88ff6250dbd0feaef8f6f229733f2d72f8610bfff0d716fbd4e9affd8fe02379

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_d17c0d660848a86a56d20626df6d8e09_ryuk.exe
Size

1.5MB
MD5

d17c0d660848a86a56d20626df6d8e09
SHA1

87030e53362aa8be29766199e623fa698706de06
SHA256

88ff6250dbd0feaef8f6f229733f2d72f8610bfff0d716fbd4e9affd8fe02379
SHA512

b3f5857dbfab3280404e577f155b28c6196c112af2490072856aceabe995646868f67d66a9db6e2e11158f71c11216d928e3c5f1c74c4c49a84988585768ea42
SSDEEP

12288:aObfA4LWOsvAYFT6Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9L:LbL3UT6sqjnhMgeiCl7G0nehbGZpbD

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2924	alg.exe
4388	elevation_service.exe
452	elevation_service.exe
4092	maintenanceservice.exe
2688	OSE.EXE
380	DiagnosticsHub.StandardCollector.Service.exe
3664	fxssvc.exe
2224	msdtc.exe
3960	PerceptionSimulationService.exe
4556	perfhost.exe
4276	locator.exe
3068	SensorDataService.exe
3644	snmptrap.exe
1172	spectrum.exe
4532	ssh-agent.exe
2992	TieringEngineService.exe
4464	AgentService.exe
2192	vds.exe
3704	vssvc.exe
4560	wbengine.exe
2532	WmiApSrv.exe
1124	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

elevation_service.exe2024-04-28_d17c0d660848a86a56d20626df6d8e09_ryuk.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_d17c0d660848a86a56d20626df6d8e09_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d615e8e1234f82a5.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exealg.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000068e1de092099da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000213e5d0a2099da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000001411f0a2099da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000868f2d0a2099da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bfdd3b0a2099da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ca6e3092099da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
4388	elevation_service.exe
4388	elevation_service.exe
4388	elevation_service.exe
4388	elevation_service.exe
4388	elevation_service.exe
4388	elevation_service.exe
4388	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

644
644

pid	process
644
644

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-04-28_d17c0d660848a86a56d20626df6d8e09_ryuk.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4592	2024-04-28_d17c0d660848a86a56d20626df6d8e09_ryuk.exe
Token: SeDebugPrivilege	2924	alg.exe
Token: SeDebugPrivilege	2924	alg.exe
Token: SeDebugPrivilege	2924	alg.exe
Token: SeTakeOwnershipPrivilege	4388	elevation_service.exe
Token: SeAuditPrivilege	3664	fxssvc.exe
Token: SeRestorePrivilege	2992	TieringEngineService.exe
Token: SeManageVolumePrivilege	2992	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4464	AgentService.exe
Token: SeBackupPrivilege	3704	vssvc.exe
Token: SeRestorePrivilege	3704	vssvc.exe
Token: SeAuditPrivilege	3704	vssvc.exe
Token: SeBackupPrivilege	4560	wbengine.exe
Token: SeRestorePrivilege	4560	wbengine.exe
Token: SeSecurityPrivilege	4560	wbengine.exe
Token: 33	1124	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1124	SearchIndexer.exe
Token: SeDebugPrivilege	4388	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1124 wrote to memory of 5036	1124	SearchIndexer.exe	SearchProtocolHost.exe
PID 1124 wrote to memory of 5036	1124	SearchIndexer.exe	SearchProtocolHost.exe
PID 1124 wrote to memory of 3000	1124	SearchIndexer.exe	SearchFilterHost.exe
PID 1124 wrote to memory of 3000	1124	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_d17c0d660848a86a56d20626df6d8e09_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_d17c0d660848a86a56d20626df6d8e09_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:452

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4092

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2688

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:380

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4480

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2224

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3960

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4556

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4276

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3068

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3644

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1172

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3504

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4464

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2192

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3704

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2532

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5036

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
2⤵
- Modifies data under HKEY_USERS
PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
62537b2b5a4de5aa594986a542634e63

SHA1
653106b22e1c62352a625d155a3db930a3640d2e

SHA256
91f59a39e35f7a3fcc81ed62c081aaf80c9bd3bd3762773a8f6dbd2bd58cdf13

SHA512
8c4a2c8f8a8ba927ad01ac267144191404bbc5cb767cb8b9453987d313e5386aced401c601154e4e88f59f3952fb5423271c6eb675f7f522543150542c0b756b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
1ea89c8e97974805f241f1dbe3486ee6

