d6575e46833b4b5cecfed25858ed8bb3a2e02219a004828a43ad5fe0efb6161b

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 01:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-21_350c5a5f095537b7da2b2770462e09d0_ryuk.exe
Size

2.2MB
MD5

350c5a5f095537b7da2b2770462e09d0
SHA1

04d3797805b687b121f33653b27435294098bba7
SHA256

d6575e46833b4b5cecfed25858ed8bb3a2e02219a004828a43ad5fe0efb6161b
SHA512

eeaef686539a9f02e14e9a96c0d9a21fd333fc0a32fb15fc7f52e51a97c68c6941450a27fe1bf1a18ef5ad9a2459931b363fe8780b9dfbfd7bc80c04530a07d2
SSDEEP

49152:vNl7soq7sQCc1kyG2xHywRfHIO2Ts4bvDj/i3da1YS6ozB:PD2311kaxp9qj/iyB

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4104	alg.exe
4948	elevation_service.exe
4476	elevation_service.exe
4196	maintenanceservice.exe
3452	OSE.EXE
4060	DiagnosticsHub.StandardCollector.Service.exe
2564	fxssvc.exe
4552	msdtc.exe
3860	PerceptionSimulationService.exe
4684	perfhost.exe
1552	locator.exe
3156	SensorDataService.exe
1252	snmptrap.exe
4024	spectrum.exe
3716	ssh-agent.exe
3520	TieringEngineService.exe
4848	AgentService.exe
3500	vds.exe
1744	vssvc.exe
3896	wbengine.exe
1052	WmiApSrv.exe
2812	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f0fa36bf2b574d51.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-21_350c5a5f095537b7da2b2770462e09d0_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{6AA169C9-EC13-4792-9A6F-B1B56AF54223}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000009858aa78793da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000075f9bea78793da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b5545ca88793da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a26fb5a78793da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009845eca78793da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cfd1b7a78793da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af0bd2a78793da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002dbdc3a78793da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4948	elevation_service.exe
4948	elevation_service.exe
4948	elevation_service.exe
4948	elevation_service.exe
4948	elevation_service.exe
4948	elevation_service.exe
4948	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3128	2024-04-21_350c5a5f095537b7da2b2770462e09d0_ryuk.exe
Token: SeDebugPrivilege	4104	alg.exe
Token: SeDebugPrivilege	4104	alg.exe
Token: SeDebugPrivilege	4104	alg.exe
Token: SeTakeOwnershipPrivilege	4948	elevation_service.exe
Token: SeAuditPrivilege	2564	fxssvc.exe
Token: SeRestorePrivilege	3520	TieringEngineService.exe
Token: SeManageVolumePrivilege	3520	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4848	AgentService.exe
Token: SeBackupPrivilege	1744	vssvc.exe
Token: SeRestorePrivilege	1744	vssvc.exe
Token: SeAuditPrivilege	1744	vssvc.exe
Token: SeBackupPrivilege	3896	wbengine.exe
Token: SeRestorePrivilege	3896	wbengine.exe
Token: SeSecurityPrivilege	3896	wbengine.exe
Token: 33	2812	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2812	SearchIndexer.exe
Token: SeDebugPrivilege	4948	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 3204	2812	SearchIndexer.exe	126
PID 2812 wrote to memory of 3204	2812	SearchIndexer.exe	126
PID 2812 wrote to memory of 3128	2812	SearchIndexer.exe	127
PID 2812 wrote to memory of 3128	2812	SearchIndexer.exe	127

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-21_350c5a5f095537b7da2b2770462e09d0_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-21_350c5a5f095537b7da2b2770462e09d0_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3128

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4476

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4196

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3452

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:752

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4552

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3860

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4684

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1552

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3156

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1252

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4024

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2468

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3500

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3896

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1052

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3204
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4842cddab3717ebade215e329610151a

SHA1
af6e5e9a9a2e61d8203b3cd511270f03b0395350

SHA256
0878a531cc9ae49d9fc72d7a61c04f44b9202fa9070346505fe225ae1bda997b

SHA512
2117588f0496cc5f1434210c3a2978e7cc6e6536fbc7802377d05f1472bc5c3d7f64a95399456a4e37cef213a75df368ed6392317c5936ed0a58f58927955de0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
a9731b60c35847c4fdc09ca73de1f9c7

