51f1b87b33f831da193beaad85f942355156850e20d0d821cf580aee422bfb89

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 12:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-10_abd0153f309e6cc2913ac1188540a4e1_ryuk.exe
Size

1.0MB
MD5

abd0153f309e6cc2913ac1188540a4e1
SHA1

b8f2b1d1af7b707787f30a86f20425b459d50125
SHA256

51f1b87b33f831da193beaad85f942355156850e20d0d821cf580aee422bfb89
SHA512

7d42e9f164a98521674d344c906dee9adf49a5b555948d9dc06cdf937ed12a2c0f84bcbde8c699b3deb65744dbff660ec9e3d0c6e6af615d7122040bd034b5de
SSDEEP

24576:j6V6VC/AyqGizWCaFbyBbl0fitGbna8FLk2m1X2D4brr:j6cbGizWCaFboblI7a8K2mFhbrr

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1244	alg.exe
412	elevation_service.exe
2236	elevation_service.exe
4744	maintenanceservice.exe
1844	OSE.EXE
3836	DiagnosticsHub.StandardCollector.Service.exe
2964	fxssvc.exe
1692	msdtc.exe
1324	PerceptionSimulationService.exe
3984	perfhost.exe
4872	locator.exe
1260	SensorDataService.exe
3240	snmptrap.exe
208	spectrum.exe
5080	ssh-agent.exe
3816	TieringEngineService.exe
64	AgentService.exe
3180	vds.exe
2344	vssvc.exe
2944	wbengine.exe
544	WmiApSrv.exe
2204	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-10_abd0153f309e6cc2913ac1188540a4e1_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b44751be90c504c9.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86328\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da9824f1c6d2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e84935f1c6d2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd3441f1c6d2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b9ea8f0c6d2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000921bc9f1c6d2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000004eaf4f0c6d2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000018ffe8f0c6d2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008c24f0f0c6d2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000098bb4f0c6d2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c1e632f1c6d2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a4ce9bf1c6d2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
412	elevation_service.exe
412	elevation_service.exe
412	elevation_service.exe
412	elevation_service.exe
412	elevation_service.exe
412	elevation_service.exe
412	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3948	2024-07-10_abd0153f309e6cc2913ac1188540a4e1_ryuk.exe
Token: SeDebugPrivilege	1244	alg.exe
Token: SeDebugPrivilege	1244	alg.exe
Token: SeDebugPrivilege	1244	alg.exe
Token: SeTakeOwnershipPrivilege	412	elevation_service.exe
Token: SeAuditPrivilege	2964	fxssvc.exe
Token: SeRestorePrivilege	3816	TieringEngineService.exe
Token: SeManageVolumePrivilege	3816	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	64	AgentService.exe
Token: SeBackupPrivilege	2344	vssvc.exe
Token: SeRestorePrivilege	2344	vssvc.exe
Token: SeAuditPrivilege	2344	vssvc.exe
Token: SeBackupPrivilege	2944	wbengine.exe
Token: SeRestorePrivilege	2944	wbengine.exe
Token: SeSecurityPrivilege	2944	wbengine.exe
Token: 33	2204	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2204	SearchIndexer.exe
Token: SeDebugPrivilege	412	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2212	2204	SearchIndexer.exe	116
PID 2204 wrote to memory of 2212	2204	SearchIndexer.exe	116
PID 2204 wrote to memory of 2736	2204	SearchIndexer.exe	117
PID 2204 wrote to memory of 2736	2204	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-10_abd0153f309e6cc2913ac1188540a4e1_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-10_abd0153f309e6cc2913ac1188540a4e1_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3948

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:412

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2236

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4744

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1844

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4704

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1692

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1324

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3984

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4872

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1260

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3240

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:208

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:264

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3816

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:64

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3180

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2944

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:544

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2212
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4cc455b6183fbcf9c538da5a750d03fd

SHA1
b59707231affbc4419ae5abfa16751d79083a230

SHA256
bd4b14a5d2f53ee6b89fd9a25e65113dd589df53e6a6173d5c9214383f84a7e6

SHA512
c77a2375b69f28cf1d9b286381500bbf79f9b1ea77f561f272b1c0816ea58716f77dfc6fca7168d0094c055822991545ba28991b0b2f9687829114d6e6e7a664

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
3aacaa17554c946d439b07dc60b00548

