1d771c2ed4242788768bde8dce34f78d1cc2de7674c88b82f1a1d1f1e97bb287

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_c17eb63c409e155866bcf41b58a3ed22_ryuk.exe
Size

2.2MB
MD5

c17eb63c409e155866bcf41b58a3ed22
SHA1

4b61c1376a8324c3714cf5a043176d68559be7fb
SHA256

1d771c2ed4242788768bde8dce34f78d1cc2de7674c88b82f1a1d1f1e97bb287
SHA512

7b04cf2587e19a57af2092a82fe2e6184094993d31c66e2f19ffdc5309ee0893ffa05747fa317757ba7c466277aed626a80e0fce0d3442e78285e9dbb683a5f7
SSDEEP

24576:TvmQl7551Usytwm4w/AfbilWeD3fe1mVKebksuOv5cLwKx8PP/KX1COD6icVkzK0:N7T3mwzw/iYlzGQMebksutsKSi4oukv

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4112	alg.exe
2408	elevation_service.exe
1360	elevation_service.exe
3904	maintenanceservice.exe
1300	OSE.EXE
1884	DiagnosticsHub.StandardCollector.Service.exe
1124	fxssvc.exe
1184	msdtc.exe
2260	PerceptionSimulationService.exe
3400	perfhost.exe
4064	locator.exe
2696	SensorDataService.exe
4480	snmptrap.exe
4336	spectrum.exe
1192	ssh-agent.exe
2616	TieringEngineService.exe
3900	AgentService.exe
1452	vds.exe
1680	vssvc.exe
1428	wbengine.exe
1652	WmiApSrv.exe
1512	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

elevation_service.exe2024-04-28_c17eb63c409e155866bcf41b58a3ed22_ryuk.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_c17eb63c409e155866bcf41b58a3ed22_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f97b11184a48edc7.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{72342474-B513-4DE5-9360-4F37AA503DB7}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000027f6b38d5199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001ae6628d5199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001c58b68d5199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001c58b68d5199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cf1f7d8d5199da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000892d08d5199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
2408	elevation_service.exe
2408	elevation_service.exe
2408	elevation_service.exe
2408	elevation_service.exe
2408	elevation_service.exe
2408	elevation_service.exe
2408	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-04-28_c17eb63c409e155866bcf41b58a3ed22_ryuk.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3288	2024-04-28_c17eb63c409e155866bcf41b58a3ed22_ryuk.exe
Token: SeDebugPrivilege	4112	alg.exe
Token: SeDebugPrivilege	4112	alg.exe
Token: SeDebugPrivilege	4112	alg.exe
Token: SeTakeOwnershipPrivilege	2408	elevation_service.exe
Token: SeAuditPrivilege	1124	fxssvc.exe
Token: SeRestorePrivilege	2616	TieringEngineService.exe
Token: SeManageVolumePrivilege	2616	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3900	AgentService.exe
Token: SeBackupPrivilege	1680	vssvc.exe
Token: SeRestorePrivilege	1680	vssvc.exe
Token: SeAuditPrivilege	1680	vssvc.exe
Token: SeBackupPrivilege	1428	wbengine.exe
Token: SeRestorePrivilege	1428	wbengine.exe
Token: SeSecurityPrivilege	1428	wbengine.exe
Token: 33	1512	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeDebugPrivilege	2408	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1512 wrote to memory of 3832	1512	SearchIndexer.exe	SearchProtocolHost.exe
PID 1512 wrote to memory of 3832	1512	SearchIndexer.exe	SearchProtocolHost.exe
PID 1512 wrote to memory of 1560	1512	SearchIndexer.exe	SearchFilterHost.exe
PID 1512 wrote to memory of 1560	1512	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_c17eb63c409e155866bcf41b58a3ed22_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_c17eb63c409e155866bcf41b58a3ed22_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3288

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4112

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1360

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3904

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1300

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4508

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1184

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2260

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3400

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4064

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2696

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4480

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4336

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4316

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1452

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1652

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3832

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:1560

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
48899cb3cd7be2e459f53d6f1d08f611

SHA1
5ff040a8e2568715b8fae281b6f063a8339d2b0d

SHA256
69a68790950301603faf9a91ee07e34004f415cc31ac3b2b32ce31825c83bebf

SHA512
2fc2b3fe81b105a9f29fe51d6f4da108a730519dc8830f5f3c1bf003227abb482976e545abf9d3cbfad5d2701a848c8a15a1e21ca0dc5ad145376c4818f8d5e0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.6MB