SHA1
071883affbd12eb69aa6079afdc0c785d58f650a

SHA256
79ea0492830a3f49f3e68e1a4da505da00f58e9f2cf51d2f9d6bad7311e517ea

SHA512
f9c15c3e8b8a9fc72c208761aea9e17b1fc5e7f11f5a71162c20502e7c88a23486808958f3b8846a7d268dcf0b2d451ebc11f55d169732b9f8c334a2241dc5f5

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
43aa9eff1ec54cf770231bb0d745950a

SHA1
416ad9980343203636594a60ae38aec445ac4698

SHA256
6b5c10614acb5b763224adc37b57357a31bd98a3112205ead6e07f019f0698d0

SHA512
b112d070729648ef778e17aa0faa62454520de31abefdb3511c2b1bbce022fa4ade42bd295c6514e4d6323462fb3fdf9afc5553025edef3fcb973502de4aea49

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7cbc1b4f0b849ab7febf8cab1e44aebb

SHA1
931f2730fc6ed479f8336791511b5963990eff35

SHA256
fc530d8a10031c4b39884e73710bc1b4cbce31c61bd96c24dd43dee5d07a8ee2

SHA512
425a8a1ec2b5d486a7026871f33e777570d0fc64f7d3ccc0800e7a1b1151912c61867e62e82b3e5b43294497f6f569adca5d38130c7e47cb81898d2614be25bf

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ca116b2705aac58e93c0d93a0ec143e6

SHA1
9dd99ae3018090b0b682cd99c8c2261b1c487613

SHA256
d6862dae6da64d6f1859c57626714bd683f91aa29fa31fe4159d42af5b5943ae

SHA512
8a3ec5d4da57402b19e3e1820d4c31ebb7d7fa08fcfa195d01b4ba9e8137033b120fd4bbb64234a8f53d556dc14774583240ac3dcfa62c003b86a08f8d70452c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
53f8699fc212a93d85b9994140f913ea

SHA1
a7b9dd6afb5437321a9cc15ed356edb06053a26c

SHA256
8f9170959c4e341e2a0ec6a8b3c26bb2b809ef4c90f2aed81492dddfe2d2ccfd

SHA512
d5b3927126e61166a8c425877101e5a699fe41c87826b537135bc0449c7d02a1063454bedb7714b47c7e7d02749fba6b183f3c3e6eccd10dcc98cfab8b1efff3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
52e4579d7a6071c60f666c5879c9b1fe

SHA1
8735f869626e5f78de45578aba8f5199d9cf137c

SHA256
a2511563d056669b07819b8eddb73827bbecbe0c1634933574bec7eaa9078987

SHA512
881ce546a2f184049767257d2cddb233a7358e65a260eaa46bfebcb92b9de7f3475e597b4c0a9050c54ef56f1f66fcac725f67d1334e5a23cddc7e122d20b4d0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
40ae960723253de4dde6a61d7ac547ec

SHA1
435a59439631c8afb9ffc48cc12cad7dcb21e540

SHA256
219645ca6c3f655dcdb2fc122606a04183c1d19b6c4f5080e5ed158359c639b2

SHA512
5a467ac5d8ed1b23fad58e63f119a098da3230d26a21c8122e1974b4b2b651f3a3cb401521d4c430503eb440082e7d0c6bc3f56ff853f87e6fa502e0c120b7bb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
b0cd205dd5d25dd53d51db21fb1132d1

SHA1
139d2ba0ab28c733ca9672fa90d727369e516106

SHA256
6486f695f5a0021fd0ef4584022bc158b36107442dc214256f59264cb294c20f

SHA512
c7502f0b7ee314e264f368c568d89e3df0102f6d70a8773f6322359b3e6959e9c38b130555a6fd157b0dfc163f02e5140ffdd56daea4363ef69f812ef3a59348

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c1580961eaa6916884ae73bb42386dc3

SHA1
acbcaea6e7bfe249764181875da0396bdd7c45cb

SHA256
23bda1ed6140458111cae870dccf4e20cda53b09bcd467b0631ce66ec28e4d5e

SHA512
5972fd3fe56f42f5ee30e850643f2a4d20be7a5f79d541dc9b1357d77e3c6bacd09415c92e272cbb7434f9719f2d2f6089aca2fd2a869dbb0d451ffb65de8629

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
bc5239171cd69a0119ddc85144e5b967

SHA1
9e74fc4aba0a0f9ed093f1a7619682df47d0b45d

SHA256
22c1ad86836034e9c54bed75e1779455206e5398238e21d77f4153c4e59c40df

SHA512
02b1a868a146c9cf39ee561d5a04862bd966ac9d3e29c80b78502dfd1edee05996e3cc6abfbe4107a9503f26577249fadcd9ba9b479cbe33f9c61bb78ba59b8a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
0ebb0d678ddde5b068d81dd78980c97a