SHA1
1eb2a79117dc49a288700b20bd57d932858feb7d

SHA256
ee20f15f4b2d123f73b605ed611e3dbd0d507374c55a0d8a8995d6b7e4246da6

SHA512
dd2e12278673610ff17b4362a717761cf7252a80dcfe8344e74cb2dac2fc4707406f1e0401e5e30ed039c7d9e8aff253909acf288e3e26f395252c124ce6039f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
17e1c457112493cc6485e9588639acbf

SHA1
fe67700317aa169f856acdfbf26112172bada85b

SHA256
833a0fd9f7825209c9beacfe3d72dd2bf7ac57b6387260142687bd4266838423

SHA512
78707f5f71154de59455428df2636e11dc5e0603bc028210307f40829ade3531aa9c6a119102213bbf7622a33a78b42ce9a575939447c8f90b87dd63eafa8b69

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a6fb38627c263eea9b0af9d117bc82a3

SHA1
4ceb93e42e82e8c172643b9d2658d5f55cbd2a02

SHA256
5891d8b31884e09040464d37e54906335bb10466252c42489fa454ba5a6459b3

SHA512
2d53c3d9bb244b3f2f2803335603cef02d8e7d85bfb0a8ac35fcf659b213a105777414dd483dd60d259b9ba5266ff304482c48f6d0c321bb0b8419319da98346

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
acc5c351dc87cbc63b9bda7e20fb07d0

SHA1
d46ffb8a646b3e50aa44b6c4f1daeb5d3cc5f57d

SHA256
9cc1ce245b17424b3e3b155b4457602244448daf19873b3e8bf3cf5810f2856f

SHA512
117714992607624087b958159f71b1982c9d0b608ee292dc68603ae023e0c67313cc7c133d5dea03f1d490fd728c5f4c8e2014b0c799ef5a39f854d9cd0f8c8b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
8b86e077afeffe21a9d3e14b65adab54

SHA1
95f25133868560e016c68de25b228be8868d2cff

SHA256
04cb6573644f324d353a8371ebd8189b4a92c54737990ad67e058cd36fa29870

SHA512
78fd5ae52566ef20e07e84840678d2b35d84725f63eda4879e102924d3e3095bae25808512d6f9dd63d92ec155efb0a7a78af3bd1518a960a121b924be247ad7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
e4b96299dbb5a8b1c00ef3933de02c31

SHA1
128f431dd03fceb1e220655d5ce4b513c4516e38

SHA256
1951da24a6b78a1239d0b9279512196b90b6eb02df1a3018fe34b159acc69619

SHA512
4eb230d5ca6efe391ef38afecfd52fef2039e17cc388357a954498a32ef9f48c773eda7fed8640f46e3e25a25019a1c4b87394e8aec367f2575edb9aabea4485

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
df1eb959b7e6ce54d9a6a53dcdfb61b6

SHA1
528a0c655e21f3260c2bdc22eccd8c651f60a17a

SHA256
cbfac5e5dfd8c71e9925ea9bb789357a4ef9e538a30956163070d29165a85cd0

SHA512
4435dbb9444f1930092e212480061e44f4f9ce5e8966ceeb952a69ea0d494d76a2ae2f5123f750558fb1e618a3983b215ab08c6bb9eda812447dee4e1b8b4961

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
3301214e3943eaecd5d3c5a28b1a09fa

SHA1
510df756b18033325b40a653d298e845dc5546ee

SHA256
99e6ec1806b592eab47d9da6f24589eceb4954cbbbb6aa61725dd17e5dcfec9a

SHA512
c8ce251b8539fbd710a0c07b69dc5cb28a791afc1240a7b97eca074476738c2a37819fdaebc101413b2ee75bbf5110a22dee36a1a1d8cc83a6150e78c2b5fd3a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
af225c813cc1a7caffad2a16e30ddf23

SHA1
54fb73654fd2d8f25f8974dae021f15d75a4e360

SHA256
53591924ca080f0f74fcc9341011a3946113a077be05a4a20d5471bfc7c6ef3c

SHA512
8768e11d446fac8e7fdc8ffe0b5dbded4185bbab5a1b546c6cc44c0c081e6f3c29c63a4af8f1245c9acf0e075de090144c726a866f12dbfca12cd7ccc0e3ebcc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
49006e88e1342e7a1e351798c337f5d0

