0c6f5b08fcf83218b8daf0f51ad4631b1472d38f9c2b8252daf013ef3d03b41a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-21_b60e76928f7c510e0709678815055e94_ryuk.exe
Size

1.7MB
MD5

b60e76928f7c510e0709678815055e94
SHA1

2c8cb32f00a5db8470d84b13c27bf9b4e950d680
SHA256

0c6f5b08fcf83218b8daf0f51ad4631b1472d38f9c2b8252daf013ef3d03b41a
SHA512

e12d790f496061d6864f36fe214f09cce158629147b29232a788ce587002bde862c0d9beedad9eb52f3880b25f14244d53c1d7643108687fc19927e025cf21e9
SSDEEP

49152:jgtHUujpj7AewZdZhRdhEE330REwkTAII:IFh4ZhHnKkT

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4836	alg.exe
4712	elevation_service.exe
2616	elevation_service.exe
5008	maintenanceservice.exe
2212	OSE.EXE
5076	DiagnosticsHub.StandardCollector.Service.exe
4608	fxssvc.exe
1984	msdtc.exe
2156	PerceptionSimulationService.exe
3056	perfhost.exe
4448	locator.exe
3424	SensorDataService.exe
3296	snmptrap.exe
4380	spectrum.exe
2148	ssh-agent.exe
2432	TieringEngineService.exe
3228	AgentService.exe
2936	vds.exe
2904	vssvc.exe
1544	wbengine.exe
3324	WmiApSrv.exe
5028	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-21_b60e76928f7c510e0709678815055e94_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9ccf843bc43e60d1.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000737c09ace293da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a07928ace293da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d0f3aabe293da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab5a67abe293da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b5cf7cabe293da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000003fb26abe293da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c14d7eace293da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4ccd9abe293da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bbbb88abe293da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000866d7aabe293da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4712	elevation_service.exe
4712	elevation_service.exe
4712	elevation_service.exe
4712	elevation_service.exe
4712	elevation_service.exe
4712	elevation_service.exe
4712	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2520	2024-04-21_b60e76928f7c510e0709678815055e94_ryuk.exe
Token: SeDebugPrivilege	4836	alg.exe
Token: SeDebugPrivilege	4836	alg.exe
Token: SeDebugPrivilege	4836	alg.exe
Token: SeTakeOwnershipPrivilege	4712	elevation_service.exe
Token: SeAuditPrivilege	4608	fxssvc.exe
Token: SeRestorePrivilege	2432	TieringEngineService.exe
Token: SeManageVolumePrivilege	2432	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3228	AgentService.exe
Token: SeBackupPrivilege	2904	vssvc.exe
Token: SeRestorePrivilege	2904	vssvc.exe
Token: SeAuditPrivilege	2904	vssvc.exe
Token: SeBackupPrivilege	1544	wbengine.exe
Token: SeRestorePrivilege	1544	wbengine.exe
Token: SeSecurityPrivilege	1544	wbengine.exe
Token: 33	5028	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5028	SearchIndexer.exe
Token: SeDebugPrivilege	4712	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 5460	5028	SearchIndexer.exe	129
PID 5028 wrote to memory of 5460	5028	SearchIndexer.exe	129
PID 5028 wrote to memory of 5488	5028	SearchIndexer.exe	130
PID 5028 wrote to memory of 5488	5028	SearchIndexer.exe	130

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-21_b60e76928f7c510e0709678815055e94_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-21_b60e76928f7c510e0709678815055e94_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4712

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2616

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5008

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2212

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2004

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1984

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2156

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3056

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4448

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3424

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3296

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4380

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4916

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3228

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2936

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3324

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5460
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
dc3dcddc5e8151530aa23aed6c8ae36f

SHA1
b0fe8d07ab0971e84084061800965099e9f4abad

SHA256
f59bf133b2ce25c0bea79d8d486906e51cea672ed5e2ce435107182e20a3bdb1

SHA512
abfc47b5276c7b0b4dffa3e9ee3bbb8a40c533eb851948d2d27c3a5c7c8ec34fa3d3d2ce0f17ca2f6625a67ed778b2e4419d998c33548b0e6953a6425fbbe04f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
6e628ea5f0adcae99e4f272056f8eacd

SHA1
458406e66cc6efcb42be952c1975768d929149bc

SHA256
6e39cb2656ec137cae41ddbd4d45d2b9b0425bd32515be5a3c468eea5d8fb6cd

SHA512
a93f8d4757477979c58e7f0343c0f4a98be6baef291dfbf8bafa6340534acf14ecb11c9d4c5e9c68253f5906ad9c844466f10e7e6e14894bbb893c60edcca160

