553fb9fc8cff6a6d4a2b126e85442661e6e1f772b15fcdb01fcb19e7da151e0d2f509b8dc88f49aaef2176fe9a0

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
5ce67e2ed29f9b96b0e4f4883e0045d6

SHA1
0573b72b43b0b406e58d385189c07232226ade4e

SHA256
88d32a6d2eee19807fdea91206deb1f82053f947d8a43375ad8d624b347e11c1

SHA512
e13f6adaa1df2ba6a7b4b252d0ce19a25be2bb994be81361450fd115f19f7429c548a54683085301c52edbb5dc5099e23f3cf2e06b420e80fe1063e647147c1a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
87238b785575913c1541c6bda19c13c1

SHA1
7d7436cda9d8071b0f687b54328881fe5744347e

SHA256
27fc1bd52f08febbdb3a7dbe682ad9988e2ce61e7914e1b5ac3cad229d6c43fa

SHA512
b11162c3011315eced544427e8eb09b6ee73d6caf94cf9dd94888b569c92693dbe5eae9b949803e7ce383bf10194beacf0ce8881d6b9447631eb51c56c727171

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
3e0dbb7160d46a8d201b3a4b3147e16a

SHA1
b01a7195680734df0ab6b77007508c7562a4f0fb

SHA256
7cff404e05289e2621a5f9af033ea57c32137d3f7e832aa81e3ad80418d3d537

SHA512
8711804e97fc42da366f1ab4f1ecc2431f2e4f00f32b2a48587acd1e66a56a05bdff24aea7c6802e01018dc97d2324147bbce98201bac4081116535e4f391243

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
f09a24dac7a2fc95d50d2b42e4468d6f

SHA1
1e92839a9376e6feb2c5eadd011bc09baddd892d

SHA256
a725ad8aebfce856ffe5ac1a7dbe094265d9668719bb9834ddaebc27f32b4c81

SHA512
1ae194d282031fdee4deccdb241c8a8e5f003f84774164e3a8c14fe06bac71a6e8f352c3f2927b0f707b83419c0aef8b2d75a8fa3645f38b9b9495c38fedf8d6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
234c4ad5ea431d6cc026c104a612e7ff

SHA1
270a8909e81e31be187179c1ba98b75b8a8b3420

SHA256
a5d0ce99d9b2fdcc8b66770317a9e4f0c12ebcc47afca32bf706d6d8ee0b100f

SHA512
6861c1c5cde0171a36ce9a2b8c876cdaa6ea1f6a34dfadcb1a4727a46174bd303e0893074c8b9a834ad431e9b97c97ac88030b507402e313874fcd4fdefed239

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
2ad851b4e7f8f9da8af708b9f65427e3

SHA1
e2ff5cfd4b9526ca79f0c6cd665ab78252af0bf8

SHA256
5862952d50b2e08c70e4fd37fb890052ae24db04220bb0172d29fe8574d419fb

SHA512
533a737c72ad7dae2657897583bbda906b419c8c875f354e60f864ce9177b5d0a1d3564c62f3c0fc3727c2fad61c045d5dd095eddf77dbd5ecd8e63bd2b486b7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
79f2506bc9e6b5b92c28ccf72633b9f7

SHA1
610f8869f1ea2bab5655dd84d79fa1f465b5a692

SHA256
40245a8516b8f98859ae9f472a3d99b12c4879998309b76a09f7c5768ab20224

SHA512
75a859fcf8e0fd726415bb08c519feaf464e034ba46ee5f163b2718671ab16b5e6d8dbc981f82d5f14dbdca476ab8473ca2ce640858cc487fb8412885cb8fa4f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
88e833b9ebdd0f5255f137bf4bdcd068

SHA1
3b60bd4c5b31cca16fc70114c9262ae7e4e84149

SHA256
4f357d51e5c9376d1724a390310bb413f00a1080cd4561221ad96134e686f9a4

SHA512
40086d392728d56719d799cf4f9478790067d8aa73fdef2344096fabf5690462e7c3fa2aaa43d89b7d53144c885f00cd10f3b514d9280c2027a3a6922d2eb042

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
9fcc5827f004205f7ab4dd124589d9b4