SHA1
571740a4a7e3ee326ca13ff290e1b22481e29921

SHA256
eab3432dbca028999fa1011bb125839850a8fad7fd2c42857793f7b1db74e8e8

SHA512
5513db7ae9e9bf30da89f150ef343252edcf172e0bcbe452e481740bf1052ac8bfad9fd95e143312698fda8d281701061e422fca52e81cc72c0d04395d998a02

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
18a5b332d92bf7ac75f39d214bc87097

SHA1
4f0e9782ddf78e136dbe35ab508fad017ab52636

SHA256
c7b47f90ce3423051d9eb11a8408cea6e018084ce3491d9e6821e24764e00630

SHA512
88a5a80f0860083f69e7bf1ec5aaf2bb6a2332460b6364b4b401a54aecb7e7bf16d8a41849d7431f70b95c78f4512122ff8297800f8384b35d728cf7b4f6a62f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
62e8ff17619eb013fe89029225e24014

SHA1
e17ac6eb6a6db6acaf1cb227b2a7141de7faa786

SHA256
c0fba8c5bd82d330200cccfe39e1c6db06b550ec0c2012114aa90183dd6f2683

SHA512
add3ae79d13b47cd6623abc5d2ea1b6d046428cfd5baa5047af201482a83d7312c52756ff59d9cd57ac484afe990d43cb42e9ed28a7aad22da81596ef4e11f47

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
73cda8bc0bc70e2328ed2c19b5fe9645

SHA1
a1003d9d762b575db26b5e0e5233254acf0b915d

SHA256
56cbbe1d4273c4b334bfb156809a48afd2935a7cb24ada38ab4d0674fca50ea8

SHA512
1fbdf5726b7c62645349627413a326ab535ccc3e27341452338b686918345cc9425f075f47eab37e4cdb314e44ad7bce13bf6be8df6aeb62471985bada0f7985

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
c27d107fb9c8686579529e5cde8daebf

SHA1
49a67b9c755e685918e878f697a0be5861460536

SHA256
3c86dfeb341404c873e1961b46821b28a9b2aff5b0050d034fed94058126d0a7

SHA512
4b3391c9b9931ba464e864664513c0beef9d1cfc62d23d71d8996303fb2f851ddb40d402af340c5bcd31015518392fa896581e475adc7f4e8961bc1d7dc3e677

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
e5b0ea686ee79ca99f40f8b21e31348f

SHA1
a984ec7b6656f032e81d60634df472cd476ffc8b

SHA256
cdd679f67b53a2d395562bf9f582c6219cb950590f30bb77b43fc7299b038a08

SHA512
3c0aa45d9d541e1bb82932d3bf2541416058baaa5355757f407446f36fbde5505d9578d52302534a3223fb454484c41fbbf41c2e25d57e577dc59ca26c71eae5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
093cf430bec70905c67dd7948f6cc5bb

SHA1
9a457a9551723406e72b740808d5f5c1ae2f7f8b

SHA256
49c5709d0b0493a4be07bc5f1c5bcb4064284e55ba14d23eeae8cdaa2e39ac41

SHA512
b6dfd6694fb8fd1f85d3f2c69615f76e667b3d57dd896f2228ca9e231c609e6bd0c9c00641dedfa92c933543f7ce061873b29873887416db52656155b8cd977a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
f5404e53f0f0b15c4c5c27133c56ef80

SHA1
c1c1300ed3d87166fee0545063f9c42b23cc4216

SHA256
4191f2c6bcc0b6feb731f7e7919ee4844a4d26761cb20b871b05c361298a2379

SHA512
495977bc753b20072fa3c1105178a8750c487684fb3a777fbe882491d292b0562fc1081a82a5eec0b7cbe5c3d7846ab996a80aeeb07b44d9a6e41a270506d8e8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
83cc2b942ee2d81eb213f8304cd02ea7

SHA1
363b7d8b0c703233de1ebeffd3c9134e0a7a0bda

SHA256
b00755e2af097add6e13d74cd32f8376fdfd86704ac3e9bf8416e5349d7c68d1

SHA512
8cb15d508e87b7a9a48d9c661019575eb166cc00be54dfbe7e6389d8f8a18ad9ef940c897695db7e82c3c8414b64f9e0d6eff3bb6f55dbf87c2f2ff9f298cde1

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
b01e104d3321fdaea58fad6e5ced2754