SHA1
5ddde06769f7af49ee398662a78739514f62a122

SHA256
1d00cb862da665f3724a66aeab9fc9bacdcadb3a525d6de16c208cf7c35b67ea

SHA512
685b4328af3caf2bba61ba4410597988aae31c722c1b05ab3ee6413afe7c9a76246c001acf537bc14e39937c8278cf466d7b867f5fd92ad4cd579e83b7a10ce3

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
aa2029922cffb6e29d5937392cf1cd0b

SHA1
10dc451cfc3244f724486209a7eabe39c955e510

SHA256
b73708ba39a23c47474f614a27cbf5f45a3e83fb0dffe9a964f324468c803959

SHA512
584f775aec41445a372aabf4c8230cc34ec8393421af9e7fd5a6f2d2542f826d823f526022d17a6a96c96a6048caa75a863eca8ef4f6c8b89e311ff11b93391e

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
1de97673e0320a598b6c32cba1a85140

SHA1
25ca337a90c1c0c8363643199a021100de569000

SHA256
23a4e8eb358526a827816107ad90c614fb45cdaab3495c2e1e281b3ebc2da874

SHA512
587b6dfc59eee5205578e789b0becf92de4dfe99c93d5755792f7a63c2e7f69e4f3c76bad87bef8874687c8c4281a775bb82f71102399d3c299b1cf7bed664ab

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
96a4075e087afca63e3610724e444d88

SHA1
0b4579719c365594e7c04f2c25a8552daa829a25

SHA256
f2994ebb3ed4f3e1ba501cab39d16db5598b0ef4b7ac6c8b70e6baed60c89ab3

SHA512
b9f728a7bc8208f2ab29da45c5a5cca677589d2dda148cfb23fd7b940a1258c45eac973bde6cf2b0eb34f07c8ef6a88b748d4b2484510e19c4f9f0e2f828bbba

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
fc4a8180eb8dd4ee20254b9628ab907c

SHA1
d20e2716a39f43511cca3e382d409d2404227d68

SHA256
dfc9be2ffeaa600054291e85b8045bd14e07c037e7002c1c51452a1997b54a19

SHA512
c19a92b7968d6748299abe4d4bf9efee7cae20467682a6eda1b14241a99e0e46eff38be05e25a371b2494f99e3d36e736d4ef9448bdcfe5ae52a05567fc8668e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
9f3de2efcc6b66d80ec11fcca1777d4b

SHA1
4c1049ed8a82b2ff6285490591e796171a862cae

SHA256
b3b4be0426444fac688f069660ae3a2573c51673360fe447a98eb2e5e4d25b10

SHA512
7fa92c65aa918ff4cf6eec3e6714cab945c6d964b6e86c1111fe0b11ef57af340a735f994405c92e86b3f0bc68e5cdff9687e8bb8085ce9a3faac067e6178f99

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
ab5841564e2ffffe56e90f12ea2dabc7

SHA1
f296f5a0a4c27770cb0410cca7cd9984586bee7a

SHA256
6e4ba6bd06b52c7a796582d0a8e5d561a68cf14027672cf8df36978105c16309

SHA512
932beb5e5c06a66c8000f15ce172bbe94985ecc0f91ed3c55ce1b62f12563778985d4d51403ad9613b426c920f64e803a67136b7e49cb3b7d638e44da6cf9eed

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
02e8e37dc9feb3bc8e6b11d5846dbf30

SHA1
101016d2d4c3975b36f43c31e6266e5bfe667c54

SHA256
6ff9b892aebbbc46264db0efc13af263414c0aac994bce22c5e20d17b39c1d04

SHA512
09bcfa5b531aea6e4783fe189ecc9c3b1c3df9941ca63cafc6e03bd70b3adc7655f1db88af2c965a7a1eb04f17528908e63e4cdf0d1031e31abbad9009956e75

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
7692cf90c0a4024e4013c463ca9aff9e

SHA1
02b440caf5c715f44bb1f5ee820692c8d30761d9

SHA256
d2ce999666342e724638f634936a87cdb21405242b3c25f830dae8856d14f90f

SHA512
06aca94260bbb906e00f410a3a8c0c99c9bde7e2d5db568d537a3456ea7d17dc07986434d5ebe87df6a07786e31bbbd727cd47a92d55a8caa893d6bf238b2c81

