c8b0f531e1709b0c490fa2f979a31072a5e95af7e657291b1ef4c9eb32ef5be2

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_d570974fb066815e3b7ee659f265d734_ryuk.exe
Size

1.9MB
MD5

d570974fb066815e3b7ee659f265d734
SHA1

32bd21d3c475ea6d8091bd8c11bedf295546bf69
SHA256

c8b0f531e1709b0c490fa2f979a31072a5e95af7e657291b1ef4c9eb32ef5be2
SHA512

b953bf2d1f8460a9bb4d7d5702aaaa88b10a9e9ae860d48ac0029dfdcf0f5caaa6c820a0aadccf5e755e6f050f08e170538f64a20d6afef2b26b52f25a4a6a9a
SSDEEP

24576:l6V6jC/AyqGizWCaFbySqMrfUgYbkhqfj8uqw:l6cZGizWCaFbdrfPOkhqvq

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3692	alg.exe
4888	elevation_service.exe
3896	elevation_service.exe
1424	maintenanceservice.exe
2280	OSE.EXE
5028	DiagnosticsHub.StandardCollector.Service.exe
628	fxssvc.exe
2344	msdtc.exe
3596	PerceptionSimulationService.exe
4588	perfhost.exe
4700	locator.exe
3396	SensorDataService.exe
536	snmptrap.exe
4656	spectrum.exe
3928	ssh-agent.exe
4432	TieringEngineService.exe
4892	AgentService.exe
1032	vds.exe
3164	vssvc.exe
5096	wbengine.exe
2076	WmiApSrv.exe
3512	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\58277730102ae222.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-22_d570974fb066815e3b7ee659f265d734_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{78904BCB-E140-491C-BF0F-5887E645688E}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79750\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{78904BCB-E140-491C-BF0F-5887E645688E}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79750\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006a39e49bd594da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020ceba9cd594da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000ba6b39cd594da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e274df9bd594da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009037039cd594da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000271e8b9cd594da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001df2599bd594da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003ca16a9bd594da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff00ab9bd594da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a8e9f49bd594da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f47bea9cd594da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4d9a39bd594da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4888	elevation_service.exe
4888	elevation_service.exe
4888	elevation_service.exe
4888	elevation_service.exe
4888	elevation_service.exe
4888	elevation_service.exe
4888	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4468	2024-04-22_d570974fb066815e3b7ee659f265d734_ryuk.exe
Token: SeDebugPrivilege	3692	alg.exe
Token: SeDebugPrivilege	3692	alg.exe
Token: SeDebugPrivilege	3692	alg.exe
Token: SeTakeOwnershipPrivilege	4888	elevation_service.exe
Token: SeAuditPrivilege	628	fxssvc.exe
Token: SeRestorePrivilege	4432	TieringEngineService.exe
Token: SeManageVolumePrivilege	4432	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4892	AgentService.exe
Token: SeBackupPrivilege	3164	vssvc.exe
Token: SeRestorePrivilege	3164	vssvc.exe
Token: SeAuditPrivilege	3164	vssvc.exe
Token: SeBackupPrivilege	5096	wbengine.exe
Token: SeRestorePrivilege	5096	wbengine.exe
Token: SeSecurityPrivilege	5096	wbengine.exe
Token: 33	3512	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3512	SearchIndexer.exe
Token: SeDebugPrivilege	4888	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 2204	3512	SearchIndexer.exe	132
PID 3512 wrote to memory of 2204	3512	SearchIndexer.exe	132
PID 3512 wrote to memory of 2632	3512	SearchIndexer.exe	133
PID 3512 wrote to memory of 2632	3512	SearchIndexer.exe	133

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-22_d570974fb066815e3b7ee659f265d734_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_d570974fb066815e3b7ee659f265d734_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3692

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3896

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1424

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2280

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1388

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2344

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3596

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4588

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4700

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3396

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:536

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4656

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1876

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4432

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1032

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2076

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2204
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
fbcdd88a7ae3bb7dc185d0afb5a0aac8

SHA1
d0237285372e4a35f0c1eef97554a8db0dde569b

SHA256
715f99aa3fa068a74c2ca628e724b721cb3ca42ac89bd88fa6e52008d04df66c

SHA512
c5272856e315b8afb152e19d32f0e1cafa59a6dfb5232f968b3401380bf5abbad3cf4b1becbe6d6d0b1e1b9afbf97cb4fc3dca3b76964040930ae242156239a2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
eb1c62b1b71cbf7abfec77b7c6d06a10