SHA1
2fdc0af54507bf34cad6f846b9a3cfc0655e59e2

SHA256
668fb615dfe259592834e5eb18926546bf1e39a61086074ee8936bbe2862ae5f

SHA512
bf563420063419db249f49b36617f5b17b201442b792e76b8fc6ba58b405fccedf53d0d2a4a5bdfe54a963bd804eac20a4499adb7af877890b46af783cb62677

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
60c1b41873dfdaec13aaf60b07923955

SHA1
2b17ebe30e951d16f6d06a99dadbcf7bdec2dfe1

SHA256
c3b118f5a523c67f835def60cc723353a20cf89cf25a137346cac596ca67f49f

SHA512
fcda9fa2a41fd42eab1346d0af94bdfc7268460da2f3546845ea3ca1a63c9e38ae32231d449a2bbbaaf52eb1ca59ece38cc080482abbdd456a75ce35339765fd

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
d8b2ab4591f377681f38e7e9aaaafe35

SHA1
bccbb7171937cfb13dcdc89fd97e553ebcc69653

SHA256
a81e8f1b1bbc4a10ad6ecb1b46b64d06671d3f0be48c892ff1fc145304a03c52

SHA512
e3860d5813d86fe3a6776ef70d116233a933f8a0e46905e2421d8a2cfef41b87a693e0fc39a0874f109c109e6b19d07042cb699bbe56fdb2f2c25cadae42ff51

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
9e45284ac4605efd14a580c1b9332a14

SHA1
9289f953e8bf064930674dca1fcd1cf491a9fae7

SHA256
14c15ba725bd29de1263be18629d718e8d543d049ba1aed50df1e38983401372

SHA512
755a7e67106c506a4742f9017b6b604e2a9724a8813e47beacf7d5a1cc5b030d0105ab94228e46b16a20a8bad52b92f7a68a5cb61675052b62689c3206eb6571

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
d827254e32eaebc8cdde3f4597d7b061

SHA1
dd8d2511fc164506dfe975c6996a33fe7c561775

SHA256
1defa335813490a206ba9259f7397485634bc9a3a9ed88c72b8aa7ae1518ac90

SHA512
9545adcb2e1edd8200d2afa71be94509c50b6c668fcc5b11c41b2edb944bd45284db78ffa2b8fe41566e3ffd4ed2b998f77d1689646dd621ff89e5c73fb80c9c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
2ebae799fe169c3b8d14e162f5a85209

SHA1
62eb39be3925df9311e582c66f3237f550a23e6a

SHA256
df9c5020b1ad7e04c724138a09c365ca046edbd1dbafb5873fd65c6c4e4696a0

SHA512
219d6bb0dc47f409e72508eaa97c04652147aabf45c3fcf90d9c3b4d63683b1d0687319667e9d3a7ecd30f17dbb38038dcae9da5967f16a485647ca14bbad040

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
9d022a387fd41ccd464f89010dc41e0f

SHA1
c4a1761217b89f0b22b80f3f4ec7ac3463726f13

SHA256
591e32735503bd3eb77f59d3c4972c7fb70835beae24f67e9ccfe895616b2462

SHA512
0d4f25734f92b253fb77fef9ac8517c421db7c2d1d10640ad5d0f5ffffd72bc2826fd9513d64a1156835e988bfd6a2a661e1c6cbce874eb9ddc3b8e9468cdb1c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
52924a85f4baaf1261d2703fffee687a

SHA1
e909eec005981d3d6deec027f2a6bcaccbf901b5

SHA256
04f514cc058202d8662a6acfbeb0216936ae35363e877cec6d4636eebe982573

SHA512
10ca7cc5c7e9d4dea847ad50eb237bb4b3b627149f52ff4b1116fab24fe2c52eae3720e75d685ed0b3022935bf2fc9223560df5ddc8267cbc2e7bcb312846d96

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
c81e56aa8acddd8e9233b6d60efe2a50

SHA1
a1f363462d78a9c322288729b8425e41ec55d2ba

SHA256
9d2d67e5bd6400221f598d71ac7bbce51de5e75933c02f0b5b207481cfbe0a50

SHA512
b9b555b991b8cb40f76181d1cd68e1deb202a39e592a99c92be31c70880d1c134495489816f64a43e2557f1d786f752ec1d727c475ff3e0619429e6be05f6021