MD5
7c62dc2be81a75ad3c697564f15cd303

SHA1
941c95e5665830971bfd46ecde20cd5ec938c8dd

SHA256
629bbe89d769057da4981948e8bfc840de7e067c75cb91502f7f4294cd7cfe8d

SHA512
a5f8564a401fc9a389fc16ef2b20b34911a4333d6b3557e6ee2b8804d6a9d5b7faa5cdd0b3a69fdd7b2b74284897860342dc4e1d45d074b533a4ddb0c2288fb7

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.9MB

MD5
050932974a9657a6973d1c47415140bd

SHA1
77f00fd2cc46ac5929617e952cac732c7abb462a

SHA256
6b8c60a9cd359dc4e6413137ebb48b9febab8b2300d1dc77e764772a8289a9c3

SHA512
37fd0c5f7020d454c1d19362caadff6a795dc5052d1e8dab76d59e1a109d500d4c507d084f9d9e300d0e830886676d7bdd087a930a6b95cafed871e27f79ed45

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
19c058d1cec76f09d81a9e63223f12f5

SHA1
c4386494627ec219e2a3f486f71b7bc767969d9c

SHA256
935e907015aecc0e24e259f57d7d4779537c739760ed8fcc9ff95e504969a060

SHA512
ae030c8fce3d3dc7c906826fef8e179985050a3cb57fe653ee6da023d9d300e9c7f3e0e5eb5f3abcf8c00d61d8ff99e9f5e07b069a0a567ef318b03b1e33de26

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
4afcddbc3437311513e6a00ac0649316

SHA1
18c052056277e541e604b242b43c4bfe6a70a974

SHA256
b9a59171bf887ad0a1170ed9a9d78b4c754c1d0a2c6b4577cb57347e602f19e5

SHA512
70a7013bc1765e0527e1c39d8e6969b649d2713743042f18d534d25f3509714f121cc3527b1b0952b7827435de654aea75297989117fbe5e148526f1f512ca34

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.3MB

MD5
1f468b9609de2411c4dbdf1877a2d3d8

SHA1
ad2531d5f1b85e45394e0fb542c605018a5374ff

SHA256
73ba7ef1020e2242bb0793ce0aa002148d85a9b7414a2fcea7ebdc29f1cfb18d

SHA512
3548160b1613522ed374ae41f3b859901469833da80666014c54b8b5f37230a60ea3907f78cdce52d40341a0acef936cf34b2f59ded3c15f76e4646ca3769caa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.6MB

MD5
8ccb070a828bd6990a763abfd4146e83

SHA1
11a06dc1ce570c323bc3ec4da9d258e56f5de7a1

SHA256
c8b27858bdc261f9a6fa8bb9908783fe5601fad7348ee5b47b6ab0109641f709

SHA512
83398ddbeee1599db13ad7c14505926b3153c2410dc69092a2ab87c9d497ff7919f2d8aa19147053979904d977a2a3d93903705928b30487f009a20463f5935c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
5ca5569706e7579f575d06eb261b8c33

SHA1
766ea11d13da55be7d8ea1283b81665f4da621a5

SHA256
c77451394cb7c101cd675211fec2cfd836dbbf07784d7ef694269338d1efc107

SHA512
81e840cb2f61a77f8c35a4c00c32a6cdf1f3083b8c4bcb54ca9b9f855557dd5d4f27ca2eb861964765a1514d98aa54f327b728756fb5e6acd6b0fa916104422f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.7MB

MD5
b99557a58be8209941f0d23490270719

SHA1
ff11c2729fc0f222a437926f64a4067e364537f7

SHA256
c24ab8e71746d917f11a622a5c565768f9ee68863990607098ac9d20696885a1

SHA512
813e429197eeac63ac2e0fd5dc167ec6635b21ba2af1fff284b0af946a46512fb6e6232cb00a8f232e60f1eb02a7cbd36968cf19fba6dd43b9c2587f2049807d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
11124824e908d28b65a9616a31f30efd

SHA1
c43c7752193471cc5a0c5b0f56bc042d1a900abf

SHA256
9cf46018c319f6832584672af3602127159fe715d3c9ef85505349b602321789

SHA512
ada34835ebbbb947ab4f799bd784f22a22ce467e9991cae03b0bc26ee3a02f2e73f906e7066dcf0e1d203474bdb0ea9e9e687c53c1983a89c0fd67989b6f26e3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
10ec592d88b15f3f6d04276cf80d945d