SHA1
5eda25cada0cebe4462b2d7484f7c171ce7adcb3

SHA256
d6710b08fda979777be25e963281b702db8754c62e1f461fbb001e3fb647b7f5

SHA512
79913b732a8abf1b6424de2b3fccb476c8fbac4f0de4e45271e7bce583e43db77ad8a8505269939c1cf02e602d23a07bab986ef258005cc8b69eeb36c79d40cd

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
7728aa7ae7b535f5470e11f0daf2e86e

SHA1
5d374df00f01a6205b765b290a676f05ad12bb72

SHA256
c859f7afd59ec288b419edbc55f56f77c4fce307cdbbf62715b52cfe7bbe95d9

SHA512
b36e9b47ef507e1f98cea02b14aa515b1e974ebc9920ffc42ea507924f4344cda5c9bfaf25dd553d01183ac680e1e9849de64089813c5144983cc9962be8be49

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
af7fc065f12cc806eb0b248e9e82400b

SHA1
2e74fb5278811b8f8640627021cebd27f93032c3

SHA256
063bfcb569ce8e96d0ac70db8d483e155c8b7b59678ac1936063219cf7f6a3a9

SHA512
1edf23614c4c243eda4c9cfcec31231ed24816407a101fce9e93d6617ac0e85d73091492766db4d69632a4d885f1b60ac21b463e9f0a68ecbfcc1e84de5a6227

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
7dd1a6b70e4469476d576e0e9d5ab929

SHA1
1e85a19aaec7112207831459743f9b01345580b7

SHA256
dfd71ecf7c56b6224aa9668d39dfc2160a89081212618ab336acba988c9b8750

SHA512
5533fb10e9e383cb8d016325c07de4d7e636dd8f6bea7abe99aee9108018ddf1c59e0ecad4ed5381ff339e6636511879ce73760e1891e9ff591e1c8af2e3231b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
2188b5244cd34abaad0b30a272239c7e

SHA1
94d31bcc99d283460e0f55aed647dc5228289517

SHA256
446e6617aa37001590220fba1e4cddf361764d94dfb7f387e60b951f8662866c

SHA512
e973c5a72f5074fc8a2d729ab762b3944d6cad29779c57171d8d553b61566220af6d2378846b1f66690d0d5ce6e24e6eb9667f6f65be8ecb484239b0ca032c90

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
85f8d671cc8ff014775fab9aa53001dc

SHA1
110226c3fa022f8288966c843104411df7224084

SHA256
dfe03082bf1a593f964bd8b018a5f727d411d4a472bcb7ca5acfebe878419949

SHA512
893ecf6eb1c7b1ec1e0b24d79620785e8d88de894287008abf32b7bbd9cb97ac544f5612e03ed1336221d584ba2f83b2f416f2d22da27c2ed25742739012acb0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
7111db8f052b8d1146cc8b8cecf52c5e

SHA1
8f4b65d796d03e91882eee0c3d2020b292bd8240

SHA256
68cefa7b5335076dc7df7efbf6f332fd1abda53e612c855cacce3d834cf5b668

SHA512
508fd8707f29da475494d8f601d78ccbf7d8bfd0b777356b44173f49bb8b76fc309d37cc7f56bdf6d1b5efabd615b3aca35ded96d6fd945d478e998c13836f9a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
5711f7bac30c9d62581dfae266598e72

SHA1
f391e980e8b2b8d1d7302a11df0951ada3fd18c0

SHA256
702a8124d4a6d1cdd9cf885e8125e2c36a4cec42af9c8ba0c50148e5ad493811

SHA512
553851e414a5e3ced2276efb633be01f705fcd19e9f293f87497313346fff296aab5d560be3342689d28e7f9a8034fd2c302d3d8d742913af06eff0f2c0ff7c4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e6ed3b6616e892514152a5588c8b9469

SHA1
dce1a19b5cff434e8422badf1c73770d680b3ffe

SHA256
11c6141113fdb7e2596a5dd3eb99694cf3c4e001893be1e0576ffd7968a0f346

SHA512
667f0a7e138fb499b52307c16a2a85980aeb453ff9045518884efb2b8c16b960be759a76d651d57e737f6f2cdda8b139bdfbd3eca315d1cb80f8f9c549b899bf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
dc4e2c12581175ea733fed0d13d2bb78