SHA1
1305e516bf444b2874f6564537242205fe144107

SHA256
ddccb33437e224d9dc6ef346b1c0d8fffc267ee68ff816d6c5ff3372266b4f19

SHA512
11d40b31a61dd0824e12e4a99b946b4efe3a08322e2b95523b602f01f58b4107838da858431e05a335e00d317d437b1fcce2ce8a02a79d22fbb25cc2bca1a8ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
eb07665548be6ed27c135dc2782dd490

SHA1
e292da76f6b14cc0e98f0d54de5ed60a38a94e66

SHA256
0f89a4b7c4835a5867c0c5ca78960e76a582ab1ab10ae8100d7a1d01c1bb33d3

SHA512
37d191fc569a8e07dcf0799abdcdfb485bc7f4a925b100d238305bedd60a0622675d79f749d62f339f977d72278b5bf46af6c707798ce34e5be88b00bcdd925c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
ffb8ab730e26d7f3c25166a3a51a03fe

SHA1
ab0ead3f43f7f0f84a631f5f8f46c8928236e3fc

SHA256
a59a7fd9c3ef5449618ba1a8085e9b54a06bdcd3dbb134ad1d5671cd3cc9548e

SHA512
d91748c01b91d77cb28bc0110f02f1d9856ab8430dfb1ea2b645d238b50b1955465c752306a6d24958762b21225a01642f29b972c2010a4ac8c211724aa042e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
e16dd0c10359df3b3279b6a0680b2af0

SHA1
a8fac147ac2a82c3f3aec5f644c89eb557f27df2

SHA256
ff57070282dbec5f5adbfcac9ee0cdf51aaa04159ebc718b9dd26bf1e7cf8b77

SHA512
1cb0242d410cd574639545e6bc5b058ce98acbdc6a0140128c00bb5a5e23d1355e995f2f4ae8b12a3e39d1e7a4a5b23456ecf2b3850e4497e0f6fc511d7fed2c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
0282045adb1f3b7dc9931504f2fa1ddf

SHA1
0de4a5bd0302ea56377620dcd00f2748601b5e28

SHA256
10a4242fe8dfe73484f577eeb051318dcbdd756090b61de8c64f1e266d74fa2d

SHA512
f53925316ae57d30b78eb46b9e2d1f05e31eab0dce88366a0a59c48133734294e5bdb1a4582c0f46f5b16493a9e6d8062ff3d2b30ddcbff087ac0f9133ffbc01

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
e341cfd599f7af11758c9e53058dd59c

SHA1
9a2a19d023570b015f223dae91c56ee20ff1d4e1

SHA256
27ca36d055f70982c431ad1226a06f2f1f7f3515c99949e31a7f33301d6a680b

SHA512
bcdfce30eea82d44b0938525777c36b44de6076b2e56064359acd0a17a95bd551e64cfc9cf03f122d953c7316a517336d197271f0c09143079c6d6f698b4e931

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
14fbd9a43aa724be87bcfa421b666708

SHA1
044439226d7e8700b475ca1acdd71abab4cb8468

SHA256
2f901341e309e98336fd4130412c676f13c9adb2a798b92c1cb05613472ebffb

SHA512
2e7c06c08f492f81d8d9b94dfb1f6fce02a1ae9aa67a7ebeedecf751116be9cc4556e9928daf06fcdd3dab68763ff123543c17c2d9391073ea0b10b0081abc8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
026014b7ed7d68e33c0b86731522a348

SHA1
269cb952882a0d0fce90709b4e4c4de562e06a3e

SHA256
9a0a0b09d78ec65df590aec96d533c2b92323d1ad5cd80fba24e4b1cac963e0e

SHA512
8fc9b29c0d7752a24d1a46a28d942cf9b6c940cf9fb8d832052ebaff90e41ebb94445d0018983116fb2a434ecd9bf38f7adbb2a69fd36d5ca11da1e13a993e8e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
0ad32773c30ebd64dc33f273c2e0c84d

SHA1
89effb2a238acefc86a5b26d8323e551ca8abe08

SHA256
3836accda30b002a954ff78b5cece7500a55f0b43f9aea758fdf90b3276c5aff

SHA512
ed8309bfb9ab27a8adc65c3a546a5bd9b7506a08b9e456b646987e116d60a2aff6e0511dee2919732aa63ea233cb730f69277f798e6b46eef8588200db77c0ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
5cc8afe2630f5c1cf0c62464953e8427

