2eb129357473988cb6fc2f55c00c5319793558c687ff24fe473e1fd08885bf09

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_4536852acb26435baedbe7935d945456_ryuk.exe
Size

1.0MB
MD5

4536852acb26435baedbe7935d945456
SHA1

b89996a979c38224b62cd1d7b68d443d69e4a70b
SHA256

2eb129357473988cb6fc2f55c00c5319793558c687ff24fe473e1fd08885bf09
SHA512

25e0084614b804b8b26787bc6350ac8b921a2138de5b0c2bbcb6d8ac6c68b828d659b7ce51be541d642b26b4ca4edbd45bed722b5428cd9bfa757d0399592c3b
SSDEEP

24576:b6V6VC/AyqGizWCaFby+7ozX0j52pMkuLoiSJVlIL29mhNq6:b6cbGizWCaFbg70jIpM3kiSBM29mhNq

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4412	alg.exe
1272	elevation_service.exe
5660	elevation_service.exe
1764	maintenanceservice.exe
1580	OSE.EXE
3748	DiagnosticsHub.StandardCollector.Service.exe
492	fxssvc.exe
3040	msdtc.exe
1152	PerceptionSimulationService.exe
5372	perfhost.exe
3356	locator.exe
5768	SensorDataService.exe
3052	snmptrap.exe
3176	spectrum.exe
4704	ssh-agent.exe
1124	TieringEngineService.exe
4148	AgentService.exe
4828	vds.exe
4716	vssvc.exe
888	wbengine.exe
4336	WmiApSrv.exe
4608	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

alg.exeelevation_service.exe2024-05-24_4536852acb26435baedbe7935d945456_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2c4fca87293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_4536852acb26435baedbe7935d945456_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040fe30fde1adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000035f066fee1adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006e4b5efde1adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e22276fde1adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000080f82fde1adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008dc5bcfee1adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bf1225fde1adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d77084fde1adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000054f9acfde1adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
1272	elevation_service.exe
1272	elevation_service.exe
1272	elevation_service.exe
1272	elevation_service.exe
1272	elevation_service.exe
1272	elevation_service.exe
1272	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

676
676

pid	process
676
676

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-05-24_4536852acb26435baedbe7935d945456_ryuk.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	6084	2024-05-24_4536852acb26435baedbe7935d945456_ryuk.exe
Token: SeDebugPrivilege	4412	alg.exe
Token: SeDebugPrivilege	4412	alg.exe
Token: SeDebugPrivilege	4412	alg.exe
Token: SeTakeOwnershipPrivilege	1272	elevation_service.exe
Token: SeAuditPrivilege	492	fxssvc.exe
Token: SeRestorePrivilege	1124	TieringEngineService.exe
Token: SeManageVolumePrivilege	1124	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4148	AgentService.exe
Token: SeBackupPrivilege	4716	vssvc.exe
Token: SeRestorePrivilege	4716	vssvc.exe
Token: SeAuditPrivilege	4716	vssvc.exe
Token: SeBackupPrivilege	888	wbengine.exe
Token: SeRestorePrivilege	888	wbengine.exe
Token: SeSecurityPrivilege	888	wbengine.exe
Token: 33	4608	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeDebugPrivilege	1272	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4608 wrote to memory of 5644	4608	SearchIndexer.exe	SearchProtocolHost.exe
PID 4608 wrote to memory of 5644	4608	SearchIndexer.exe	SearchProtocolHost.exe
PID 4608 wrote to memory of 2412	4608	SearchIndexer.exe	SearchFilterHost.exe
PID 4608 wrote to memory of 2412	4608	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4536852acb26435baedbe7935d945456_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_4536852acb26435baedbe7935d945456_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:6084

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5660

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1764

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1580

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1004

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:492

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3040

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1152

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5372

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3356

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5768

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3052

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3176

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4632

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4148

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4828

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4716

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:888

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4336

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4608

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5644

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:2412

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
320e16c7a53899957b8f28bc3a5459b6

SHA1
17483c34750a4a2669ffb9fdd8ba9b2cc0259e56

SHA256
58365307189e1bc33bb71c54718a5697d8d1dbf55f7dd83a887a705114783ff3

SHA512
dc9f89e1d23900c4f3ac6338caf5e420fb3e2c4390d16c337f3d71d7534a5edb515c80986fc60e31e6661684f95d832dd3162f72009e68c35b123239a70bf8f6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
66de81507fb39ddde5583715ac96936c

