05aba3374ff4dc99f946b57cbaa70a90690d3b3507ab0b14f647de45dcd0b7a9

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 11:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-21_0fa3e638bf2b35c41af1d936627d6738_ryuk.exe
Size

1.7MB
MD5

0fa3e638bf2b35c41af1d936627d6738
SHA1

f753365ed5ba2041eb3dd6050cb0980744db8321
SHA256

05aba3374ff4dc99f946b57cbaa70a90690d3b3507ab0b14f647de45dcd0b7a9
SHA512

0f648aadc7f97dcb6718659a2db5b0003ceb441964834b48fd4e7f46a8fdd88d5b2aabb166dafe78527e1f82c866bf82d8fb6a3c8531242e2b1728dcf1eb5fe4
SSDEEP

24576:BTgnpwJ+R42JOt934J7Z6bQaj1BvUm9J:d0djJE3jM2ce

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3784	alg.exe
2928	elevation_service.exe
1900	elevation_service.exe
1692	maintenanceservice.exe
4308	OSE.EXE
1036	DiagnosticsHub.StandardCollector.Service.exe
2816	fxssvc.exe
4496	msdtc.exe
4500	PerceptionSimulationService.exe
3164	perfhost.exe
1044	locator.exe
1632	SensorDataService.exe
3856	snmptrap.exe
3748	spectrum.exe
3844	ssh-agent.exe
3532	TieringEngineService.exe
1656	AgentService.exe
3944	vds.exe
4812	vssvc.exe
4624	wbengine.exe
3996	WmiApSrv.exe
4584	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\59091f102ae222.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-21_0fa3e638bf2b35c41af1d936627d6738_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79750\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000057a71d9ddd93da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000001f80c9ddd93da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007084b99cdd93da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001abfd39cdd93da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a14d079edd93da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a00de29cdd93da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000076590f9ddd93da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c5083f9ddd93da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ba0b89ddd93da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008aeb049edd93da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2928	elevation_service.exe
2928	elevation_service.exe
2928	elevation_service.exe
2928	elevation_service.exe
2928	elevation_service.exe
2928	elevation_service.exe
2928	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	400	2024-04-21_0fa3e638bf2b35c41af1d936627d6738_ryuk.exe
Token: SeDebugPrivilege	3784	alg.exe
Token: SeDebugPrivilege	3784	alg.exe
Token: SeDebugPrivilege	3784	alg.exe
Token: SeTakeOwnershipPrivilege	2928	elevation_service.exe
Token: SeAuditPrivilege	2816	fxssvc.exe
Token: SeRestorePrivilege	3532	TieringEngineService.exe
Token: SeManageVolumePrivilege	3532	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1656	AgentService.exe
Token: SeBackupPrivilege	4812	vssvc.exe
Token: SeRestorePrivilege	4812	vssvc.exe
Token: SeAuditPrivilege	4812	vssvc.exe
Token: SeBackupPrivilege	4624	wbengine.exe
Token: SeRestorePrivilege	4624	wbengine.exe
Token: SeSecurityPrivilege	4624	wbengine.exe
Token: 33	4584	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeDebugPrivilege	2928	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 2544	4584	SearchIndexer.exe	129
PID 4584 wrote to memory of 2544	4584	SearchIndexer.exe	129
PID 4584 wrote to memory of 2788	4584	SearchIndexer.exe	130
PID 4584 wrote to memory of 2788	4584	SearchIndexer.exe	130

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-21_0fa3e638bf2b35c41af1d936627d6738_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-21_0fa3e638bf2b35c41af1d936627d6738_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3784

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1900

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1692

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4308

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1792

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4496

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4500

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3164

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1044

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1632

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3856

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3748

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3352

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3944

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3996

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2544
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d7b507433fb6fb80afd44de755cccf2b

SHA1
a1abd14a443348b8a5809d9a674c491413c6cce1

SHA256
923b760c39854d7bcf084f01a00a9f920ef21a0bec605ebe2dc338fdd86ae303

SHA512
641ddc9eb955e03e980c490a54dde357e25573cf7666cfc48c0cebe47ccd369161096d83a60ffc3ce0e0d2cb38d31f70aa9c81895f3032912ceb3ec34d2990d9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
8b6bb3bc7c1e52b8f1d1f133cfd8c46f

SHA1
f87454dcae653ece2c8ef6f6d28b87c46abec1fa

SHA256
cd374f55c2f7fad8a36a9a7ccc7a8ac2e7f4bfdbad356fca6bc75d46b05b4ea6

SHA512
36285c259d2d6d1cb7a9fc21abe0d1111ef386793bd9b543eddef49b63f9a086ee40e762c28fe9ddca99bbdb746589f1b1835924f522fbd2bc59946b6ffc0a02