SHA1
c0b6a28842225753ec1d78414fd26d3a16050d16

SHA256
ea505292dfb2ea1c7da0591c30d251619b88956e8097c4708108060369be5837

SHA512
684bec87acf542981e5083e73bfe60abda48bc77cf5a5e9b34e0f48a94ff22290ebaa4e35f579adbab572cad0c56fc4eee641b771ee28502a3a834376aa8fb6b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
ee4624000c18ed217f7727b8039db317

SHA1
535c3ac15f77636640a51981a5afa194747504fc

SHA256
ffc0fdb139dafca2f825f5b3ba1d6fdb9d229410389ccaf216931343f81722cc

SHA512
978ce1d7fd97ffdc438e4fd5ebbb32920bc6f51241934e85e0b0e533e7eb18ab9e2d37a0634d5ff1a70ea619d6faa64fe229c1ffc3182083ffb007d96e1c5b83

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
46b4722dd4388c606e7bf9306c63ed63

SHA1
e2ce9b949c6c4553aecbde239758aa472f8da1bb

SHA256
c19e2cf7afbbba5cfe711a316276d4146e24d04652b1025aeaa08b190cdc7d2d

SHA512
d12707be57062681d42f2f6e68bae4302162094b47e9b88b8d996dfd4e1e3dcaaf0d50147be59611e0cf950a77f8d85b90c6297f3b53a7ae8767fa04ddd5acbc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
fdde766603256c789b97216c9ae1e2de

SHA1
37d1b8af192ec4c91ec4c89fe87bfffc90dae9f5

SHA256
6a40bf4f9f15da82be1a845b0f9d52c2ffa991281a6ab59fc96c5b4f46471f50

SHA512
1ab66f8bf4cfbb8cee15c1241f4cda96917ed2e6b27fd853a6cc3270b237af9923891824a7fedb90157fbc21d670ca2e2021c1ee59ba07b2843810407afc5c54

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
838d54d86c061a3830bc399d9cd614c1

SHA1
f1f9d0597ca8c80f9896ed998f07e34bb7c3b430

SHA256
5099f7385ad5352f2c4898ce06571fa765e10e6b84ab8c80a8729cfdf286223e

SHA512
d05bf4faa42fe85ab40404aef349f37f4b442a2a1f47af2b77621eadfd5b6155d01e0b2b5aaadc1c429073f3924953676fd3804a7c85b3a0f08f3d8220e26a44

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
24032ca5ccbc2326c861aa77fdd5b6b9

SHA1
b66476ad35b2fc4634425e0991c8a1ede14a3f03

SHA256
22e2138794bb142f412e67ebc591c1b12e0b591139758a18e51e947b2c0ef31b

SHA512
ed8cdee6cdceb36cb661042bd5d5a75ac3917d0f80282ede560e9cd362c7311ea4f4530b253aec96915443e430b7dac8b472321b29aa666e1679163e63324d16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
b3a31bfd68c2158007e21b4dc7b06b78

SHA1
f413900a7b3f4e2e6f3fe5f73a402faf82517d1a

SHA256
82fe6053b58c1f85ee729f0fc67a8ac4525eb2e8832211a38fc8989cd7c87d19

SHA512
bad848a6725e944fb53203074e6264217285bf5fc088ac5bd7047280e2a9d086903c2be525d1b295112a04c4bf1a208d1b243ef008c00275c7099c77b33afef5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
c3716f2a3ff937e398e5126ce2160bc0

SHA1
94a25b886b5267df6a4f45915b77fbda4d669f70

SHA256
d54d51bbd82f770e66f91a804b856d486bb1514c52dadb64c8187a769f5e6b7c

SHA512
b2b603c10aded97d28548ef7980ed14b42537e8aa57fd120478534c838c4c72b430d58557aa6529c7880a3c84f0cc684490203af88654acd8a8f044ac39772cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
2d4f57fdea851a157653171c0aac0fe2

SHA1
64e735aacaf04306847a79220a36702d9c315d38

SHA256
bbe78dafe029c59ebd0faa2895f57fe1fe6e2cb09b2613647c22b24e8105106b

SHA512
fb1b6172f0629bdf580c27e710c447f9e11bc1bf97a8d57bfb7972af0694c90f66c053a56a04523999a273809d006011c147526052bfb0d67df9e4bb44450c34

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
e333a66db386eb8be70a0def2b437dbf