SHA1
0d7e745fcdbbf91cc510077e746af6e445b69cc5

SHA256
7811a898eeb612df7c73041944d37de6901ef7d282f5b4a96c91c909e152e203

SHA512
08a6be8a35f9c5749e1df7c735a6a6a77023901c776b35c2e7236e13af0c4cc74854a73dd29e137734270253d74ab86e3e1f6d6bc8291c3f85b73ccb0890c8e8

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ac83dc4f3440949d4c5119cbd1d60104

SHA1
2aa573f166b14bfb35e7569c6a6fecc2b38b9478

SHA256
289ed43d28d0e960d7898ddd40080eb82f8e4c8799a4541d8269fcd8e87f6940

SHA512
b014c9368e37ff33e912ff6593e5c6594e47269e06fc904faecb39f47790dfe342bea78e24c52260789d284f2c8f8cab3de28f791ec4fd9af5ba85ba0811a8c9

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
6873f1e1d0c56522c293f9b460916c50

SHA1
9232c0c85c7ee4c5493287bae597cedb73029137

SHA256
005606b3117d97415f41258cc262d9b28210a97917e2e79293014ac49469031f

SHA512
f57af53b65c68bcaa22974ec55bc4623b0c89c500e168bdadf3d4552af38751e2c47b773b1afcaf49b873f1f74c057fc6824fc0dbab6deab22d2af88a0a9adb1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
baa592501153af859466de9a345b0beb

SHA1
bf5bdf50b88d2794453d1e279f0d5548fb057962

SHA256
754f280a106f07ea182949df1e9eb576f847eb7f106559e9c15ff66ba4e41683

SHA512
b75ac4a1fd67f93c3f5dad5c644707c090310eb027c89d2f25ab5165271a1e1583cb0ef0659e048cc2ed48cff45b0bc61784c06a2370375f5db5fc1115bab5cb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
835b3791151b28982955632fab021da2

SHA1
6b5601032bfe1f47fe47e2dcbcefaf7c392b3efc

SHA256
ca8462db48f77376bb50afa1173094fccd5059de95a8a052fa767c87869063ea

SHA512
b934a245a84ece50bcdc8830f32b704dfb0ca13f7aa20d1d87b3f282f1949fd21955956553f867fb327f12c2ed464da7e44f0629cdd39cbeafc83c30d876938b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
1f4246efbf83fa59c14136aa18bff71c

SHA1
e843f412f6dfe84a15ef003071195122bec06b96

SHA256
7a3218cf24efb7904a733dd4a332fcc9fa41ee1eac4de7ae81e2a72fa090529a

SHA512
d8a36cf44772af89149acb092c5390fb379d0155fadfa0b92dab4cd9df0bb80c8ea512444b0b4f066dcb6662b1e8666d64d8ff6ac5a9cf382feb1f8c2129a331

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
f6b7baf0a0893c3aef30606718d2fc37

SHA1
0f895fe09257a7961d4350fd0fdfef10e19f04f4

SHA256
453142a521bb444ede65630c8a98d768ebcbff676fbaf6138d1f40fb704cdefe

SHA512
d4884cfbecad1487b22a9412ab0849818facc477d3057e60d161797db1389ed516e61769f2948e46328705773c35ca05fc90cec2cd851dccf508147f46a67b03

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
b3be5ff3342f0dc5590695d42550aad8

SHA1
03a814a8d49f29fcbe4192fc83d6263357c5ed1d

SHA256
f8c0997f692153f68666e750484fdca679fa6adb48e1e8f8852b9889d038e125

SHA512
d5440d2c2747f4a53e7accc76e5ce6218210d5a4e13e28d503ea66876b7c84041bf9ef5da03c5481fd9a09e4e9a7308a927b29eab0045abc13991b502df1a34f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
7230d927cefd7a1fb42bdee828330164

SHA1
b33d2490c136a991bab4d766aea5e233267d7d38

SHA256
50de01f7bffd008b6b5a04d0eed434bfb69ab3ad7ac100838ad62e653ae99af4

SHA512
5eadd5aa7f7cc4c35de0c1dd58a964103007e9e0068a0b2b1ae0d931c04b1928bc13c2803f92fdbc7b255bb6ea0b38e2b0c01d13a241df7397a2bc8ad4217bbf

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
8c85b2056ae0ee6001765afd8ba36082