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
223a7228fd1781ee14920e9a9ce9c6b3

SHA1
0349b6c4e008d9aca7d8465ee6df89568496538a

SHA256
700866627dc6a61dca32f65f4d161e092d7086804a4f1ec933f848c9fac9f925

SHA512
b1953ab84175200c10361c8c2b2f43f1829ebbdf14bed060bb58522a0809c10877940923f9a1f5b73986ca6abb372cb8f7ca77937c010db583f8e5972c5d5f82

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
1882d3cafb487ca84e8f10b78ec73ec9

SHA1
95e54b5057e0ae9a3b28f45ac9d99f6b1159a94c

SHA256
9900eeaee7ab32ef8021d91f9097187ddfe7fe29e3e1dd1e6993207e045c79d5

SHA512
1165a87bda653210c2c59dafe0c6865564f3b66faa6c329d20b4319d7e9d01a24168b70b45678cdd458f6a232c2b1165fea3e96986825e2eed5c1a3895dc7686

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
45c1d79d68531ed41790d50cc240e215

SHA1
fb3b1514001756f8211e09aac1ec8665195e94bb

SHA256
3d40034f02aec7cd30a3019619a544ea79fe8fb18df75c526db305197e009a89

SHA512
1392f87f97d4794b65bdad73368a7e7ed0e03bb21284499636432216b94b99534c2d835fb447c324e297927114323f951a8d0646720010ad2782755982ab3b54

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
b10e1df5705a34f3aa192c57e84da689

SHA1
b60d8775a60e0cc799b30fc812b15a3d21ce9d5f

SHA256
e95bce2572c4c19e0b757dd82eb9c8e3eb1651cbf5bbce7fd415842040746f43

SHA512
86848c98e035d0f8fdc7273670c5ec50f01a5069d3170660642ad66e9405a14e96001a343d21a2c7654bb98d15c7cda2ba361c66201abfa56ad8a4f2337f4177

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.6MB

MD5
24bf6d6bafb01c25909d5bdf41e34617

SHA1
ed68e16a796d98e71f210e5f21e6107e15177c89

SHA256
c47606c7fcb73d98e6e5eb4886503ba910582609bf16e2e3237b16a8184be00e

SHA512
b8c80a077b5819ceb6f4b26a8507614fdb0ff99c9bcbb4f4443cf0234baa125eeb05cc8ce3d4b0e1375c36a8c22effcb7d32bfbb5457f4141fdbffe5ed6b33fc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
ae9ebc2a47532936da953d20db1fd51e

SHA1
d10fad59f8314661712d6ff97ba866e2e34b9946

SHA256
ca1418890f088cf79c7c4188ff81888ebc8da8b57d40676d059fe66b94edffdf

SHA512
276a5094436ba4bd186f021b45b3eacde966c7017e445d6b2f7c6925c87749abd9a623c7eb2c59f8d9f1f36b3ad9afcab50c1d8bcfc0bd0eeda992005ab4c6cb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.7MB

MD5
c661992419f39540b090e228dfb9fc2c

SHA1
bce1f4815a7adde1a2c42418f2822fcd22b0d766

SHA256
c55453a4cd891382db3a33bcd1dbaacc937446be385b41e7cd6684be0f9b999f

SHA512
8238afcc065f80b7facd254e89c6191c0d99969517b7c77687007cb82767c9773a5d8bb9c56c7dc679b7305a0d7f061a5934fed2b24579c74d072b63cd5a0908

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5cf88dfbdb607a35742b43b6f6202df7

SHA1
77e7aa0a726b99b132b4e5b78cfe60f0de760d3d

SHA256
48b0873ebaac152f4a233404e5ef7a1fe7fa953290d41ccd8871897e20a3b27f

SHA512
afa87cebb6e55b520b6253d7ae8eb760a637d08fe72c6e32c9a344fc28df203d792c5ce754468dda6b29e1e1c71920226ac9cbfc54c58ef9e3585726c7d1a7d2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d9a999e8b6b5118c729f739c465d916d

SHA1
eaa96f960282f8f0a42576014b76b2cff7e955a0

SHA256
dc817606589efee10330eb1a2fd16ef83924c789df6ef6012d36e41451644f21

SHA512
6f89943a4a8b1a3205edbb726dc8c628bd771a8d9247c116340568947e683bcb7d18be2efc271059179750c0dc810bb393419df979fd6af0358a464f645fb95b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
af893d9eead1a7c684b325dd9eb3bafb