SHA1
4dcc297d309b7043886b1f14cb8a6e5a3a78552a

SHA256
12b5827b2fe5461173c40a31c37f37be4bd95a9a15f2eacb0bc1c2cb0db1297e

SHA512
5cd705e4cfacd1b77023251228994fe817d37347ddb60f9b9f2d4dabedebe354733f0375c1a6f0bd7674114be9cb16e83690ca291510e61b45f71388ca79987a

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
29df3fdd846906175a35bcf72ddc82e1

SHA1
5f62fce706cc4af9aee042c4dc39b5fd1cdbc70f

SHA256
43a6718a6b402726fda573d146bf434e6bed8775dc84abbfa4aa0f7187d33563

SHA512
4e272c199bb78bb49b04e1ab6b3fa881813755b35b5105ae259eab7c84765b9a87dcdd74d05f28f23832234a596e19ccbcaf99ed4493097ea356fc490aa9f76a

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
167e04d8f1fa59d9faab925f8b6e911f

SHA1
6c5274a3280350a4a1c6bc01b4c926655da8f52b

SHA256
edc8668159e3eac944b330a8c2fdfad4dd9e7ac339fe5a8e90baf2f37611b3e5

SHA512
83d7587617ac03a2ad1e01f4da63325d6a3b0c2dc063d18e4559b629c9b9a7fd096fcb6b09c8019725a1f82bc30cf8772d6e911852e6585ffebc50251b26d927

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
1bfeca9b53158be9f3bdba4965d0a79d

SHA1
563c0a33285158550e8de2746f4a990bbab4cddb

SHA256
5b50e2ca53450d0f610aaff2133a0d6539284b14f7779f3ab639ded073831040

SHA512
ff0762ee9f097c2b8736eee9ffd0ff2d5d96b3f169031f63c6e48eb6ad9b6b4f035b80b0d9008c8df198486e6d6682df68d9aed48b149fac36573710ad2dae4d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
eb5dea41ac6f0d7c473b2765b9a28949

SHA1
75db526170cc04e000f60bfde32107c46012ac8c

SHA256
4013b0a5a026c73641a6a77d9ce4dda7749bf6e9485607081db00be2dbf9a069

SHA512
1eafb1ba3efce3981b98f141f1485a3cf951c6a851a33392957cb39ca1f0594d5f84571c74534acc5df4477b56aff16a442a246a6a8935306d8dcc2e3265b558

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
fd7cc1e1ad78419d4bce6a3529c79fa5

SHA1
b37158d85337ca142473d9140ea75f8386db8d1c

SHA256
a9fe714eb514896f1e1be2d5121e49ecf47b7ef58cd650fb1913496423cbdd07

SHA512
b798cf7e61297846e7a17c3ba4a00c45debf27e0c9c4f56d579a3a643a1525448176941b9ba271d30a17faeda6b22319ef285e41438678e3e669249d08b661a9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
52f07986ea565aa3ec01676f32899c54

SHA1
3b28e8e7a42334a0d242d11ba9040b8960120031

SHA256
e1b121909146e2edfdff25ece1b32cfa319fa05384803b4c70d5bb683032bcb1

SHA512
62b2080384cd390d686f6806830dbf05ca77670684c23d711ec98a2f8b78688c927acbf3e63e4a7a2b42a7a8c08026abffbb87d33547d3eceaaa43424727b0e6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
0f5e491522ad3222bbb2b77d856399fa

SHA1
75439056be1c66168712963556edd96c4a28f21c

SHA256
51e58bb29c2b0c937b3aac4eca7d543f36f6ac75449380de56957b486e706463

SHA512
acb875e53f35aca634f826fee4ac30b447e7b5d26e48f740db7cec59f07f86fa938acaf77fccf802498ed98a695bec87d6c0a746b390c53aac72066e1c6091f4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
2032cb4c60119a600fb63e6e2927d166

SHA1
aba86816c761fb4a9ec1ceff671fd666c40edd65

SHA256
355b25f02b5e694507c3dabf2755721ca8ef489fd1e9f2df4202780959cc6be5

SHA512
85ae7fbd02b6ce5893324b22abbfc25cbfe676f2be498438609e0beb563a489edb03e58694277bc909366c6cb748be866c61b5d3092b795f55faa91ff2d39dc3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
708973ff224bcb69e716361f546f4249