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
07e6bfceaefcad4228be6c10f75e2b4f

SHA1
328eaa352e9b6891cbb74a2c93b39e57d0265050

SHA256
cb1f430072b4d6241a985525f0abf74998c0e9c760837163c9d5f04a52b93d14

SHA512
86558377205d3a2ae63186174b8347c71401ef01e675584c3dca436b09901dc33ba353a2e5d295674c938ea10d033826a62827aa99a95206fdc29e618c7ed08d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
d2a563ef28afdf20e6d836788adad291

SHA1
4b6fd38f8e7512d2eca689d895fb62e4bcf61ded

SHA256
05df9ce5a91d520c5c904ab529a29ac0c2b60d3a3d2ac89b27e3275a1b3f6b92

SHA512
d07d54dbaba6e3f32e610ca1ec29cd7a633c75eca8559dbdb4c3b4e47ad352e86aaf4f1a8e18ee39b517812d83c8b8fd20d36da390325db21628189795447a54

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
a0a4a02d018e0c66b7260cb9b3125c38

SHA1
bfa57fcfe3ffd0a45999108049c20ecab7f652d9

SHA256
1552508a0040fbe617f43c8821877e416ada2c52ce1499664b798f11243e0696

SHA512
ccfe65dc809ff7838c118f7b505f3470501c25c05027f43f2446945dfb6d6f3b02448edc8f069012611bfc727cc62f8ac699157aa5829a05643b3f6f3abb4285

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
6370ccfcfd969cef268de0c55feb0d49

SHA1
313f74c1c892c039aaaac36e073e4daf39504d48

SHA256
53791cf158388ba83db315c683502ebc264881e5495ea3180510ae77780d6005

SHA512
2572e0cb0e2f7c39dd3ce65018916e482af6907d9adfcd2fdaf8dd72ce93a669c61783f6f9908bb3b957c268813187c79c3d7854b2a0f2f2e4df4bf6b1073bf0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
9d255d50c34ad4fdffe3e38231e66987

SHA1
8f89b349e303acb76bf68e41f0ea49daa448b1d8

SHA256
214f0deb6fd9654e71d084b15ce7aa7721bf6635e66805316449ef95d0e890c9

SHA512
b0f60617d500504ceff5008cf4871c1fb9af1004a2bb7df48272a05345d60a38edab8545847f01922dca6b436e4e8b6a95084aaee57856eca69e2f50c2e48e31

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
36de8e8c1c69f6ccba5bda1cfe79fdf9

SHA1
371eb8c0e01ed0e340efb35c62b3d5f545b40583

SHA256
589dd3e90426b8ad1c9f352b90c25029af82156ab5fee5d58abcbe3133ed4dbd

SHA512
152e75d8bf206c65258f8c55f5f43e9c1edb81115cfcce710c15ed9ddbd6d93d36e651c0814326360de7a5c5bd46f4b4b186eaac70df9b248775129a3cdb5951

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
aac382915c96ee60b7fa7e20fed79ef4

SHA1
ea1dd714bd5add77bf4e6bf9b5ce8b0cc72f73b8

SHA256
82707502ae4d5dd53dac56fd687c18322ebc8d44ed266cfe2a5e322c8ff94c61

SHA512
7348ff8aea48ae39284792e50b1c494b162afb326e976f11bfeec183d2b17e9e3a70c4fab8f9ed361db705f94f87117d243c236d78b67382efa54ad0b3ffbf74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
a9bcd8bd4e6e95c26629666e285dd105

SHA1
14f688641e1fe6d42d6dc56c74f14e6ac3a25ca0

SHA256
d99a8f95aa3d144e97d2f90727a3bd7b025d25cac1ed9bbb255db387251ace58

SHA512
44da7a276a17f70a6d788dae428737b54b7f6e7d6334b8f75d66db1de1dd25ae53c357aa483556fd9534a17fca8e9f5f2b50fed9f4e3933453b307169e8f5033

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
5ecb4f5b0302cb3a131dbf0ecb0e1dda

SHA1
58f278f04bb1fb6535bc7039c80a0185081be923

SHA256
1730163e35eb2d0dacbd44501f4aed4a4ba686d82f8073e1a04e9b0cb924cdaa

SHA512
b0e3c54712657bc0686eb41da60da2f298025490ed26a36e977ba3f6c051222ec836cf400954ea585c059a28eff580a66ffa1217831dc51a817e3da15d62eff6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
5854ab6627dfd03c83df9eee5feec703

