53c456c2dc3a417cd49bd8c5c25e5168a84ca0e3d427837535676189e188eec0

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 09:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-06_6b969b0c102d4bb8765f79b66ed23860_ryuk.exe
Size

2.2MB
MD5

6b969b0c102d4bb8765f79b66ed23860
SHA1

12a05b3eea1a2af01a8e069e4cf33fe9fa7c8dc0
SHA256

53c456c2dc3a417cd49bd8c5c25e5168a84ca0e3d427837535676189e188eec0
SHA512

fffc299c7a0e4861c7a613306113fad587a3107b2a9fe045dde6c5f7e836de9571faf788589a15355e00e69ce0a65375b3d5533cab4cd8492eea198e0a79bcdf
SSDEEP

24576:xOObVw4TaN1wdkukCba4oXtgLhU3wEdmh58B65gcTVjUCs2Vo2:xOOh3aN4kuLbegmtGQ65RjUV2Vo

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1436	alg.exe
1528	DiagnosticsHub.StandardCollector.Service.exe
4324	fxssvc.exe
428	elevation_service.exe
5008	elevation_service.exe
4468	maintenanceservice.exe
1600	OSE.EXE
2764	msdtc.exe
388	PerceptionSimulationService.exe
4748	perfhost.exe
4388	locator.exe
4516	SensorDataService.exe
3220	snmptrap.exe
1808	spectrum.exe
3384	ssh-agent.exe
3924	TieringEngineService.exe
3152	AgentService.exe
3468	vds.exe
3544	vssvc.exe
3092	wbengine.exe
232	WmiApSrv.exe
4712	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-06_6b969b0c102d4bb8765f79b66ed23860_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-06_6b969b0c102d4bb8765f79b66ed23860_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-06_6b969b0c102d4bb8765f79b66ed23860_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ed061be78beeeac9.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-06_6b969b0c102d4bb8765f79b66ed23860_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-06_6b969b0c102d4bb8765f79b66ed23860_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-06_6b969b0c102d4bb8765f79b66ed23860_ryuk.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000381d05e5f5b7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008af33be5f5b7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d5a08ae5f5b7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f86cf4e4f5b7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b9daa4e5f5b7da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000225da3e4f5b7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1528	DiagnosticsHub.StandardCollector.Service.exe
1528	DiagnosticsHub.StandardCollector.Service.exe
1528	DiagnosticsHub.StandardCollector.Service.exe
1528	DiagnosticsHub.StandardCollector.Service.exe
1528	DiagnosticsHub.StandardCollector.Service.exe
1528	DiagnosticsHub.StandardCollector.Service.exe
428	elevation_service.exe
428	elevation_service.exe
428	elevation_service.exe
428	elevation_service.exe
428	elevation_service.exe
428	elevation_service.exe
428	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4820	2024-06-06_6b969b0c102d4bb8765f79b66ed23860_ryuk.exe
Token: SeAuditPrivilege	4324	fxssvc.exe
Token: SeDebugPrivilege	1528	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	428	elevation_service.exe
Token: SeRestorePrivilege	3924	TieringEngineService.exe
Token: SeManageVolumePrivilege	3924	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3152	AgentService.exe
Token: SeBackupPrivilege	3544	vssvc.exe
Token: SeRestorePrivilege	3544	vssvc.exe
Token: SeAuditPrivilege	3544	vssvc.exe
Token: SeBackupPrivilege	3092	wbengine.exe
Token: SeRestorePrivilege	3092	wbengine.exe
Token: SeSecurityPrivilege	3092	wbengine.exe
Token: 33	4712	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4712	SearchIndexer.exe
Token: SeDebugPrivilege	428	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 3296	4712	SearchIndexer.exe	123
PID 4712 wrote to memory of 3296	4712	SearchIndexer.exe	123
PID 4712 wrote to memory of 8	4712	SearchIndexer.exe	124
PID 4712 wrote to memory of 8	4712	SearchIndexer.exe	124

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-06_6b969b0c102d4bb8765f79b66ed23860_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_6b969b0c102d4bb8765f79b66ed23860_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1436

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3440

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5008

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4468

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1600

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2764

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:388

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4748

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4388

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4516

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3220

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1808

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:732

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3924

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3152

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3468

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3092

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:232

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3296
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
42a0b771b687883eb6655ee02aa3a5e5