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
743823b1f86e3299e976457b9e1a98b5

SHA1
594f958a20c8d51bbd90d75fd5e0ddb047fad331

SHA256
ba2ac6ebe6d4e8d899c46e2cbc157c08b25ca1f686006b48c27717288a3f7ccb

SHA512
51f017a2971ae54f73b5b360691f4c9f26566b2b8f172c9e667f173ab945e69a4545b3616b32e382e081838a9254f27a5954b01189ae7ede5f309dddd777eeee

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
408945c0c0b099abd0cbea66024d8712

SHA1
bc3c67c66f8e5ecfb27eec94f3247a488c8ed23c

SHA256
f8d824be1bd16e3ba6a504ae049c7252392520ba7b459f4ed656e46e3e05f31a

SHA512
1393dda806c5ee36db2052dbb278d0d81400b3052b2cc6ee50d0202108bd4427e3cc014d7d3d10d40126918bd6d14f49d556eb32f63820cb8bfefd43e9ec3230

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
49f52dec9beccbcd93e678c478abb3db

SHA1
505e3dcd20a7baffbb8131a130be4c596265d489

SHA256
34d664e04b471a88e270d8a36bf7447d15514aa87d80e8578b30f65808cb6327

SHA512
82de514c5e2ee51102bae8d28b9d816c1bee9905d8a5d3988a9f707cca7bcd4af20084c99ac2e11844a40435ed6c79ff0daee8ec6b9194525b145af0ed442c55

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
50c180db025e4749364102c191367476

SHA1
eea231e7251de13064382a78ce30bddb80225242

SHA256
e4db7469f1a21adc0bb611babd680a611de9629e94124a56213a2a644fd9dd3a

SHA512
1083a99ef29c5b8c3f93bed569563321d7ab0f05fa5edc1be94d86a557c257884681f24fc83a97a8e06fdbd6550597ec7650312e1b2e2bd0deeacf9e38f5c265

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
15ee195c692458942634ae58afa2c673

SHA1
f6cf78ba2a1b42e6041086f8580f2ab69999d388

SHA256
1c17b63c8902490c53f9c9173e01cde6160831bd7f499ad1dd7a5255fe622766

SHA512
2b80c41da468dc87bb55dbb1e377ecd64b500d9884acca3ec659b49bc6927beaf095429be712948f93bf351359b94b80a41697f55baa65a934972cfec3281d1a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2c635f25693111e78dd5e279bbaa1a3d

SHA1
55c6fb890ff3957873d2cfdcb901703748e5ae51

SHA256
da27051e5d3a94e2f2aa8f2759cb5d5906b064690f7d82831feab65959f2cef3

SHA512
3e1e1cd47f5c84f9a5c02ceb409de43c9444e81cb54569596d36a3614e8352e51481c9da829d8409b00e8c9327833a61b97848180deeb9651514a1cb59abdc99

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
ab3f0870700a6fbcc63ebe9049a1f82e

SHA1
042fa39dfb9029e248c1d8143dd08e546d1e9e80

SHA256
50eda2233eb0743f4f75235506674c4a5f5599aa0d0208701c7d68285f005dfe

SHA512
4866cfbc361cb39d0e40d21dbae9583f1e5ee37f00b4c83360c58c76bfff6c8f8617ee2a9a71821b14463e3007d9eae03c0347907743a8311053e50b1f660cd8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
284e8f8daa732bfdf81240f42fbe4597

SHA1
985c4ddfc82ac6de39c9a9fef59f71b6bfa80490

SHA256
dc12496ab3d5a9b8a90b0e8943ec5384b103079ed93fd5e4270152cfcc10c94e

SHA512
02db1dce9bf4a6569892560de17c7b7e7850daa453be01f9c8d514cae5fc8902e98254829240cf3e049b5e80a840c728a1b5b0892636e48d4302a95037e29eef

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f08c2f16c0b710bb5c75966d9facd2e9

SHA1
4ca6fba82b9472e129f8a76435e3d8ae1f361dce

SHA256
31d3ebef401b7fc4301bf8c77684f419fe66f705d496e105a757679bf08ab84f

SHA512
ff1eddc246a5cac32f2790e170977b4c76766a4615f4e76785dfb75ab4a9263f9b26f6b4565910803c0c515c7d6b9471f4fab1175945cfe705ac6093bbe76a64