SHA1
ac53fbbe32d7e747afce5cfbc3dabb6aa9fe4707

SHA256
fd6ca44799a3f71b851138dc292057793bd30bb1f69034ed63fc0d6c9dad5589

SHA512
ab6078c8a12d0882e7d0ea6c471c115cce00733fe18bc00d0e3eead07379e2e8a98c471561e2860eafe911e82daffe88a181eebafdce516caffe54130062dee2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
c2a54c3f3beb59a6744dfc018ee16794

SHA1
531514c5e6469a311e2d0409e41427a6e636913c

SHA256
c46b1ca64c8909af25cbc8516ab4f34cd6c3f1f1e489ba917c2f0c3ed2436e42

SHA512
5a83d2a0c7289f37836b67a8ed6c30d7d3877060bc8cb2ed634f97b47d85a1f4b9ce096716c8aba7b5d03b5ee51dc317c64dfd9ce3bee0ba2bbafd88fd0fedb8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.6MB

MD5
78b8567ea76bf8d5fcb8a67d5b964482

SHA1
b9a76f62612483693f21ce1e8c3032335cac11c3

SHA256
23711275a72dc0cce6c9473c938acea0e9cb7d3fe446e103e7adb93262169f28

SHA512
38f4dad780e4d836946982942eb6d34a82ff30e25afcfeb4cefc94e6d700ca5517da45dba17da8c336973f8598e3cf48a27758fc5d95c98a70486cd569868182

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.4MB

MD5
fef45b1ebdbec11154fe56c453c0b59c

SHA1
68deb2d4b54e48a47ce4c53500b39ac2655f4079

SHA256
3a864903fe3de78c1933279fde2b5d09d883c512b8972570b20bf2a3e6056795

SHA512
17e29585dbc4f6066589a359c27334781e0ce405b5058f4513825207b2910f1428209054611183fb11781d818f42e7844cb106cba0f68b7238edddbc55d1afb5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
ef3cfd2c908794cee838e47b41216deb

SHA1
5ff71491ec3f28c202f03867938f4c8b2f4533cd

SHA256
176233cd2fdeede51678a13edbeb0ceefd7204c5d8a3ff627b8d31a8e91755f8

SHA512
4a6c85f1aa63c14672a2d90aab68ecc70086f0f10f5e4a618abb8ab31f784b6c90aff394b4dc6be1a209d576c650ef8108c2364dab7aa999e6a44d3f34f1c822

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
b30eca11b7785933c39bb8a7a3f2426a

SHA1
cffe6a940ca88bd3c151241829bd5bf7f36f05e3

SHA256
9f8e3ae324a60aacf11a8e18efff76026d44e7f8c8b1bb05e82aa6a72f6b8b35

SHA512
d377ed15fecd78b41d8d21d862fe4ed84ceeefeeafbcb1fea6f2507a9b2f5a33a7f5af962450fa6802bd26ac4d65288e416232b609ea2f0217d6e61aa6fb5bca

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
63c27d9225008d2a4e2ce6bfe6afc024

SHA1
5f48d593186d8a7353932f1476ea57b96b3e4617

SHA256
f0f3b3f1422d745a01a6473986ab3b32ac4bb349d22cccc3f5f6d96c686d62c7

SHA512
d49ce66e6d0d39f9d0c75a9df6d11ad608700aa100a763da1cb3319e36d6fbc665091eb46ee2c4b6757aef419a7f020013603d66cb5e3f382df1f92484cba7dd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
ed546fbda28bc40f58cf87a55f8e9bdf

SHA1
c5643efb461270171ea73202b9884f33f827daee

SHA256
a46de35d168755a09d9d3bdd28a44e26f192875a7ce9ad51234191caef84a646

SHA512
7f91116b1aa73b99d2763bbf42e6bedfd84853c60db04947e37096f4b607f473a54fe3475fbabc8685e472c237606c1d7f866bceb41e98fc7a77df1f9f361566

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
b3adc79d8b8e792e07cf3978ae1469cc

SHA1
dba4194c1c98a7ab10a624db1009176432445bc4

SHA256
b76d00d159e0b6f5632bfe405753d054c09cb06cdacd0d0a6cc5eb3e1b5aaddf

SHA512
bd1b228d3a25b7d6b0f2a26baa33cf09e8ed69d8202db928c67cc3746e5931de0bd68f7abbeec8dfd87e28618ec374ccb176fd2179c9dc09be83a4615c13bd51

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
2d10cabbef7676f3f4a0d051c4c6c3ca

SHA1
989599cb6e416e1164832b60c0ffc075c8ffa094

SHA256
bd9a705598434ea0f345674c73d3199f9b93fbfc5cbedb460fc680d7b286b31f

SHA512
c04b8a3296f5141b2bf4c72fa6c4d01382a4e034f5844b59e62b4d67d87a7cec4ae1f2ba5be06607412ff481aa1a4c29326cdb06bd696796fc03f78346e7a92c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.3MB