SHA1
530fa5b67ad5895f28bbb2664961179db9869c22

SHA256
65c36e1ee012776a54e7a3386804a1a371d895b5f1c6d5799a690a09f0f37fed

SHA512
c04cd43fa808c8ab1eb433e1b6d98e916204abfb4c4c8b90f710477141d417d35b429d32cf2360d729f2aebb9ee9c6d2b2ba05935d625df31d355cdfa08d3b7a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
67d7ea73518e969aaa84539b63d29558

SHA1
8a2f79d2a08f1c024843568a015d23d91deffbee

SHA256
614c7079e2d9cfedbde785c5fd4514ee93f2de96cf2ed22831244af03f6860cb

SHA512
a37e7f9e1770eb5135a1bedcd1f12e5e3e8551b74bdaf6da7a7742080bf3666667062601e5ab3dd9b29c8201e5cff752321990dde3b44c4c9869b12020753bca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
349546a7f97577791fa552339a14f533

SHA1
a82fe60d7a04c7ab38afe948bff813c3b5a44ae7

SHA256
53aedc3a483923e7ad53b5b0a44edb986a98bca6c85534e87f8f1d8949b37de2

SHA512
6053aa749fe71721a572261aa50319442721b498fdf08c5b6867db0544de76b2fc2092c391f36f3d2beab46f553eb17d0518e0ad773b71b950f9b8658d4283dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
86a8bc34238e842e87c5600ccbf485ff

SHA1
50609eea02f9aad8b678658710428fb076f96119

SHA256
112cf0fa8dddcb259774bc02a8ff9fa7e10b8b2d3619b5a9948a75c198a8a316

SHA512
bd0038027388cd76005be0167e77dd32baa087d991204da407b37df29468670d3895fe7295839ff668c429c3248da0f9dcec4c24acfb0add3adc078e01691fd4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
afa7ea2c031f9162b44ec051b85c851d

SHA1
e7f8efcda606de0e705529afa31cf15f7d176913

SHA256
c74982865202712acb70c2b395ad31d3075f64bed2b5d3553dc622591d8bcca6

SHA512
426c1d3c381299aa2698329f52914957fedf48f2df91718a36108de6eafbd6903a546f16af8b7d8a2ad076e40558a5220e4c7c242f3edc68f5eebc8164894875

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
6a71a944aa576ccc4f997144c34fb6dc

SHA1
299f1ca9aa960e4d9fdd19362e363d5fbcba748b

SHA256
1b833755cd1d6c87940492215f806d55a1a2aa89ca61b2f123b7cef553d19de1

SHA512
fbad91627d1f9f3c1d4dbcef462d8bdfd1e52b70baf0011c6b4885d00a6a4b814ba30d663c00739d7ca2be1a7c2beb265c749898b6dbde25c5c4285b6a0b4460

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
2654302bc29975194474f3756d908703

SHA1
43c376b26085e5da7ec6835ce2ebf021ac8ce006

SHA256
7768277bcec2cadd34d3860603fccd953b8440e54d46c0f24d2d44c05710c8d6

SHA512
5158aba4f5d287441d0d01f9fcf33480c1fb06b0f035f9242ce50be9aa91f06670123ea1af50178ba9ccfad1135e19f04fd230cfb29082be7558c1b6e0556e7c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
67f2693b0071c2c6fe90fb144b851f49

SHA1
81ee99179f0e9ea10baecf92260e34375796b775

SHA256
5f5427aa63a8c9e774592abd7014dc31f177f271a7238512a209d62409aee9aa

SHA512
bd9747c66b39cd7efb19bae353957c1378e33e6f4189fa7aae9f0297f05a9e1a399f76bf8cf04fc20f960482324f051b4c21700b02f251cdad233ebe4208b800

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
b0371c6d3ce7b6509fe291da92fc0920

SHA1
fb0e302666cf7da4a8c838115bf774b17952048b

SHA256
2856f561f519df7f090cc6467a2bf0b0496f294253b26ec756d608891aebb6c8

SHA512
1361527684023fe258f95f5f9583d538ccb7ecb12651284345f717a609a0ac0c90af3d94b358fe16af40524c2a8348d4b0836469dd5f51fd918f93eb5b6a1221

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
5769ae775f31f834729f0183710ae749

