2c0d5e0c7c253bf8a65b1d8180ce55ca996b2d9c296a6c56c6bc8bd869416ddc

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 20:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_3c0b1c0359f233fe7f99ddd7c3c29a61_ryuk.exe
Size

1.0MB
MD5

3c0b1c0359f233fe7f99ddd7c3c29a61
SHA1

90e681a4f9e67d4130fd4250fa2ebc8fe3fde64b
SHA256

2c0d5e0c7c253bf8a65b1d8180ce55ca996b2d9c296a6c56c6bc8bd869416ddc
SHA512

e3b7e3629de6b9f3f5ca9547e36bea40f4c82970107e5f49686d6d2e756d8f9335d9b97dc77c80b90ca2202ebc119fd07af60fc97931509aa672736d6675c135
SSDEEP

24576:t6V6VC/AyqGizWCaFbyOSkQ/7Gb8NLEbeZ:t6cbGizWCaFbWkQ/qoLEw

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3400	alg.exe
1140	elevation_service.exe
4848	elevation_service.exe
2276	maintenanceservice.exe
1480	OSE.EXE
2576	DiagnosticsHub.StandardCollector.Service.exe
880	fxssvc.exe
2368	msdtc.exe
1316	PerceptionSimulationService.exe
2784	perfhost.exe
1876	locator.exe
1908	SensorDataService.exe
3212	snmptrap.exe
1780	spectrum.exe
1812	ssh-agent.exe
2580	TieringEngineService.exe
764	AgentService.exe
1532	vds.exe
564	vssvc.exe
2860	wbengine.exe
2056	WmiApSrv.exe
4636	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-04-17_3c0b1c0359f233fe7f99ddd7c3c29a61_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\dfe935b38fd48cb4.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{68EB25CF-4F9B-40B1-A189-A6F3A6E88719}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_115765\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c38f81d0691da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009349841c0691da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001452511d0691da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000fab671c0691da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ccc3c31d0691da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003215fc1e0691da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce2d4a1d0691da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000009a6891e0691da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000036e4bf1c0691da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000de3e3e1d0691da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000346cc91c0691da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1140	elevation_service.exe
1140	elevation_service.exe
1140	elevation_service.exe
1140	elevation_service.exe
1140	elevation_service.exe
1140	elevation_service.exe
1140	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2536	2024-04-17_3c0b1c0359f233fe7f99ddd7c3c29a61_ryuk.exe
Token: SeDebugPrivilege	3400	alg.exe
Token: SeDebugPrivilege	3400	alg.exe
Token: SeDebugPrivilege	3400	alg.exe
Token: SeTakeOwnershipPrivilege	1140	elevation_service.exe
Token: SeAuditPrivilege	880	fxssvc.exe
Token: SeRestorePrivilege	2580	TieringEngineService.exe
Token: SeManageVolumePrivilege	2580	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	764	AgentService.exe
Token: SeBackupPrivilege	564	vssvc.exe
Token: SeRestorePrivilege	564	vssvc.exe
Token: SeAuditPrivilege	564	vssvc.exe
Token: SeBackupPrivilege	2860	wbengine.exe
Token: SeRestorePrivilege	2860	wbengine.exe
Token: SeSecurityPrivilege	2860	wbengine.exe
Token: 33	4636	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeDebugPrivilege	1140	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 2284	4636	SearchIndexer.exe	123
PID 4636 wrote to memory of 2284	4636	SearchIndexer.exe	123
PID 4636 wrote to memory of 1604	4636	SearchIndexer.exe	124
PID 4636 wrote to memory of 1604	4636	SearchIndexer.exe	124

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-17_3c0b1c0359f233fe7f99ddd7c3c29a61_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_3c0b1c0359f233fe7f99ddd7c3c29a61_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3400

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4848

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2276

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1480

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1948

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:880

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2368

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1316

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2784

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1876

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1908

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3212

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1780

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4224

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1532

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2056

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2284
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8ebed8d79cdba1e27b930f04aceea29f

SHA1
b47b9db68d2d2db1aaf88934e1b20cfa5c3cac3c

SHA256
c4bb21428a5b6d4107291303357455c0264ba3b86ff76a8f644273d0949f5cd2

SHA512
0274a0f4e0135957f675c88d944cccd4056707805e71b706d53ae1a899768e79a81c39565729a3f9086f7cd8999e6e1ac1ab1459eaac604de665ee8e90eb8999

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
da9a4e9a8265a62c20408cb8047a08b2