SHA1
db8c6b3971fe091e6f2e9e669d97b5a26f36ab42

SHA256
667b2b5c80edba1c3df0a47eb86a3b65fefcfaf9128377c19265483757a89012

SHA512
fad55a596b6e004df3bc8bf004984eb626e5b00cc1aee34d0553f134d85f8f70e3fbbb82b19d9bea8f9aaad6f62f5264c88d4aa55fe3b859b5132af20292e633

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
86766ad2bb0f0b9103dccb9232565173

SHA1
63f03ee32af8ab4abc7de258573cded0dadc8213

SHA256
9ebd8928a63b3ede21e28aee1af5a17ef3413313989053b4fbf65b1b363e0d67

SHA512
32e723eed57ab2d9f006f8b4d07a887249d3a22063d9cbd3608570caf6c7fcdb9ea4f2db27c49e84ef0bb1bf7fa9e0797b5bce74bc47e8b93ced7b21772b6d27

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
8c0e742186a874c542b9a10baf6eb554

SHA1
c9b1a714829e314b1ce7df522a2c5beab17fa784

SHA256
43a0351fc9f63e30d7d9721e36b0b2fad0456fe9f2cf12a6a07b365e1b39a0b8

SHA512
924b45b31e7342da831610ae8b53632cee3999e3bb1e017d3377852a6949e0b7761f1bcaae47e6ac346df88de3f4887c1b443748014e410b1beef37f970ee891

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
81b152f2b4cfdfcc553ec6329fa2e331

SHA1
68a5e8d5a563c8572c92e7f32cc1a6c683316c25

SHA256
0e7022b79158141cf3ed90156005ab5346b68dbaf25df42584d382b5004329bb

SHA512
0d831350f36884254b0f83b7f506fc5bc1bb8e195831a39d88cc5076f85b6d8304c9b19e68dd90b05ab721e69e6d240c22cf076a753a106ba552373f29323d9d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
d627468127eeac375106ab732428ad67

SHA1
3a27e34cb0c768d1a798148a5fb445dcc7c2bbe6

SHA256
646843da88b961cd7c41d76f03b5c555e4561771d5082065f91b0d6fcd53c7fd

SHA512
5e0b00ecbda86c8d50d26878e69f1451002b13e45f87644c432679f6a1fb0239efcb8baefad60892551d8edcb8aaa047377a401571cbc9db6c7b81d7fcad9231

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
fd12e4eeb5a495b30b81c17d870d0a6f

SHA1
15b28939b65017561403ada4f934e33cdbb81165

SHA256
0d51d1ec5395234230a344717a0045c35674562682d6dac50d52ad848bc229ee

SHA512
f733058fdcb80d66ec696dc864fe5230cdb73cf75d5f676651222c4014570c3ce91e974fc9b90abcb66f5e57d914b500c3901baffb10a6b0ecb779fe99b08376

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
96b901c1548073367bf2824fa253f556

SHA1
64989b5d14912a8ce40a5e4ef8944a5912704436

SHA256
595b51289faabd31310a72586d1a7045eb71f05bb3651f19b208e20f70f2737d

SHA512
ff7bb92a04dad74f0546979f674fd9b725d235c2ad33f57861b59d0cb93bcfb3207f9b36520171ea4113f1d60636bf72172ed51ac021594ff3ba9250b4be58cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
d3fde4ba6d864ae2246af42e094eb257

SHA1
83b4cea1828702845696e0b48fb775cbfeb76032

SHA256
bc850d63db29498153baa1f51d58db00875e06f368e8c1ed10eabdee3074237f

SHA512
30402afcf526fb557a713a9bd2e5a2251b9e9633ce1f38f3cc245b3913632bdd7d5cf72695834e8f6219599f09dbb29d0e7d43db46bcbd4c07d0b903bda8a0b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
bb80483c2413164f0972eded93a58af4

SHA1
34c9e53a3a824b77d6f26548ab2788e75fb72ee5

SHA256
82c6998f5a028787bfaa6510230ae268bb695896eaf378e6b06e8aae4bfd20ac

SHA512
f12bd2279f9f75b31dd9456eeb272455a841dbd192ef7602997a0da5f73ae8fe9a218861a1b6376cda85a6f22c9ac4528719a92ef18cb79209c4af29d3debc9c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
110191995341fb80da106b5de185903e