SHA1
96afa190cb4d6ffea8e7fffabdb96d3fe6d70690

SHA256
1f318181a0404016ae3bf7c7d87703e74463f5ddab5ac597314a3c284c38a2fe

SHA512
bfdd6cdf7484c037de290bee3a4a3300c56d26a6bbfa0f68038dd7e1fea4fba5da5408f8f4efa1be1235fe3b38e5d20463539cddf4f0f6c6427539e159564b87

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
b5ef83fec5c438051d5808a128d16939

SHA1
e1dde43d931cd580ef0dfee771f9d5a21f22b382

SHA256
b2d046f7c1c7cf189615e407d092108fce93c9b53c8c7cc91866b020fb8788ca

SHA512
b4aebf971b1e0a11d7d0a4bd20b734a57ddf39e535ae17c4ba6fcbe95da1333f7151902f35009d0fdcf26a35b2953df34be4ae897bce8486686f9f00b5fb9fc8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
e4695a41074fd8774a05a570217cb504

SHA1
e9ee857f1cba10c93cbd321fddb46b4f0ad4a532

SHA256
eadbc77871e97ed4a0b51c0384155e95122db1518b7f6335f993ce5a5acf87fb

SHA512
f69373f1dfe0c116552b938c48d1bbd737fbe4cbf26e10a38d64b8c4f65bbb7da1cba824a166aa899a10abd5712ee3ffe73d18877b268178c94e3f5d397f9e93

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
4bec4d231daf9cd5be88c6bcff762847

SHA1
0684f1cf65eb7e2412bb80531f9171556418da92

SHA256
128d9b87958266b71467c53f9f6d89b149cfed6e93cec082c7294e641f9b01c1

SHA512
aa381c1cb46963288ed91bf1eeb1d63188557944ee739e16eb25660ff4584441e24433e84994c6cafafd37d7d4228e7d084413d6dcb27669b8b91eb611844737

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
a55220f2f11302c85200431f4da1c0fe

SHA1
2792dc1fd35b5a3d2819431265ce3dbf975e3478

SHA256
99516df28195980f2704e8579832be4e0b8e21e154785aa32446b78bc5e9dfdf

SHA512
756a6297e50a7a5634b5f17296ef2b620a45216b83b29221907b88fbaa0db91c164b47804ff57e10e84e84bac3e30e75d06b2995a0bfd5f4a08dcf8e98e1cf64

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
ef180eca4ea30e41242ae32b4153ba65

SHA1
7eff8627958d69c7ddeb3a51839b4b89c6aa0d36

SHA256
59fe9b6adca55298171030793f2afda85d0106c6bb8a72f9bcc3466e747ad74f

SHA512
fe9286b99fa48a51aa379884eba80ec89efec825a93024e3a2b802f99625254f999721bf3380564831313a7ad98f20284f48dc7d6b51335e5d8e37f192591b2b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
6da3cc2cc50a8657eaea0851a462c317

SHA1
d6d3cc82eb56c958873ab4aaab3bf9ac7a166ab6

SHA256
294e4d0dc0616662301fdd9af6f02ef4947da3c8388ab80f63fb40be391846fd

SHA512
27f862bf212fa0a85aae5841636c407a1ea32374a71bbb4739b0643d3e00bf795de996ec4f3a0e49830ebd798bb5fee3943939b51ec847dd0c8fef6055ce529d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
595107c8775098cd5800604be94c0fcd

SHA1
1a615550d199c2e852f7241be6784566ba467ed9

SHA256
d5a51d379c444754ef65924163e81439a0f108c78bf138e62879b141f83c9367

SHA512
9e3fd5697240fe40d79488f4aab5543686aec4169a64d56ab248e171a5ebe9840c460b17666641ec716fef54a546c44a93f7068ddd3716ea649b2999e6ee4616

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
a6f6aa3142f70eadbb18ca3ad0cb3cfd

SHA1
aa1cbaf9fbedbce0d3148116e847c06b4908e993

SHA256
db46dacbd5647002c443f985f1100b9d8f834b9b57cdef8a198f60420c9493b0

SHA512
ceca60da301c38567f5ec4d18129408f74e562eedfc9769d7c02e50fa6cc2eba43edb1f8cda83e77fd377d474fd25bcdcddae47ddaeaf3fa5f928b3d2ee5c09d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
17373568febfc7ad9d2f159427b9665d