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
2ce75d4bad62ce21dfa7bc0667be8b4b

SHA1
cda80f46feb4a549867a58a76c634f05c95fc089

SHA256
ad2d8ad20613424fd9a22d2169b3fea75f717ab7d57eef40587c6376c343b86e

SHA512
3b462c09a46139edbfff1ad1380eef651352384c93cbc0c04decd87c9fabbd6dc0027c75c6cbf73458daee721a2ec845f9b42eb678a0609522d535b001268b8f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
63d9b1c60ca7692684ba37e041d5dd32

SHA1
2e541a6c58cbf076ef64336073c352c623823bd7

SHA256
84c25d1165eac44d87dd0bfe178aaf2df964e22d0b547616df6fc7fc9133d77f

SHA512
25c5fc0c4ce108392e7918e86c07f253616d5f72f8fa9a7e5bba9fc3c35dba988ec5d1eef061cce223080e149d8009a2dcc369532ca94a86ad058e4d3d7338ef

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
ceef72271ab696359b952452b4c3f2fc

SHA1
b85da640380523f6614cad7762880a9778370018

SHA256
cc01b778ff206a053f9355c4f85aef6ace0e63574b1c258e64ffa93eb5a2dee3

SHA512
a3ec5cdf218330b42e4190880880cc8f8ffa88439e7bda4c0cdd8cf3fa46ead89f83274fe587b4a2726016372436a1f4786de1997062fb14628805589fce0150

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
fff4492371c502a064292a2a4894c39e

SHA1
a1cc70bb8607fbc3e74ec56accc18479e9fe1b74

SHA256
3b9f9f2ac295f48c2924608e8c18fdcd511d67a15338b15da3fbd99934b2d71b

SHA512
d7c4994f3c55d73ff0d3c57fad12b9bbbca7b3e671694c649eaeb34ca0ec48e09a1fc88bb241e5b2be29f3c9e7cf0e692c5fdd1abed15ea826bdc276393225ad

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
e69f76e0c816b7f4e91d5430adcbf31a

SHA1
979b50b76358f54401312390dfd853ad80f1ae7d

SHA256
d955999f9801815d1d07a341d16054528e23be263c2e012c6da701c94bf6e974

SHA512
8af4b64dbbe6ea58059750a93c98e72054a281bd34da2d5b43e0d12d94d2bb8e2af54b4e2641384a70ad84788ff0744bda3032bce04170e66556c372ef1bf225

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
f8db7e3ce052740356d59863141792e1

SHA1
2be1c35f50bcf833c05326834b0ce715a1835528

SHA256
db0503553d4d7dc5d8b38fce8b2a35d33ad2a9598e561db32c750e95c71d28e4

SHA512
6db148d2796e73fd84d31cfcb67c9ebeab7e7b58239d52059194d74f0202283ba2a845ad53fe6f6d971c0ef8a66a5095a6c714b8f40747db2a54672447653764

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
d34487a1f9404fd2004919eface8bfef

SHA1
f6e8ffdf5a82468fa38412fe987d71f4d019ae87

SHA256
1a6f82442eddcb9bd838a01357ea7a90e673ed5e625f8bce3c49da75e0ec42d9

SHA512
1641abc265edbd5233b74bff92b534451ee7982d68aca245c331bb96c211ab79c2bf7a2588d7cda191f423aeff412e68be002d10d271073c8fffe2ddb03afe00

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
926b3129b4c82166b72bc3f1ae71a06b

SHA1
ab92b8b2bb2279d02e429436981705d7ad45117c

SHA256
ba59dac63620e4e46821e066b433dab5cdd501abb3d373cd2999663290d206a1

SHA512
64e852d0156639c9e9c211f166a5fcdf050372cc5d27c56fb13e97b872f72235f6cddbda183fea184601e84fe58efbc4a13d47e214b699b06e373868cf94d54d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
4ae93773063c5be24d8eb18b4b20a0d1

SHA1
ac1b917d28204ef069eb6458fece25662aa8fe15

SHA256
f2137196cdb35b4e84a1a791e8875f3c7fa482f150de70ae0ac784f3811286e6

SHA512
d2c6db07ade5a2ce63992b752dc4be5ce5b5f058022941b4692da9cbac6f6cc68646b287f234438b86c37f8e3e360e6314abe889fe917a10e6d235da0f747a4e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
63f78c4c60820c4738fb6b44f7f05b63