SHA1
641d516b878e75bc4f02ad33979d0f2b93748c22

SHA256
95e68c891e82fc4b951c2d60e047e1ec646cf3fc6222e4cac6f1d59ee2b37692

SHA512
d2d8b56d2c8c4c62b477e42abe52a82a095abd082b8b3049ebf111d26bc6575caa40bf7c040b1b64e729ebd8562b1440eb8d4206fde4cbbb5a3cecaa007ad3a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
5c11e6b7d78379e39ed50ac21a4c99ed

SHA1
d9e0e24173d6fbe6333eb27a9b7a8a0f43c322af

SHA256
5a189de3b20d3d343a674e02b345cf90e6ea25ef08c3c63cf76d8f20e9155be9

SHA512
bd3b4699e5544bf30e7579fcf2d9caf19206385df5421c12cc23df945113e19c72e88315dc34f890fbdfe9f51d5abe3b7155cab791d7f3f91404464bf249d98e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
832e95a8ad2dcffd38c05d90048f89d6

SHA1
c36a7f27e9e2a60f4f3ca41fff2b5a32c0051095

SHA256
2297df827d1d4bf55a8dc63544a2cca3a9b6330c33ad3494abee8a53a433eca2

SHA512
e9bbfa527e1d423f4377c0b9dde826eac9049bcebdbe0a02fdf8a44f322b4b5d4a206dc226fbf8a5d4e04d5d885e00026a3b99f8359b2987f73a95b91d6734ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
0c6c798e6fc1385be80df8ebe0e190a2

SHA1
b34903915c3ace8101692f6d9740629c6f8d8ace

SHA256
4fac64cd565d56a05219bd4107ca1627a5f4f7ee59e2a0001a0b87bd7af7dd65

SHA512
74204d824334dac350e80040af993fbaba6e00ce6c34466145959db3150cf5c0ca20b15cbad3ae69a62dc573ba300fa455647a6eeb0907d1046e112d453ef261

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
0b149b44dfdb4079f53720154dc67b79

SHA1
26b4faa90b4194e7846c89fc6b9660bb651396bd

SHA256
673b61c9ccb0de89912df99b595a614ca3e58da24b7df5c5e8379a923733febb

SHA512
bf75219bf14343dcf762ba3c10744ebd3b3f2c73b62887825b043d766b6dde37fd97502ef119b0ee60392e2a7aa2d5c71bf2fe1e9dc81b2220faefb2f83eab37

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
8b96dbbde8c81495fb8d52461ef8546d

SHA1
e75eec58c1b5bccb05050ab0b50cc6a02eb6aff7

SHA256
8d01d9eb253c35d3447a5597e99c54939bd4d23654944dad9be87568b6f9e5fb

SHA512
50aec2506b4bb27db025bc42066d0ec7bf758fb534341335c19eae7867c4524df6378f613112695d74a4b4ef7fcd10a63783ef11b6509f7c60eac1fc6ffac083

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
843adeef879d7fb542f48679ed1cc333

SHA1
f4b8738a2ebf46c47ff66d58f39494fa52b8cd9e

SHA256
4905d04aba51ed9a63f24f0eddc9a8f716a8e83ba7c31260ab2b352bb7833aaa

SHA512
77e72cef8cca2306591fe2c02bff90eaf590d20707a1530a673727cd40f217b6687825708728b67e653fca51a71600f7b975bd18ec622ccb968c85dbb262d9ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
e81d857677ac2cffb9f600946aa5821d

SHA1
5ad24d14fb6115f78c2fb5e18b335751451cb4e3

SHA256
18479984ae2a8d22fb63d63aa686d91efdc063d8fb04b588ff0c40d7c226475a

SHA512
f5938dce9f223fb80a4a4b4f10534eeedba55fd3a4230df09d6fb849bf9a0be881bb502473ec3d95bb046d0940413aa6060fb7739f74ab5e51cd7bf77652860e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
82f8294946c9bba40e7d099dde92992e

SHA1
53e1b6f1bc013a2eea6c63baf39c925ce4d018a1

SHA256
68b9bb9bd078303a436ebae7ed2e2cf7cfc685737fa1c4176aa781c056a1de65

SHA512
983d4c44f210288911f2376aa879ca0c745c9db5059dab494e202af2712b0f3dd648d6ceab04b79a52097eaa42195963044d6775b2a4e4b86c285ca495e77b67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
ff66e6941fe178f7d6bc04227368bdfd