SHA1
bec3174b35d6ecc980d2d9d42df7d27945e488e4

SHA256
5930b1ae545fd3b3af3e7312bd27ace396a534711b712a9e24e26ebfb3ff8dda

SHA512
fba6df25e10817f27db45bcb4a50ba67f59dfa4b7e4911ecf3c754b04803dc112ac0db0ec7db0ef8797a197ba4623134aa794ebbe6fd2af01fe5a0ae771f7734

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
832956017ffb54f03fa5d7bb5b687ed3

SHA1
144ad5a3e0224a59a3e6e8e97013d6a20b8a21de

SHA256
67b6f5808d62cc7477769607041e840ebe17c85dc7850d0b2061a49774f5a75a

SHA512
250686f561c140c3ff362b2cfda5d70d07c6c4dc03124c8c4ca24892cdcbf083dc95c2fc772fbec5e36562346d7725edd19746cca7abc077c0db7a7cb9191e55

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
2fd346731a300581528266d1a8804648

SHA1
d1f6fe0934dc57e534b5007a263e76c8d2788714

SHA256
1743d4f224b5ec19af83f8820cafafdf8dd906548a1241d0a54c52af209a8759

SHA512
7bbb1894f84be6cd3e8b5a388ee56c7d5bf671a637d53fcbaeea3c330345bc4ef300b138ddb905ce49b40cb3ff936536ec21deeb70124e5b65284ae4381aa775

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
c53f3f9246bd7e0ffe2ff74ec05637d3

SHA1
ba1dc7525d9188fc84e1e0c377faf3c1cf4cbabe

SHA256
62af3f44ffb6ac5d46a1334a83acb6ebc40b510539055e292288a4b472faa8b3

SHA512
6e94d77f2bd3cd8855660f17bc29f703609e456e2e9723ec7cca8f0c32849d49c50fe18839a1e076f039962043dfcbd72096f55a20d8bc17bd86e9fe59fdc508

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
8dfe3eba59950269d9154f4fd0a01227

SHA1
f842c89e1d92b131739422c4684804612d68aea3

SHA256
fb18a698f10148b9a17f334950b111f77e89611140cbd55d1089db183c4530d0

SHA512
957d9927655fe8979db778a5c656691bd9cc31a7a97d87cfa8bf22cb327dca935dcfefe7e3b5e7a95bd687d84e3cca426169d1fc1f2f8bf16e3b33680f386f13

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
42ed8fb44fc383bc17fd95b423ba7404

SHA1
e7a543b7499e9ad6932de7b08865adf51329239e

SHA256
9780c8f4ab8b841f0e64f1beabd03915f9215c150fd26b33c0f522f5f562b3bb

SHA512
02899756b14ec66634405c7412de7b57bd76a9bab22f1d90500ea1a026a010ef7d05005d46ddacc3d5f2786debf302e75e8458d5cce79d713436ecf2dabdc427

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
fa029b179a99f7df1731206f802a01a9

SHA1
3775453b1abe0cfb8cd6ea3859eaecfc02fdc7e9

SHA256
582407ac04ebe3e32a78ba73b1d2d5552925eb24cab119ab66efe918be859e3e

SHA512
62cb33eb0fd8f7ecd981222f67a739831589219a9d9e4dcfce81ae7f6406e9ffe8d382532d45afd0fc0af2976570a189e88a50fe392b9ff4fed0cd742857e359

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
fbbabfdbaceae24cb755652061fb93d3

SHA1
1cf87c87de5b55feabe26e6a7f416e6e44a85800

SHA256
dc83f3583c818132e02130389a5da2d4831e92c9145146bb3918116b12c2a05e

SHA512
99490d71d20b3a462f92f93d9090e65a608c51ba3f3395b2a6a6479dea5f955c3d056ed89279b307e8742e94de5c58d931e68e3fc31a2e0acd86c1b637965b4f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
8be5888503b70e241d2d53d63546245c

SHA1
0a4126cdd5f2f34d8d09efd3dd82d24bfb69524c

SHA256
6c362430d0c1d3ed65a38a04478404eb8a25577f97ccca4a657aa9f81ee00cfb

SHA512
3cff63d11723f52aedf843448e57ac992361b501e853644910bb3c18abdc6aa702309990fec4a45b124cf159bbbe6cc76c021d11b6af64f3281f42fefc90b4fa

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
93f1f727d23f099bb72189827ed38223