SHA1
c304bf967183a72a96e292ebbc78c49f598984e9

SHA256
41aee1184c900007dd9e5227b2c92b10bd0d5534eeb69309c35d9c26caf5de0b

SHA512
dbd73d138997da4fcf93354855bcc8fb48da9695f7d11da92cdc32c3c0296142895019345e90e0826373ea84d469275d5149cda37ce3df94bd3e5490928b0633

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
7a953c5dd86420eba63ba6151a93dd25

SHA1
04b147cc0b2fb092915386898fd6e1a5975c3bef

SHA256
152eeb14273df06b845cb5a11dac96297f13c0307ee681db6b77a263bd93c4fb

SHA512
5d312985a3cb0809121b3a17d897c27b914ede59995dc2e69796097ce525943bbaa926803659f3bfb0652b45ad64a110471f3a327bbbba4953a9365a8fb6a5bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
1788148a60e18ec73a789b9878669bde

SHA1
b8be04f9a15ca41210ce117329c0f47f41e78015

SHA256
a6f360e997b53c0ae7b85c1792fcf13e88b2249e325f42eee2af7d8fffdc8615

SHA512
5d89f9b089ba49cd4edf3befdeea1573b7601e43f459c813dcb54b5b74898dc8193fcaf543c13cdc58261033715eb88b6226fe94f23db426f7036cf7d6c5cc3d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
fd53bd95513e521b356a5245024e569b

SHA1
0f70d29f88b312a16ed8c567b3b2dd211aa69e43

SHA256
e37f9e7bb79324203faa2446a5ba6d976cfd36836ac170334ad3f23a9ec0589b

SHA512
1e8a3b1608dfedba9750e154bb8d6bc5244cc1d77fe25fad18ba130705bf8ba7fde6f4cfee38fa7f6ee3f20201abcb390ac0ebfc7de55f6b639a6fe21740ca68

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
64fd83efc98acecff5f3c9cceef8037e

SHA1
e0bad29afb4b51f58078ab85e74770081ab827d7

SHA256
a5f42a581be0e115d6a4d4fe5caa59986bb98a000ef3e0fa18e66ec01766c392

SHA512
e6f72d9b86c18d1de4d2a2df0ecb7ad0ca141741304c75e7fe07afe5a81b6777e986771e1b81740a0503a62b7237bf5b5046c3cd1c33cd1ce466302de451c1e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
8effa7c7626ed10478f2147608360ccb

SHA1
1180f454af739d567afe980db5734647e04e0125

SHA256
6c01c3b21748258912165ae8971693526b8412ce6d3d66bb07fa0c9a912202db

SHA512
687b24c321db31c6d17a59ccd38a52353feca899b85cf26b638498a7b9cf534d9c657a66d76e46a1446aa6557de10809ac1ae279207431e79f809135ef9d3498

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
4a39e06a9670c304010eb4996ff936ba

SHA1
d1547b8810448fa66bb7b5cc460d24e7d1793d9e

SHA256
1b105bf66439c3ed813db4ba834c7cd96b6d489d90573c08831cfec301379ed2

SHA512
0e6cdde62e7edb4e2438d6b3ee94b298b8929587bbfd9dce6de0c427232d26b17866dcfa6e866166e91dffcbb08d87ee98c81129fddc5f11bc91d58ec62514d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
3ffffefaca14dff9dcbbf5cc5e5c2b4a

SHA1
bcbb61ed83867bec2eec471cff318d89ea1d0549

SHA256
c16a345341b348ef819c4a019138db2b80f67f460af18ef9222b644c21dd702f

SHA512
144f9bcd14b6eab456c6feb3b8d119bf23d620a0dd561e408b28d0be6587954b0e1691934a82254ecb6caacf11aabe0dfd08f422595c0ff91796b36208d12210

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
02b528f91db68bcba147e9c03461d011

SHA1
50588a923187172753c8ca4c5f85be1ad6794766

SHA256
a0e8eb5fc53150103ba970d68154727ae9da30f7e0cd39027281e0417a597f3a

SHA512
54c882a9c333fa0a0af3d61c9213a822400fd6ac873ed3a69aa1d5b6004553798935323a7b988975c1a83cdabcbe3b7f363a46952ccc31435189f6f9b1bcca77