SHA1
482d78b7179731187ec197d32d1b1977489d7029

SHA256
1a31ee4be868299ac323a2759e0a61b9d0d0688e6d813c88ac5980ed6fbd3053

SHA512
868f42481d2404f95abdda5885e870d80e041006d9e7dc3a1fef85dc88d46608b437bfe04f5c2386612f8b9b172580ed5f3a8b34d3f8daf5c806973aa6334a0b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
30978ab10b4d63d45a73e19724777879

SHA1
f052732b2718d1bd5b5346ab757f193408824fc3

SHA256
5bb11234d9f2f3814508a5504ca89379f9c7d932679a6a55eda5e34f5b3e7e92

SHA512
e42aa60b5216ca87088a430449f52e5b2d64825f804b4ddcfe319b155a57a53b54359d8985f2ad14cf5c0693cf3ca1c7adafef314e91583b3e4102d008170316

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
532e4c58ca74989b970be27bfed2ba1e

SHA1
2c75d157590c048e9b6d7f5ba150e77a25d8808b

SHA256
86cde9622e573313342a26957a91bd11bce16047595935d587ce2d76886c13af

SHA512
82b7b2ab065b4535b707549601d20948b4793224a0e6352e6995bc4c7c5cb451e170f258b89dcca4416f3d62c4399441bb189bb3404d46c210fdd8f9c199b51e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
d6a0532dfbc890448d55d90abfa5abd2

SHA1
f60224cd230e10e26e6087ccc148ee7f80c039b3

SHA256
10760a1d2dd8126b64b5d15d781dd792084bb10eaf83a5e7bd66bd44638ec9c0

SHA512
1516a590e2ac4e6cd5caf5ddfdc380838e025a10baf3340665c1e9644bcdf95499e800ad9b2620e781a440a7c3d975ac4097e67b17d1130d58e6bd14dafe8dc9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
0ccb20503844130a1fde44663c7f6307

SHA1
4b3ae30acd572f654410b965584417aa923b1db6

SHA256
177e7eaf1126a54b862f6d5d39c6df19e0af18e6d2ee586f388566eb78237d22

SHA512
ba5ec3fa4ffaf4f58b03671286ef9417b20ede1c3a530c812cddc48a40dcb2fabb03327c7d005d4610be9eaa00b8ce3ad63ee157d0f572cd2c37252082890787

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
b4d8999e3f3647c2f24c3d7c32990a8b

SHA1
d14dcea4f903fbed09494c2898ba9c0b039f526b

SHA256
63636341daabe063ee23795c65c243673ce6685efcf2e8d82569c75345a50c4d

SHA512
6567d980a362277cd0b0694b2032cdcbcc53b5d6564b6a2883fb1010c3c0b825ffc1a363d91bcc8f5ca8cdc9e5af94dcbf64c96602846763746c46bf8c8a3939

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
596725e650a1a746f840a958c097b8f8

SHA1
2cbc12666e4e101c8f13ec9777c27e370eb3a325

SHA256
1bf3c80892dc249714c46b772a91a15348ce366c4c7aba00b8b6679b09b6b084

SHA512
12cedea8a0eb460fd0dea4370195af43a9cb0624bff0ec84013b8cab8e464c0297cd17ae62bbac7f1709649b62b491624750c109182aeb1cb12cd6792738b5ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
9197ba5dacaf46882fb92bab7d87e88b

SHA1
bc94a6da7148ffbe217b850f1ef35280410cfd1d

SHA256
407a55210fac429bca2fb443d1858731357dc7a05f69e214dd3156c6b689ebe7

SHA512
5afbe06c60b702f2d2ed03a91645e2a2d9042d64f30f3e9931d06691d3ca235041a37f2f963059cbe7bdc8250fbdbee303eb87969acb2d0627d1a3bfc0e9c6ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
1e21c62069a9e5c4b2aa278cd47d6b9e

SHA1
fcc5baca359319078d82af4f86048cf407a0990b

SHA256
b1e25322c0cd4cdc3cb287f34e0260f0650f1bb1b60ddb6d78f84242a7915ac4

SHA512
441644839ac9ad2739f66f112fe4690e4fbb0375e9170aadb4b86ed65dff04fdac56d3072995993f15a24db51adbd276ccbef9364bc91f32309b706c7c5e50f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
b07089721d0965a785e3425028a52d38

SHA1
e29972010084192c788b11ecdd7ecf4f4d0a4f61

SHA256
c1c0516fb78121e5a3b8fd29099c37e2b24746bad611f068eae59b11021423b5

SHA512
d29a3c077f810c59f3385720001fa1ac7b2e5e1e75c59b20eeb697c57bbd4ca7b32c8cfabcce4d67307f5b5d0d385aee3146132487cc856410c42254d44ebce2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
6ef388143c7e2e3ecd31e367a8561bb2