SHA1
eb07120b1d2092e01f6c3351f00b93d43fe4d215

SHA256
cd682dafdca725b3474a13993de1c039cf6233731b1f5e3aa9a3bc4a172debbd

SHA512
d1a710ecd75f0af41a6c7e69252061b2769a8ff2b4585faa98128b3a53ffd57626da99f8291cfeb017053ff2abcf516800d438375c6edb8c929444b648a1e6d2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
9b25105c6eb373a95b4610af8c294970

SHA1
1834aa00835a66a717f8fc16613289618d49844c

SHA256
5a12f689c818fcd51cad84d615509ea056e13eedd9998d73d672326b81943f8e

SHA512
5576bba723417084540a6da46858ae967475e3fd2ae4c8605a14b9cc8ce12bd0756bc9d395daddee16dc50468ff3e124012b0e66695d981461246345848b3531

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
4e061e66e854da009f02d4b8b88bbbe5

SHA1
7519e9d1d32ea51429031349380bd16b671262c1

SHA256
d3dc005d05c8da88ab73ea4c8a2e6d804fcdc6bf0c4053d488ae8fed8a83323a

SHA512
46fdd95468a40f2306aa6174ae3cdba5e18646d5a80f8ea9f26b51ba20714510dffae49a9f7bc49f43181594afb0c31f3c7f7ecb9f75dcc5d99d069354d6b851

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
a45f0df82bb54ea4dd625215e99f9a55

SHA1
9bc25c8297debeb1e44e7bc2706f248aa5612433

SHA256
946cea5ad8caf4ec11cde4169df97bbf52c5259b564f257b658b234edf839f79

SHA512
4242b4a2c4edb0f8688454929e84c8938ec74ccb927bc100c5f8ed4cc844eeef3a92809e17b8706d5fd8d40e75107bdf6c63f34c32af3da8281f7e3f8c7052a3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
74caaa4e20a26d67695cc6a931c0920d

SHA1
f91c0133301e94e6537e9cecfc381c672f1a0a43

SHA256
9ac1e80420d7e3784007b79c5a1974751a0b63f7dd12210092278d05190b8762

SHA512
2f5e5769fe2f0b4133374d66bfe52bc1c6c2bc77ab44e84c0cb644d760d0f24c031585956921c13eaee39b34fc8101fdcfbfae236c116a4e9aa34ffa6b373b6d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
31fa43afd2a0d2a4b8d01bd242aa9bbd

SHA1
98c11a3663baada36cbd54861a37395ab3a3672d

SHA256
133412d0d9086bfa7a9b6e496771b00a284c244f7f4e7e192cdcf3b48ed3d35f

SHA512
98508f5a6a58af30a5bbca3ecbc47e75a25c39b68252ea87e1d22391f8b5220a677a39f6567c6610cbd777241fd565adb9868e2ccfe77702f51c3bf9ed035fb4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
67352a23334cd3343e89b5a82d79c13c

SHA1
374df9b8eb0fb84acdbc7172e325c230da144962

SHA256
5071dc07c803af7bc837c4266829590207c0b05075d685a246bb53aa37e11ba2

SHA512
9d39271e16fe7d11a953f7e6725b2281c2bd957c46c6a24ac260d0c6a909aac635f97f3b0c0df7a6f6653809c82b56b858e6d2ebeccc732fb3e84eb2d7536335

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
bd66a062c3c636aa48aff3dcbe706959

SHA1
6aef1c32ee8b10276fb48ec50563cc9ae3d0b57e

SHA256
68c789919b66f035855e8c3fd2bf242749f1b7944fdc8a39d8b1bf2dff6f3849

SHA512
8b79a35178d5d07eff0836ae2a8eed3dce40b7dd56b5b1b15d225c45b88836341bf1edee7ed44e25c52a3c98a6fa2fd4ab5c9b6dc64413267d4df2bf20e12689

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
e98e6def4f9484821a4c2c7e94122fc3

SHA1
db6b6056fb0050445a6cbc6c0962c7052bb55e54

SHA256
64ccf3de8a0650ef6527d4c203e5b0785ad9c08b2919e0e61621be4f15aaf776

SHA512
8831f2c9c6bd796f9d973f7f57c30780be7bd536554674fe260ac21f62a58c8885f3e01043f45eed211d351552d6e585e8a74313e6abf2cea4646205e83d9e6b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
3c703ab7c1669aa020a728f4268fa56b