SHA1
07d1bd5ab303c2eabc537e47b0f26f89ee56f081

SHA256
df263bbce616ace8d2551c52e970c14e7b33c19320de004f3f0fb0111f871a34

SHA512
411fd2182290532aa807a24def818d90e399a8676845dae0499fbf61eeb4aac46acaf8dbd8d6281dcac0bb894216402b8bf0ab46d56ea409178051bec66a2bf6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
822110ef4c47377e1bb613d073c95d94

SHA1
7090980a688bdacb0415326ac0d6a051901e7451

SHA256
c1f37cb181a4179c090393e031679e03b2aa6af325e112737b0eed0224025dc7

SHA512
866308543a33d7606e8654d30c415304a3d0f8fc824ac1ff57ab4518c3eb889e3aa7f7c97e8c3782e543f7625b0939c3ab656b978b2bcf3434e7ca75765eaeba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
85f4cb30d31983ff6e37bef7a8c91a88

SHA1
428564f7daae1ad9fe7aeeb2f9ced8dd764b68f9

SHA256
ae93b0898aa89e856435665ae4813a9ac8d4001667f6d0bf7430201e30c405de

SHA512
efa20a7b274d047e3fbf3207446dfa34c17fd37fe9c42d2985bca2ae1f83a0dc8be768b0319bdced59bb65e36ec38f979be21349c3682874a85cd82db38250d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
6498ef353b06ebc34f625881f1d13153

SHA1
52121d428f91c599f8bdd0239429fd3b962769b1

SHA256
ad37c3048a2234e37301acadbb09381c34660c694fd4541b3e2333976aeca28a

SHA512
21e9db794ea45ca2ebbee1def211ec7adfd186b9a03ca35c38199db2c30f62e7988e27c5fd572d46181eea33a28feca0c23eab0cd809898de60dffe6629ffef9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
9f88a816a058978107f469dbf86c7bef

SHA1
7d0bcd6704bf4965d2436d322d4df9a2569def0e

SHA256
268e76b75001f8e6a595929bb03088c3a86ceb8fc7817a6788146a682437f674

SHA512
d9e3372aac43aefc1dd57f3195c5394d306e5ad9b241a13d9afa283bc8b6c324d6bbae558b4e700a1d657a7a3a0873c4a7baeaaff5002d760a4aee139b70f848

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
03c874ab004c010dbf757cd8dd06c52f

SHA1
24f41fc5b57aeff2370371303790ccfcf16998c3

SHA256
198db15ea6430c79e5c9c8e9ef0ca616be504d6ee8dcbb0c40570bb492402c34

SHA512
8b8b0c7020a86f4768f22e59e90e8b2fffc934e245584e97a0c8f6d5c50ff743e10d45d306a4ddc1fa9782dfc07f9ba23990c18fbd5ba592d425a46c628866db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
5d52d2ccacc69b7a5dc1dd21fbeb1676

SHA1
92758498ba471e8dbd7ee2d9dc8ceb2eadfe24ed

SHA256
0ad75c20dbd103ce86a009467bc6f8afdc0af928f33ee7d73cb1154abd53ac7e

SHA512
859ca8532b547f14c378678c1a33dd92a02df4830035e9df5dc71fe62eca8d39661cffd8a503d3bc6bcfb4a7a71f11356a07007700477c286a5ecab820c342f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
79f1a09f6902329b942592b234924e18

SHA1
46e55dde8f28d248035ff226b78d8cb7faf5ee7e

SHA256
cf3ef74addfc077e1446094d9f68a6147692ba83cf1ae063e88efdd2bfcc1240

SHA512
624eb88b52c7790b12b27d8a988a4e1e74f8133be4e2555bf6e0ee91001a2973b0245456a6b2e3b763dbbf5faad07265a28ec9ca3cd5cf50059af07d0f1a9b53

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.4MB

MD5
6d089a1507793c6b4db2083257869233

SHA1
04943037b1ba5ecc8ec0a32bfbc093f8e7971d44

SHA256
7e43d2a2901b86753480664b566d94f9d38879ff3b4b79e85f8dbf15a4d5ab13

SHA512
c7543d41613c58f2c0978078e30a52f23351b371a29321882cdf13e5cf3fee9f833213f9e433706c09df2da651e46f7ce390c7ae4e7ac6e67fcbe7ab1fa5b79c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
0ab5e27fae32558eae0eb7e8130053d4