SHA1
9d9058305cbadfaab136aef8f420d855e15f9454

SHA256
e74dc5823ffc26a10f8ecd4e6504d0f5a7c40b9fec0559d23bef6fa22f7fa641

SHA512
89d5841cc5360ab00663e5afb6a207388d90ed07bc7d2f6a85fedf06beadfdebb1fcd77b973b5104ea8dca2800748c2b484357973b9b1523611dbb44e798e7cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
c2848f90400f5a6cd12cd5f2548b9c20

SHA1
1bedc28ee7fc2ce7a0e462f75cf62890ae773417

SHA256
a2f6afbd90311f47a6b099681a2c14f03d1da264538538b45a63e50e27ebf408

SHA512
b43429c56e367032173731860e2f6d435ab60f8debec92f6e89a4f5335fbb2d4cf20c0cfa5e69f6335e43d4d6d08620fb5560eb786435cccfcbce3f45cc0ac4a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.4MB

MD5
262b2bd8c6157c5174f1414fe6b04475

SHA1
7d671230ec3aed58000e75dab55135f00518c492

SHA256
9259aece4684e62b9301a9fcc6d882cb9104bdb52483f7481a88b4b9100fcdef

SHA512
2142d5acdbbb53c6c521693939f0753d221ee1490904418ac352a416cb78fa20547e3a4e194fd0bc68afcfc94adf39cf165548d9f2a9c0416fe052b6e8e29181

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.4MB

MD5
784459bb80fc3f3fd434274940e018b0

SHA1
e503c256d21b8df048447edabf49f6be998f18b6

SHA256
1a541b26f468e3ecb86a462f38d4189020db93ccf5cd2e03653e18767c6c895b

SHA512
6354e01400e1f51b76a3b48856b81e3bf6bf277c3778abe028553ff346d1d62973299f045175d505aded77595cae062c738f9d7db1cb007e168840a7d0a35fa2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.4MB

MD5
387f973a7c4b17d9b28b09815665e7be

SHA1
04a20898fda789c821dedac81837c2433787f834

SHA256
5e944481d210587d7c4e64debf17442162e5c8113eb80d35d5c4b3c30ef88a9e

SHA512
e536fdaeffd22338e8c8913f640854dc0865dec1eb9507f00e2303695c2b869c3613824e5b084ffb45a4274a54b880be8eb0c043a15539d1660781bb8224cd9f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
3d13f95c85fe6832e8bb007af956d6a5

SHA1
76b4ce12c06876ea10df3a7593971790149d5738

SHA256
8764ade53efa9738fd8960014a24c2fe41303e8147a4b936ebafb482eeaf88d2

SHA512
93eb1383118e8159bc3a8dce62aa98dec76847afd6034be7d20eb8d4a743874af19abd599de8a810a9d4edf7a7537e09e72d05ba7e5efda3069efbf57c81dd76

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
800809578573e2876ae65677b04fdb8b

SHA1
1d865365b8ec3c4419ee022c2a32128df29a1373

SHA256
627e805acd0214819528d94f68fa86229b7b8287633bf99d50a82f42e8670e1a

SHA512
1b0743003d545fab03a669a36d2dfbd6b31aa8b63167c6cd9c84cc437245a61977a24fe7282b434abbc93eb2eeff45ace59a6960f9a9ad88a582439e649bb16a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a5447fed3fd0f68e08847bb2de2b86ed

SHA1
6a752567178949807440ed664ef2263f486ec6fb

SHA256
7f7bea80c4b6924e9f52dbeb16f40ca57f0dac421eb40c0b5d2e38eaf6141e85

SHA512
28075c6d5d5e37bc52df72483d46eb157600bbb25dd5393dc0c6bf059d3b973ef59cd33bcdff7e08d7d1da193941b937bbfbbd56172b070edf71c9dfe5eb44db

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
b477b024d724472bad53d0e8a662dce0

SHA1
ef01d7bbb99e66b9411e02f831700d0cb71fc66d

SHA256
446ad3e8ce631bd15e56e46826a4c6c85681e6b684af96e625bda36a6717e84c

SHA512
4a91d09eb16b588b64cf9f75888ce3db1c90b5af7268ef1e0ccfdd83b2e83ce89d8b708ae4edc7b509258a12f6980842b794644ced10ca4b143a292654b2a845