SHA1
adc8e187e97dbe07057057e951ae382a7f2e753b

SHA256
b25f44cd0148ec35485f0739cdf5ecb933c0df034cefa270e6552f5c7f06f39d

SHA512
6fc3ada2ea7aa7dcf72307cf35e447ec3cad44c89d16a79d42a0c58f6166260ab320dedb6c8aaa1ab784a676456dd088f12762111d54509a3425c3319bb92eb2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
4f0d1221ec2ef11d02691f0d57179417

SHA1
47316368deb0a1f9237d349ab37ed0732f1c022d

SHA256
60e7e039ec63c5d15e6dcc9bfeb5c4935534701d0275d88a89b79a9cecc19dd8

SHA512
30eac1e09f8912db8d9911d945d33ce1e388e93d03f54b9c26dabdea6f621df918a385910d81e9ed7e2cfe95629319457080ff9642ba8f655b9f5e80c1a61f60

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
a62eb03375b72cb72485b93df71f1189

SHA1
a01d3dc10a1be69e9b7f50407a775782a9d5f047

SHA256
0863e7c06873edd9cd5963aa5cb0f92328a95f31ec8cfb1accbcb4f92ad8d54d

SHA512
d464e42240bca123b9748ef1e6bbec239b40a711a04c2faac55ca81219539715f611ac02f4529a53d993c0bbdb819d93ef1de9cbffb894f09709710b9a145572

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.4MB

MD5
8ec289a4d8abc3744791b733ee30f52a

SHA1
6670c30ec31d215dbba534c37e4fede043909fed

SHA256
c5058bf92c90817abb427a94d010c1cf015caecd13a29c0e759cf707b9b0109d

SHA512
9d9771099a7808f01b1354eef801243ddf09707fbfd3a624383840f16167371c46b763d8b89f283587fefc697c1551782a0e27af9204bc5e5e88e63d566836b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
6f5edd6d411de3fa1f1bd8aed6bfbd90

SHA1
ae59e7d363f147e56283f174a279207076a3ad12

SHA256
bd67b977b801ae6a6c52d2a8dc2252edfbbe997eb6550420a24c6f59783a3d9f

SHA512
7b663be49378a65c9941b9a87adff6bd464776744ebed148905c884311d5349c6c73d28f37be72d4ef85dcfbf75a9ade70a302bf4197dca8042384613cbf8305

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
78154c747f75eefc54e8e45e560fc38e

SHA1
cd70cbbdc1b370d7a5bfd0acd15b75d2de1a7f09

SHA256
9df089e91d242bd2af2a84c077fbf3970c5972495071f823532ef10b24e8b84f

SHA512
ddf8965db6e8a890665180393f7455ff2adb8c34c9a42c74fb4a500da8cdcdd98e08ca97c80be144a33d627458002d659df91b07d1481e80f565c0f254594022

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
15d4d3b40a86ef07d8b8ca457478bdb8

SHA1
d0ad3a7d1fb71e4190e4d98126f0349ba523afa5

SHA256
1f9d23d5dc0d2a0fb1d3fbed88a3c48e03434d10943e015c8de880022735eafd

SHA512
f7162c894229df9395176f62a7ca955fae7f60858edc7c2b4d2ed8d49d2f303968d29fba6c40f47d5c8885dcd7503ab60f562c46096bfdd40839c57350708f3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.6MB

MD5
a2f608e0d994d5c79c4f521fcc7cbb0f

SHA1
9809f889b6717d54ea0e27b76ea7029bf0012672

SHA256
ce7d1783b14505bc94eefe46b77f8114265d9feaceac7449b53b4c64593ed0ee

SHA512
d8f3add506785a88dcd9c96f9a414756fc7a63fd09af38bfd9e8742fbd7433ae2c559bae3d935135da1a20add28243e6b38a2600eed33b48a818134fb74a4ea6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
26a4a8b905b00997065f9a2405634e8e

SHA1
272188ad30e90112bfecc97fd5682461a3e32c6c

SHA256
87b6d303f76f7db2bc32e0def2b06e314e508306583187b31799f8d9181acab3

SHA512
05258068e282c11b0dd27438ec115b609fa462d036b95d09b266d0d6c59a95e21a270371b6c8457fda2db34209f41dca650a07b6cd3ad62dc40d8a5344faa010

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
bdc2e4658f426507fd608d01bbd4ef69