SHA1
a8509280d4e765b1f859b14eac0c8dab7ad925a1

SHA256
53a64de19b5f1a21a91971cfdc1840834d72c9845acfe609c38b0e196c021c55

SHA512
9ff10bae69f6f19d977c1188794f40d7a05d88b07b170ab62c657c554668c46776a948bfb3063bb522393e597187b945b02f27432a75baf1a81da1591fcb8c0e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
554a5ab8220f329db500a0b85b594eec

SHA1
0144e5fef705006f19b9745279c0601a27a2df18

SHA256
5b18f992e1cd3054966de1c69e96c12e915c5fc502035f0ee8c63d95f68693d4

SHA512
e35c63719019278b0b9031af51b8355cac12add2cdf596c8d1378d239c2edd9dd6d0ad2cb2efc14f5d449a6e816e353914682ba8f5f1b1d4b75b9e558828c9bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
65dad32db2e89c2f884d6beba43093bb

SHA1
be7e55d3472d5739dd6539d7348ff23d5abae228

SHA256
3ff88dca053f3feb70fef691eabdfaf8a86866b2e4b20450f67cc51b3a4f9a47

SHA512
da7f1e0af6eeb3afde083b526b5aa4225a7110f2594f97da1aab577bf480d8cad339611c78ad3fa76d49f5ac93c5e01b49f4c9ed1cd8c56ad5d6bb5b924291d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
a802e1e902d377cb583293872bb96bc3

SHA1
142e0a7da368c4ec8027c7acb4758bdc3b8eccf1

SHA256
c3020d9332e77bd944ece2f72154d9da5a72612bbb6669b2e011ac084f36fcee

SHA512
cf70c6c994e79743eae2c036a532448d87f06d512b7c0b60829b81bf5b07fc65ab53feeda1b1e3f35f3544964c4d7b79f0840d03810eae31afa9b48db2d3e589

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
9c7314af2171f0a72c90366b987ea87b

SHA1
2362d4a238a5d735a05964499bbb13f4884a9ccd

SHA256
21e0a8edc03783c192bc7f1e92d1254750ad4cb64044c19c8361d3c841db5e2c

SHA512
4130cd392c5e2f0d80c448c5c1a7ef236696dfd77ffeba7cbfba8de720d627b36a7a6c657d59d47369919d1dd85bb1ef0cb8be2d1c899fd75f8e07eba1fa5852

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
435eb7ca999e51aaee0e0eb2796446c3

SHA1
b2488cc1ae77d4372ab23443b771bd6c302b802b

SHA256
b1192696737eccef0b5ba24c122cf4a19827f742d5bf597a6b8d9046fb9b7d8e

SHA512
1382e9e903ab809c54633df9050965ee45d4fc027478d17eb559d9243a006b67ed3b5252f1a1f07e9a4f458a353f761c68464b3ed8459923547f9697f1a09508

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.4MB

MD5
e6f52a9c2342c3589a4f6deabe55abc1

SHA1
ed514800660212fda1a32c2b53548a72055a1774

SHA256
bff6d932aea28cbeda585ba2a2142fdc2a9d535cab5296942505cf11444bd2dd

SHA512
9ae4a54cfb99fa1c92cdf0ccc931d897d2272bc787ad7dbcede730e44cf39833ae773d6707d3de1dba8c728dadc32a64de3abfbe807e1bb597f79ec96e6c56d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.6MB

MD5
5d7ead9f23ff49c000ec5618f27e4d94

SHA1
058906e99cd0ed3f54b3c1f0890d57df0cf6866a

SHA256
3db6579a8931650a079afa9418611f9df4084cccba8560b5fbad7a86fe559eb4

SHA512
66e9c2e818fc5c66099060b6b8e98cb37026920fb97b07dc814f5f860ec894d47ec1575ba390df598f430acf3a7e0d0ca10b42384e5a9f175df6c51ea988bbe1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.2MB

MD5
9ec1d16a3b59d9e22fda807d3abd558c

SHA1
8db51b65a9a341e76cbe4ca502bb749289f146e1

SHA256
a57bd5481e39d5c6c18a076b75cb84a7bb9bb1d05870fcd86327d3aff2a05604

SHA512
dc4e577201ccdb1248c58c2d3e45c251e474f1f1eb8304470c5d6b542e8f06fb9e18adf4f98e2ab6fe1d64d7202ee50960ba47b75867f217a76cc596042fdf65