MD5
899f76494ba49195cb8323204b81cc4d

SHA1
691f070b681bcab1347a2c3935370784ef70a92e

SHA256
4073abecd4c754b3b3f00b11bf957a19b973eb141f8065897061586413e20061

SHA512
173d2836f0839c84a1860e3bb28c1294b5faad0c0f6738e23ff64db3c36eeca0e530b85ec24e3642dfb69809c900b1165e4b5fa59317d89369315cfc5c338561

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.3MB

MD5
878fa95292a59d69fcb2685ebff3f517

SHA1
e5956c1d9c2720799a98fffc59b397257d9a3730

SHA256
847c15639841e98f47953d53fa58680918c1a13d160f16449e34a3fe0a14e328

SHA512
3b3cdc2edf9725dd6b074e6caa8562fe2c38a71a5a49914fc2f11cc5716fcaf7a38fb8f0157cbae3262c9512a3b9c073b0e37c06ed2e8b435e72686b0cfb2fce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.3MB

MD5
d85ef579a1ca0ad6c6cbc50bba47063d

SHA1
106799349f5fb61994499053a63205a930af1bb8

SHA256
0d007ad9aea9b84c9c892e27345080353f0ff0adb19949c4cfb776cc3ba57cfb

SHA512
1096ffe79926bd7e03e2492d2bf46317586c0f06bcfb354e04dc45c1863e271a6e4b6f43cb677353648979d55756b4ec54c55a7efd6bf4a68b556d0bcf79fcbc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.4MB

MD5
5c91e47067b95c17858627f08a043e54

SHA1
985a672b9697eac12aebe33d1d3b8962464979da

SHA256
67d56af1cb0cbaa1f44b33e0b9d89fc80b878a3a37f4a1b7349b00f22b791429

SHA512
0edb2515c7b08b3b03754356103198aefeb20894061c4f5e21ae346bb2d84cbead2d25f4c394b538376e4dd2ded7fb70495068fadf2c3afc55903a3db101ad1e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.3MB

MD5
4ef077e335f800b42a58b8941afd3c69

SHA1
3aa905fd28956a11a55d2b8c08aec8c4b28ddfab

SHA256
714830b2f6f7a7014d6ad5c8ca9ef9ce73a2becdec0c55d842764441760cde37

SHA512
75965c98dc30509629f364260cf9f421e952dfa169d4e524e750e8c667a526d019dceb58c5dc468b4673ca264126052db969fb3df91f597887bb48a5b1d02bed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.3MB

MD5
e32684b0517c7abeb9d7bfc353e3f937

SHA1
7f862c6f66b3cb7fccd500e4932f3919d29b6baf

SHA256
d4c25aaf088bf324eef56a5723fbf7bf036f14b56900d3e0a9ff11482696a2d1

SHA512
29eef6609166d7834ae751f540be9bfd84c32ef8289315fddae47ce69b2c09754d866544716b09d72c40ad4e15d1bbdb0bc3df28061f06adb8fa74a82ff13b7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.3MB

MD5
2d8666b4bcdff4c57857aaadfea02de7

SHA1
2ae9506540641317b55f2f57d3ea9e418922bc1e

SHA256
89b7f9181ccf03d0b4e9ff83ee1c617d04da427574b785342fc1f4e99f8428e8

SHA512
ac22522fe3cc6f05315c4822478f8a2dca3c91331584bb47ecd2b11a2f7a8881effc07f8cafe4117d582aaf9f5f5ea0c5bffeb399d1ed77b5be66bd010af8acb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.6MB

MD5
5809f5998aed9214966c1e3e0f1c14c1

SHA1
70346955adaecf6ff942df9ed6268527a3c69848

SHA256
005391d4766c90cf4bbeae5ef69cd772cb66d9cfe4f3c964479ef2195c26e220

SHA512
04f2d9367aa98e311fb2b40fd80536593e9695e58a7d1dafd2ef48f012578272b8ae614106b8f374cb02dfc7f679236ff3a35b444edf97bd72f71c6525474d39

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.3MB

MD5
53fd4ae48ca20f64c6e2c36d61d95183

SHA1
b19782ec9c9acd6148b66a57ccebfafa5719d260

SHA256
85ed837b44314dd74507cfba06626bc6429b52f833137e99fee5a1662f774394

SHA512
7f1da3b2f8b6bc17b6211df5ec0a71c7fc3fe5a7893a4bb0ad3056ce5048ebd774511a82473759734c01374a9313bbd8d8f853180b9aae5f72c8ceff601aca4f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.3MB