SHA1
e90774a5e5e165df10d1f6fd36fbf7701066a23f

SHA256
26b34278c86c2e36b19c4a32ea2613ee3423a337d1e649cd547403e5d5332774

SHA512
2ad98b4f141273064ec791d9fa5ac1695522f234dac0320c0a66724554fd25ba72847deb76f335a4814c6d812379dafbf43b498970f7eddd86baacafacd34e52

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
42e22dd14c5afdcfa6149e51053d723f

SHA1
0978b0e8a6b782cff37daf767cbbd0685334dfca

SHA256
2d1aafc9eb0e76920e29d94f053b9127c9334f5431fd209c0364ffbe2d6c3fd1

SHA512
31f1ebc125427c68711687da7c73b5f296e74970af36a5aa475ee811cdeff3c4f8ec6007c6513a3cd82947adc1ca90de64695b46ec03cb9a42411a39d1e1ad2c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
022d2496a14ccfbdbbf41ec691628710

SHA1
94fd9740e3de61fd4782f4c1bbbbdfd51c8d3e7b

SHA256
3d7a3f8d2dfff5a561c9ff9fbe1c357344a9a413c511ad203ae65faeda1c68ba

SHA512
f2f3a4666c7b789dc7cfa2c2135715aff38994e2812efb8d66853f4f8a9c74ca95eca86a4e1e317c8a8395b6953e04307d22d1d3efe488b610a3250706d7886e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
9a9889a171e0b2cf8fad5ff132a6d22f

SHA1
64e007f1be62f3305ec5f219ec4c2f3c5aa4913d

SHA256
c0b0939021b42561c9bd39459f03a11343b294513fc3fbce4aee96ced350362b

SHA512
9fd5d8fa76e942a3e0ed3ca2ae836c9029dd12c78a11213a1b50884dc66380fe6c9772a57846d677527c9d2c5247cdb9c767b1aa39d298aaba1d6442bd95a6bd

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
61737d201a8fc7d9ac6fbf4b2ed24c08

SHA1
374d79042c55b5cfc8b302efa739e6ecd2020ac1

SHA256
87c7d1b58345cf3692c2d9566b53068af95a64fb1dc590ef137285bcdf7090f3

SHA512
53a68d393ede93edbc340565da8a6ca11977816abb108b439d1ac27b0fbc3c541d2e47dcc3ef0b01ed87353af1e745701e7d9db426588469e8ae22efb3fc58d7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
f8af87180bcc493d4bf197839f3c2bee

SHA1
abd55439b892ecd24ba34f981e6ee315a92ab413

SHA256
735cbe794de8d2cfe9f877ca6616f6391822bf40b300223bc82d6754a3ffeff9

SHA512
4e9e1d82b0b0c9ef7aa37c86b7186ff85035915939ae256298086ca4caab88d42b85eee17d8fee951fe620341f4904f4e52e4d17de1f4aa69328b1630ab13345

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d4dc5b6814e62a080d744fe18b623338

SHA1
46ac856d7f90c4dd230b331ddd3cf0727e508a31

SHA256
43b0c432e64ccde065476856cb002249422e660cfe4a04b8f4ca516641c9d8f9

SHA512
61136d22fd612c9e4bded05d3ed9b1b9034fdd9a6059b0b6e64f2845af204bf8bb01913c8e1051d1eabc6e85cff1a254368f8fb0098b247ada5002bcbfc5ddd3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
46e566f08e62a4210994532f39ed915b

SHA1
abf1829c5f5c260eade23f86dc634e25559fbe21

SHA256
443cc61a80d3f92c61096c07eb5c5cac8278745d60197ee27c62e7b7d59a6ecc

SHA512
76191c1bcf2a41c393f2958308300a8949ac794bfa973e85130fa82f14cdc6e1ca6fa045cab56e0dfc386f65885d2af43bc74e7e652fc27fe1c6a4696d5caaf3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
2cad6ce685bc84da64ab129b26327c1b

SHA1
839e76763702c145972530ecca2d8fc27d43903f

SHA256
08200f245b31e98c5b770dd490311f422fd00d07671c71bc353411c46a9d5ebc

SHA512
de62c847b1cc2c07ede4ddf691c272134da60e4f03611991c6321030b183c4d193a1e6a026c0168bb3d0e159cd4bff034b58fff533ea9fba3abeb62189e5558c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
85acc550d3dc927d184052c1d6ab712f