SHA1
ff928fa9c65c39e32dda95de8fcf82563023ec8d

SHA256
9aa2ac3123e335951da296f9828ab259888ddb676eaece6e659118231510c98d

SHA512
55188d288abee0233ce90a68949d38b02f9a8d7d1d76918ce47820b6e0a840442e54a0f0e61983c4542b0e388527d7a038bc3c138287a265d5ba068a1eebd8bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
b2b9be552a72197f17cc5763aeb167e1

SHA1
ee8cfc1f184f7c296141fa5464ba289b29363776

SHA256
8048dbadf785082f84ec28f9e50799af543f02cd2629d6bc7ab9c3a3cfd49b9c

SHA512
3199f45329a82f9483593ff3e83f0533f8172db6484f429a8a31c9fe8d540839c2cda1c1ff2997835067453a28744b24da3e2cd0908df0ee67dcc3b8da2ce59c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
0aa769bc97079c1dc604148bcf0d20a4

SHA1
252dfaabbbdfd2b300ef48fc838b585862365bd3

SHA256
3a359ed5f6e4696de7c4fc0af90b4e5950c6e05c8aed900845875b1a6bb040f4

SHA512
4ca4fbb42176cc4ea2a95225923d68ef289ae1704cf3c043d873d4023b41c025cb78b36b6e8b752188c1625f5c8c379a219c683a1dbbc0e7edccb7d14a3e5bee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
dc2e36ec25ea763605555ba8cb8590b4

SHA1
476105e7a2ae310a3384fd2ef902e02dbbef9336

SHA256
378c010fe0588c1e2ce9f6f649ff5723838722d3c9275799cdf6e77abd3527b6

SHA512
1ff8568fade1db20acb3faac332ad0c052dfaf6f38f1c6696df25b70ef5b50c35c3e782edf192007f1cd5a10aa835a584b07de2afd1c3373723ef69696976200

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
344b1ee72eea11b5c0b99bae25b4cff2

SHA1
41975e1b47c9f1547179b350c82e3fb42fe0f44f

SHA256
58b2136d84f32d53e9dece31675eb8c24a88eb06d09c6a084d9c0f84cbf392a3

SHA512
93f115713a9bc827682dae11e661a81fce03f069ea97bac68fbf88894b77f11b10271df6b4e17b35f7aeed8f83865adca72748f58b2b4bf587024194aadad3f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
0a094cc285f39f0485292ad824e25cf0

SHA1
acfe342debf0a5cacdaa6679be3af5c7326094a0

SHA256
8e1177ede0293d86e3664a8851ff0175f153b536f5a2b74d58a1dbff1f2c53bb

SHA512
0261d366f2d5ac094e46008838b1e4c0db40971672d9e8b63a612a9d6077b701008794d9f8161b65d906cf578d4a620fa03227cb4b60b97deb2c71caa4641365

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
9d0cc8f78ed705faeac642e0b7c9d5f2

SHA1
587c6b6fa5f24034befa2a4f53f5c9eb2c3f0ae4

SHA256
84b4b837ac3951cb13d0b242d004d390e2cea9b9859e7675c8144347fd8606ed

SHA512
3fe4fe6627293272114b7a6f0faf688b62d6ff434654477e9aaf27955a3e7241d45a0a05aac923ce6a9a78039160aa70a5be03204b65c2d970fec7ce40639674

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
f2cf92e53040f01d9a548733bf5d7f21

SHA1
55742bafa7dc042c9f21d9ed7dc39368545cc653

SHA256
588f3ee2fb4f2dff9a599f2ce8dc5cdd08e42efab80b131103f507113b7fcbf0

SHA512
e0c7092265fb432589264585b274815216a759003b099530b51ca16727450021c434779ca2eacb70494d47100c0a26f7aef6486f859cac552d02601449a308c2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
863752bd6dfd3b098d7da7f09235f94f

SHA1
9f7cd39e90920b25c687f59306d9f5369a5d5280

SHA256
fb8c33f237d7249ac03f6ca787178be641fba35821109d7d743b972d7bc24825

SHA512
789f3e2664cd89f69ba1c08e2f5ca0589ef7a536b9600c73ca5109f8aa95cfef46a1715a9c9e0ebbfc465b8787d6f8d153d26216083a6b8ffb546b2da2de2ceb

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
002f20a5be206a8d806983356f14e086