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
042fdd3f86bf5fe56410c9c4cdd167bd

SHA1
d141ca9557d11a84fb72742a34c6830ec6a86ffe

SHA256
0561b05d1f1b67d3a000ba1e51d5d7409edc21344a4cc3dc7f842038558622f4

SHA512
6bdea30f356a4db8f75347018c80709276e8917845f4ba65eb5a1b12921a0a2b66bb98bac1cb46b0f3e7d59973dac2a6032af6f3574ffdac0995e63471e4aec6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
c998348549f36918cdec3d8753f93bc8

SHA1
e5dd81d3b60c6c23ce3c1f6634d11ffc3ee0178e

SHA256
589062e01e48013d48aa308a77f18928c382aa6bd49f0ee70c183efa04c3f77a

SHA512
aa82bf3f43f8e55a348e03a1e7aacc8b1f90f8933cbf12cdf81d223c2bc074fbbecb3bc5d55a46e78c80ea9800cfdf242cea4f93beb517b1742e42ff804eca5f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
169ba44177b8a366b27dd8d32c4c521c

SHA1
eb9314ba30f91a60fd2747172e084aacaef3c72a

SHA256
de33ce6bdfb64bd3fd20eb5ffa823c1b373cadaa2c9196b140d78fe22182b3ad

SHA512
8b2efa31b0d1211c5227f39410c306291733decf11c840c86b6112acdba8305172da04735ab7ecd9fd2228e454ddde6ce40bf65467ea0b1c1f4f4550b57f44b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
73d92ace80b98e51e5ed85e1d405a607

SHA1
bf5c1d2ddbe6297a5ea43ca6293a7c4d0a6f7212

SHA256
66d7878775277e967590697fdf50e8c446bf527ada92467096ed54fc11a7e9d9

SHA512
2433b06312e12ef9ed6c7643a00153352ae5a29a902e2091fbc571a4c5114f14bf41d5c330d6287989db26cd4f6818155eed629ef8ae74b25b9c185b00e27924

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
daf639151d427feed52e89d9e96076ae

SHA1
e44a2f5e7252913d4ce3b963fc7dc3c8c8d738b7

SHA256
842129823313491a80ceed154c06a1c2a60ffd224c3575dc3bc66707d783a38e

SHA512
4eb9317942ebf2bcd400c6e44aca1d057af3491c8a35b22d4a461e500b04a3e051cd8809c201b0b22777f2438b2d9e994b7ad73d54848f1c6dd537549b7c78a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
2507bbfabc4726fb3a1777c6858fef72

SHA1
0a8e5bc4743a1609cc33f275a56487f8733a6fab

SHA256
1dcb34b0bf81f86aa9fe286ef447d66964508987915b36aa59899723f200bab6

SHA512
1f43dcc4057f661157804fb3056465a60d57dd336b212381d0e5be0d90bb295f716943bd4c5bb18b9db6b6827ddd777cc49a5f29ebf0ad9f1261f054f6b3701e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
ea371492d048097dccb5123b789d7158

SHA1
1ab4466ebf38e4eac997126f331aecb7ec6c2d8d

SHA256
3864e0e9be201608f96babf5aef6af43314ccb48a371a4c6e426b7164dfbdbcb

SHA512
5bf28f85db583e337a372d549a06f4f7b25fe85bbfc439d09cf460aece8a039a2867962652fb25978438da02ac982217831bca8ce3bda29c55ebcdbd447cc374

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
ee61cb371f7cf207f4f906e5254e85ab

SHA1
5aa5b1796d88c2fee3d62b8f2a836523d6cd627f

SHA256
a15896f56b7f20ea9f177ec83c35fca274d238adda0e4f88d31f25fa630baa0d

SHA512
b44d1a078dd23bca7f8af183d44ef610a8d9dd2935d2668e3a4b4ddb349452a0934d87ee84c02d3ae933cad71bdbe8681c6f2e572a551555e5433759f779fa14

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
581KB

MD5
292fd0370911d0c7bd3e5a2982c9b7f6

SHA1
0bd2c2370fab5629e8c401cd1eaa7211261f886a

SHA256
e33d93c5d932c279059f40eb28ce469948f43d4e0e19b815fbfb9dd03cdc2818

SHA512
fb75039869a94bb74420eb8bf414f571eb2a9d04cc0640ed7d98f9b73c208e9836a5076e463719a71f6ddaca5fdc0bbc945e0244548161590876927c671aebc9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
581KB