SHA1
84112430755ecabfc271112036ecb14b43ac3202

SHA256
3d3ad9a5b9b4637bb45455a4f41020cc73089038d5bd27c4df1dd57d2c7dddfd

SHA512
408476f6f680bd6a429abdc7033674a05f6fcfb4c354181bea355922d723f30d39338952a5af5e8a1c4047882d811bc3f7b429842adab35f6a179b58c0f4dd13

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
543a8d0185dbf51712f333b6145b79c7

SHA1
c2699f8ed6ededa88885c141839ad0b87231433c

SHA256
89365fb535bfeb09c2a54363c81db3b6c0f54af4e44ee5f8323a595a98a86cfd

SHA512
89e5dc2ddc70642d4e1ddafc60fd9ddab443d69595bc0f6616495a5c1e1fc76edc72bb17623214a5cadba4d2cc730abc9a8004e6d139397dcd556920ae4f45fb

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
c7270bd4b897e131f6e4f473dff9095e

SHA1
e4168ed9d049f3c72decafee87b60544b124489c

SHA256
a92b34aef15539f3e9fe0a4f28fed9774cab2d6090e114485b557923e66d48f0

SHA512
1895b56f8e51b73193b0b8949aa8f93c29f333cf43c54576b35840d5816130ee4fc69ef2d5ba2ff699d09218a652073883ff0ac0d31d5b3c20b4d4d4fd5638ad

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
c731cbe435d5a13864e12e32a6436aa0

SHA1
b1b60009a6d4b9cf0c9f2f273857d762b5a54172

SHA256
6ea7f4eb88f84896243766186f76dcc57ccf703746a69f948ce6b6e88fa40f10

SHA512
12f08ff40b4874c683d8f34a1450b29a8d7833da7bbf434e3eb2db1527917b96ba09ab8ecc42510912a1cda213683d35889dfd5d1b7dc004cad51176cb9529c5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
02f9d99716861e6db6afbe5e7ce153bd

SHA1
7f8a5c89c802a29cb7ab9f68cfaec1d29f80237a

SHA256
c66263db58f022269779fb830df0e7b60dff6cbaf8800a6ed3183e4e45a65593

SHA512
e3e628d816e79eb3bf5e5b2844b885f370f4be0788da861ead9ef7689fc068f2db9111b817564ff92f7aca9071463b2058349eaf833784c2e834d3377fc09a32

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
adcaf783560b0e04e42ff6a6f7213188

SHA1
edc2dc5f9fde5fa7205e0f2084ee72c3adf34497

SHA256
cf7e57569b1b6916560ddfaca82e72b32b671e6c6bbc5c24c24784b15a86022d

SHA512
57398b6d1176bb57b0a650313138896a1e31654b8f2cf2fc850a8329c5f79f0d2b445cd31b910db2820fdd491b4308ef7b41c916f997637d0cfd9c8ef4a554b3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
3baee1343d3ee53740924ec0e84faaef

SHA1
b56de3b97b9a68179041e94bb66e0f58212d4623

SHA256
ba9639a9416442fbe11429e8716d00abeee88117e6e3236fce8fc2ea169035a5

SHA512
be496fc2c8a8ef68c5fb7e6f48efeff9284cbea70a878e68f89784fccdfd7a7f989327f5dbe009859041820fc148d24907c5589633659c5efd0d0d2441b23ff4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
6cbda5cc6989c5981acb535acbd191ff

SHA1
c7f30b9f504bc05b3e77a922a268900d35ed87fd

SHA256
337af2d232b6d9fe751bd6dedf194a1427a89e948819d588d3207ee3fa14150b

SHA512
fb33ba08e7b5bf63f1fb9daa9b542715ae5c07079bdd6de52c313102c1c37fdc12c1288537fa2091997f3da105639767fbdf91f4b0a48c1ab4bb76b27afb39c2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
a910802e2cf4d5a26ea6c179dd570ec8

SHA1
38b72d1e816f3b4421c55e79bc240dbe070a4915

SHA256
8c504b452040a1ef2b23222d540eec2590d57add0e8714893d44eb4f8524b014

SHA512
c40b8a6d2162fed255cb992830b926205e13131a37fdd18b6451e62a66eb6ec5c127fbab6e4334303215e7606c948f14f1b937b4cf3f7b0f206bd19c1aab85f6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
26615ebbb4c953224cb1e1825e1ff53b