SHA1
8d18d4e596abcea1a1c0dc8f82c0d8ad206a44f6

SHA256
1e98be3134add5f649b088f78a493c8a307fe9452586be984d4d8cb864f0815a

SHA512
e225674f0954121ccc22f90f40f9204325a7ba0ea3f1b01202a33dab86a2e0686c8a73662f3c0f61c6e9353da0b73a18c6747950b0988ea6117662ea8279fff0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
2b6e26406a39bcee2f483a6263289870

SHA1
819fd3781871e5c420f1d96b2046dfefca903ef9

SHA256
71455883af430831bcd7373b89391d1e8a8c8432b713efe58640c07a56ae2560

SHA512
59bb1cc3a1c3c997c45134d7a755a3068eb2d7bed83526a2691bcaf1156a1f1b126d7666271f2bf2e9fcc491b5327b037cfac990f8a452a0f80e912731b2ed3e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
7ad54e4ed2d845b610bf658efb1218b5

SHA1
5a8749520fb19f196e69a1c5fa66b5a09db59652

SHA256
ae7fb328f05f79f348ad0ad904715b99644a452e541e992ba520c6b0fcfbf7a2

SHA512
4f339909f8064a8c169bef8cfef4039a467ee9678ffe459459d88e402b3620943b8dad0255a345d3f5aa958316141b9cc378a9197991571d930f826022696de0

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
1c3b1ebeee20a1945ac8dc96963551db

SHA1
80cb6ad958be4e4b2711e5d26f07d7a85353042f

SHA256
9fb388c93bcd25119104585e2646e017459313be1bf0349c33a748f9cd80d888

SHA512
7e0b2f8424c9bd977b9426be373140a21ebfecff5137933a8cdfe71d2fd1ab8a1845c688fc0b3b4d2b69a3998a4bd9a177954ccddfc0f589d2938fb6c29bb801

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
7f81b506972b19a264e5a2b082e99b0c

SHA1
c63dd33273b3cca0a1f65839cf266d43c1e969d1

SHA256
767f2b218ab16481de91874d359a9cfa438690e43c20e0287e091508d8058311

SHA512
7373a20f7898cfff77e779d3e6857da1785312090759b8f042cf8b3ce82eb530510f128b747a77d4a9b5ef3650e9e7211a0a6bcd18c6c43d8251e382cfef76e9

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
ed3feaa9b8e8f88122f1ecf67bde1dba

SHA1
3ea7b89f8fa5d0826a8cc3e4d3a8e0f660f36349

SHA256
c0a8439fb5a8eb41d244f51525de05fca51d1b08a6179c5d56656f4973a4a060

SHA512
545e7f1e6ca99b9fa3643b557cadced2abb4ce98e3718f11fd23675e39395d7bfc547f05914dee9b45138a3369f3a45c36e838daa7adebbc561bdcde085fd623

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
30a3e34d6829be230735d910b7645fcb

SHA1
f2a0f98c56479f9c6fb1e18362b66db6f8211ac9

SHA256
22fcb44c05452edb806a024c73262f4a53d96e88efbd08e9e0ec9f59c240ed67

SHA512
c717d1fcc88e683c4a29df37ae09ce225d478a57ee6f6131d303b6e937c30a56e548daf55eae74ceeecbb216250c03e9e2a8accc3170f32598db78299a61ca8a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e34172135c4c7db2434a72bdb6a9b55e

SHA1
66ef21d9e26d7eace6be6240e577169ce0591c46

SHA256
121a27ac0635d7a84d6dddc088af809b68a57543f816ed2c2eb2a587cbb502ab

SHA512
68f786106b5532b673e1d8552c063870df407a9d3cd6a86ec49d68b95b5f3cf756bc54eb5a26ca7aad4e23f34dfd923fceffa8fab012b340e249a06f63145010

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
b98572e828591a7235c36d12d7f0cb85

SHA1
26fc2384fd853d4f2bb6947b9475446a78cfdc03

SHA256
9a415c58486efeeef8ef0ffcabcfd6b4955e825f4b61d28e85b320501d3e756e

SHA512
3d862aee36388fd990924788b9e1f69ff9fefee0ba01b7a470cec33b2b8b4f87f592cf1438e117c2aa807cdbd8211fd3ca26906204f05c740904facaf7e2ae02