SHA1
d7bd87af5717eed5f768ddb1fd0e042d5ba8cbc1

SHA256
a71e7923920149dd1312d86773f13d3cbc4322f7086d56d8038b8b5867b2a9a4

SHA512
4c34e2849b9b45ce6f1f17c02b1e641e7ba6cccbc0a913d7fb15068d3870e59af3a76b6da387b92d0411e670ba74cefc17a5eb7af1f6905ab7f7d5bef937a769

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.5MB

MD5
b467ea026f05f5e82e71f7554cfd60a1

SHA1
8992fab8f9daa81bfb5e86b94c04df0febf708df

SHA256
3fa85c6b53f05f19365e97acc255fad69a176d54f5eb6f065191df6ee719f282

SHA512
b51430c30c0dbde11831a8bfae3701edf6fc213982d79858a1afb58343fd38ffec57a0090532ad724cd356328713397ed6cf851cf26e729cf6c5eb3f9259291e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
1ee15665ddbb79cfbf3ecb51a7e65cd5

SHA1
ced32db77e95439159993eb93b5a1d1be49c1a73

SHA256
9466ebf1da864c7528d146644335ea2e618d2c64499f6007c76f776c643ca54c

SHA512
befe4343db78b75b210f67c523f191e60964a6664d235b48c60a4076da0eadc27b4415b89d7d698e90f47d83120de66491e46225d59c383d54337e63d851118c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
89b1a141fe632ea32b2700ebdc3f37a0

SHA1
fc3bfb27d466e72f14c376b50dc53fbf8dc4d89f

SHA256
30517a0ba566a8be78897d3e08735ead14133a10f26da46b9e0fc75058fcb103

SHA512
f21d529f65213778c1a59cf7ee8beef19c1840c97e59247519362107624ef1ebbbcfa458a73638e7c3aa837ab10adc9c27913b9a9d03f1a0e69d20129ad7f1b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.5MB

MD5
3ea22c6f9f79b30f6a417a39fd7fcbbc

SHA1
6dacba9c5aeebfb85cc2491604144111e7a1c9dc

SHA256
316a5312025d171669fc7f320139be802446da5bfd15593a55f198919922867d

SHA512
5c3a4ab6ec3b0e818b9cadd3ccb97a071187b3a4fc88e1c189efffc103cf7d9f307c6d5f725fb96c488ee17a982441cbeec82132b27464fdc29e9307f9d76dbb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.6MB

MD5
d6c8c48c7be32496340a8f8e908a1714

SHA1
dee7cb01b435978aaf4b7f411a7f37b22e9e19bb

SHA256
5ebd4370dfd1d3ad301678d44e5d9de13a7a0c811afaa6237db4a982d175c906

SHA512
537ed11dd0c411cf1c3107bb5d046abc4d6d53576de88429ce7a471469eb7da0e2a2fda30cf97add54f6df1c321b80b4366cfaf35b3acea8776ba077777504de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.8MB

MD5
746ae25fbfe0461a81daa0456ddaf48e

SHA1
9cab98049a79fe322ba61d4b5e4273da4e3a2c39

SHA256
f40736b63abb3fc7db9e4423180c3d7461d3967494064c5747210fe067e4fb34

SHA512
275cc372200595089551b0f9a0dd4ec7211322326035aa47ce03dcfb111e3ca3c13d3cc16e5ce7d221dd94f523d74c5d129ae176631e12f29f9dc304d719cfa7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
e918300f7be07bbbdfc18c8d634981b9

SHA1
d96df1537727567f89ead8cbf1db92a27c8d68d9

SHA256
ca6ce2bd523454aa2e4f209d21a3bd2ebd71c5f9414e7ed43c116eb40dca90b8

SHA512
9fc79ab9436e89fa00eaf1d72db90d7af21cf90d25118c2b5fb7ddaa9e2783491b8aea92a88f2931eeace9cc71d1f13b9e1162f2073db5b673c19329cb720950

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
8a522f8c2d0ad9a70258fd9e0a25184a

SHA1
7a019717f86d676db9e97808c4e3fbab45a66c70

SHA256
3bc18c11edd1d1ac1d3d2425d72ffee2895cde6f83d86878594b56202ac0b421

SHA512
33e7c6cc88fc447a52450ccaf69b6e625a24632017856cb56f61a34cb791e1e84dd107d818eb83b88927e4f5f69c4ab7ab4d84e99aa57fd5829b63eb5a1ac578

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
d1428153515b7ac0f44dc5974c1b5fc6