SHA1
765abbfc30f652fe3cc80eb02ffb4a2e00c9ca78

SHA256
372c45136e38188bda75666d624fb8acc247a0f6a10b8ceced8e762f2adeb087

SHA512
1769f995b4681d2ca7d76180f1ef9303a7e4f00860e8c101158f38838efb02edcf297e391eba4aa272c983eea2ee65c4de693b24cdf1670b1be999a7c0e63149

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
42827805cdee6d178e006d320a76eed3

SHA1
4fdd49e2a00c1484d8ad140353c5183cb8393684

SHA256
1db3fbdc2b59aa06e68e38a16c23be287fa545bea66f93b1bf18d7f943272eb0

SHA512
17892e56dc4880abae13465dc393a587cbd030dc67dc3b4d60be8100b6c67e1dc609ec290cbb807026b1dafca99c86feb486ae5c21bed42a7d37462e1a4e9295

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
6a466c6946df07d90c52d5ddef7f9611

SHA1
cc8a538c79807547338cc4d8a54891bbb07dcab3

SHA256
54acfe2a63c9599a07de0c5df3ef08e70450d9e96f67286b0c7038655caaa6be

SHA512
b9583dd452d6c15f02783ece22c477b84648d5f10e091d89bfeed4337a357bcda37b783dde47ec8ce77712a5b5c51ecfdf82c4cd76a21de98c91ac953b793110

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
76df64f9c0bdc629b7bd081f4dd29b6e

SHA1
eb84a7f3bbc91622f1066bb915e2b951591ba7e2

SHA256
d4273650f1dacca2be9f93e221d9fd8a1857dc8d4cf3911a86e206c885ba13ae

SHA512
dce260c443572fe6dc25840b11867aae52011619cb330f97a1cfc8e49b9d955d2c177aedcbeda9314accbe35a1828f639e0d122bcc511dd6c473e2aa8b5d6c82

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
f577fcf9bc59ffc08004d9f0dba34c5b

SHA1
e3b71507a51abfad29300d4c939eadb75eac7a05

SHA256
7431ab74a3cb6173356c2e63edf71dc28fea755331c3925e6b7331744fb7aabf

SHA512
d72e45634e2a2b84351bb95809624828f7b8bd311c0ae1fa06b15c9d74013da4e9ad84c4bd3e491eda91ae0b3ada7e557e34ba579f86a65008ad9203ab84ad3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
5ba3012b47d62207bbc8ead93b7204e5

SHA1
e912afbf1d387f9544d3c81bf25edb3fbaad9714

SHA256
e06398450ee5e86bae268a3088163891d5da4f2adb1cb16d3a13fd5706a32266

SHA512
898daaf0fd8ecb9a35ea2dc2615e8bbd9d196b2533b269d5661f7590038de46318ccd3fb5bb4bcd0b97674b24639b9a501ede8a80e11f223a407fdf2ea48bce5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
af678df4d4f140010f71b2d8c6e461b9

SHA1
564ceda20b1263ee989fce9e8d13bdf9c986b1ef

SHA256
399262b7ce912ca1eb39df6488814c72aa1b5c6b2d526fa2b06b12b022165675

SHA512
a3031e3917d086f269d4b63529205978b2df8ff7eb03bba7a228408b544969103aa5ca9214c43412f3feb92522bb22ae8d9320ffad674240763e991fd80a864f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
77bfbbdfe3940e9e8ebce7617ca82040

SHA1
c5b8f82554dcae38f0d24cd45fd33864916c016c

SHA256
8d8ad572fab79d18463cff933bad3295f7f22ced15cf14d2af67cf0976b236cd

SHA512
2b309b35d098bb8c18076ce40bb238c5ab3db7cb2f87b1832ad30c49d89da3e74c68e086ad086fd82af8cedadc50daf90ad330156dbd9459cf508828fa6fe477

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
e3a7d5001026ce80bf35a9e318a3c220

SHA1
f5a0b9ba341562a55d15c245de833f419cb78f22

SHA256
c67b7c2893c3a1be2e95a225f3347f3529117c0c8d45ccef27e63ea920d2c6c6

SHA512
1c2f7136d652cc01d0fed26bc1942e6f866aeccd80bbc621540960049da20fe42b8a79ead42d9830a85c041ff2298800369b6f51606a90fd4f7ede5a6699218a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
41177b2e4f0b13ba42251fab1c461cbd