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c2f3a0b2bac4c9990292f0b78df44320

SHA1
2cf6748df74c711b7d361aa3b8384f5bffa5099d

SHA256
07766ee37ed12cf79004a62a4d5f8e35a16d421f3ce8c21e7aa6c61a0315de84

SHA512
522d53df604fa3f96c1892088abb4d0db0f9e2febb44efa8ee57e119799fbeb8bea3de5cdaaf78b69a7140053feaa7555d545d2890e06eb93965e43198124054

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
7bb9e3afc2b3069462415e13153776bd

SHA1
2c5de02bfca32f738f8816be29d6be26fab9bfac

SHA256
e30041725d88cc919303e792f8256709e2fc4f33f2e804bd3691794e07d13497

SHA512
7002cf13579992effb916b6a9abbe26cce2e5e5c1556fa9fcf65b4e52fb664172404ed34167a8b8a7629fb9eda1a0a267e34e840c1ea0bc81236427ff7d4c0cc

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
ec4c0525232e5228232b1e0c12068540

SHA1
e7741dfed895a69562c473039a71163c73d5e70f

SHA256
bcb1c26ba631f65f0964bbe390e795e41530382280a70df701a7ba7a3882720f

SHA512
0ab604d7a829615a803a97ada1becea809ef1ca69fc589b9c59b5eb7a537b11655b351263ec3db5d5c0960a64ef1eb4ce87dec9f0f65550ba6acfbc3366cebd3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
c95f71579aedc4d1430f3fa033288891

SHA1
03ac7742f0b7ecd1b93715d8071a63b0677f9c92

SHA256
d2f4906f408c84a8f5d071bf9181777518ddc41b160f3f311dd93a589cbf2fd1

SHA512
fdd7a49c774a2a25e7638918258b4d1ace71f1a7b0e69fa38b5ef855e76eec9bf06b39d91584e24dd86913d33b3dbdb5312591a5afb8257be4991a729d091fc5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
a20ad619831fd24c75173f7b205a0b82

SHA1
68b1ee8b0d3d3e8893bede6f0a972e0f9e0a715a

SHA256
188b30c69e2864bb156381dc524789b4b0b4835bbf74fccd17f5b15b28a81432

SHA512
dde77b5eb7fe356f58ccb9df847840227866c6f0d990b7c03ac7e61c7a4017d7217de187f4bf3f088a91a5faf1f856948621b290d26bb1d921b5330d0ab10cd8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
dc22f3db43d0e5c7e0bfac522aa33ecd

SHA1
a57f1a9e8eecc2c115e50c786a9088aad75fad73

SHA256
176c7952cb94efec3b2a87d49b62a28644cef04d891cbc56662b84e7bdf46d1c

SHA512
e27a225ef377f1fe6eac4aaf83c9ac1cbbba3642b4f0c8b3c7854428abbd65691f01730fe7031eae970a363bf508c1e6c9c84dbc817e74d13f176430037dab2c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
775922dbad329a0d66dc7cacc22b585e

SHA1
9314362ea0b07d327f707c248179df3c4a8e82a5

SHA256
291a160dc53b34a50f6094802a7ac47c3ce816330abf9961674a5a83ebf1e09e

SHA512
02db8edb294c128c7ea35e3e892898d2bb11a6335cfc5d6e1824b5e8394038b2c0cfa0709f005fe42bef4a991f5f162cacbf06bee9d85034c2de0bb83f85ee9f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
b7abdbc13f1096f444a81b66bb43d1a9

SHA1
b63af15e3191e8374f68b276f7dc01485e71b147

SHA256
a238d4b1a45424e6c50bcc0f9cf837d508d57a825e8669d5014121ce45ea04a4

SHA512
7f65a2eb4b6f2fd7aa871fb24ca26a08400e0c57036cd0d59bbc041fbdf04e709b330ab6574ba2a38a39f86ff33a68580a2b608d096123134cc5deee9629adcd

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
daed519707237272486c013888e8dca7

SHA1
1609a859a891bf7a387b7d340d9ce17d1315e2db

SHA256
61efae6323b55d8722c6ed0969950bca3ce03957fe021b0f78cb15c04f2932d6

SHA512
1d1e52efe8c3184689a60472c81f1bb2d36df54706222f30c81d3537fed31ca9bdab0c0433b3ce9bddb8639d591c2d62c4f8f32bcce9413b7459ac5aac7a42c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
bc141564ffd24056efe4d82c07c80793