MD5
fb1aabb761a8705e0a8ed430d66de669

SHA1
3b2a75b762cc28850180984423b6f0209a36ad14

SHA256
081d0b9ccf1c072d22d2c9ff289539a4cab05eee2e44d0df821328dc1d4958e9

SHA512
1e8910d08f437955e8f39a86def1f65bb4fab1a5e2e3afae22104931933f4f34f9fae0acaefb22e6860b6ceea010671729775d9df5ac7bff86acdd5be75b2fea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.5MB

MD5
54f7a4b63c3f4e4103f71af5335aefaa

SHA1
723038932de587b83f9c233d8bff065cfbff1860

SHA256
4cf89fa2499a07c62ba884f5b8c2d1775809820cfffcfcefbc045cf85195fd97

SHA512
696961450d6f85effefdd0d55689888cb6c03786c8eaa623085474764f56c7e41309a184fd46f4e162ad9308e96cd7be680074512ba1cf36001cde0247553a7d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.3MB

MD5
c8a1d7243a93efeafef13ef9c821c42e

SHA1
80e4b43df4602fc4756601b43afe98364ffd4cc2

SHA256
8f064c32153cf77a3c5fb4a28fb334f7928025b3f3bda3a173afef648a7b3c9b

SHA512
baaeb3449a1180593b5412e8d23474ad2c1f02e356e129473abb0aa2ea22b4cc6be75f6e4df53f041edc2498d66d685bad2d120f1aa563c0150b2016bc50c4f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.3MB

MD5
3ec855d318c50c3cee0cdcf161b6b579

SHA1
2232033b5c504fb2fb65123e31e03f7283da63b1

SHA256
b0cc316286621587eec5530b238618e9b6ad28b4be63e91e9fecdb1451870939

SHA512
17bcf4aa9d8e124a7280f91e37a2c7b0e1b91a73d0b227c5967fa91bab2254bd0324bc68182ae78ab25ea3bbab067d4c6d79951db354b0c128033e9e3f4c1cc7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.5MB

MD5
7dea2f68ff4fa970eca6affde777a46c

SHA1
dc268d2f16f99ea25c928275c02d96cd7d42dd54

SHA256
fca975db0f1e913e1d2ab92fce0a8908be80f1a6c3de1891c1ea12343ae0da89

SHA512
7beafa48beef409ccd142124adad70d9a7e4bd673ebfc82dddab7ce6bd52b980700380cc69a17282ca7fca874274fa262414c64326607edcd82110361f87f71a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.6MB

MD5
24eb775aa769ddba0526d796f5ec6265

SHA1
605c381e84a6297be06f37db80a7be3309513520

SHA256
e03b4d1dde4202423fddb21565f5b83463ec08ccb692bdd05ab31c488654d7ac

SHA512
1ec27c7d4ee8ad20fc349b6144c57fbb1519b7c9d7046edd9bb6f7b5087c9017ecca3b14065b587d1ba021edad7de9a6bf46a59fd0bc9110530bb20554df3dd2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.8MB

MD5
c8dea436659f9266910a08c3baea8589

SHA1
48928812533fe6e8c964f0bb5d1133a3914a760b

SHA256
25313cfc5284b49691373d8d42b8e3cfc59e3d0992213d2f0012cc46104574c2

SHA512
06eb49fe7e84719c7ce14e0c614af15a6dcb7f78f4e817387610b25c6f0b94704765a73215e933d340e4482a4d38f8a636cc467c55e01d4d17218c8543b46687

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.3MB

MD5
528f9a6979c198f0f9a1cac60165b548

SHA1
0001011ce8745e7c1ba5f8b168f180acd2b7c0f7

SHA256
ac16c3ef4aea3ca92f17afdfdae1f6b7cf56d1f29fe8c63380c0d773182696c5

SHA512
21f6c58ce40b01cca3fae5dd08b996495b97d5705b0c00c1e3d19897d49a7077f7b85a4d5846a276b56f0b314d5ab811a5f21adb8c49ee980641993294ec14eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
1.3MB

MD5
745bbee802fec0dc72a2a182611f6313

SHA1
1f15f861c80387689713ec4dce6be1f413f56160

SHA256
d07a0a9b678500b77a4c2e75801872f92df78eb93421c58557840e188ead4fb9

SHA512
6d62b20da73e19cf793e387cf173c62a2cbcb4190a9b0b19b4df21a5717ff4cc0dcdc5dd64f4bf8a9db6bb3b09091a018d523cd0e185508620dba63b60e68e13