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a9a0aaf398614cae3388c2d75e09a77d

SHA1
f188f769327d252eeb00b1334002515b0a3dd8bb

SHA256
ccffa708f54e4bac728876e927bcb0e07c7973b408b063658515f1eaf7dee870

SHA512
b5cf1b00298ae809a39fec622aa766b221a0851644c44a12f428e4e150de9fe48b082c7a8a2d81d4954fdd6e42dd82ced3f4d55a732a7ccd5a01290130afa925

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
bfe10036877ae2b7084a92ab7b031fa0

SHA1
d36bbc757c4c534ac71e85c615885dbf74510a0e

SHA256
d489fe25ad23bf260c51398212f0d4982ea649e4ae92a5c1320760969aac24fa

SHA512
887257191f4ec5eb1475b068ebd128bd06b30921d60fa32914269e21286e9d415b35be3f819c842f994edaaa57ae702e8e06b72dea9c20ff1c76dc787f8fcb00

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
ac540d8655f79ee388584c0888eaef26

SHA1
c67a808ff8d07396e5d7301bfab65997d8fdff3a

SHA256
14357b78b49ef0334c9366c000f671438c45b5358134747c3c4cb3b8c0dee89a

SHA512
c9a93e6fc0a6c8035b840dbfc3acb566185330d89ae871ba4555aaf25878cfd38d26d86ce5c12a51fde40d3c92bb423e514900f329870344a4502fef58ad7521

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
5c9391746311cb190abbefea4202fc33

SHA1
1ad9fe06353c631f3a6325e90fce3dee74f63165

SHA256
ac8aa8831e2a9d081189e9c90191bf27fd80306a608ddc1e86d47825e64274de

SHA512
bef41933fd022f150e283bc7f67768e96cd83c97f82ba02649a70cf1d50ea106a9eaa879281d3beda3ebbb305732080ad17f5c4f3840d9f360647ffcd49a32f8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5357d56af8ec42dd7e56fc71367bad56

SHA1
60ea8ff4f17be1ab772a053475cc86274a5903d7

SHA256
4785e97123d2a361f82ea8bd0e5ae11cc59f2ffdab4d186332309046081bda55

SHA512
a76d399f60d838da08a307ba87358862d3e426d2e90dfee0165141235fe2fcf16dd5dae73e3dad234945c0f3b62cdbae9b881c7ca363696f10566a42b2f50377

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a68c056d0fe5ae7804fa3194287bed09

SHA1
d2e08fda85f8d66501bd3929b3a78ca1ac1fb20d

SHA256
3ce00c6466caea1cf424cbba16de17ea653c6df7ec4938fce71b71913926668a

SHA512
f4852c1579293705bd5bf2d872a5ad59f3c2fbca2e1f15f0d9706977ec716e6f3cc925fa9c9a3797ef9956b5f77b8499a3692ba08a08d1b4dd44f29fcf7cb336

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
0a4e20baa87dbf464e942e3edaadee14

SHA1
0c82bd2677ef666ff2859c20849a35c356b5bc1e

SHA256
dc271bd613a777cbaf1216e45c25ff8d5f726ffe11c587cb3537e917918c439e

SHA512
7db26310887ab30e354e4be046ba46815793c90b1b8628b54c736c23a86054ef17024072531de3850420a5ed028501339275c99323919831785a5042a67cd076

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
31988336bd256283ff4e819edb16394a

SHA1
4d1e736c0622140dabc4dc84d3a02e4b93762962

SHA256
db6f76e5e851a4f72311855722cdbd9a046c657bbdd2957b04e80a831e011698

SHA512
69ba55215204d480663be55542dc4bf65433d3b96bda3ba0b188664c757973c6e8513d2948238c83572b7c60babe79a10ba392ef50a6392e909e07a580e0306a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ea53a4f42934c3312de656616007fd59

SHA1
4c3b66410eb46033c2366680de29cfe43a744866

SHA256
83641945f5b247d4e21ca2f4e55f90d95b646f157d9560f12492cb51ffd87e03

SHA512
4785449189b7892c7c059c53ad4bedce4edbe314591fdf64a8c302ef208665af314258815c95d5249cb4cd04a1a89e82b249ee1061fdcf9eb288a805c12d5174

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
f6153b797a1dd95a4bb4638f7c8cbfd0