SHA1
73f50205c8fbb1538fc575a4da0bc9f756d46d7d

SHA256
a8b1795f98176255055bc99286a6622a1438dce9a2b676353e1154f2e1a3529b

SHA512
6e113d93bc4ea9fe7111c951aaecd1226119e068db3ad809cf169570a49017075ea8d45126c3f011b43dca05411f3e7ea8c9f81a0da4930520fddc80c51c06de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
5c51a3017f4a15cdd00bc6cdb295816a

SHA1
ea2da6c550e6bf4b71ae315eda7c2cb95a6b92e2

SHA256
175f7598907137e11747bbd043cffde95d931bf4cdfb8876b80649808a74a5b0

SHA512
b36abab6fb62b7229c2810dcea68091615866d767feb049ee1db000395ee33c72e830c9f372034a78a046cf5f5c09fedfdd384af7cec21c1f8d4b9067d40908d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
31d5069f0655b0907e27d73c953fa260

SHA1
703e80bbe3c00402a551f94097f76c7233d181a3

SHA256
e14f3d65f4b2825c185e398378799e7355fafb687f6cf07b87e84eace129c745

SHA512
08602c36167a9a10dacef193cbc7aee7af8afaa514f1860b6d3fe1390fc9bcafd6270615cf62140eb88bcf2c35cca673ca7361007ef70b0038e81eb87eade43d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
0e2f44ea568a72e6f9b30384fb6d14ea

SHA1
ecc78cc08d54d8304eff8f576523dcb80f4b6931

SHA256
a37d923b5e07123a7c4618a271ab39e9fcf3f1c082d0ae3d17cb202ec95c978a

SHA512
a1aa797469e43366cfc16592c44322812a02dcf35537d189fdd395a8032af1e627812033d6497f0d2a5e0b6605e13c018b304fff2e91dc71a67e4e1391dd7a29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
f98248cae757f1280dbcf1d305f6a1f7

SHA1
7276d77c5c254098a7733e0025bf3d69f4a2f96c

SHA256
52b1b8ce57d3e2ad533602309c9c4f17e2a4ee6928ad0fb29e63b98662ac6e24

SHA512
f207660e2bd43fae669d89aa13d4f955a38a1a129e9d338dee01ccf0dfe59f6383b542c2ddc9b7ed4cd4b64a45069ce912ee81a16fea6bdc6a7239fe2efa52e9

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
bc775844d0c316e552b56fbb6289081a

SHA1
7be0c89168d1fe799eec680c11bc71383b48fbe3

SHA256
080051475feb461e628d852b91cee7cd2da4cf5d570f6dc0bfb54a5538ce72b8

SHA512
8158131cfc9b0ab431b4cd2f336806327f0993b49fc7c8dcdcfc884431baf0f619d6f6c6bc857735c1a318c1a7d85b566d5390475b7c6021c7e526bc35f0dbfb

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
5e37971be1a0df5d758f3585e89d5678

SHA1
f33f356dd687b1be33875b7d1c29a00847063c3e

SHA256
96e287ca28150d71c88900e6e2076d2504de69291a1b925e06773f8c58ef68ad

SHA512
b6440e25cdeb5395d49bbb4c740bab192609382b9a3bd22cc78992225100183024b74593ab620b6be191d5fee4ba2a6c92883f3ab9f68719a5bb874295d82657

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e35da779280def92194c9cb2ce6e714a

SHA1
ee695b3b42f5f76f3c565ba92690320aaf138a11

SHA256
93fa19a7b4e46e66d11ae2f79b05bbeb4a8004de93ee6448bed05c00601954c5

SHA512
3178792fb39cc43d34fb33a78163c5900d7fff2bcad03994e19997a56cb81839ec6720cad156a4ff149d78b17f57db35e3cd3ed88687351bbe8dc6cfe28404f5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
9fc62f4868cb6926ea852ab6508e2b2a

SHA1
d64eb2a270866ecc4977d8a05e8d9d2ce5611778

SHA256
aaa346f8e1d1b169bb5b904cd85c118f8d2de39d91237bc96f338e7e998f2793

SHA512
073bdac082a4fdb0f0330e4972d0420e4278024ceee466ebbad11e75ddbd12893d1bb8c6d8ca46964534c526af5d3107b626b51eb80b96db7462781c56b683f8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
cc7174593a8094c106c671663f92bf96

SHA1
7dea336e6fffdfc88a9ba8b891d1efa4ba793227

SHA256
afa03e464dea6af34f79dfa200bef2e5d03ab3e13f568865ed3818187cafb55d

SHA512
4ee2a8432fe0b93a85ae3c0e7941561d60ce1dfe2ff2f0818584291354785fb10c86bb48ca242193165d675a349c1735f5f421a65c1e33f6065b4145622643df