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
1.3MB

MD5
f6c896033ed2f1b47ba2704f1fa74af7

SHA1
190a794dc4dcb9667646e832157cd9b631b03af3

SHA256
65524f19252bf3a90637ac4a2463e972a9bbbfe746f4b987b4be53d4379da314

SHA512
7e0e47f73746675fc8bd8898292e219eaa524a2f7d5f079c3039b20ef0d4e58a601b3a7546250709c6cc2e46d25ec10076efb299355adafe7f6e18a1ffef9207

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
1.3MB

MD5
fc0c4b01c72494e218a67cdafa37bc95

SHA1
2982e54222c534a88f4e08084b4bd035429d746d

SHA256
f91331f617a72bc02670a2e44c3749f43e036f5555f192da5bd8384cd7f0b0c3

SHA512
af6a3ac4a38b90127485f70250cf1970107e657ade5f70036e3a8d36bce3635841130e1e14a0932d4765608a4ca119a3fa2caa9ff42297b750491acccb4e390b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
1.3MB

MD5
228c04641a643aefe3d9809b6ce97d11

SHA1
a403a94f8930dc6abad90ab1c70e88fe4f34a0be

SHA256
6988a2dac46c83fd24dad0a50f3c2f219d65df67133b71481ed02bc11bb7e832

SHA512
e82beb047583e05a39bac2ae9eff73f62702be5ceb6617e26322ad9b774730387c6e06830c9f8d4ece7d493f5ef9923d774af369cf2238e39cc94bb7674cfafc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
1.3MB

MD5
3e3551e1a4e445db8552a05403eeb62c

SHA1
99d32a890557d2f3f08a00add3eaa2835e22c1c1

SHA256
0a33c5d90f9f1333e5b139f862009b5c319e76dee75508d920fe7561cf10ddf0

SHA512
6f698a158fa5fe64d30cb572e60bd70e292b34669b1c66a8cf204b54e2e14bdd5e42012df7f45e8339eb71b86c44cf75b3e3cfe3c079983a7aa111a738dfa74d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe
Filesize
1.3MB

MD5
937da9e905b5ce822660f5079004f2dd

SHA1
2e75b6b7f9cf4b7e7f7ea999497117033bdb2798

SHA256
a7cf59df29a2d84d2a51b21e18852e4c4b13aa9197a85cabea6100061f42d449

SHA512
e43a0c7640f1509a57ea7a98e998bf083680ad41007f848456b2791e28cf43a415c99e9930d9e57b389084388cc7c423b5d4320b0c04bcdc0389a65802afcfc7

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.5MB

MD5
321dc013849ecb5e868693bff42fedb8

SHA1
74e1656debd08ccc3661c1b6b55ec67f3375837f

SHA256
436ad680a223508e272414ca12654c95cccc142f449ec678ab5f65fb3a3c256d

SHA512
9bb032d84392ba90e63989b3c71cc783dd3b5b3e5dbc32c32500509b0d553bf1c9835e76e4ea4d4450c80d057c4cb099bfae745eb4586a9c41090ffadad937ff

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.3MB

MD5
82abf24a1474cbf4cfae9a97c15750c8

SHA1
e12231ca977d4a162ec1cff77a19ce26fa9e4f28

SHA256
74341498d922fd585b50b25a6bc00967e7d4241120fb663721c96ea6393e9e0a

SHA512
e0af4663f52126e5c9df78bd12c0c5f98784f01c6126825ec5d7dd154729488b106774b621c73bafdd18ebe73c9962e400e184315d6da0b01c8f36d5b34518d8

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
1b7d450fb695f41ac39c2b137afd2f63

SHA1
1806c4f4e6e3370810e1f6a7ecb74cf4d1872ef4

SHA256
d863ca98adba488bbe492e682f90b77cf8cbfd4931dc8c9aad2ba43d2c7a071e

SHA512
a4a3f9947c0b6eb2196523a5e87c1638d1d152330bb61bb55a74202e03dd5b5e6a18c65e5fad4589aeb835bac94465fbc2af79410914306c0fd478a821fa9d7c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.4MB

MD5
6639f77ab7462da338e999b3099b45f4

SHA1
5c3b110697aa463935e7f5fecb7a7c546f94ccf5

SHA256
3f08b5f35c4d288e6bc8d0eea8d5ec7a8ca4396abf7643109f26b70100c82d7f

SHA512
d231fca331155038c774bb6e41faab76ea76f68fea02f84bd92ccfe257a8aedfabb3083d2e5a1e12a0807a8d0010eafc5089bd1eccc3153ac8c70b9a3a8df8c7