SHA1
41617fb35cfb71c5d15e01f1bdd9d91428e82e4e

SHA256
53175bf89c5831ffcfa939a6cf9bb4cc8a10614d345706088d1aef1ea16d6d0e

SHA512
165a61ccb6f855e77c3a729f301a0b7bbb79506224ca03f3166aa1d3869399528919aad91bfb39a4977355a7254e7c6c92b86a058f3a1545ce1cb55e7d51ef63

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
ba134a5e98693086a71df63bb3220b48

SHA1
99116ecd44eb47946bc25cb998aeaac9004751c0

SHA256
9f50b6f8f097316e5ff054cd4ac427108cc62980845cccdcd0a7067d76bd8dd9

SHA512
22108f75e261129dc193f3ed8228bdb2457fa1b4ac3dd91bc9ab8c998a0d5e18670bf01625c4a50f9aa3dfc32f68fbf52ed5d5124dcb843cb92da084ff315c15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
5b0cc8bf611907c5dcaed16a64786586

SHA1
ed2add606c200d3236a4c23921ea2f1aa6f562be

SHA256
e4bbd28308fca472f928e4d70642c34b7e8fe0030a4ce30a5f8966ae7e5e6c26

SHA512
9b86819f5a2b9883b0a5d422f93d59e003b25109d3cf096e860d2ca26f4effc50f44208eb8f7e28c45eae6e49c79aefe6afdc3f066cdf9be7f476dddb7e2cf9d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
2d4cdd39352792bfcb249d8e287458ed

SHA1
3ce769be63cf6fd828ad7e0572631cd5b386a628

SHA256
d03dfd76f314748637e37f828fc6dd322baa37c14e94fce1f66b54e25d2fcb3c

SHA512
307d78768a589ec0bde63538c4dfe099897dcf00a6886a0399a972944aaca7191dcf790d56342160e0f7957bdf18c8921f0be1d5a27333642c00a3efc87eca50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
311e65ff36462e5515c3d4d39c9da449

SHA1
8577d1514e70c9a49108cad3eab03683c5e9ade3

SHA256
248018289e14c22c7a9df3c94f54c63e540d0f393c46e0cb7cebbff572c24c56

SHA512
3df98007089cd5fdf4f4b5b6846fbc9609ec4b351ed80a98d186936b11d7f5cdfb85ced3d403442f5e720275dd18bae0a2af80449d3ca1cf28700fcc6348cad9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
fb4489782d94f79cf1e7a0a5c82aeaa1

SHA1
bfb93583c44fb0ec1d4c003292fc0c47440b952f

SHA256
7da455675a160c544aebb53c3ab378b5d9d966c453bda2d8e2399bba3d26ca4a

SHA512
778f3d4309a17891e018d4d69955b4afeb061a634f3799f5bc6853e96773c01bf4e9f7f587d5658657001b9720480ffdcd27dc3dd9621b50a50798b8c0e3400b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
e3b5b058f9b92d51c03c02fdb51a7064

SHA1
90fc7edf4966da3619e4e79ede0b3dde24f5c855

SHA256
fb02caf2dc5db558e25f46aa1d32bec1a0f380274a6f9f28ddafca5b0599b355

SHA512
3644a0dfbc2713c21b3d93a9de47ff07767696ef6c18dc2b0fc06ce9c96d7b773fbbca8f8f817df6ce5251b57f0f8d6ee89f50c6ca0e9c8dd22924d157c9be93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
bf87d91f403a049a709a63060f4f4dc6

SHA1
341d82f375379219f66c9adb2af38ac83f7b3094

SHA256
d8c0106503e9ed1bf4f4ddf7555b628181b97583343609b427d2d3df5bc4a522

SHA512
3cb8caf13757db9d30a7d8cfe7969ef7ce3497906533fc9fcc508ecec1acea8d2c361f2de6682a9216f78d2a1423f2ce87468cce2c095fa3be313a3de97bb003

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
3bc050a49991cae6d1c98b304c6ab7d6

SHA1
c19384791331f4797f74019b59c99c6c4ddf4f0f

SHA256
177db6a1d467e3f76cc7bf6e22ac46679fac03255c9d0cf370925fbeb78e4afc

SHA512
fe441353b82535cca961666640ad41415e13f99eebee56f9d12f1781e6a3ebc48f4785b89b702f2be1c2ae2e40df990c591ea434142489e1a78c77d2299d6a14