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
35d01aa76625630385826be633278917

SHA1
92cd4910be4bb3660be9393cbd0422059c670e4b

SHA256
71b4e779f2d0bfbdeba151cc7225984715a32ed0f87ac4553a7847626286c0d1

SHA512
ec740381704441e7afd04173db9f3c890f6c49a659f68a663547255c08760b5dc4e9b7d38aac170e490cbe1763b3950561fa063066c6b9514acec6273e51fec0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
947921214667d75489103a0045793234

SHA1
48e3eb59fac70118fce09679a343de13fb050282

SHA256
f17cf5e0a9a23078e558d018ea9fe8871e9c5f690ecce53054af730d813d3dcf

SHA512
5d53494b737242d3397f677c72ffa7c2dd8ad71753ff78f76355806221cdcdee285c3c03303f5fe88936419031fabd11f035a43077eee1bbd2fb2ab2671e16b2

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
3d75ebd8e390a74a9f11fe422e52406b

SHA1
db9e9a575a17423f9157e8509bc96a6c9f356239

SHA256
fd656c724d1d1eaf218cadbf9a2925dc76becf6f0c2a7cf2fe7176547b86a63b

SHA512
aecc21de2f42694c0fad0344a30cc58bb84ddc7efe361000457eeab59ca2d6343912a6a7a0d4451564e0fe65be2b5406c43fe74c7c9067a62562d7eb51c99c4f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b6432378494c959851c2c87872ebf30b

SHA1
77cf2d74da8ad4106871a9a4066aaeda8d7f6895

SHA256
126b8641840b106d49038c1e395da1ffbbe19d6ec924d50f575e6ce260403482

SHA512
c9ccc5b59c6c316f5705a5b3dac61aaa720d0cab5e7d6db4d9c131178eaa51b624bcd8d3f93ad038d3fcda9efbec376dbb8b8ec358ad97cf7c9de0b9566416af

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
808ca16c41e04e58ba714fea3b0d1ae2

SHA1
b1c4b1ea286dc3791923faf1ef7d97be6c9bead8

SHA256
be90f25ef48e520442cacba360aae204098ad10d1e8825656c7a9bda879f084c

SHA512
838dc6137528ac00370ddfc3722476e9ba1f43a7f16b8de4bc796419371dd340cce15f6386c6e0f1603265a948a811bb816da00e23101a78de2d91b107131823

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d05e4ed27a50702a54217f42c78641f6

SHA1
fad03f2f4d1ea5e54d61fcb388cdb98ec154974d

SHA256
953e84dfdda498a99ec766526a5e3803a48af14a86edebb91e51931826ebb3d3

SHA512
3f13b9e1ba39d4308b6c63632b219e3a34f13d6e23574297ce8e1df283fd9ca5316ba5267eb9551ffb4f753c992d4b85b8bc4cfd6d80916c126b0e9c855224ba

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
87dff48de5978da8b3ebb3ac5d921c68

SHA1
5d537df5d9a6ca6ec856b33bf7c0801117e07316

SHA256
e491dfadf7619cbc7606952a333110e1f17f943502265fb07e5960f430c3849c

SHA512
d4cad5d8a9e43ca7614027ddc69569cfb40a3f24279c861ea7e5c703fdac414864bd501a6a8fda726d4934dc7b8eb9c496a41106084cded67164d4b52dd80397

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e09daee8a408daa26a1e1b47929d0774

SHA1
0d384d7adbd36fb44cd7e677bdf313327a56050e

SHA256
e5b358061c268394ae12e086bbf6629e95b737e15240d28940a1e99ea69909ad

SHA512
ceb6d89737908a09525304cc6ab48b4bab40a3559081c67d6e5ab621df90bd36d70e4917b61e1601903f6194f9dd4d1a57105ecdab960a47fed0bae991fecd59

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
29710693a22d35a974387c40396eca9c

SHA1
d11637110a3c1b2fe1b35fcbeb26f19821dc45b2

SHA256
7cb434327b7a6ead1ae1f2dc7c22d2cd256f324312b2131c34a5e29e837662db

SHA512
2807eb870dc2f8dafdef548c5f7c3bee686bbe73c38c94598992d08d1673b2c2fc0855a90f5892b4f0933f0d392f2a0d99182097537f9f7d660fb296b1fad120

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
44450ad564d3ad44d76cc28beee2f9b1