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
695e1c0023664ac0879007db4a589461

SHA1
ddb9011cf4aa34e57e437ad59386da70b465a463

SHA256
62595ae57af775609c5e5663ba58a3f9d1f51b07674184922a39449e9dffa5c5

SHA512
492aca45304a07bebc6b4977d2b65c2f778659d8ad65d062d87e448c3e47003e5c4847384908959206eecf4fa2d3588c5a5621892b6e4cb54a04237242888706

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.3MB

MD5
ea56e04776406a5d7376568be6e53953

SHA1
4115eb5ed502448dbb3b587b8aeec77cedf121f6

SHA256
e5d41c03cff8fd09823affd284815e667ffe909a43178ed13e2bcf963bc3a789

SHA512
e02b2217ceb788cecd1a87211315f4ccc2bd68bb03d914a04180c6227d9c29751d74e57685746f11ff46f6a8e2435827002d776ce1910855f41f5a94c8650ab7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.7MB

MD5
51a153f05331c41b95abd767228eb1c4

SHA1
be6c5ff20d007536ea99dd43f07a9a8d90459405

SHA256
44281ea7548bf4274c6812f9c326cefe1239d2a6a7b703f3570ca155c8553fdb

SHA512
cfcbd12f1818b52bb9ed24e86f8c30b864b611fd8eba465c1f027e140b8c37eb187129be3998e7db32a834a7823702654d4e6dc44ae7ed2a21d078ee858f4a28

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.4MB

MD5
cef5243ca4465ae42aad509a39fbb7ff

SHA1
2f708a72587eafd94021c800806b0ccf2c53f9d6

SHA256
0382d8db300cbe2680b644eb173e4dfa47e6281033f72f2eed8c8f4c1b7e1f7e

SHA512
297c9bc992d06a584376747ef5fc2880968615c9f7a514a890a5cf6fb09ca60abfeafc75614f33eef2d0a8a4d2b58561d04be5ceaf6275bc0bcb1fff762914c8

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
e221b35af6df5189e5169e93e1bd698e

SHA1
40823ced869be1c14c0a99e3577b86919050f49a

SHA256
4548d38d07ff6bdf33a472dfc4a229ae4cba5a70b1d773f66709bad0f5c0577c

SHA512
6873becd371d6f4fb2ca6220e5036e2936c0d4e8eed4868c2a30f552e816a0f3f65f4273ff1e611b8ba1999eccb3f521ef4a385f155245e91ad8ae454d31d3d1

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
6b99f071fbb202d3fb406f659989ce5d

SHA1
f00314443fad15f191fca09a0bf608114b0b3502

SHA256
53eb21750243d00fc1e29381d9385746634fa089b9b99be0aa9c65de1857e28d

SHA512
3945bbfdadd9fddc481bca68983e88a99a70c1f7b5df0af0b82692982729cca9e540e35a0be7b6aee6f129e67417fa510c0017f7003408f0aca04f850555f634

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
176e97a92bb219548526e8d1b4011949

SHA1
bbb7f070caa19d11cdd29cce993509db216e9c96

SHA256
cf199ea9d4eb33699cfa211038821bf2d47469dad057b036eb9efb4887541896

SHA512
b182fd6a6d457a7b3d88b86b6260f0369c8dc439c30757458d1594f30e5537e0192f76879ab2e538f081f65ea2f7734c7f849d66175eddb7761b43324609687b

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.6MB

MD5
746dfebd6ea66957bb0073b0de198aa7

SHA1
fae6b807c35e7ee1efc911094e348ed267c3312f

SHA256
e91c2ad487b707d5e97bb38e2abdc6a5a065d86ff79deb3d14d98a888d454941

SHA512
f8f51371a5a6c2328dc1df99f96677ad844621feb1d448a8502c01f63990527a3b764e4a392ff24cf5e5975af39252b2db257884b95f9952fab1408084ce27d7

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
a4f352a9eefe3c879e6486cc266789c6

SHA1
29cabaea376cf18a9365fd5717e9a630fee6fbda

SHA256
23591776c93212453183fd1a0a1acb79b2500567d13b2f83570dc9607021f575

SHA512
4118a74dfdf301e49573b919d0e27001213972bd5a69e78c2bd50d39e4b3ff65ea6422bdccded727835424c8b6eb5515ae99d8936af0a235fc09c4ce24439502