SHA1
da9e2c4869e91411a94bed17cba39eb0b5148d77

SHA256
05b82e9bd18b00c4a2e481752f6f93ff73ccec72ec10a3ed2a73ba4a17ee2094

SHA512
0db2c3818bbfff521387dd2ff2f8c51346422219680ba196c2b5a86b8f43f323df2e73551362653f68d87a0254a1fae495a57876d75b074a446ee2b843ca785e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
1a77b7f813bb35edcd74c15c6553c720

SHA1
11f3ff4894753c6cecf5ef76d04116dc83caf318

SHA256
4d3d3b2ad116453ace942ba2e10c680f06aa7107c5eb134928a866001bf00ca9

SHA512
4ad2c0623555f6bb95617d10ac4fd468f1a74d76260743c4901186d0b7acb5c9415e82979e24726005f5badcf57c1472970d255d95b9aef1e79dbe8e4e7d51ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
57e75f5b65cebf4f7ab77bb2a89b3c51

SHA1
80cab6d1b36433fc9e32d757bdf9163edc77117d

SHA256
6a9193adcdeb2e41c6f8d8f49d27fa2ec9192a1ad16235020db5667fc01490ff

SHA512
adf6ba10856634375d5ab0025c8aadcbf700bb83e2516cb5cec4512aff8f4e578b69f7e5504762532402a80bda0c7209c571ffa419ee964a52edc0125144c0b7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
49e31a928ea76dfc1a5e84efeeb5b428

SHA1
f13190a42730928e1898eb7dc7f7e5e5454646a7

SHA256
d494fd773e5a7ef67b3f3aec54b15adb9cd2693e26fe86c8aa9279251ad13c27

SHA512
70713bae5ef794dc6c501fe46bfa5fa02e28ed256eea6007d2eae63998905b566d2d0bdef6378d077d01adaa236de105edb10ab12690814b8ca3af31b6cf14a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
3726b1799153f945435f690913ece4f8

SHA1
7130ce49a752718690976cabaa3363201fdbd561

SHA256
0391dd5288b4b83aa8942d0f2aef9b7fdc1b6f6f532b1ff3e403cb3063707c82

SHA512
a097825fe8b62e7692bed37ce86a62242f435ab06d558266cd2723d9bddc3201de0322cf58fbbeece2446c0c19587c5e0aded04a8cb9005ec05a814056994524

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
c47a4712b72802d6fd6d044f3747ad6f

SHA1
e4fd8d339ba9e33f1be8e02fa2a49a0c62548680

SHA256
02faf0bf3a5f9561c556be283d1c0491a8b34c0dcfc0c487745aea74b66b1de8

SHA512
165ffb94fd90a4d7e2ddb7846bc158e0b955c9b0c3794355e292c536df89f33fbdae3bb201dab83449c7b6d4e99a8c30593ecd8a84f6b001ae1497ce2fa835ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
1060c3490de458c2b1c38575ce6aa1ad

SHA1
3528f4bbd073e6bdabda0c222c531cee86724022

SHA256
4ae1e5b03ef85c1bc96e7949d062885ae2b1cbe62a6eca003baedbd577cbbc61

SHA512
e5b22af5c0d3ab2b06313ada50e501001b12074c9053f01f95620130e251096e9494f9f0a236a3d9ba439ff87d4371badbbc24c2e77df45c52d58720d58dbd0e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
1379e900d14a99b63c4b54f33fa505be

SHA1
768fa8662c2585006d321728655a9550abfd2de7

SHA256
5b0a102a868aa4620028a4d853ebd101f8e93d6448aa788ecdf181eced89bf19

SHA512
704745291495cbb59924725c86a12b92f6533070a35b4127d69645cdde8b03b0693bf587cc93515d3b1e77f633cebcb3f932b259d67750d7bee6ab01f883f88e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
095c50b8290176369417e19be12e6e14

SHA1
4adb84f8af8a4dfbeb7b4f2847f762ac35358ff5

SHA256
c2e8555ecbe7217717e04f885cf1e349b0ad55430bd36f2276e025251d82dbcf

SHA512
76d918acea26cd5111464cd4ff61191574665b640cb1a37693153762218e1beed143d76b22db9f274fcf304257c1a4bb03da115d409227eb2a5d7a560f6e2884

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
0103879e40cb9c74ac738f087d22c230

SHA1
cca86f6599d6d595fae5312d3d177917bcf99aa5

SHA256
408d3ca43d2232af7c226da0742817776edf41edb78cf156d7265bfa948ce5dc

SHA512
d31b16bc518a64963dded7975636c6b9a54053fdcdd3928980da487f53a1c8ddb066182fe985285ba4c3a397ea41bc65de099e5eea941d1da2f645211f03880a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
d4fc7c1a9e1c42e942baf60b77dba1e6