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
2017f24948b3331515886ffc65aff323

SHA1
e9fff2a17e16658ed8aaf7fa29b1f254edf3ac5f

SHA256
0742e3c22b10d90498578c4c07e7f1044a455b22fa1469e8ebaecd90da7f77d5

SHA512
ba888c6dc847913a68a7ab71486dc0b4094032f74405165d40a8dbb255ce5379360957670655417ece40cc9cba80b4a33e402a1d0e11058cef0245cb2558d74d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3d65150ddfcc438ecb1c2bb5ed7de440

SHA1
ccb067754be19d50c77a720da66ddf7dd452b57c

SHA256
24e90e016e00f7c016d95717cb74600381cc2153057c3ac5ca7ed7d8efa6fd34

SHA512
5dc4766e1c867a420db06b1e523c6ace2d10073f87c62e8e7c7441b6b051f8d816e464fd1b5f57d0e621e0a4f3999bba64b4500998fef87c90bbb11434f8ca9e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e43f554009d800136346d8a282df9ddd

SHA1
adf3665f777dec2b1e64ee9d5cb96155354c31fb

SHA256
5d361605b01caafb6e0fd48bce2231fc5cb033e354915c5cce4bfae5e3d59581

SHA512
977e2420b928e2b31828133af888e46cc83e31a84455a9f862de160e5bfd535a4ead6529c56ce7d9873a08fd43c816e89b18521bbe8c35a217c8ebdb5228dbe7

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
22957360396183ad1653aec944cea1a6

SHA1
58c8eca8939e6bc3b020d7295b4442fa64428535

SHA256
4e10804a67b5651c0b4424d2164537f04d385b91856d73adb06f356eedfafef2

SHA512
7879d23134143cf036a7da04fce1e35ba68c89c96ab0804aeddac13b8723a40a6ea02f427b183baab4e9a34087732598b6194b0be2e1c91681607d101f9b3c2f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
667e3fa0524accb6485e31416413e350

SHA1
0ec70948da5b92b4186b3a1dc0553e279b59bec2

SHA256
7fa58a8231de8b90c0b3959d3207a1ebf78d0c6630eadead3f7df0104edd0d39

SHA512
bcdc7331303774625e5995467d5d982ae3bfbc97c9641c3a6a0358759c282ed06662c2ae4b4dca8de2ba85ea1cb491a6f554e3680fa5b5393b5932d7a7523f23

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
82ce71cc62f8a607e6bee2f5aa6b7ca9

SHA1
c3c643f540fedefc49ffbb2db8f009eb08998d56

SHA256
cf60f1f8843929803c55d4b9bf035f7ab05c93873dc06757e3c6a3947470ef05

SHA512
b5f885fec0904c6840f460a4eb5b09e5ed842e78062f9b202cd19d06cb5f1872b7b76c65b4a8f532338ecb15807a975dc25483d780fb8805ec4a2e540a40668d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
ba6de55c690bdfce44121ccb95aa1432

SHA1
6562c1c6a3966e80d0687fec8345669b6b6fc6a8

SHA256
05deb40fb71b42b4c598215dc91d18f0eb8788c00c795f3da5d41e1d78f0f3b6

SHA512
b9391dba08ded28896edceb2bc062a20115118544182aee8e4b1115b30c6c6e1354588d709fec4a01b4b4ab8a2da8a3279002619df397670d538c9158201f29d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
92b8b75cdae777f4d218013d099a575a

SHA1
2d6948a32147c0e2f52381cbbe2710ea126726b7

SHA256
c0460e93ce22b623b7f52af45afd64494f597ae74c861678eaee323bc2f92a28

SHA512
cc7009b67060fb65aa5a1e9bc117bb3ff8187d6c15ca325b9706d35411750894b377b939ef236c21b3e4796f90d06fe49c56c4c7ba38afa08908d32d7c739f81

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
5ba075b884b1daeba86bfc43347a888e

SHA1
5ed91bb149c2ab0efacdfa1109e5020a3b250023

SHA256
17876be1c1912d45ab212b378c29499d1e7ffec5cfc3d5198e3b2f00b93b6f79

SHA512
cadff1aace6dbf0c385321748eb8b33ea49a62d3a67b41745d0570e0d0794a904ca884f67b1733d14312ffbf906f51d08d12e973e449ac4b218e12e48646a326