SHA1
0a4f0f136569783a074522dc62679ad3087ce6aa

SHA256
538d4abcec355cb82c5f58a116c48cfef5b99ba5cd949e04c8d2f96ccb2a1f47

SHA512
4efb6e552ed2fddff4ec7f05d7aa7b998e21975b231add6bcccf530a75d7285052ec6c7123548882e53f9fef44753066ff1c7996000f198fd7d66357e1c5dd69

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
774ebbfc45f836f96c662059429c9b0d

SHA1
825c750c2f92f145d88315179860a722b414abfa

SHA256
6c5f82adb8e3a90b9cb4742c1db275d921455a7accc451aa3754fc91a068a838

SHA512
ad2c882b305c61e609949fc5b40736203081ceb27fa15e8f5e8a8253f00f5e2375fefa5adf7d2f275381647c37e2e0a6152a90e35fab8bb44d863661d5029105

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
e5817cc90581321fd5a6599f7d4b88b8

SHA1
faa49f94f9991fa02299c51d4aa2abbae7514bdd

SHA256
701f69a0b02cb65c3de0480b526852107bcf67dbfd4496c17fedb070ba84ed75

SHA512
569ec03965b02fdf1ef02068ae9e782038e09bebcafd7c0dada275c2b874f3e7b271ad8715e81cfc870cc1b3a9eb2624622e7bd732cfea837280dc68ac130a74

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
521fe2a448bf371d1d59be44da4f032a

SHA1
5d2986eeaa3934bfcef13a2c9d77a53ab4093fad

SHA256
89e2400ecdf7efa242af0b0a8c5c421100b5bfa03b9f49e4626985e46a7995b4

SHA512
70d3808283ca5e9d0a48d78482992c8c70eddc188b9c43b18ec890c013ae26cb3e436e1669e22b8bd7884241ee09e152537301de9e6c77cc6a6a56bae7195fb9

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
f096d7767e30b0896878cd8cc903f7cd

SHA1
92f60de01fe5ea56155314a8c747d7eeadcc330e

SHA256
bb8e9e7b12abdfeae4e795fae89ac1995fa977010ea7fdeceb2bf88128dbc828

SHA512
0bb6c6834c581eed2cb28313e3fbd00948e4e7f9fb56d84b53efd58af5596ff45eda601553282eab3c1b101ea87396ff654b949f6bc30e4ce8509f50d0afc4b5

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d8eb1f402a85e8dfffac0b44ebf104c3

SHA1
876c3da6302e86f09382ebe8ee1ccadd31436817

SHA256
3f144ab72ad016e3c6bb4ee5b5e3cf3089eef5467d5879523743a642cb51a3b6

SHA512
2468baadad81eae03c7147d365c75858f7353dd3dd5d9eb27c575ff1c72c27c11ec5122012d0308a75f1e00b947938a81db51f4a51363de4f00c941cb481d0ed

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
393cd8f5ecb9c48f2d9b174f33f7f3db

SHA1
0d20413bed517dc3a3cb5bc1aeabe1b7937a1b02

SHA256
ea058b636e5b1352113167c806b0b8883ffef4ac43e15f4a5193ae178b50abc8

SHA512
1b96febe476217ea42bbe3c8e118ecd8f8862278950f0f75913ccbad91735eff9357c47fceb269dac083bbcd31e823e5c34f44bd131b804d7b5d60a07538f13f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
50ba5e2451dc932f86944917f2a1c192

SHA1
8fbbadf836d91e6017ab9b449c6b34f46213d639

SHA256
7dd709fda1a6288f9a98144e8489fddde9f7cc4eaa1ed80cbf5233077c67dcce

SHA512
50a44b7532593e03e1266480d68404a24ad4bc6ae48a307b960a2e569d28627c51dc3b1d970e9111332acc8663c4c77f28bc0be6d19bae79c80ae2ff1a732af4

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
c7ab84094edbee3567999c87d2ff76a6

SHA1
1f6704f87489a734308d12e824c8949b82a3eb7f

SHA256
0a30cde0bd906bceec2104ced721ffb71cf8cea216129fd7ffd47ec59364b2b3

SHA512
3616e59dfe647be081aa4a5bc10c59b68135c428acc43e187bce9f37523e10ec5d3cd1fedeeaa96f4e9ca85ed82f919a707c3b52f2b99474c0729e9ee71bd7e1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
03e2ff50ba6b2ceb8bb5c19389642427