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
660435dceb75777016470bb2757064e2

SHA1
07b09ce90cfdbcea4c719b28504c5dd191c9f1c1

SHA256
889b40eb55b2a08d55ba0218b947eeb2d003c2a9266519d0fec5be61e6ba380b

SHA512
9d61548ca454fc5984857e18eb24171c003129b0f94fff1c9275cbdaaaca3664b973acf068381509af06f3866a0d96acb5879e39e77b2265e9012ee71c7b579e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
7f7507e4eb113c5b015d74b2a11f74bb

SHA1
245c7edac471f906ef7f568731d16bf47f7545e2

SHA256
cd374a158fea1facde7a5ae8d1cfb4542e2dd431b20a3bf39a6a7008b859ac75

SHA512
d922e6fc7adda69bff120785049df25655ebf0916d109cfd12d076f65b4aae2d53fdc6be6dcf4b05cd08aaf82fd0186859dc3f6b132244d15d0343ee2015dd2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
b7c2fda99d3c75b4501bdcee057e3dd0

SHA1
6d2fab471122ea23abfcfadf3fcd8a81befdb5c5

SHA256
66d3876ee9af3d66c0ec9cefe28087f7ce42eb203ad2a2269120ad55379b99cd

SHA512
45dcc65ef19b07bf07d9c5d712cfb5d8ec469eb58a62248d947c731b0b6a5a59951d6fbc40e17ce2dc5d26644d188537f41399dbfa25cb5a418a2a2167eca2ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
dd6f4b141275acdcc454ee8025dfc67c

SHA1
00a82ba09c4205ef1ecb412649d9d90b2bde0baf

SHA256
e96beca2b8ba4b99b0c0c35492b29ad03e97c571d5d25d7b92a3e62b1e86d0a7

SHA512
b610b4decdbe72626a993ea12f1487b6eaa85bab250ca3b50c70ae8b8366df0bef6dbe2d909c611eadf3017e50faf2addd1bd717efe62e0185061c374f5bb063

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
5e78848cb20b19c2dcfc501e26183307

SHA1
4ed7d144b14ec245a6abef499e17b78c9ea6fa8a

SHA256
b36c75130e2ecec66e28a1098dafbbf07dafe66ac00fc4ab26ae56dd42a28178

SHA512
31ba85066fabbdf17c692b22b93c1d8c05b8ad7e8d491e27aa94555a4aff12001d7bf74201d181de845d8f59fbf69efd07b6b5cd936f9ca0d7c3b555842b19e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
b9cd8e45ac64e4484eef0e4728590713

SHA1
efcd68f8cf08b63cc8a5fb24770359cba193d179

SHA256
6187b54975cecef348de09e04f0a6ef09b1351b2f7dd46ba67e0917aefbfcb5a

SHA512
6c26e27ae428fdd45a8caa91f195a3fb0dc6e6e9166eb694099762be0df9de797cc5bb01ed8c5329bb657f0b47a3cc78ec883a36ca092f81190fe92fa6ac4fcb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
fef90d7c6b7e79ea2acb561463cd5b4f

SHA1
a51195c5088d5878e6d80130e577189998a6e958

SHA256
2e0ceb5442cabf14d6a42fcabf414bab89ba8f0f38f0d7c2ebd08529d7e86cc5

SHA512
6236c6d5f49258ad79d44065e6cc8c97083108795c4809d258890e50cf74cd6a9d4f8e6480aa74f7eef656c785d9a6585cb1d745c9ff0edf7339b22650f447bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
45cdffb2229a2b707fef024cfcd28aed

SHA1
07f23f120633dcd883797ac9003458af628f24ca

SHA256
c9ce4cbb5e3c14f508095a15675aa4d5daeb2f5b95808b19d66d525551019fc2

SHA512
d39438974d826574d4a4a7fa25f12b972d3e9b94bc40ee433081de7d47e914f230b60c554703c74970145ba3d0c983a8eea755c92e23fdb0391ed43ba1042e20

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
f8e3dfb2848429efc75e213f2590388f

SHA1
115c90b6dd6e4ce506972f14c5a2e8e47c9d76ee

SHA256
d76e6694d47662e873a1fa158d36511ac6b469a3f03c24e98c6c491c56dd473a

SHA512
f3d8ad50130e2f8a6560fa8a60942f3388179342483ab11944c4eaa47ce1f938aa8bd60849a21f4ff86e43c2af8d2b1fc85ff34d55682720a1c951c34f5b049d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
534d558dc05e1c1609c74d75c8de3f2c