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
6c36ce8f81c713a022d0d7549d6fdeaa

SHA1
c902e4f60104cdba2fe98c2e83345df13cebb4bc

SHA256
e384391f2406bfd31ada6b882ffeb154adeabe0edc7b835f91a293a59c5122f0

SHA512
7c2212694bbfa6cd3e3138ea007b8aa6fd6ea528f1645e091c3d459ff7a239410ead996c3a6b915904d7ac73f99f7b0aebb7fb0e056c09537dded762e7cf0f76

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
7e864b2260689c51c5b54fdbc39a18fb

SHA1
6bbfd3b81bd454124e735b5e5aface4e364e4ffd

SHA256
3dd19426ddfea761d1d2b850bb0391ef3b567e94de6d1d7cac43022e42001eaa

SHA512
16a07cb2b947f5a3cb061f99db7ad2fa2ba3bf7be48e898fcdb473b05191fe353548765666b9e9e669972b87d729a8e8e3b369553ed05e7e81ad0bdac07236b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
814fb5a235479f3c9d1705c6da2ffe9b

SHA1
ae740751755c0706d472efb586b9bef842dbffc3

SHA256
a6aba0f3f5cd6620cff69c6dc78281fa12762f247e514873916712b6e4ccd881

SHA512
e2658e91b88de0e8f833f8e2b703cfeac8d52c7b068517440aa60e56085135cca729443a57299822555435ab5696acfd998608d28c5ff116458f9a6369b0b606

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
16b5b61a66efccce0c766e49b22166a3

SHA1
ba2ad891159376cd5c00593b0153427c9a60f41e

SHA256
66b36775a6365b4a69499d47f51b200c91395b12012b24d5e86c8ae961079398

SHA512
482aca9a69c709a5b45dd048a0ed4ce777c173233b6243d86365e2aa64511ae163030de4a3bbe35581714a1d8e909fd42e276aaad060969f577510156973db21

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
da9a5c70134799b229c8dc9e608946dc

SHA1
d0d743d9a1bffe4965e081d748df25388d14dee7

SHA256
42d532e33b139ec00d4eec5e21f3ec8180cdb44a5163b0399dd237c16681308a

SHA512
62009c9a39591b5f2b350d0cd57d6064f9c1bd07d9a6f9ed3cec269890cd54483ffd88d5a7033b780429ee942c4236bddcaed3107b97abce553e0f30d7ef3e56

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
2bc346e62b7f74038deac91b16959b33

SHA1
48cb32f4e58c4c19d767ff303f2df10bb99879fd

SHA256
d26e38489973d6825c059eb009f3f517c765f27ce4243fd5b834f48ae0670bf5

SHA512
17122eb2b224b7fa99004202b1d4bfcc0e5cfc95091e51ca72528db7fca8cbf8445c014f06bb243a2a377b991e8eb7753765332cf33126397cc9824eef6c2819

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
ee2d4fdc523720e1b74065288e3fe00d

SHA1
b89c00574cca071857e80f5e10979ce912378237

SHA256
cca73f9126926788c31d9789cea15b669b979e081c3b00bac8140aa02733336d

SHA512
4e39cec02a7f135ad36a15e34462664e947cfe03d6fa50dabd6f87172bf62dde76b34cd8f36ed50d6b519220b52e7f5a4ca41dd1f4ba07d3033ec27ebc438ae4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
15265cd0c21e4a23429935437327c6d1

SHA1
5374f082f3461ed06b784ed48beab75510eedb0c

SHA256
239a7f775edb0860a4aca7045f0651fd92150869d41bb9f6ed85f8bdd8f1ab36

SHA512
39b850940ea822535d7ec07277de4465a8c98f0f5b68e8acf09fd44529f5802325e4553642c141fa2f6bbad89ca078b09cb074905ec8c03b814b8af94f804b74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
7fecf90b18a6290d9a74c3f44977adb5

SHA1
cc3f3c5b75fe24cdd7c417ec782ccf5527498a3b

SHA256
1f53a18f65040686288759807048ae54a8e7f18edd8862b26a4848d978416a14

SHA512
26d23abe43c6157a87f1a32991f62cece9a9bfe4841eb39905444f83f351ce775a577beef09af1b17d3f5c194109d46fb31749d2b6ea56268615fe01b44753df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
025fed8b97102f4983a087f1d3ec20a7