SHA1
59b58369e56804927d0847a0a1d74821ecb99a67

SHA256
7685f0cd075c66406fa1840d7179b881ce977497d9aacd9f2eca9ea0b244883a

SHA512
158d900510e8c5b1f37d0980c63a26d3f57aad75cbd8ea9ca7f074fd5cb6a1d21506a9726b057f9504da33aec292945a8b63e724efc8e64cce70c863cd709548

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
9eabb22bfd4f55b7b7730bc1a1c1c844

SHA1
5e8f676d6d2e771aa966eede9cc1e533e069284c

SHA256
9bbc6257b881151fd0c868b5f55b38851d5ae9088bf9823abf40983171c1f72a

SHA512
35592090508e3398dfdbadad20c607b0dcfe6b24734379582b9086aeedacbb30a0b793e2f0a3a6f588ce7784f65266525070e40d5af70b333aee4b2795812134

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.4MB

MD5
25d45be6b8efe6fd17af9ccedb02b556

SHA1
eb60c273cc728268209fcc319662c3f362a3da09

SHA256
63f97d13e9421f645fe4d0a2505efad378323481d895fd96d9f24a6c088cd67c

SHA512
0c20aab7bb590a32d655c1fd52284ad5143f2649811b7f7e1929a92d440ccb98f7253c3dfde122940440263da66d217c656889d2b573c8189e8a1fa49c70cd8c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.4MB

MD5
ba1e00d44e8d243bb727311343e24831

SHA1
65674f9420a9d11b561bcc65a3060d84b3d21fc2

SHA256
62fad1e7217bce43a87de2424e3df806f45e11f759b1fc67e0e0d25aa8a7a44a

SHA512
fe6651ba48a7135665c8ee18e6d6321c85f54f7d20264a3a144cf7cc91a3d31fc282fdb16640d6578429b0c03c6f2008cac15e0dc39d58f0bf5568c208611904

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.4MB

MD5
949cad2e49b15da4ba51e9cb9aea559e

SHA1
e4226fdbde2a19f7922dbe1da26b486f4eecc8a9

SHA256
1fd17ba80387f9244c3d7603043190d36db424289217848ac6b523a9ffc95c1e

SHA512
e417b6139fd4a395ffdec935a6f75745fb2a2a5a04346d69f4192c3a5a0afbbda0981c5c32a6f906ff729fffbab0f22942f4b814001952df516388c90d19da81

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.5MB

MD5
99181c14a1c33b301d0a8990993347f5

SHA1
56fbd1b7b2cbf87dcc8f71064631fbb639c5c097

SHA256
28f2ecf9829a587cbbf21e5bb17396f012d12540d527b7074d52b86a56754400

SHA512
4d4096c87a017d76180681cf5d145804dfd31486d7a5a0e5cc759f2c6408f1a427812333a81b464709228b1cda3b076de6e35b7f5b942bd8897e5549f1ff9e0d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
8173019158470250e90adabf27b601ae

SHA1
b9dbaafc7265bc1673a8f47987f184e439a18f69

SHA256
1709b6f789197e2f98546bf0d107724ccbb96e0c279ebde5277bb39b6a843742

SHA512
62830881c66de90e2a2d639327da8a89a98400daaa6ff8ba6f7dfc5b3cbfd5ea80c56cf93e2fcf5df9e87fafd937761b0f7c322af36fb230118312b3b5a9ba1f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
8f514b3ef4e71296261a082333acfb80

SHA1
6aaa354ddedd8c0c29065894b82f61b0c6d11850

SHA256
b3a16fcf7ac517a29a09e7bd4ae0b193d690bc406b57f58383a3098ce4ab937a

SHA512
eec5b7b920a625d646ad28261cfc1cc80e4ed1ffb3e742a7ac1546642af24515e34070ee868f24b413549d9eaf050b6511c783859c117877c07515d7e2059421

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
8de0d97bd1f41d1754622d05095ee837

SHA1
074688460efbe5a9d078ab8392e8b98acda08158

SHA256
cbbd40b352887d4acfaebd53486862b0445bf23d900af8347a18bc5611667b15

SHA512
5275c9487d055a1b11289cc3ec93baca34102605ca48fc445c25ed213230dbe991bcfa9bcd08c0daf39d6447526e4a047d61dc5bf7ac5b084362714df65dc186

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2c2ee0aa0070652628d49e20c4c38e90

SHA1
93193dca6a7c482b4e8f342666b55493cc4d5b65

SHA256
d77ab079577937a5894f78d4a66c26d04182f1b3b810c3e6401cb16f2e178f4a

SHA512
c95cbfb1fb7d6462c0603b0f635e5935d8c02c55fd19532a853cc180c84a3af5fa52ba9f84ad7f94a8917f37855b8ce77042fe1534af9a584850b718d20a248a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
1fe5b4219af3ad29a1f064f8831516a8