SHA1
b3145efd1a24db316c10208c9143d17a2f11f5bc

SHA256
56fab9b44e5d29927e31e023f3581f823df36fac699700aa39e1490c03cd84c5

SHA512
6d02a513ee8e93619b85cfd8a7cdbc947d068360f51a3319ceb73e6e99a97b7b74b71a783d0252b52abc5090451b2639d5ca62c85247dee10ec5b76e559c27dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
2dfe9cc9205b9ef680a23f11e4d7a18e

SHA1
93ef588d70f7f1cf6eddd0b86d16e7a796313125

SHA256
e398c89009e11db93d3b05c06ed1fa8043281551387905a61c92e63e97573a4f

SHA512
a679b0f7e4ed0a8a60cbd460c6c4a9fef98044956644dd565b5e4398797af2c68ecb57dfb9e7e2e7a0da364a8022dba79d811ba2b90fb5177f165eba575c8df9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
4a7186e07131b17dac3f5a06e9f08890

SHA1
68f7f40078998cca201ee11559267d37070f653b

SHA256
3cb5298549fd7b7f3dcdcbe203fbaf903a70fc6b08ccab3129acbd7ad38b7dbe

SHA512
6ff634d33e762ec29e066d93f015d3938d86ba2d155b4c6a2223a6ec254e7fbf050e4b36d271e7e31ccb934e59d8e4908ec46fbf7e60e689ea39667496b4d340

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
ed5b38c44f85991bed687ca73a3789c2

SHA1
0e6d683129379d1eacd94982a28eeb2b452a3712

SHA256
1b2abff253c197d2d491e941ace93a3223e32c473c8364173329c1cc94c5df11

SHA512
3aff514c97477bbd1fa555c5005c48bb13815ea45ef8cb9b9d842c0d571b4c965ae17e1ffff9feef44855363935d5e307d80cbfd668f5e7ff855dfb828a6d909

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
cbd79a3fbf88ddb065cb585146f778dd

SHA1
ebe241f11697474bd6e6684b25b2b0365ce0357c

SHA256
dfb65b756b947c8588da8a602d43d601738fd40434b4954a620f2559b13d9083

SHA512
5837abf9cba613b95817ade7ebdf0c644f340007309d4f29c73363c00c95fdb0dff254392580b02b02d70fad2ccd1a0857a1326f78c1d6ecc81278470e0bdcb9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
f7df7d3e9f9d270f102d2e3d4dc70d31

SHA1
faf8863482f1120cba7a39301484113969f3cf7f

SHA256
36e8544ea550e17ad17d2bebd5a2f07c22f08bc58d5fe985017f24e95aeec0cc

SHA512
a1e9c9d843650a78e56a144b52fdbbe20326d5390e929df26af38e740813d7ddd513cf28465bc8398ec8e6842a089ebf4088090f72db6b4d61409e5d97d8c72b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
7216fa7192c880ee6198ef898bcdc85b

SHA1
fbe16a19980b741861c593387ef284001f37ae2a

SHA256
37bd03344207777619baf0ddf40087ac8ce35819c95d35eca76bd078fbd801ad

SHA512
63bfd68469661fcafc5569d3444e9e14cdd864337b1af264d823598b9406c6c6d993a34837eed28023dafaf6a28d57c0589bd4e8d6daa9feb5351fef7542df61

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
27cf68deba2a76b280fdb433304e3bdc

SHA1
83f99514a25e1025554a74f53ae56b413f6bc353

SHA256
a4248a6ff0b4b1b37c8669adad1ff292c180d4a634c88c81914e326f96637266

SHA512
c10587d3200a6515b17d1fd54e0f0e4e4caf460c5fc478c3e776c815614a8b04521fd56898aabab71f0ad3f5395bfceabf68e9c15a9e68a3c00f2ccf67bb66bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
6d8a90675e2b06cdd46f4d8b2b0768fe

SHA1
33aea9facf1b2354dd99864817c1ba7e4b1224ec

SHA256
672bae4f3f0ab3d36b14b5d3b7f2a2d5c7baaa7f3be7faaf4a4e38576c067317

SHA512
259b0f04f8bc0399a285b89c26e733529bbf94b3c53261f78b198c2ca4ac1d9845cd063756e76d2abb1e30e8fffe0e174b1213b3c999e23bbebf57f9dbab7f4f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
14b1f3b8187ae0c73d1ba9affa77a77d