SHA1
55afe61961bafb49d5eda760010f44c74cdeeb5b

SHA256
19e0c07eea521c7955a69e481370e472d24ea0cbd19b16f7e83b16c9af6a3db5

SHA512
58a06a9d6da8439e40f69d64011835abd588e110b2b4668e655ffdcdb3f9dc5f6d7b67bcff53e538633c50e3dd64994fd26db242354489d7837c10e81e1836eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
6a6a1f2bd9c603de38c043ccae67a5c5

SHA1
3a16597148f1f9d8a26564ccf46612c498a88ecf

SHA256
6720bfcd47e11522fa3de7fe4954cc086dc74d1497e59a0fdd22a5a9450684a7

SHA512
a0cc7ba577f4ae8e30c46b14350cf3b2f7e2f0cca3528a50ea1905f49b2c8bafe98417b55fa7ffb6f06992a31340f0773b5ccac0514400f0a28808b59c4b93bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
7f280fe9c3e5fddacd9e5f6665e8caab

SHA1
09134f48e44374e7de312c0e36f95d4a437f1495

SHA256
aa50de73b29469b1ab08ade3174304f61c178663fab5b4b6cb152278ee5316f6

SHA512
28a0a5177c4def1f6aef44e3171e074c5730ef87b3d0c7724084bb492e4c2769cf9ced86a719b1a2c19d901187fa273a74aeb213057d1ee1169abbedc324d267

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
0e64ecce54078a4f3537ca8505b23d65

SHA1
e13416e039109dd9d54ad7a88534f5c350d50c07

SHA256
f8ab7399b5ad830132e6d2bfbfc7b4c6a1f0d4c3dfc497dc257ad98634dd81d5

SHA512
d836ff034f0e747557e486a6527201a00742f6e47a7a7a17034adba96aca2bf9a3898c8f77016e0c17e164552ff04b6b60e2789363942f896a82dc92765159c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
95b97400df149903e276db3989b2322d

SHA1
0c0a19128694612efb31faee6e319c66046e87b9

SHA256
b03b94597be09556daace4aacb7c24e92fad18be80688b797a2b571f0a4ba7ae

SHA512
949b7e3178b0ff161504a93d7ad834e2cac0fdcb4b387ef5f4a2c01c43839faa5c8fbe7b42ddf3a633be823f2c58b55c0223bf69425aab0ecaa9fd190c43524d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
9a8ed3e086e91fad18d7e2d6cc14db81

SHA1
04b739d16bc3513308cf8d026fd12371d3391cb3

SHA256
52bdcae2e5685879b417815dde28e467fada301225c4e4ea058c561515a8825e

SHA512
a31a595fe3ff03c8bbde2e3348ad500194b2504f3f66e26f33cfee69c26711c36f74d1bbdee845fc3f60c625ac88624126c91b994296b0db300d76983e776932

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
30131e5483696298dda4b2d52b59b158

SHA1
ce283c2827cfa38afc7122261ae0ea645db9931e

SHA256
91411be1f9c3f53d67a5782d716e79d03f2f01a8e2d752f9d532b37f062857e5

SHA512
49e454cedfd3ed68da6caff4d3b3b5cee133968601faf0da31dccadd972bf1c277cad6c4a937e406fc01de9e01ea2747f5b33e368d1006f47f751c2f74971637

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
92a4d430aa0e603290da2b11227f4b81

SHA1
2c750de1e51cc77f4d8248cb4eb4ee9a843ac18e

SHA256
4a058a912a56a44287c75d99a01bbdc2f160680ce92887832705491eec55ea77

SHA512
268558ed6a5bd554be29fc8aea9fd2457b29ffe37dd3e1ca889af0ee46fa77087b1b7e84644c3784cbd0e8bb92877c88d33cf094ab7254d78dae0e14461111ca

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
890dc27c114766976bb9fd5ff942739d

SHA1
f4d54054dfad106a39e809d2f685349e76d1923c

SHA256
fb3df368e8615c49a65abb74a7f95a592b58ca8d48ce8ff2f09c4ba1fe5703e9

SHA512
7b3149ba54b4d6a682696dc18bb01f6c8f08668bbca43638521f36afe7c0d6068dee52b1713bd32fe906caf8013931919f356172f1db3e82c8c4f0cbb94aefef