SHA1
8d9d2ede1a31bda65e4b563f9a4fc3fb0bf5087e

SHA256
b209ab675a5e2a4062090c06049afc495dd96abb24cbda302e644e8df0176b9d

SHA512
f5a9367dc8a021d5ec6422090749f3e974f86a56d7e3e888f95c9ac98766306bf91007302bf6a860069a8472aa730e21a21495c0537bb1a18d72f6fc40d22cf1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.7MB

MD5
7c5d5b28f33a48e6e744e750ac390138

SHA1
22c586607e900ebc004094e1e94075df505e373d

SHA256
a16199438522bff46434c86dbdfb00d0178aa70bd55a317b05e150d202b4e1cd

SHA512
fa1a545578d7f5935f0e23f55f4a9c06ecec592c62099f52eb2568204dcefe48c25e4689792368dc9da60645308500bdd960c1566247ffd9adf7ec112ca4ea30

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
0e48d317623934057c780412f124fc80

SHA1
3a8aa427226d5230aaa76a751bdc49f74c1b5dfe

SHA256
48d05cd4529ae760f1085ef302dabdbe416db2d013a45e3a56411d880b0f80e2

SHA512
d9265019f7c643d69524c2e7f44b46f2768fb439bb050f1b22ad55337555d974100f37b7fc5115669b77e77f168c97f7de7541f02d1e6afd0c7ddfc60008f75d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
2ddbfe0255fa8afde887131e25d73db6

SHA1
38d468830985f6f25fe1160d1d01e14155a9dd78

SHA256
03a5f182709fbaff5463433146fe64b92d8cdcc274b6831c82c8e2f8dc3f6c06

SHA512
28e03aa1164f86f2459d8430be6a6ef20da990d4b9acd5c492737f37d24aa6de2911d7e3a0af5f3d5c5c01a03cdc941e62667de4186e0895066fefefc6fc0270

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
828c77c249f8830f7d7f58709c7acffa

SHA1
add7651338f8c16da5e646156a310479c688bc90

SHA256
fd7f3b5a813c627b45f50267121d7035b569b1009c9d9746446e6324108c165b

SHA512
70957b21860c0fd5bbccc2c0e0fe6de997584aceb414ff3e1e0b616589e3194d4724b1822b2ee122fe1fe23942c2418c55a4c0a967319aba0aea251d8d051c8b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e4ff598e8e4af11d0f5d97d7079d5d36

SHA1
5063ebc47da2977ee5f9191b8cc525ac0efdc133

SHA256
fbdf1abdc331f9ca58c2a3602332301b5f2835e1c32379fffae3d18295c234c6

SHA512
923fed5b1e2473edffefc458408bc6c194665bcd17bec5e99006ba4899599c5602e98eebe700d61b5a9c427b5e5863a8317d258ac1c25e719fbbbe7491337471

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
ee9386f181bf712eec0e67053dc8b451

SHA1
ad49ed907e087e627a85888de7aa718b9b7aa606

SHA256
94d8def2fd1429d091d638be18934c162c93abbdd78162cd8fcba95456e4d5ee

SHA512
e10233175624df6d627af758003c6bbeb94a386ff7f2884fe6ad2599282498bfb7174132c2170d37e885580a6ac7be7ee7ec664e93b456ad59bf32a81a4c881c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7b881d4e6982012f23a05992c0ffd404

SHA1
d8953e5b9d5c2affad11a586001724184c24828a

SHA256
62c6d3a780b291f0d964e3d3be0ddce99a660d9e51a4702baa36c2bdbe0c1052

SHA512
f6e4cc33da61820a7da1699fab044d9f0e8bf6cc2d2f3e99045c7d112921daf21baa6a81f844de220d9665925fa8562864b6a0cb1e0f3bfde9e4eabf28dd9be1

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
02f89021d472fa2a0e7e11914a06e4b4

SHA1
2303a6d3c9094403ad82e4a2c96c8166f2157643

SHA256
1719206ef883584d66ceebf26739d2f00f5c87c8db9a1f735d61df1107dab6ed

SHA512
3332222e0f2581427620116da689cdcf76e37d5ac5ef077e1e2d61d14a5f2d67a6f26ba50f4e8ae7ef1a28f8122a998749d5c83a28ced9ca3119ad49ff5585d2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
c50226fa825b469064b46f9503c53232