SHA1
4ce45ed4ac0671ac7376f2b6085f16b63fe82ffb

SHA256
6fe725991ddcb39c4e1daaa3e0095c75f9dfbec05f857d7eebc4dfe758247ea2

SHA512
de86ef5fe38380af205f446608c0bda81a3f6841804809821cecd84884f5f94223d7a614663326bdf5ea7ea04a0142d01442b7e31c292054da578a9a079469c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
80a35b9beef6f7429d381dd8130ee995

SHA1
9b193a9bdb6934f030640c1a2ffc5533b29ff84c

SHA256
1efe327c17715355d2de1b0e1770894f2655882c11bc260bdac04fb390bc9eb4

SHA512
1ba7bad222751f3666e8e847c517fe1125781cdaf746647714030eaef9da224a85af45a9754b4cbfa312748ba58be5ba69a6e718e53834da5990c96c33034ad0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
11f70d524a70fa0e931bc233b5f31754

SHA1
815933f568bd2ca7236d3d7909333c5b456597df

SHA256
b556dd8c9377cafa84ad002edb194172e72a6ed45b05da3d13f09e09fc1d1ce9

SHA512
7e590215954887b66d8a98eed6e7964975655beceaa0e552b3f6816c750c646992d1d14f377d15f66f405b0ecc8e8c0a6990d3968b64fcd8f207403d34ff0358

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
7103a1a224b3fe391e681e164a3a516b

SHA1
2076d44ccec994074be5258a23206954d5f116c8

SHA256
9322e09418a9de1b170c79aa5a49aa223b7082bca1b56a60aa5404e5e2f6b49c

SHA512
755861dff74fe0cca35fb3b1288bf0847ba72ed6dfe2017d64423b8a6a7541f14a6343ec6cf157fe7125ef08d26f1bc1425668921da234ce681cd8a5edd04722

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
4f18da71e45db42461af2d88f900d581

SHA1
a1d83de20260c8135328d07d84c3f2a45b9f6f41

SHA256
5ce291bed3c60853abfeab99246d7fa59d3fc4a073ba5869fa2da1c2e5df9c66

SHA512
7f81d594b31b5bbac47be821c9f74639ae61976b233e33d9714f3bb646a24e0a9a8084bb1e6a61e6bd8dab1429759280f87ae88cd5c10cc7dccc5f91b848ff1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
ed20db2c08c456c82eba58fe531d785b

SHA1
d353b0a706422605d153314e14ee7ba87a18e1bd

SHA256
c52c95373cba8fac4e96d1d560352634f2210bd8cea320a3eab01ee4423d82a6

SHA512
d1dcbd8ff6e8700199a16625c6d7b35f69825ce9a67a91640b4a43d1f7fe477d13f50ec485a70239f697ed75ae5f615ecfe0e3975a50cea1afc6bcc5b641d9a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
cf2e09c5d39b569de709ad46448d5696

SHA1
b5c26b4c3b1329ac490c9b9645e61bdefcb00dfd

SHA256
a39ed230c565224e8f33196f4f8f7437b9b6e154a50bbd70fc1f774a73ee6b7a

SHA512
fd1f28e05898c6318614bcd3a40b0c725be21adfc9287162fa18f95fc4dba92a628ef944ea5203fd2e8a73f086154a56e4c010f7f9541d1121fcedb924956c48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
c1dcf7e7e70652dd1702f80c0ff91f20

SHA1
69a12e3be800f178be1e47ca4ba73a583a8fe893

SHA256
b4d8533b29128522be5521b46dfee36777c453eb54215f08e3a42833e22e921a

SHA512
dd27532eac5a8d78b5f83578a50f72aa76eff4edd649dd2a868215cf98b76d1755ca07d5e6d966955b8bcff36af9caf4e2a893aeb15b99f2baeecd059c052d55

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
bf9d0bd3b471cb918d621b0db0fdbd7e

SHA1
bd46199b4a4ed8d4ff6a668a8901da52c11ea6b9

SHA256
b7d515a8341be83a144664aa8bb8f6f50da547ad32d74a560e30aff9b01c2038

SHA512
c754c6df3a3b51ad133918f5ea42a6eb24cbfa95939d20ac46c39baac02dced7a53a13da3ac157ad922ea669d65cf236601b4113db5ca6c460bebb6efbd9da1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
9581961b6877768eae6b067a98b75e4c