SHA1
91041a879870203defe1ddfa50bfaf661150b5f4

SHA256
4591cfdd229c90f7b83b18194cac6d60944de2fa289c2257137d1ff49d5974db

SHA512
7a5c246a9191f881ff244170e1b7b15fae5fba8ab4f52684ee1977bc37e13489ad3a752c01c5cca8e1f9efb339ea4ba90450049ccc46ab61813c6e3ece968048

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
3254bb8555cf96742e79a3d978616ed8

SHA1
fc909c90b51047cbec1488280a0ec8c98440ce37

SHA256
77d3c478e6b22f8706ae18e9a9c19a6bbb66f43888d90cff828edd1a75e9e49a

SHA512
c191549b5757871db8446eb922775035e23d238bb0360b88d1c6c0d4224e2750a5d13f6c6863e8007f2d8480d4805e42a47d4057b24612b2152978f24212c806

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6d2978d7e2475e8fccb982dc546b2e2f

SHA1
544a5ed4078a09595e00fa17abd4b5849c487e56

SHA256
ca63d0283000becf8d30c4bd4fc4eb965f15dfc98d5bf7647e1369db333d008f

SHA512
12a9d941148a56a2631ec34d5a185d6d7578f5ba9c6abd2a0773d56ece81d689822218890648487c289a2d7ea3b5781c4fffe18a2b379def191f6a1cb88a165b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3d3690ec153050b12ee0b51fc2b91ec3

SHA1
082ecc0b788640185dd1800a7fad4368a109cb54

SHA256
ab36cef603639f4fa1eb3342c1aab410ce170a469c731dcf2ad7eb80d3b658fe

SHA512
3eaed8252308c7eb3b7a75f477ca3a8ff7380e0a49198e6328b31ee934f3da14162bee086c1e0bac672ddcda6d472a1017fc1a23340c2a918327e78e6ec90504

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c2a0ad629749c95d801d8b7293914e23

SHA1
e559895acd7fd0ef39b524af2b1c2d0b47eeea1f

SHA256
6278fc6785f42c58e0b685e613cac0ae8fdff618301fa1584142279795368f10

SHA512
e8609e78c058e7d74c18506e69adbf3db82a5aa2d5c7b850c483c4570f5b6e4cdb5f5e8d0043a9684914272d9f28345229c24859ed1528fde339a5ebe934e48d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
e9a1da2176ea14b7d66449d346258634

SHA1
d2cd3f5fa09e64d19610e2f3d0e19dd438c001c5

SHA256
d33f49e10e8e4197e6cf28d1b06dba3d26f7b444b0c8d6aa43d98bccb6bb18d1

SHA512
15107a276343e129d176ef87144b6eaf23ca6c94d0850f8ee0186c5afecaecd4f982db88e264f680000a64ed00ec64561fd68bb65f46d91b1ca07994a9226408

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9895c1df34f17b3a27216a6d991cee7e

SHA1
4852a4f3876c392424a3b48202251a6840f42c65

SHA256
a602ea1a53716c008f98281fc17b5721b386e2f46eecdfb3b901f8a8c4d5ce2b

SHA512
5ec7f712d5e8a9f0fb213c543c152f18dee6d0554543193fd79c32b7df6acfdfd2c15cca57cb271b078b5b1bd2d79ed9da9e14961fac8eacac053dc14acf4f92

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
75b37674a0f12879207a95c99b7e7ebc

SHA1
1781c0dcd773fd92375946d5039d88d12aeecb22

SHA256
31ec82ac94f024a94b9ae8a4520b3ff62a7cdbd9d701be78210036fda13af79a

SHA512
e933bdbaef0052c82f9b132e6c982e8567fae64e090f27ca170442137ee217cb91b7a37eee4fb8fb8e64104386b8770bca40477f6f0957b24d7e8d782ac4462f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
ba91ba9d2e8b0461b37ebc37f06ebdac

SHA1
6e62938608fc247d86e3bb892a94b2137b69499f

SHA256
4982b881f90e0b159070d66cd03dfba6707218b1ad07b4ef71c49312b14a9e30

SHA512
b52c6118233eb80cc43584c09bdf7775d2932f31d6d9298b485edf56508612122f6120a397d4a4339fc1da9a88ddd66f40103218534a9f270ee83474e4a90dcc