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.4MB

MD5
f7bb67e6b7d2be29c48dba839cef643b

SHA1
ab00b4685f2dbfe4861635ff1e6cece8772830a1

SHA256
62e3ab260574380866038ede5f67a93567bdd78efd7583e6944ba0effa138bc3

SHA512
ab3197b568c47cfb7349e7f51a6b8abced18fcbc196182d96d6506d25788cdccc182e9509345c0ee5cb0f7a2f4deb99811ea86a473c67fc8d54ea486f00dfbe6

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.5MB

MD5
fb82b6805bc767f0730408d88b04dd72

SHA1
b8b91d1124c0dd9b283f053d1edeab7cfa8e268f

SHA256
8ff78a11247bb1bcc085edb3ce5e428b598aa51d59c48b3fc2b3e4e2e972a780

SHA512
ecfa24a3af761ffa67f2c60b52abdff76e3381ad185b7f173920cc1eb573aa2d4cc9e440a254bc77eb7df57416829497d13745bb186308777ea85c5006ca7051

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.3MB

MD5
d68abff8985b653eb91f8ffc58b2e154

SHA1
c2f3fefe0ca10be8a6706979dddf969edfdf3cb3

SHA256
b607d7feec26cedada47f226fa576245e64096057cfca153c014cf83e00660e8

SHA512
58926e8a576633e08a9994427abbfa4654448095ddbdf43e826dd8ca16a434d1f8e1d5bf01d183de68e837db252c67c0dc0a3da3c1f311576447fd052e7b9ed3

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
2207f208577e9b3e5b82c0d31c7edb1c

SHA1
338f2bd2c4f491502629932c2fc862164ff79537

SHA256
be6ee955654ab0217dac9c8c992d83c3eea6ea6562ecf9a27b86dfbcea858f0d

SHA512
70853415c66371e8f0fe9e18b4a8e122de4a09064715599c27a38d0f45ccaed231132445ab2922920730df06aca122ff19033ec3652f9c3f92f842441d92462f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.5MB

MD5
793ddf4d3055ee5a7006af2b6bc76cfd

SHA1
826d6695089505ee117688d88dac76d0b8667ca9

SHA256
1f1b8b6284fb06bc30755e6c091640f9d927e988f8e9357c88eee1894381a896

SHA512
0ec77b947e085ab724215a76672b1f73c9fa3da701226e309ae4fd6055fdc9192d6873881bf34c137d255157c652a8922838eed525a88d8e52bd102c9a7679ee

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
1f5fe0ae74d30fd66174636e4e67cfcc

SHA1
fcbdf445cb173ecebfe79fae96f61ed372190292

SHA256
6b9a715d3c0314c18ae21e21c96c15a623fef7f9e618751a138c88e424cc3a00

SHA512
b6bc3269c26caf165f1bdc5a2af684f6956e1636d5c92e2a9b0db00d33422285a34091c45e09b89d6b90516de20e6a04b24fb3fa67f1569d668aee4ed768b2ad

Download Submit
memory/1124-267-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1124-255-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1124-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1184-381-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1184-269-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1192-352-0x0000000140000000-0x00000001401C8000-memory.dmp

Filesize
1.8MB

Download
memory/1192-603-0x0000000140000000-0x00000001401C8000-memory.dmp

Filesize
1.8MB

Download
memory/1300-70-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1300-74-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/1300-64-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1300-238-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/1360-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1360-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1360-237-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1360-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1428-406-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1428-609-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1452-382-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1452-607-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1512-611-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1512-442-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1652-610-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/1652-418-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/1680-394-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1680-608-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1884-251-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1884-249-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/1884-243-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/1884-355-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/2260-281-0x0000000140000000-0x0000000140171000-memory.dmp

Filesize
1.4MB

Download
memory/2260-393-0x0000000140000000-0x0000000140171000-memory.dmp

Filesize
1.4MB

Download
memory/2408-47-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2408-236-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2408-35-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2408-29-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2616-364-0x0000000140000000-0x00000001401A8000-memory.dmp

Filesize
1.7MB

Download
memory/2616-604-0x0000000140000000-0x00000001401A8000-memory.dmp

Filesize
1.7MB

Download
memory/2696-602-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2696-438-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2696-309-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3288-9-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/3288-14-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/3288-13-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/3288-0-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/3288-8-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/3400-295-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/3400-405-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/3900-368-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3900-379-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3904-57-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/3904-73-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/3904-61-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/3904-51-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4064-298-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/4064-417-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/4112-25-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/4112-16-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/4112-24-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4112-233-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4336-599-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4336-332-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4480-598-0x0000000140000000-0x000000014015C000-memory.dmp

Filesize
1.4MB

Download
memory/4480-329-0x0000000140000000-0x000000014015C000-memory.dmp

Filesize
1.4MB

Download