SHA1
594dcfffa09cbbd307973c2632213e2eca5ea1a4

SHA256
9eb8bddf7847b4e0a09dc7a8eccadd91489d105c5a738863680e7b3c3c71ade0

SHA512
cb1ae752c64e359b77d50639f4fc245e469b5b879cf09d8943a024167d5b9a7dd160fead4b91cd029f54cb8e0298768d3163b1a69323245ec9d87f17300a0649

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
8b56aff7b16db7f957c5a5e420f4acf5

SHA1
9e0d8cfdb35796503882616f2a3ba82e2fd2a8dc

SHA256
2eb4d0a80eeaecebff111e5fd049372b8e3ecdef130aeeefa4b2163e3e6d3868

SHA512
cd05b42bc7b9c7b112acc64279bc1f29eeca8bd7b5f687d5226999d3b0bc75a326e9a1f3e378823d2672cc2f0f9bb2db0af9971ad5405e049741928c33e0abd3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
08395f2e98e1f515a9ef2e5cda5421aa

SHA1
4de24d0f67ec948369fa0713640237841aa0e63e

SHA256
2eb485aeef310a81e231297c988418399a0e6f30b5dfee1372eaf3361c845e6c

SHA512
ac0d0c4c44feb3f9c5491384f08e7d161856a8ac56902bb2849c280833b4f3cd3b3bd5b5be648de73e5de640bf755318f49b61b30347bb8ae42dc1788eb60cd8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
5c451104fb6d87088d1978b7eff9fafc

SHA1
1a6569c1b4bc1f79196711747e567a47cb4b359c

SHA256
cc40c8ddf0581b083071dcfdeae89836e187b25007b6b7994afc7dddc24e4d5e

SHA512
8c936110b442ee7a7d0ad13b81e5c594960485a9169499f88e08d9e23a4a639c92a641e519c71fe8d8312c0de4ce4223e325da40a6936c080b613d186da20386

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
fa792788bca9089151a99230d20ceee9

SHA1
6b48c4b486500016e44cba495c72e98d18e154b6

SHA256
a8cc5a479ec00231c31f6f152f3a07ecaab5db50f34f73b2fc9619b61aff6d17

SHA512
1ec3eb20050ad44e3c309447d6574993ef5250a3dacebf0e18b7bb524cb45b3d6a6557e54824950adb7758d4a94c7d39b632ce1a8f522520405cd27e66b0f7f0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
0f5f2be064e43cdcf29d0b4f522dfa5f

SHA1
a845e5625698aadfda4f731e1ff9b16e7918aa21

SHA256
ba74c66c8ac7f0246f5b813295fac9598fb514b0cbd9de238dce66e52ee1ad52

SHA512
61d67ada09fae8f4c40082edaac054c9db90c54c95eb4bc8e76baf1ac2839ca3f3adea1348817710df26b1a86ad4cdf7b764d4713cdb10442e8c7790b228355b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
bd3437c1f5512a3cb6e858488523105c

SHA1
a6c6daff8155659f1c6b8f86c37fe26a40a5ef8c

SHA256
e0b98c7336599b55d9a6eefcc44d0ddd20106406ff8df2c02bcfaf82b0cc3e9b

SHA512
6dc90bc183d0a174cca9dd5576b12d6cd8896f8d2b15bc0db93e01fca44e5e827d0b3688588851dbd8473b9281d8922e0cebe9861a8ca20d9f6d55935af68722

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
7526f8f99bc0003f786b9b0694b20277

SHA1
ddacca1ef00a63f5ed8851f1a0269aa871c7280a

SHA256
6c6a4e04323fcbdad816abfa721196bde1884ea01c281efb0d85b57c88974038

SHA512
7cf90ecbf05b2f8756a4f0a6e87df202169d96ed70f49ea3e3adabd5a58e877869c7c0f023b213221dbd037a01186dc09407764e3b6f9b26cc023f58b7a3cf57

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
bb8f7142789b08892f759bb5de158e78