SHA1
dfd364a36c403cf5bc6b48869823dbb75b7ae0d3

SHA256
0ecb99acd4933b75fd07cf23e69aed630f2c84d0fbe5c58c7ed19a1656d61c90

SHA512
5cabd035633c03d5104fd04483f5732c04e9ec344713791542e310bd0457a555ac1c172c9e991b4715605f6d15053967f726b58ed1f52a3353d9e6af1d2523fc

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
1bfefaa61460f270ef7765211e76e5c1

SHA1
033c033501ae7d9bc5934709fee84ab4323fa483

SHA256
1efa44780fa9857192d2138d464d1bcc3acdbd86c9e146c7853da330a6a82f33

SHA512
ac9dd0e3b19e6ee9c053b5179cfc9bda6c001092dbc43a12259dc7a920e7684ef2ee4b4c6501fbdf98731352362b9f548595ac9d289ce62f7445632538183e6a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
617e7949986df6d78456e314555ebaa4

SHA1
bc28ec54c2b04eac835a956b2d8884305e43fd67

SHA256
3fadb9dd74a02faaf1cb0bae7a5dd490ba64ac93c1186102ab367607321444c4

SHA512
6f69e70a5393a958de1c55883f776abba03db30c7712a1120273beb63528d2c57dd5e0a14179fe489b512906a470d5a9e64410fc5bbfbc7d1734033452fb3782

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
25b695bca553ffcb7439b1e6083ae1ea

SHA1
496ab3f7a94b81a97dc0fab7307579adddc7525d

SHA256
1883932b4169c80b0bba5d89fb565bb9e6185619454d9acfdac50ebc31e5152b

SHA512
4a4eb24aa33713bb2b525e14f302e7d61b1636dee067c44c15387ec262ec1120a2e7af4d6f20cd3adee8463a421a3818c1e6c92eb8d42df17173365620d02330

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
87a6661bce197d30b578ea64e78920cf

SHA1
4542af5b30201467b515d65fd189c7a4c39cc444

SHA256
483c9be8f01e7f5d5f322d9292e9cfebc16e375b21374ecadb7cfd4d81a7a2b8

SHA512
7e2b35f797b05311f3d8c7e1df7137a0cb9fc302c59ee37f73eb3a554b16316a52b1c12928b4833bcfa771f3be9cfd65debfd97464648580ce196a0d25a315e9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
0671374281a50b56e8c089728bf2eacb

SHA1
ee015be6c8345309b7e7c4118af25c4434de3f6d

SHA256
66a4620fb2a16524e33fdb086a0d4283791394d4d52b6fddeca2b98f3c290edb

SHA512
d163ce251973972fda919a110027a6564ddb93c0acd95b20584119f7869fc039e88cb4b5cd57c8f76f599422252884052ed9260e716787b72b5c91ae404daa4d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
bba2fc73233c3468a05d0c136dd8d6e0

SHA1
40bd0df6e957c26e7a853b5ecdce1fff9391cde1

SHA256
ed5cbb5a211409c97e7f72cd1835fbaff0d7c45ac013863ff5adc588da59f149

SHA512
a3377ac636ef6112dd2189d719d054042d23617fa560f85e4afe9508b5f83216bcdd65c0eb8b1936eed685442f82016961e8622ea413067523b6e7d5850d0bc3

Download Submit
memory/64-367-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/64-378-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/208-332-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/208-584-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/412-236-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/412-38-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/412-39-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/412-30-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/544-418-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/544-594-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1244-233-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1244-26-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1244-17-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1244-25-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1260-315-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1260-438-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1260-553-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1324-289-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1324-393-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1692-381-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1692-266-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1844-75-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1844-238-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1844-69-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1844-77-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2204-439-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2204-595-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2236-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2236-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2236-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2236-237-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2344-394-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2344-592-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2944-593-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2944-406-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2964-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2964-255-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2964-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3180-591-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3180-382-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3240-329-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3240-534-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3816-364-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3816-588-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3836-363-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3836-250-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3836-243-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3836-249-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3948-15-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/3948-1-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/3948-9-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/3948-0-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/3948-14-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/3984-295-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3984-405-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4744-61-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4744-53-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4744-65-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4744-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4744-62-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4872-298-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4872-417-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5080-587-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5080-344-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download