SHA1
29d16c062b73a201cad1d52df484d7f1627c72e3

SHA256
52f67c18e5b44f28f0e255150d8d5927f25ad4e2d963e6637f6b20daa9b03df7

SHA512
7f8f62463da282a89d990f93ac8204f4f4b1c02f10a442bc963304788f961254f0b7897a0f877eaef015f005c572690937451e7b518e7dd1829b5a05db458229

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
05f65509d9710a35ddbf970d9ee89a18

SHA1
7e2bd94f98ce9c81c52f852253c29f17147ca122

SHA256
27ba30d580a7b7aa44aac6ea58b816257b5256c23006329f077a9339bc43aa28

SHA512
8975cd34c240fb53df070e06df3a39063164acfcf16e9b826fd4fd8bd6461cd90b12d9f33d8c40f647ba38fcec6945ca99acfb1a0ae61d050634a14d87460a65

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
53959996baed62854e8fe8f75b4bed9d

SHA1
83d7956962dea57bcccc96e3a10299e4b05d5a66

SHA256
b39321bc3d6133c00abbe6a3e7b433258e2787c6aa265891eab1859948315ee2

SHA512
1fcfaaccf9d8df9f6fa356782e7c711e7a2a4fae9337d5454b71325db8ed1449daa037a033e0f7c21ed14b2f2e2ebd3ff0315f7d0db66b245a772f2fb8b0d8e8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
974f4df09a2fc513712d56be8f625163

SHA1
fcf6b8b3e017e1f90d61951003b127ca16fc282c

SHA256
b228ae170c209f87f22cfe5c6c19e7e346f73d87265e9d013d657178ac36c806

SHA512
b7ec76e1d5f77a8e512e638e4df4daccb1e2e50abe3cfe53fcf13372282952bd44bd60587775b2e3589867cbef35b42111ae3a8c8e2ab55bb9da35da0cf8bd15

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
1d7ef2679372a4c9f5a8c9dfdb143dc9

SHA1
5cdf798922add41e29fc58117a7e646b6a0eebb8

SHA256
d19c9abf054c55ea148ac36c25161fa2771641d56613133578d72e0ae5160631

SHA512
c501bae9f133558ad30895deff8cb8f2a937bba1c5dd911d12ba1360e7ff6529011ef2c186969bf4cbd08b5e016790063f2b2273c450e46b2de7fe696162e338

Download Submit
memory/400-0-0x0000000002D90000-0x0000000002DF0000-memory.dmp

Filesize
384KB

Download
memory/400-7-0x0000000002D90000-0x0000000002DF0000-memory.dmp

Filesize
384KB

Download
memory/400-11-0x0000000002D90000-0x0000000002DF0000-memory.dmp

Filesize
384KB

Download
memory/400-1-0x0000000140000000-0x0000000140295000-memory.dmp

Filesize
2.6MB

Download
memory/400-13-0x0000000140000000-0x0000000140295000-memory.dmp

Filesize
2.6MB

Download
memory/1036-245-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/1036-312-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/1036-244-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1036-251-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1044-319-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1044-314-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1044-378-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1044-388-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1632-325-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1632-333-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/1632-393-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1656-406-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1656-395-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1656-404-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/1692-59-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1692-64-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1692-67-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/1692-51-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1692-52-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/1900-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1900-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1900-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1900-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1900-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2816-276-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2816-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2816-256-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2816-264-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2816-274-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2928-36-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2928-34-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2928-27-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2928-28-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2928-235-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3164-300-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/3164-308-0x00000000007D0000-0x0000000000837000-memory.dmp

Filesize
412KB

Download
memory/3164-365-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/3532-379-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/3532-389-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3532-447-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/3748-353-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3748-421-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3748-360-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3784-22-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3784-15-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3784-17-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/3784-227-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/3844-434-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/3844-367-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/3844-374-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3856-408-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/3856-348-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/3856-341-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/3944-417-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/3944-548-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3944-410-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3996-456-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3996-448-0x0000000140000000-0x0000000140265000-memory.dmp

Filesize
2.4MB

Download
memory/4308-74-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4308-66-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4308-69-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/4308-239-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/4496-279-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4496-339-0x0000000140000000-0x0000000140258000-memory.dmp

Filesize
2.3MB

Download
memory/4496-347-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4496-270-0x0000000140000000-0x0000000140258000-memory.dmp

Filesize
2.3MB

Download
memory/4500-297-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4500-289-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/4500-351-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/4584-462-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4584-470-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/4624-444-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4624-436-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4812-431-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4812-422-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download