SHA1
58d882ec67997083f3b7d6a3567a0dc188e9ccc8

SHA256
f126e48e719b25f59e14550b0e369cd726ea1f306f415d9e0a8afeffaffcd203

SHA512
d6ca2b87bac81a21fd52820907ed4bc1fcbde2875cfe106d2f8df7dda041c8cf532a0fa9308d8ec3c460080fcd633cda50fb61dcdcf77528556e774890de64f5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
c5b6e1f8d6891d9bb433328081d3d18f

SHA1
9e7956dbf74265322bb8938cda0d6701a8699495

SHA256
3059ea9f327882d3806b91947f5764ac5944e02f7626dbaf67b6767399da4fc9

SHA512
c81089da9aaddd8808de3b58ef3b1e51cb8ba897bece9c0ba3201eb950f7542c134b8cb0c0abef59eac94178332b9300a35bf8901d9a6da82f434ccf372cccec

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
342f81aa0311e20997abeb2425bcb3af

SHA1
f556d5d8704f4e83d1514521d850a6c208e6a30e

SHA256
ea5469dcb74ed1343534b629073495f97508d3050665398cf121b6e104a0c29a

SHA512
d7c3010670ab51a9ef358e134139f694a48f19431070eaa3ae9fc557d72ed188a3341eb26be0ca3bf7aaff905207238ea666b19ea0de90dfd459bb447f37bc38

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
9d053aeb9bb1de87c41896398a7ba5aa

SHA1
a69788ef560a8ae8de395beaf2ad75d631b3f93f

SHA256
c2e97a78df593273caa4cdcba4e669b04e2a2f15dd2b2fb1a186686aace67dba

SHA512
73025cfb85f5f8b07bf0cb9aff6bdace18e0c453fe9e8b8334ecb162ea7e4e63003176084d25542e6655dd761ed180d32652a1605814d572cc6163723791c683

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
3c070191c4c5e959bef5acd62afd5b0e

SHA1
c31a2a7ba8f35d2c7005f066f7fea1c5324ecd8d

SHA256
f933ed03014b81d63c875355dfff2f1fbe80b706fe4a455b1c5cfee35e148aff

SHA512
c376450f62b8c6494ad79c76cb1b8fa59f5db0d2b05a8ff93b282c4cc21c314db3f57f1ed72664cc6fe26bf7d17273c5d6b91397ea732587a4641fa38a1cdd14

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
623fe793e6d76cd3a2986b2d461068a6

SHA1
b414d3819a3355566154cf24dc43701f5ba46756

SHA256
0c5ce42db8072cfb9df8b8ce247c9fb6d3ddf94473f8b01b383956fbd8c1cbcf

SHA512
26dbb2194fc8f0794f18dd7978c367f74b93183e809b5757264477ed2e8da1fc2969f6dcbcff828bd66dbccd9ecdaf0daca654cb35fe5f5c9915c83721b1d812

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
83bc2696acd24f6343ee5895793ff19c

SHA1
4275bccc4cc43788ec3f0bd6c0f3f32dae59654f

SHA256
87648add7756f888c39cfddabfaaa11122cb1e41bd13aea2f0769e78a4d62c48

SHA512
119c64869c8f62195a88223cd205e300bee20b2e562f8d49486d962e3588b15b49d5d7c93d2b8e3ff46e34266aa037979df28f65758fa2d60a22c2b0ea3be62e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
7c1e1e7922f8629c6fbe33c382eb1f8a

SHA1
dbad857e59cae38b1dceb5f9de3a130831ebf632

SHA256
54ab6c69ada7383ed2a426b7aa1978703124ff7edb66a8f57b6e2bc0acf36644

SHA512
1f41bcf82bed1e9499a3dd7ede3af5d729220fd81aa748db7565b13b2072f2eb14b38be74e48194dffed574bd74989996c994c9435cc9a1d9d0b0c09bea7c5f4

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
4217ef21c54513efaf030607f757c0f9

SHA1
30a0571716d5ddbb1f6bea2c6092fd3b0f908c5a

SHA256
95b8b849e5eeb1f1a672f6bcdad8720baccaafa9486f644dbb73612153c45b10

SHA512
dd70aae2bd20e73be8fe99aff9d0adefda9150c6b702da0d589ed363e3362fd5660b2828158a2565685c460eaa41d04e50955d1cbcff8e80eccdaf85c2133e38

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
7ecbb558bb9d8c76f5f118874c52e073