SHA1
b33f32162c343141ca8b0dcccdf487d518b7e165

SHA256
a7dbc41cb1f9158d71cb5d9a57384390c207b49b3c6bc561e7fa294e5e93a89a

SHA512
f3f984240305a6ab7312b1b00df72b9caea57eda8879bae38a2455ce492157c68187b34f259721805d7961a84be2a976e4aa1b1a3a28bab1a44c455ed51466d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
3b4ea12d057eedbfcb2cf7b68ef664ef

SHA1
9b975c52d487f4df9004fac5f95077053fbfa437

SHA256
32915c0a6a82e25bf98c9c246e883ca283294b9d16718277478104ef5a18bf7d

SHA512
592fd60aa82d2ac9ff4923be64d6712cbad4bbc1c990e6b2a2ba202012db6e64d75ff428cfc01931c8b12ca970396ba3768bbd638a34bde4b379d385b460f208

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
fb26b2d30a739f0424a0b6a9d4747300

SHA1
d3641220e2b328e2d2ee6bcc5610550f155d43eb

SHA256
5283d5cd23e595b2eb488fc14cff719eff5c5bc37805568063d17f7e8dfa465b

SHA512
1130413472a0ca7d106b36e5ce4e8518275cee118cb396c20d2e65d0cf10fddf7ffe1207c51a5cbae0d8e794f5bcce5d6a3256ccdfcf1695b162507a860eb040

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
7e544b3745f794423a56c035d4b24348

SHA1
b2b3581430c1bec58f93b2cd78bd6f7bea5c9db9

SHA256
0f5024af5f3b8315408daba6d6484bce1f09d7b2117fb4c85bafca6af8f88013

SHA512
ce639478621c102b08480f51ccbad80292f79546eb315a431a5e38baa140a2eea87bda24b269c71df971cc871739424bbe97dc4336d5d94686130b3446c282f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
e78734aee3bcd727dcc0cc1b7ae68cf5

SHA1
088d9c92e6fa9b7f0414786008a7142b4a71c2a1

SHA256
24cd166e4c5b4db7b09099386b48ddff4a949987355befa9f343fb2d1c42458c

SHA512
ae1d14738ce0426f9c910d0f0438b0ff7e7117fd49ad3dbea567c9551890e3942c7c5cfdf343906620ec8db25d315925c117a3c04a2d8ecd76362d384275f3ee

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
a1875af23bc6b899b55017959672454f

SHA1
708be3a531cd4438b90b71d0a9384f560aac1710

SHA256
f0d68bedeb0e5db35469e665a51179fdaef97826b7f3ce893615aa9249238ac1

SHA512
4ffbf1c6e7daf70dd4af62b8284ec64f6eb5e502b1ee42557a7b43d653d6591bb464447b7467518f0afb7f08900bf75c3eef5815b5482c578556813bf145f0da

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
2c85a11341ff8d40be4be01f587e3aa0

SHA1
b90a4444dbbef9a8cf90cbf79f5d6732756b2c0a

SHA256
da05bfdc7b90096646b81554ff9e2d867032cb735f503db17bf759559cd7ac36

SHA512
f1f615697fd32496e7f1cee92da40f88f133bb36b08ae089dc235dfacab50ea63743e1cacd30a24ce033aee651fd719ef329836572a6e1767f73b6300a58a4df

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
250bc19d6c4e7709d33474f282feebaf

SHA1
f4613d1dc4756befdaee939e602923c1b442c8e9

SHA256
836f1a8415de0c9a611384d1b3d36fb045786aef76929feddab87006e3522057

SHA512
1597864b1eeb7cabb6ce624d8fd549e0389fd0213ec4d986f3a19beacafaf09f7460c3d34245b1ea657c7351b7b46a78d114d940432defa22cfd38857cc8036e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
79616f88b6e4a4716542e5f954dfd3d1

SHA1
4bdd46ba346e14e4785bd680bda66ddf6cff88ce

SHA256
4d6456916f6c1c47a7ca472b29c6ab6eae4386de19b735a31201e865248da8ac

SHA512
6c9cf1ba0fb4667e6d8123284ba41d8dd5ab9a39f231a8d6add2447acb0ae3b557aabffcf0c8a48ea0608647210717a0ee020521d5d5d2135df846b8007e1744

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
bd3d3bb9d7447862570a0e7e1732ce62