MD5
42dc99127b51b1b9797d2326132a2192

SHA1
5bd85f279961da84bbe8922d5e62a4796e2263a8

SHA256
31e965304443559b84a3653f0f5c21ccc86b996784d42e272a6f0983b40ce8f3

SHA512
c65e2b4a212154184b4bc818b497d254a1c309f35436e44789b58e3f5cde12dfe87872afbcc006b3111244020287891f6d5fbb1ac19a9e9cee8872a0287485d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
581KB

MD5
66fb589333381760a5f4334826bace52

SHA1
a0d528c11a3e14db47b77b49570a4018b02cfe79

SHA256
fef806f18058404718dce186d5ab04e713c61a4782679647d4c464d177173078

SHA512
be71179b05ced4a8c29dfd44aa0c709a54fefa2a211d65ff65a114c7e65af82936259d8e62956395d44adc9483edbae88857e91c1fb9133345521220c1672b87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
581KB

MD5
4a99e3a93ec881d189ec55f7c2f3d701

SHA1
b485f9ad742309fe1f08bfe8f1b624cdb5337702

SHA256
4a5f5076d6216a038649ffd19b37727bb8aa3924fa3d0ac5c7a4655e2114ebb6

SHA512
bdf0c33e683fa3df89e8ccfe131a709e0cc867c65fa6c1e1ffe47221c2c3d69b8bb2aef1470316e8207000e88089af1d3aba2f80820826b585d21333b22052d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
581KB

MD5
5171714d285fa8092a0510459f5d16ac

SHA1
221f53d53cca739679da88a7603cc540db77d7dc

SHA256
4648e3647d77b3bf0e0afa646d3753852477a288b1a603b8cac8f80adb2daecd

SHA512
adfc775c7824bd2ae4c4e5e28d515351f46df911b5682d87193520a2a32673d756fd64960814bca833604ffb441b22bc935980d1d43cdf033d38b8d661dd4145

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe
Filesize
581KB

MD5
f3574a32e442a600d6927aea931fc8d4

SHA1
4bbddbfbe3cf2f6cd40969e055274e20e48097fc

SHA256
8ed16a9bbea69aff218fc0179af2fc6b3fe8cae6e27eb4319d9e4997e8af3a9d

SHA512
f56d275effb6da2a034f3d8aff39ae25640d8f5bc1dfd14fecc635e82104a056635e106a5a9d43f22d30dd9befcd0e6a7d570087fd0776e4c0c543315b895bfb

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
8e16d821d461935da2e8d61125d923a2

SHA1
18f9ba9815d4eea8a5f4f945e6b14d7fc9cf4a6d

SHA256
222ea01ffccafbbb1604654c0d899285c553303cfe051f80e87fce61f23abdf0

SHA512
b2f75b2a4847bafd84969559289b29695950d2210839dc51960dad9871d26ed9d1da6a233389451b2b013f5964092abdf37cd7f7988c0babc8c74f63ed723019

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
ce2cbd453c6dfd7b0b41f2bcaf42ace4

SHA1
b5e7897c19ffa07aea06837511c398d742cf9438

SHA256
771371da1f854093710d7e5f7bb4739b84199b602b164d58c07fd5053dd39328

SHA512
9b35be0916f18644397a14853981a7fec257b35e6846b1ff4232eeb87f02d20f9d8d5901bfbaf1e7b90ef9aac0093b441450a63217ca6426eee732e2b4c7e6e3

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
69c28899c95619a205a79a871d59282b

SHA1
16d47a470089d9c5262975c78ff69a9af696aba1

SHA256
a8adbede47359a91ea4951ee6260a9ea19d559cfcc5363750450e92c551cf21d

SHA512
cee4e97b04bb26c7970434d9b51ef8ab3636bf2aa81b920d9c99b275390188c972a39b3b1385b137a631c8c5abcf03785d4fb34ff072c698076bc443be79f57c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
6e1c4d4f7ad280358cc611dbbc69f947