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
1.2MB

MD5
f46cfbaf19dffa87a642ffc6629b8348

SHA1
a18f4700ea90b6301c70e0ea9abce1155ee877c7

SHA256
f22a24905714158b05506dc598111616794463e8f9502c67222f13c1a697c3de

SHA512
289e366d18f9443368cb69ac25b6a4a1d9edfc04ef9c09932940fcbb3de65e7758067f86e0da3d7202fa9e7cdfe370614436fd4c5d350f3a60dbedd9da7aa2f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
1.2MB

MD5
5a0ca94bac1d26b77a6b30ee564c6858

SHA1
27f6ed3b4f7c9ed0aa78ed68a75adfc7a8717dd4

SHA256
31b58c04946663752fe1bab5333a1e007a298c99afdced87a1b8b838eaf4fc69

SHA512
65138b72413d1690337ac6867f6baa260fde24a60d8955b65037e1956b0da91d66e019886885e0fa30b4ca14ae4f1cd731ec8bfcdd12b7ffc31798991e8d5fd4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
1.2MB

MD5
c1ac54df1050ec228fc66d39f75f804c

SHA1
674ea4be6ad5350fdaddb3cd97aebef2aa2f0fea

SHA256
6473804e31871cde64bef393d3e226e04726a4288e1c8dea293c0054bc57cfc5

SHA512
c08123dcfd36db9246eb3669626567374762ff6689ec7686365e1b60d2dfbeab2cf52355c0906e138733387426dec6e193f1ea9b3eac7ef69ed4dd38b291d189

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
1.2MB

MD5
49dc769f356807e99c3c99bd4c13173a

SHA1
fa426e3e06a108ff650e6f724afbd9b6f6f1c166

SHA256
6300d071afb8b5a8e47b4349f0a617f1d1d63eb440fe5cc3e28f7228a96074fc

SHA512
2d7935c668eaca61b10a2cf4ef263d0284bd5d8e5f04b2526ab734b2ec2cd688220dfd021f20d908350e1f7a6685634c11723a9b6f6fec5d7bd7c0f303df92c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
1.2MB

MD5
7c151babddc39678bf52be4bc46871f4

SHA1
f981f5f8fc3d375935f4994428af7b1fea6a83cd

SHA256
0abf886f1604882459036216ae2922525a146c60b240c4599e9130ef9209d64d

SHA512
e1d2041a98bfec4c098a8bce38e86d63cd5852f82be1e91f9148bb7aaa5b8d99dcfa6fa7dfaaaf0a0d9b387d4919dd9b4479edecca2d9fc7d04f9a19bbb6fe61

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe
Filesize
1.2MB

MD5
4f0ea9a288997dd28b69a1a121785bf3

SHA1
021c1254244f2d0a166ae54e0a62c540a815c091

SHA256
726e9db9fcc652f3509a6ccc99f21d0f971673748f97185e80d644376cf50a7a

SHA512
535d759c1426323ecf82bd4730de182454dd617d24484cf5ad36ad8028c089bf939f49f8ce9c194a837435ab113638101d2c07a4e32e7e76fdc136520f650437

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
d575027df519344005c014f5e1f5d006

SHA1
b86371ae57bfafa76ef67cbbfa76bcbb23c15568

SHA256
8bdb5c6a9f88d065164e43450d686d1743f18a8a358731561cb09576adfc7104

SHA512
51d06e18784abe0b7783e7a551ed065b16b3b5ce692a46200d1eced1dd9516f2efd955f0678c5cb94d221a440dec564021d6136b6b248a35686170bb6b7751bc

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
930a734bdd3bce4a9c3630cde5b682f3

SHA1
2a1488cbe82683529eaae25336e51889dfd5b30f

SHA256
7353e880aced2a96656082fc4289ae5d11275d8bb95b43af717e62ab9f9f1dea

SHA512
5d24f394909fc8f6e2fedc1589b72105c40b656e00e0d0cb3885ab7376c01c07788cd41b3617a1e03178ac46456f628a304d7278c42828817b91b087e6d370a2

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
66215bb748008630329c7a5e17aa2b8b

SHA1
035aef28bd2cc2fbcdc540a6560586559c756012

SHA256
0b1e28d61c6b1b30372bc6e8cd4be2c7143279a2966c5b82297d501366714de0

SHA512
73c96d69475b0b8718ae7c2a8d6343c9a498a19acb48a73f603e8b655a30b4f9378e6943298af6ac370fdf0c86d77977e0b5f5bff9b3321260fb0e5e9524758c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
03e1483dc85c4c8e5cb8c6dfbb098864