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
ac8a673b9b4c8c2abf3a81e0bda8ccf6

SHA1
70f7dc6c07adcadc4d88123430a629624b677e1b

SHA256
f3f6282743e129f8d8cedc91002f8aed5ab4e6470f6187278ea9ef0961c5fbac

SHA512
47d733b456f538bb6a62e21b5c8af78eb64c77588891ee1b19be7ac78ad318107fd0183e4c062559bcf872f1a24a10d9a81347eeab8b961c851c42a8b4c558b7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
037a7a929e2e1bd56a496e87b7e607bc

SHA1
26140fe21f5d17c415ce843f9d95e43d13d1d5a1

SHA256
6b393916cdb654151ebf9ed353963b93e39a32066dd2f7d80ec7498ae8e51b36

SHA512
5e3abf2c537c9f32d9a7776e2b41836a6fa40342aedc48eb55f7cb9c5061e33a03d1a1c64b6dabe38fa248212a252365dd4cf80f0e2ccd1652a347357d3b91f8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
1a5541e1817dcca501be668f6e299d3c

SHA1
c71556d69dd51af257589004b4b4175b6eae24a9

SHA256
a4fe173b3233e78a8cd56f5e39f24862957d587a1ab80d0f662aa0a7d0f2d710

SHA512
de77c5410f8e082110e870ff6e0feeee49f0f40a089cedc87967f5177f0f9ea2c1a4d4d91e83299535a8ef806d882a742000996a61568b68c56fb27ed4fed4e5

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
dc3cf2b57a9966532a4d1b1158bc6c6b

SHA1
8bafa1919d5af321209761ffe019db508254bdc5

SHA256
9f8b6f7226b8a7b0fc4fb73d5cf0fd892f7b20bd1e358bb69d5e05f14e2035fa

SHA512
6dbd997b7cfab31275252d102a11e49f31447dce7895a08387fb7f3eb5f9cff060382abe29d588d9d163214945f6eed0bc7c504ad0a00ee2870849e57e157ad3

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
63f712a1d693715f4b926c2d390ff0d1

SHA1
b83e8b9f0899c77fdc1ff4b03c68967955e6fcee

SHA256
7b90015a3987bc3e049e8c1577d90c63f9f508a41d07ddc1656dc5a3b9e1f277

SHA512
46575077b1edd111ec846ec0b76d70c5f849bc7eca447ca62493a159cbee9cea49b3cd18961087e865479ea497a4d750e76ba1e05272138de1e84f431c4ff51f

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
fdfc0502835e4796cef5ca8afbc86e24

SHA1
38828cffe13d6f2a54f97a579bab698de4e89ccb

SHA256
bf241078d41db94f765bc0d7115d90cb35f1407be17c2d7b67f3c4eda84e21eb

SHA512
2c6ead04e9ee4a45baeac7dd592c1184ac781180c5c3e6d7310ea5a36a986f92f0bf11e53f5ef89d6bcab03975b15fa5af38a943baef1941f719f7333fcefcc4

Download Submit
memory/836-325-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/836-473-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/980-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/980-245-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/980-23-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/980-17-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1052-79-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1052-89-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1052-84-0x00000000016C0000-0x0000000001720000-memory.dmp

Filesize
384KB

Download
memory/1052-67-0x00000000016C0000-0x0000000001720000-memory.dmp

Filesize
384KB

Download
memory/1052-61-0x00000000016C0000-0x0000000001720000-memory.dmp

Filesize
384KB

Download
memory/1376-467-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1376-287-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1376-341-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1448-33-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/1448-8-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/1448-0-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/1448-9-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/1560-256-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1560-324-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2128-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2128-244-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2132-479-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2132-342-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2416-474-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2416-329-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2964-320-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2964-321-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3080-291-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3080-433-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3128-468-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3128-312-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3252-284-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3252-336-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3440-250-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3440-71-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3440-77-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3440-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3484-477-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3484-337-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3928-475-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3928-333-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3944-275-0x00000000007A0000-0x0000000000807000-memory.dmp

Filesize
412KB

Download
memory/3944-332-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3944-274-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4304-270-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4304-263-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4304-260-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4304-328-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4332-249-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4332-58-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4332-56-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4332-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4500-294-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4500-466-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4580-96-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4580-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4660-36-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4660-45-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4660-248-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4660-44-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4712-317-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4712-469-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download