SHA1
fea538d6809e9cbe81df487359c9e35908468d64

SHA256
996cf2ce88a3c4ab7dccbfa08bda327d10d8a9c2e2a1807efd26440788ebc95c

SHA512
525ad904b1135e0ad97e3ef21b18c34c6b394dd8f3be9f3546aeebfad580618790b35a04e0db4f7782e5b114a04dc1cdd68b146d6b4f5528257e783f7ac09d95

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
79295378c5f07791248a4677acd38220

SHA1
20035febe1f071570b2252ab0c954189a3d0b55f

SHA256
cdef9819c4ccc678ea6349afa7ef768ab6bedcfcf95179475ef5d1a781f395d1

SHA512
0f166eea122c3561d4639f8ee8f89dbae3e70ac97e77f0011f8eb4f52da873977be29799fdbf89de038e6d24c0df44145055d5250038bc5b7b195a5dae38a159

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
2aa2d66efdcd8266ba2824efa1ede6b8

SHA1
ff0274b3891772d67bd75930cd486dbf9c9da2eb

SHA256
2777a037b467da8b1f563380eb913de749cfa18ca217b480f56f214ce80bb0e1

SHA512
fd248a6a7c73da18d14ef974d1c51375e0761693b31e04de1f5e4ab2cffc649a89b6e8c7c8bdfbb89b54f2ef909c67b02774609f544716bea6564d42c5405535

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
1c69838035c3a221eb35c0c88597b9f4

SHA1
20b5a46767e136b286786a04bbff92dad9e41f9c

SHA256
08a78823a50e4e8785ab4648e8dc7dee06b2049d0e96682383969584cf77a736

SHA512
d63caadfc2caf2a9812a59e5ce401644e6dcec16ad6f4f0ab4106530d333ec5179655b0c028312db29e64d2d971ee89c6ffebc2d2474021a5a962d5e4e499c65

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
82fddba897da12c0fce0237ff399def7

SHA1
f1c2ce91c4ac6b8bdfce1b93095b2b7aa666ab3c

SHA256
aa0765c4644ec6523c028ef089479e05cbe5429d34880bd8d9f5b36795a47b17

SHA512
6965c5d64da34e553e63e39a654ed6205dbd345873c1ce51c0a6d127e06dd7c15805fe1450d60b9de4749356bbaae9885d516572c6b49afc7993463477c2e161

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
22579a49b56e6f1e96aa9823f4910012

SHA1
ba394a87ba371ac6ae1d01abec5d9d8aa7a5e90f

SHA256
d21372974c527e508319b348c7c180c9c46d54975ed2db1843837ffe2fd42bc2

SHA512
d9fd06b11b32cfadbc39c5b48840f926243e36dcec9af61bfbe25ea02d9d078d075d0761755ed154e0f3a42ab4db8baf2f6f46de0255ed543c4c7dd2138a4a5d

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
e49fda8ae684ab3a04b26ac227475582

SHA1
5735a27b6dcc55c01d591f9f1d500f5620070682

SHA256
7a178c27b7bdf66a434bb1a69842a2e85b05ffcbd70cb6ef6573e4425179a542

SHA512
00ec1df531471439fe124eeb7ae43e9cc33c738e842e2f69d0b9a19ee586955d6cec8ce92cf89d26c8a086b5fe6503884b5fdf9e978c30b32d5c20268a6f0043

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
be0f7a842f13a18884e2508e408b80e0

SHA1
b804613e8a7eec10c4ec9c42d9371481a289e88f

SHA256
c9d0c62d11709c33510c553be1885a43f382573a0afa03c3ccd05ac0f7d65388

SHA512
bed1e57b4534349858a91bfa918bb99cb0960739b4f0f3630d3eedaba2d05a8ff64a5ce67e0b1a7228f7be22100b2145238dbb3c8b94379a38c905d550732f87

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
e8ceb1b300810df15c5ffc661c2cd0ed

SHA1
cdd97637accf1b66ffc563577f69422c76c13e3b

SHA256
32ece8b509151641344ee81f7283881f995f9d3239ec89063157336ed2f0aa88

SHA512
57fd03ca856f2a1ced0ec280b17fad84565c8cd4ecfc58a2bf0464a4b66d4e4742ae00db6f3e6329781d894eed4b55264d7662fcb19bbaece9c2f0d16f65a5ab

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
cfc98505802fe234225118f57513d1af