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5257655041ab02ef10f5780b4d84988c

SHA1
5b6feaf5de03e0a21b344226a2684d6233419f5d

SHA256
4e89ea327004ed5cc455d310119b02a23c92c2aa2676005936237e66322f7372

SHA512
0c296ff2eca70aaac2a65ae9096d139442de12880f368bd415db906024d7b423c36e839d663af41d10f4d0fbfaa4219ef26aa90b941303819f8a90abbb48bd0c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
5d098e4bfa9bbc4a3d20a6520bf87d7e

SHA1
07ff7000e15d5143b44d6c91bb92ed36d12a16fa

SHA256
0ef037b344963debc5b2f6774c31d1245dc446a265f72183298634feb0a9a654

SHA512
53be5c378102ae083c711f303b2dfd27b54dcd04cea58371ac60a5e9e7ef885dbe114b07c21689e918ee063d1f06f5a78d55e2a98f856940482e7b862e0825ca

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
00b4ed325d474a591a0886a2a2e61c46

SHA1
85fce44727f6dee401b386c47d97102d0488c1a6

SHA256
41ae3bccf85b30b240848ff849bff26283144b4bc97cecbcf0968b0d6f8750dc

SHA512
0898ece23b2484f44f28df8ff849b1f877a551ccbddbd0da83ac648c4affb5212a32b5ce6de612cf201b543929525d5b8c2ad5d21f8dbc8caf5754049fe097f6

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
2c88c8cc2410ed8127133aae2b525766

SHA1
ed51cb7880d2c673f2bf5a9437ffb74ddaf48759

SHA256
6d5fb5906e62b73f339afb7817ead09654cdef8ea6e6a864d661abbf9a6e855d

SHA512
2d41973616b6e05a86933a48d881f291f340f92eadb1cdd302179f845151516cd9628baa0847801e017bff489880af6a8344a56d274c252d795e830354ef9dd5

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
51e0b9ecb6c4d9b6f48a51c064993911

SHA1
81c64ee02b79cc25c4c951140096a57d1b42a8fb

SHA256
a699d7780a3d486b0b30eb2194daa1429b3986c6d30cfd21677bf63a82a79e74

SHA512
55a4df8b07576de62501e42aa9216f477ba9c5c35393bbe9135f23ecf78cb29b4fbcad1333b7487afbf5565b20311bf8b73df8b4e971e1fe02fb8941d746508e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
6444da5bce47ba82d0a0071b915f3cd5

SHA1
9fd0b560e9de8fa68afcde65713b3234eef0bb31

SHA256
3d44f3547535214e61a9707b43b626148b145cdf21a551e40cf566709d83efdb

SHA512
32f9470462db5fc0e9af3ff328407fa5ee52f66befaf1f5910fd04008cee5e6b8332ad7d18ec7440426138dd435895724d58505c3c041d40aacd6d98fada2967

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d16efef8808d9c1921f311dd51e71002

SHA1
aea52b13f074c3decaff2ef60d1c76929acb8e12

SHA256
446725c4227f0ef976cd434dc16e58dfa06779b63ba31a2ee8614de8ecf9eefe

SHA512
fc384140a0ea32789d387aa333db8a60826a1bd9ae8b489841f36a0edfecdb1e5ed05f69c6462faba2111685d2922d3890f5ee5f1a16a21a3dc0e9f584c36b19

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
2e4289dac51d2a07109dbcd188bab75f

SHA1
80e4bad001ed09d56d4cc91c85b8f3c34780375b

SHA256
5bd3173c25d8d9eee971cfc918fbb9e4ae4de019d9b2d6a4453b989744c76d08

SHA512
4073cd2fbb52921854b2199b57df154cbcd144d9d7c3208634856948e0fcae952680b27b9b2d1091bdcf0042a45af62dce09f078121b9bcf2fa214374da4fa72

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
582886478faaa095ce54bd8ad1d29768

SHA1
da01af1f01ca2434a54e07a05878c50aec1669b1

SHA256
e6502b6aa8570217343d48b3b233377afe9852832077b541bd14aeedc733c1c0

SHA512
4842c6ff2359cef3c7783b072f7abcd11fc89ada41bc7280c93ed541f25539bb120b0125694999ec8a8b86e63268a9638740e2a97fdd2e690c6b3f6af6f8c1b9

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
73c1fd5f5be37f36ec466c74f7089943