SHA1
21ea4e4e078d4c2e2ccd9cbc414443fec7df27d4

SHA256
0c0f3ba8e58a7a12e26e90af9e31843b2d734d46b9783eb08718a2cc869eb15d

SHA512
3bf957c3a087a4b63ee8239917da42b6a470bd414c0b14c4378ee235f6be1a2cdd2fdf93f59c928e67a4aa498814fd6037609902cd6b02246826e9e51a2a546c

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
6308932c59dadad6e4eaf7da66980085

SHA1
28c316e074caeedbcbe84b0e4d88d541c10a121a

SHA256
58e001b53f0cf7345b761dc3298a062b2924e9ee34d6a19b6d7126eff861fe79

SHA512
373d623d3d5321716c5be1eb0476bd0ddb7f464d90ba0b3c59df55472d1e8bdce071f887e045bcff6e64dab555e1e2b46f6c0a10a4f2266f69312bba7c1c3bd0

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
cf737d31554f688085d45b451e42c694

SHA1
c8697df607c21ba2839ed270f6174a54d730ad30

SHA256
d8ea8b731005ca29b871042d2d2ecc21ac5d4561de3fe9e4e86c20a0cef7bd7f

SHA512
13fce95f32d224e1151bb6cc150375c02c90b80c5e14088dea604d9536d7d8988effec28272321a9dd5432508cdea0a759cb5c219cc874284d1e6a113c6facc1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
009a7dc4e9356fe288ece2e6912da706

SHA1
5958b80d0f4d37b299c509ee574228e558dab84d

SHA256
971e8ba847366182a5d9ed127973cf86840d28bc41b2943bb03871cc6dbc72ac

SHA512
3e033bae0648d90ec614ee89b322d2c59810ca6809c82b41075c2b4405a137d6264e835a65612a68718e77984d71ca1b26ea073ad9c826d2865b7c914b8af3e4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
374c7e9590b6d20552938538e2299c7f

SHA1
5683f56d94e72b51cc0584b4bce2073e90951118

SHA256
e2734f256888859c865ce53a5279af9f364f7f9e59e232d9da009ae413f342c3

SHA512
afeb41e04e4bc7516b7b4bf6755b772bf26cda859ed2aa9732612f8790b92fa55cd1f5b0bbe645b285918028a62a120804378731ee7a4c9b2ca8a368eb26a6c6

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
e477d0afae1627597d880d100e4b27a4

SHA1
e76ae2927fe98de938fc41023b5e9646bba1aa57

SHA256
b383e491e97cbc5068fb5ef7d27dffc471be508de2f4470d9ea3d67735f194cc

SHA512
69e2cea03382931120823692526da7835103a8f374f73e4e8ddfb81e39786cc05c7a5b9b7b4a07f748af9aa4b05872967d28ee8a42d72b4cd659f9385443eeda

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
f3e9c9567224a4739055ac1e581b2cd7

SHA1
ef0701a0f33dc10f8cbba8ea1ae551541039ea68

SHA256
e0a296abdc7ff58bd8a86da9218ff294c7da606240605742dd6cd773371c041e

SHA512
384fc1072810ccbd48281d742733cb10b0546522dc20751e95c233a75033a1413c34fcb7b1caca91280dd627eddec44016fc1800c2602a8ad20d4b0e45a39f93

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
c8d4455d07774859ba9be7c895bb0d85

SHA1
cf90af0f0ad9e40d64042349485d8ee3e09c685e

SHA256
3a5fa450703398c55c9e6d3c84ee19a2e0fd93f69cb3bb556ca3b8b7d2f56c26

SHA512
f708bfc773a5ce3d97024ba7733f77c92814c48367a6310a263492e4c251be8d845c6ac42c53bf9ff29b964a51954b24cb4314b30eb57fdd3dfce6bc72a9275b

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
80eb9be522b19568120ef252d97ec2c9

SHA1
6dfe1fd9b3dad0b60784bdad6a5a5f54334bd9fa

SHA256
4edb99f8fcba58ea6442eaf9886d1769ddf4c39fbd9929449e6dd7db5c1ec181

SHA512
8ba4c3826e53f8ae920cbfa77bde377a5e04b1bbf92c714c28e32364e240b518b46f5663f7ead68fe67b269962273f7731172779574526f4a5fed3a75bf10200