SHA1
52be0c98b5c7f050941c858d3606297c51dd7554

SHA256
9d356ec45b50aef2b9fc1c5028d0e73dec4d737e084fb3d4799ede4d494f3068

SHA512
e489a88197d65fcb5d7fb49516652b89d66eb94bf2f7e0b353d3ce96289cbfbe0e61343aa60cca7c0bd86fe7b9f819fe6b9755a5790243e2c91f0ef4f1edecfd

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
152fc83f1a1b2e3ea53922eb2f95cf2a

SHA1
97fb02a3d8ceb7fee7f665e4d2b925bf83bee690

SHA256
844efbf7e9996b15e557e3c9b01fab9643aa1aabae61b68c91fdcc0eaef131c3

SHA512
6761ba5cf879960150fc67b41dc930c677fa8e5e21477110fb84ebbe9544afb8d23738e5a69e3a4344255ab120d9586f8f1e7dc10d0767e58b51383f5cdbfcb0

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
1a26bb428bca840db3194fb4ca42b5ec

SHA1
2689d4c70df99a01a1aab4f905ce39f05d4ecc95

SHA256
85eebd7819e6e98e9bb734291c111beb7f476fc3242182e8763f6b9c25033cb4

SHA512
295c0ce2007e83eb21e6cc011940ae1831a89fc3bb34d66d521b4348db66e57534cdbe7198b87b303731f310868c00414620c3cc4a0dec22ab332d2522b733bc

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
411c9d304a92d88a59b93c94f8cbe944

SHA1
9d260937369813110d57031d099ad6c019f4e1a6

SHA256
20306822b2543da18918e66dd2c63769710b44976d32592feef4d2c704adaefa

SHA512
31e6389d9da5c370638ed5d052c22265a7fe280a3ff71e8d9c7109f0e8db412b61f8b5e146e1052bb5bc1c8d7a515e70cebf168a2f78de640a0e2ece8f28f0ff

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
8ba887639ae88e43f54f29d7fae63b90

SHA1
29fa25b763e3b2765f8993134aa0f52c2d0504b3

SHA256
b74efc23bb6af4b51b32139b2575893fb8fab4aa6e0f78e488875fb22f0350f0

SHA512
cf53d07051748c58d8e3f5c2631f5c568a228ebe2393c9cab051bef6cacfb363bb90e5a1cd99c534ef17816f6dc493fd3fb90b10cdc2a40598152dd0188a3631

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
fad00a7a27b6934883f19bc307a861c5

SHA1
5e647bd094d40866676ddeabcda50e21949dcdf0

SHA256
cdcfbe4651d184ffb9eabaeec19918243c17c4c2ca4ca55422d94ace99fed02d

SHA512
5a5dfca0aa2fea1c4af335556b68b3d3cc1eafd3277d9544d89247f70b806e4dfc8e6286cf18489f52dc61b338a3767ae524de4611b4728bc0402554e48b98aa

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
dc21c77f9634df8529c98778d32eb5fb

SHA1
197547086fd5b89713a27833792f87ae50dab982

SHA256
0c27dc0bb6f14642a4389dd1bb6b04056d328cda2754db8887a66e0312465c4f

SHA512
3dbe7b9d1286d97fb0bef75fdc8fe500aba439a9d1c4cf539ccc808a3133680c2bbd5e0ac37444a9fcb55d3784d563e2ba8f660a60653daa1e0f0f5571ca1d2a

Download Submit
memory/492-257-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/492-271-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/492-258-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/888-673-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/888-408-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1124-668-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1124-359-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1152-284-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1152-396-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1272-237-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1272-30-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1272-38-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1272-39-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1580-241-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1580-76-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1580-75-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1580-69-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1764-53-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/1764-65-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/1764-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1764-62-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/1764-61-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3040-384-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3040-272-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3052-324-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3052-518-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3176-335-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3176-599-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3356-309-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3356-419-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3748-358-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3748-253-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3748-247-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3748-246-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4148-382-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4148-370-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4336-674-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4336-420-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4412-236-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4412-25-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4412-17-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4412-18-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4412-24-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4608-676-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4608-441-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4704-667-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4704-355-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4716-672-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4716-397-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4828-671-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4828-385-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5372-299-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5660-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5660-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5660-238-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5660-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5768-438-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5768-618-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5768-312-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/6084-15-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/6084-14-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/6084-9-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/6084-0-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/6084-1-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download