SHA1
6f0159d801706595921f65f0e01f4eff7694a0b9

SHA256
01c2ccf2a95aea3a4bd31780ee599ea02d50267779f5936a438f211d068ade3c

SHA512
eea06eb7f1a38c2636912635dacf6ac2b6da402a09f22e218dfd3ae69ae342d61d2245e59eb5ddfcf8b6a9d67eef3810a3f8b7c84d332a1deb0942fb808ade1e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
2aa2f0bcad303bd623b5d533d50a2021

SHA1
6cedd76739cf89930e1f5ea77b5a9b028061a75b

SHA256
53d071cfb8336a4a34eb4b7f071544cdb3ff152f83732e186f1c5fa708fbf202

SHA512
f15e315351fc2198f455db39c27999cf1a5a5694beb8b3eb621c91f39905aa9b9fc2bd2a1282b127c52f149263ebe5096e18df19db60ff62eb9a217f596c05a3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
aa0f4f75d7060129757142bf0227da67

SHA1
ad11711d113149ecd35f2b9108f63dad7cbed145

SHA256
bdb1009541a6b9c0a611b704fae359e4f26a0225e634c0102e17f0d826da8d65

SHA512
797b11ffdfacad18cdd084f1141c61d600d2c631c1207106e8625df2dd5e3df98d627547248edb84328add90977b8fe4cb0e64a40a9837b987a5640cf9b72688

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
fe8879b91fd813e338e5514d329cb582

SHA1
2d2644eb42c1bee7a3aaa390a71934edf3e2c06d

SHA256
60ed4decfa8b2600e54350aeb6f6a5c5e3c8b7f2b0719d1644df1f9caa5f2681

SHA512
be1e13bc854634a24d088ea0f6ef2028df44415d3cbefb5f269e58b6082625079fd5ba9d2050509c9dc6ee201b7c16b5f0574eb293bd3e5c6b249efab770c0b1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5ecbeaac373beca531bd8375e6eef92a

SHA1
ca6fcdba35b7cb0bd7dd21c5656654f0e7fe8f82

SHA256
185ed4c70323c61d9e2e230639bc713bf62c7d1d088740a8838e63e0403461b5

SHA512
58a3b279acc56b725f6b0b7384e8a7214693824caa6032676b8af43e38f580de03f1deca1cea24918cdada2f3ddccfc773d2a51e6c20fb2f1e85b12b2cbda5eb

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
435abff70ed4b8676e9ac5ada4b386d4

SHA1
b45efe02b92532980e03114c4ceb912ef4b64cdd

SHA256
bc9f09a738d41a40d3c91c5441c36879a2538858805a23d3e3b1f36a08b7775b

SHA512
361b8e23a48cc6dda170197a8ad2515c1b001016ce98966f6986cf16eff94d3bcaf9e90e50c6a4212ffab278d510cce652b662a1ef3ee2410eb73802a68bf8a2

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
0109f8875b37c936084af2de9e0d9c05

SHA1
eade82ecd0f2bb1a2a3ce9311d71d9b70ba990c3

SHA256
adcb96a773efcaea2f20dd7338e6c0a13c5092f0090465db1944aa3f3ab3fbe5

SHA512
31897aa82c88452b2d7d8586d235b74d16ee87798eeb8268fd1054467d8fd9808b7b1fe5ac682ae7a5ae97b5cf0ee2659281e3bc8853c27eba1a47b9e2d2c4b1

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
3b4fa4b5448b56a8e6f2b36804ec1de0

SHA1
68c32dcc329e5cd87785eb5cbb302bfcb3513de8

SHA256
4bfe47727e432f77b9a56c548bc0eee8f8e3b96a666219ed696d094e70c84937

SHA512
044499564dabd72eac3e58f4a2d8dd1e851bac007565ee448f6613021bd056964683b6414a9df8c030ab55520300c0d0bf72b1cefe44571fc4ab8421df5a513e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7b3318a7756db793df773ec77df56c54

SHA1
35f7350d4cb5df064d3131a5dd7cadeb60155642

SHA256
50d24ea2201f2031eaff15f3f1c1ea7a05ce78fdf023e70cf40c3a0d9c03e86b

SHA512
fc9b38b5ea381c33dd906726d70530073eb70ad509e3181f0818769eae65efdd510fa2ee9d4d793c22503bed6105022e83e0d76d934bb7605737f7395385bbb1

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
0d5cdc2729d221445155769dc40ade38