SHA1
23cee4b818d513c92283a4ccdbb74f08b854e409

SHA256
43f3fceeed9314c7e66f2f51637edd258dbd850234fb7a30d2c4115e181535ef

SHA512
13d3cabdd4126763737b5f73e61152e77938faee4380d3abc3dfa1e97236202db24a92a686cc28b93e2b3599a952a8a0b92de95fc5fbff7a0f5f90f490ea13b5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
d33a3360ce32d4e60f65d06629a1f5c1

SHA1
1d4560be4ccd9c2ea2997d2f64f0577bab0c2ae9

SHA256
94426197cb80ef559b8e41192c4708dcbb143f63400d72df329f5b9db74fc48d

SHA512
32fbc83f9ec56292f776b37338a7bda35e6fcacd46ea6215c5368e86fc99a40d8abeeb9a90255eede596f22951c6db209460121ec68a8350960be64a2924f20b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
e16e984d7d427278741880ad7112a0d4

SHA1
3349654926b57f2687f75f30f59d01052415adee

SHA256
250a9aed4ffa0e07ee89a5a4fbfd95af3e933af2eee0039e021379f0ed56a735

SHA512
e9266a627452c2a6ac27695cb8e5088929f118b04b0c69486522baa68b0cf94bfd5a67965e379e7a29713c4788a7e7b1b6d8a4b051ca627ee7577dc62093fd1d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c9bd0ee7a9b3dfe76b64159e97093d0f

SHA1
63b06007ab20cf4d6eda5a1d429f2845a9998dc8

SHA256
f8543d48c7875a7e3f5a3d386036e631c29aa20afcb8e7f83219f143b92a6a1d

SHA512
fe0bdb523dee8863fc72c54b0066e2f39aa5ce5735b3443c029418c856a2fe73bb9801df1a698b4b9840eaaa3cbd7ef021832b02450727e036ca2a4ab5208bec

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
b33c50b0f835c8e6d56c66cdd1ed70c2

SHA1
94133c9712e90f3595775afde5b87c9b07fed8e5

SHA256
7e29f767ce9b0ed3f5e513192d92f1265236557242ef233695557a106fdcd615

SHA512
7cd2d16b28da216a9ce639f6141c80e16bd01682f8ab63167ad1326217ea46aeb650d15fc9ffa5d1cf337f68b4e8167d713eaaee2cca6697552a8a07126ae61a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
163b6d60983628de8eb7e68dc980ce13

SHA1
c0033d85f0038ec8da54fffd7c0ef15fc901aae0

SHA256
d633cd0d9dfc3c34293c11489dd118763b08174510b886e983f85e5d11375ee8

SHA512
61f8517c85dbd6c7a6ab3a1b8cd5ad927ceec38d32b0f6e38582671a4ca871fe82ca2bc42eb8e8246cdc85ad5dda5af03a975c3f893d6befd11c53c6c0c73f05

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
007535a75629c9c4238efb2bd3fd8575

SHA1
f8b13c3ee60392f47de13dec4eaf0c08926095e0

SHA256
f57ceff3bfb4930d73edf78580785991a0a4008d2cac91ee5b8a37428becc320

SHA512
1db442ba4320752c0f995a867bfd2689aacd218c29d6b08e2becb4405918327d6445a6290f2bd7ba9d1918d1872939a07bde570c3db45065b2d37e8b91edb6a6

Download Submit
memory/232-536-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/232-334-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/388-266-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/388-325-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/388-260-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/388-259-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/428-33-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/428-245-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/428-41-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/428-39-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1436-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1436-242-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1528-16-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1528-25-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1528-24-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1600-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1600-81-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/1600-75-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/1600-247-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1808-291-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1808-527-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2764-321-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2764-253-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3092-535-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3092-330-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3152-317-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3152-319-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3220-464-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3220-288-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3384-303-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3384-528-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3468-322-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3468-533-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3544-534-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3544-326-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3924-314-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3924-530-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4324-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4324-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4388-281-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4468-70-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4468-72-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4468-60-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4468-66-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4468-68-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4516-346-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4516-285-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4516-529-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4712-347-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4712-538-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4748-272-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/4748-271-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4748-329-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4820-0-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/4820-1-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/4820-46-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/4820-7-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/5008-246-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5008-55-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5008-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5008-57-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download