SHA1
693c3e5f7af3a09480d06c2615058058f3b15a3b

SHA256
878398398cec41b5d42fd5bd66d5090e9696b31dba9ba5f278f5dd3fa86a2617

SHA512
62501c968fb248d4f13061478cdaf8d315344e07611ebcf06207789b0d1aac5c58223ce982fc19b1270b6adce5ffc02eb58c5386eb7dd99b61de60badc50562d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
21ad5d7ac2f76cfbbd896555d76ca9bd

SHA1
ae319e6d019d276544514fad3c0d63f86f20dd7a

SHA256
95051c68ba91a2c6b116ec48df88c17d7a5dcf6a63f98fcea4987e6e4876e3dd

SHA512
b123eb145f7098df39782d1fa2be9bfd428a86a162655a5670acff593009f29abb8fb3de2d50572078280fb09f47205d49b1f3f6af21206578cf54ef69ee9442

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
f66768c62ec18ba7ba0808d23925a8a1

SHA1
d78d6bf1427bd592633400e45624642ca828efdd

SHA256
d75bd0d589edb8060425b72fb6af14a014ade1e2dba91f3f634c469b983bc4c9

SHA512
c61e9273487da98720909d91343634585f65391bb88e516ef5672094145a65d8e6749912745963a645acbd5c03ccfb9588084df3a8435dceb0e691d9d87e46fe

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
2a3c676de39b3e7a612d3e1ed04642b3

SHA1
b8ff58bca5e6e5ce19c9f297611e84480098e74b

SHA256
d5f7bb7adb69663decaeda02b8961f1d641c9ad88bc96dbedb0cf65184c0adee

SHA512
1c8cecb3cde8d8ba5e8a77191e8659eae6a6f70a3f38ba18af7fa322d6da0141c4bd9544362a9ba77b2987f1dc5395fa9fa1442ee4f66b26325719b23edf7611

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
ed52a4ffcff32882d210acac1d5beb12

SHA1
87eb709abf4510064fa0fd1f00186549e9576f2a

SHA256
e98f4c0f259f07a8e6f56b9fc6c69e380975c9141a09dd4fb26e343640fbdd94

SHA512
e81c71e2837c1d822b6a84c0d54939b95538e2c12034a5161ddba3562c8a040c59b4364658e933c983a21565c5a14225a8b03b0784338cc7b887d52f896808f6

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5ca6318014ac5a19c4cf80b69ef850ca

SHA1
2cde5218c1936474cd5df0e9b2b25cefc5e2c24b

SHA256
d4d62b0fccd76274861be7f908111acc9bea298d0ab3ed0aa93a1277a9f0a5d3

SHA512
6ea0e925392e4c69bbb802e2a1c9f8e4a7d8f00d83b538b96e3122947ad7a2d59b4c9ee0e21da7927567317c888f91eb5d16a101835f83bceee1660346960e07

Download Submit
memory/536-339-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/536-417-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/536-345-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/536-407-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/628-270-0x0000000000A30000-0x0000000000A90000-memory.dmp

Filesize
384KB

Download
memory/628-256-0x0000000000A30000-0x0000000000A90000-memory.dmp

Filesize
384KB

Download
memory/628-262-0x0000000000A30000-0x0000000000A90000-memory.dmp

Filesize
384KB

Download
memory/628-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/628-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1032-418-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1032-409-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1424-60-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1424-63-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1424-57-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1424-51-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1424-50-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2076-456-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2076-449-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2280-238-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2280-65-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2280-66-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2280-73-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2344-272-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2344-281-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/2344-338-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3164-422-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3164-430-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3396-547-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3396-390-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3396-333-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/3396-325-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3512-461-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3512-469-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3596-289-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3596-296-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/3596-350-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3692-208-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3692-22-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3692-15-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3692-16-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3896-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3896-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3896-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3896-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3896-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3928-374-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3928-367-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3928-434-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4432-447-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4432-380-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4432-386-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/4468-11-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4468-1-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4468-13-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/4468-0-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/4468-7-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4588-364-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4588-300-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4588-308-0x0000000000710000-0x0000000000777000-memory.dmp

Filesize
412KB

Download
memory/4656-352-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4656-359-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4656-421-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4700-321-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4700-315-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4700-378-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4888-27-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4888-28-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4888-234-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4888-34-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4892-391-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4892-399-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4892-405-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4892-404-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5028-244-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/5028-243-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/5028-251-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/5028-312-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/5096-435-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5096-443-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download