SHA1
d8b1d8348e0f2ebb04d0844ac1ad9a13bb16653d

SHA256
f42386ce32a5496180f60fad17bbe910d5940767dde41322011ca4d0729ae5ee

SHA512
baaa2508986ca7e0e924fcbea3a565b40aed5f384a0915f43db8ff63ff4e0f274a0a675c12fb073f402096455f7595c400d4844f19be4e3160b9febd9e64c5e6

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
cb40ee2632c403f5231f086196d7adac

SHA1
ef03cd37ee35fd35ab6595601ef410cabc20be6a

SHA256
cce79a4536d63cf31a05b31db308d25047ef3de6e9e4abde5caef1fbde9b6a14

SHA512
ef21e2f5ed9d40d6e0cda20fee0fb4dd84b453d84c802b344b0f62f753084ca0c0121014a82dea52370bf82235d533410cc1e03d9b74586c52bcfc6163726646

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
1d84c1ba796758d42e1c00bec8c55a12

SHA1
d4c7181ec71e80fb2143876b5d64501ea2589bb4

SHA256
6b3b22bb972bc585fa497ec7801c58499726e8c55031c1767b5d0d0691c6a39c

SHA512
bd6e32e06c7c51ffe76037c4d8440bd3deb9fe24a562bea83ab2f05808c7e1bcba2af8d55e59da08bac1d89999e27f8e87cf0b2bc02e40d4bc4c75494a8e889d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f151469ace8842364bac4bd89ea763d9

SHA1
893bd7236829ae00ed4e70d65c10ebc87e3a1f2c

SHA256
b47e23803d1e3f6de0a2b96c422908bf397f97181ffdbc0d24d92d8c1fd64668

SHA512
3e36266da94edbf4565f731fd0f9c197330dfe12636a1bcb1f773e77d69c2a635174bea7068bea16779062e9e2e9cc283abaf79613b5bb3c765faad126d864ce

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
b9321741529238cf859900dad1e86fbe

SHA1
41e9d3bbceab3273190ac452f2d40d6f72b65519

SHA256
967bef8e712cb17aa1ae6428673476cf1b50d655615749a23ce8103da62bc3e6

SHA512
6d837d1e377c969285320343fa934209841f03bdca0b8a9fb892bcc2bc987047f1f61df37f05c43e55394c6f1a93713e555c382f0ae9341b4ceda296932da26f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
9be30f6bbdf9c5e4bdfaf7c45375dff9

SHA1
425f95b576458970fd02e12e57adb7ff641b5889

SHA256
73dc1f6cad220b58c1bee906958c73509d1e626f4b8a2daf5654e6dd63ffce49

SHA512
9ea7d50a2533478f60cad7614644219654598b00fea85d78524c577f86a8262023de94436b4ba0f6a756cec97d955e4cd4b3b777e4338448ecf509f5630eea77

Download Submit
memory/564-422-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/564-432-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/764-401-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/764-405-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/764-392-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/764-406-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/880-274-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/880-276-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/880-264-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/880-256-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/880-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1140-35-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/1140-28-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/1140-29-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1140-36-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/1140-231-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1316-350-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1316-296-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1316-285-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1480-239-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1480-68-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1480-67-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1480-74-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1532-409-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1532-419-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/1532-468-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1780-417-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1780-360-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1780-352-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1812-366-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1812-430-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1812-374-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1876-386-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1876-312-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1876-320-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1876-377-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1908-325-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1908-334-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/1908-391-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2056-448-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2056-457-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2276-59-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2276-62-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2276-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2276-53-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2276-52-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2368-280-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2368-333-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2368-268-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2536-1-0x00000000009D0000-0x0000000000A30000-memory.dmp

Filesize
384KB

Download
memory/2536-0-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/2536-7-0x00000000009D0000-0x0000000000A30000-memory.dmp

Filesize
384KB

Download
memory/2536-11-0x00000000009D0000-0x0000000000A30000-memory.dmp

Filesize
384KB

Download
memory/2536-13-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/2576-244-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2576-307-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2576-251-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2576-246-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2580-444-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2580-380-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2580-388-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2784-300-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2784-309-0x0000000000610000-0x0000000000676000-memory.dmp

Filesize
408KB

Download
memory/2784-364-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2860-435-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2860-445-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3212-408-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3212-346-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3212-338-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3400-16-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3400-142-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3400-15-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3400-23-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3400-22-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4636-463-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4636-471-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/4848-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4848-42-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4848-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4848-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download