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
fc067277c92b4bee8a3854214988fd7a

SHA1
a4c513f85a329ed392b1295bb4e77c7f9ed7451e

SHA256
4cc98db32bb346be8876224cb6fc7cd2d6c6b36c1e2f4eb00a33b4e1415bccbd

SHA512
1d10307a96a9f9d8f12bbd0565fab05b4cda4fbf8be7f9ad00b015d5f022ac0cbc5d087172f66b7453b5d4da9e98b66c48adb6fe5a2615a51813dfa5eb33c0dc

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
29b149a5891f9a274285927c4b760525

SHA1
7d735fb0ff3bf063e06ac49e4ef6df552c61efa6

SHA256
63ea0dbdc0267250f8a886b4530f034af076ace9d06a4ab730b1c3dc138361a1

SHA512
3a920947c28df67868ea2fa7dd20a813e070d75280290862ff5c493778e201cd8bcc05cc5c52ad98f3c2967c66fd8a580f5a3341302215c99ae90d9d4c4723b9

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
6185596a5a9b707258e5db03da4a3d25

SHA1
76c7cc21416e091ea144027b27739acee30909f9

SHA256
0e4207a2713a10c84df71b1a2b023fdc2ff4d0587f6a1db5a92addd145700200

SHA512
2071049b868bd3117db3a70d9050e3f88bf6752d0e02e5817452041ec36f31f3c3bbf64d65dc32a9caf5cc7a8b0a394048e20452face4cfe9545c91bf78cdbe2

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
1241ea683810eb88e2bec6357089c694

SHA1
348aae803c814f9132c64752efbdfdd319ff28f2

SHA256
f6a0a406d78f46ca4bfdc0dee7d373a20c55cde86dfde97048f001ff4cd76de5

SHA512
3cb0425be70ea12b550db64638d0af6a85e3238102f6784cd46b8b6d32832b3b8f2139e1da55edaaf8423d253fc3532e7a404a9b3d47e98ce558468a59fb3fcd

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
5c2fc7034feb6ad332dec65af7e5dfc6

SHA1
cdb8f0f213f09a8be4903569b2be4c354d407b73

SHA256
5856b8f28d1297e91dd8a802b5db7e49023fafeb666d23dd6e6e1572c782f4af

SHA512
92329badeabcbf6595898d69a15a45e03a78d2aa9859fbc27364ad9707fabb24eef297ec11559fa582d2cf825b14cedb1f1880fb1d381964de8b8bad7be49fce

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
0154c93ef7e82e24f2788c4f0b68c1dc

SHA1
e85833b5c27b745a64bee5e8bc1ccce04e728c6b

SHA256
42d27d5b1bf183bcbbc76a6d56876b9df4b7616a78e5ac7290eda014ce566fe9

SHA512
4c327dde3a3e9502944d8fde4bc337559400e78e1892de4d6117ab2c20a2c159d5dbcdf34e0a0beed4488b2a723a12c2e58ca86712aac6b4417f68101a15a906

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
9d732a695af78c354d90c3dbba4f39d5

SHA1
eb653d4da282fd12a236d10d84e59ce618b185d2

SHA256
bdc0435d2a697dcc5a876ad45860ff44746b9d2a98eada72aa96eca0f45dbdf3

SHA512
20efcbc81e163628d454e772f4879cdc7919b9adeef22b86761d12ddf1721214630d619ce977385d669e7b478aa3cf1342c0a304f80071afe41394fbd7b65b05

Download Submit
memory/380-241-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/380-353-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/380-242-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/380-248-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/452-58-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/452-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/452-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/452-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1124-594-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1124-429-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1172-584-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1172-330-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2192-589-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2192-380-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2224-267-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2224-379-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2532-416-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2532-592-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2688-72-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2688-118-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2688-66-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2924-20-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2924-23-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2924-234-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2924-14-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2992-362-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2992-586-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3068-428-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3068-583-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3068-315-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3644-319-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3644-522-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3664-252-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3664-253-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/3664-265-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3704-590-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3704-392-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3960-391-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3960-282-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4092-62-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4092-64-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4092-59-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4092-49-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4092-60-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4276-296-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4276-415-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4388-36-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4388-27-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4388-35-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4388-235-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4464-377-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4464-371-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4532-350-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4532-585-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4556-403-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4556-293-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4560-404-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4560-591-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4592-1-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/4592-7-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/4592-12-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/4592-22-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4592-0-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download