SHA1
0ec55942179cf6375f170b59a8d0fe1928ab0148

SHA256
e835ce1866fbeb8137b321bca7c9fdb05d3532cd9cf4181d965a1bff4bc3dac7

SHA512
e9ac541c43ea6f252a2e19d73bebd3688a82d278bba667686d783e560d5fe9d32a900b26738369e434c991a197eea728f2dfe02258368df64ed4762221b13e71

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
50cef488f28730dcbbbf50f40df4371f

SHA1
c8fad9344090375957714bb3d2d28bed6b553e99

SHA256
a2946f2eeb3daead92fa6432b5b3b00447cb670e9852e0b3e05f98ff1d34997c

SHA512
08a2c02c0eccc22c2e1d47100f3e12e06327298f0f42c3baa91ca2df9232af329f15a08146b402429c7669ee5ca7a672bfdb57a73c3ab61dc3f505ee610035d0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
61b50ab7abcf2092c2718f0a59317dc5

SHA1
c501be6b8caee464fbe8c2ef3ede8167e11ce53e

SHA256
44ebd74b45f1f90a31c0f48b1dc79cc1474b37f448df0e0bd0b8c56d25d502fd

SHA512
803eeb41336ff55ab48e4fa70d7aee670cb4c23c5efd3a158b0c99cf2bb8a2ef4897ba2b1825112f2c4cd6e92043dd7710c34eeeb0ca8aaf2acedf5495dc9c2a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
af64a14611a4adbc1368ecfadd0ee24f

SHA1
5a7f6905dda1277bfe0cd264519276c0051cc78e

SHA256
3fae432023decd7f485ecacfa07743cd35f1e2eec28827e9d282d035e7e7e096

SHA512
4340cd38118806066d39e39ce1ef5a9ae9792eaae98f098f290227dac142770217f3127d9a864b9f3639f57c9754efe54866fd921b874a6ee26ec2ce462ad039

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
04a948ba26b144e384d65dc1b193a757

SHA1
73e3d4ce9b006b10865750b33683cb0081262431

SHA256
5a12b9ee686b8af9430e87c67fca1d34023ebf35b1a80d7321ef2a59ec9c4713

SHA512
85b1498fb8c510e2389f1e0b41ea062c120b89e183140ce9ae898cc80253e31a62f2e42f92896007d617b9588ff9ab8cc7d868439feb3e656c89e223b5a331ec

Download Submit
memory/1052-437-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1052-443-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1252-335-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1252-395-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1252-326-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1552-365-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1552-309-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1552-300-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1744-553-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1744-418-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/1744-410-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2564-252-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/2564-266-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/2564-265-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2564-260-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/2564-251-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2812-449-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2812-457-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3128-541-0x000001E3761B0000-0x000001E3761C0000-memory.dmp

Filesize
64KB

Download
memory/3128-10-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/3128-2-0x0000000140000000-0x0000000140247000-memory.dmp

Filesize
2.3MB

Download
memory/3128-554-0x000001E3761B0000-0x000001E3761C0000-memory.dmp

Filesize
64KB

Download
memory/3128-0-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/3128-555-0x000001E3761F0000-0x000001E376200000-memory.dmp

Filesize
64KB

Download
memory/3128-542-0x000001E3761C0000-0x000001E3761D0000-memory.dmp

Filesize
64KB

Download
memory/3128-7-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/3128-12-0x0000000140000000-0x0000000140247000-memory.dmp

Filesize
2.3MB

Download
memory/3156-378-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3156-313-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3156-321-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/3452-70-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/3452-64-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3452-63-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/3452-235-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3500-404-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/3500-396-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3500-540-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3520-435-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/3520-375-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3520-368-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/3716-421-0x0000000140000000-0x00000001401A2000-memory.dmp

Filesize
1.6MB

Download
memory/3716-352-0x0000000140000000-0x00000001401A2000-memory.dmp

Filesize
1.6MB

Download
memory/3716-362-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/3860-347-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3860-282-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3860-289-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/3896-424-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3896-430-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4024-408-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4024-348-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4024-338-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4060-308-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/4060-247-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4060-241-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4060-240-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/4104-224-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/4104-21-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4104-14-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/4104-15-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4196-61-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/4196-58-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4196-55-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4196-48-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4196-49-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/4476-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4476-38-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4476-232-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4476-37-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4552-268-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/4552-333-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/4552-277-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4684-296-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4684-360-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4848-380-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4848-392-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4848-393-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/4848-388-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/4948-27-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4948-26-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4948-231-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4948-33-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download