SHA1
a75b78014dc4f249e87b7b72ed0a20528a115146

SHA256
6e499eeaadff3cac446c51d34e26804b754c55f303f4475d59c60df33cfeb513

SHA512
78feb8e58323002070e35a9b76ba18665237685a5262c5709e2ad8dbdbaed9fdb2439919be85cb2c5b7896cd2df4ac17cf1b792463645eacb36538a88d13444b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
997bf439557ba417e63f963a14a7b205

SHA1
2648a069f93ecc42239771c5356fb923199f3670

SHA256
227edf31d7761ac9784fe94420eb1683e6f02cf81d07af83decf6a03e8865e2e

SHA512
838e417d398d6cd2bf978d42858310a331e02a2d375c71a2d41aab2782dfafe22d312000076299eba6a2e3b2155ef277cb8fcab39742f711e843c8a7e155dea5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
41633ecf9aafe9571339be32ce96bae7

SHA1
9def52132e9eb0b11f948949508f89dd0bf9600e

SHA256
49bf82a7cb9dfb725d5fbdb1c9d818295ce143dac0a3f33d6a2e01b12d92095f

SHA512
687c7a2d6ae7acfb05d87fe516cf9bf82861bbff4ee11d794af5ad2157c749ac5d50b745abc0a74b9f4bce34c01462849a6075047631737a73dd584298128e48

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8903e173031bf99c390b02d758c088e6

SHA1
954f5de13178ee6a447abb338e34f1e6939d3e58

SHA256
7469c7de52b375ff9b8891940dc15348db24476e1b6acc5652fe8024662dcaa0

SHA512
81de99655956d3501bf2f3cb72e8ee96fd6ffa9746cc8b19d00f8492e927d179a6685bf153e0368add8a75c8d471346451bed35e4371119388ee2e04f40983fa

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
41107a8ccfd8be29e596f25497103d11

SHA1
111f41f915a119b3c53ddde1cc9149533a5b8b99

SHA256
85149b116b934050158d8d74fbff52038021399b333dbeda20f62a535685b74c

SHA512
43def3a3a1eabcefcdb0bea7fd3d274e2b3961f8f66870021d40077143a6d1386e03ccb24897bd1abf9d6bf233cf718ed660d8ea208256f1bbbd5ab2a8f38d35

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4ea9abbc2d8d69901a22a22b5f811285

SHA1
1d3d712dbdbb4855390ae7a1f9ce499e03e34516

SHA256
1b8773266cef89d3f65f85e8cbb912b6438d771ab16b4884d7affbfa87d4041f

SHA512
96d768cde10bef87f63016ce970e14acd55d205703328e19885fa5dc3cb552edaef06180c94bb85037f7b1362236abd4ed3559bfb20d71ff0e1ecdee8e9771fb

Download Submit
memory/1544-441-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/1544-433-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1984-335-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1984-279-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/1984-269-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2148-374-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2148-365-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2148-432-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2156-291-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/2156-348-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2156-284-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2212-65-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2212-237-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2212-72-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2212-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2432-379-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2432-386-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2432-445-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2520-12-0x0000000140000000-0x00000001401B9000-memory.dmp

Filesize
1.7MB

Download
memory/2520-10-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2520-7-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2520-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2520-2-0x0000000140000000-0x00000001401B9000-memory.dmp

Filesize
1.7MB

Download
memory/2616-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2616-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2616-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2616-234-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2904-420-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2904-428-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/2936-547-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2936-407-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2936-416-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/3056-298-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3056-304-0x0000000000520000-0x0000000000586000-memory.dmp

Filesize
408KB

Download
memory/3056-362-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3056-372-0x0000000000520000-0x0000000000586000-memory.dmp

Filesize
408KB

Download
memory/3228-403-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3228-404-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3228-399-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3228-391-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3296-338-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3296-406-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3296-345-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/3324-446-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3324-454-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3424-331-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3424-323-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3424-389-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4380-351-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4380-419-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4380-357-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4448-319-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4448-376-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4448-310-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4608-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4608-254-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4608-261-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4608-271-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4608-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4712-233-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4712-34-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4712-27-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4712-28-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4836-21-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4836-22-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4836-229-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4836-14-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4836-16-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5008-51-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5008-57-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/5008-61-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/5008-64-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5008-50-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/5028-468-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/5028-460-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5076-243-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/5076-242-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5076-249-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/5076-309-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5488-548-0x0000029983AC0000-0x0000029983AD0000-memory.dmp

Filesize
64KB

Download