d9f72e1f0148039409682d6f4516c6c8214f519cd47daa4843eda4737e18c8ec

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_dd9fecdd0aaf57632be8ea6fa85db336_ryuk.exe
Size

2.2MB
MD5

dd9fecdd0aaf57632be8ea6fa85db336
SHA1

d20d60f2b191264d704c09bfbf6269f8f00072c1
SHA256

d9f72e1f0148039409682d6f4516c6c8214f519cd47daa4843eda4737e18c8ec
SHA512

77d18a2fcbc4527d9a9510bb52b40a33891d9a68298785d5d93a50cc77f9dcd6ca1a31c55074979f43dd1b62cb86d3285199f05461981b8d7cf68943111318fe
SSDEEP

49152:dNl7soq7sQCr1kyG2xHywRfHIO2Ts4bvDADmg27RnWGj:FD23S1kaxp9qAD527BWG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1060	alg.exe
4476	elevation_service.exe
4112	elevation_service.exe
3952	maintenanceservice.exe
1628	OSE.EXE
3136	DiagnosticsHub.StandardCollector.Service.exe
1008	fxssvc.exe
4528	msdtc.exe
2364	PerceptionSimulationService.exe
5072	perfhost.exe
3488	locator.exe
2492	SensorDataService.exe
4028	snmptrap.exe
3440	spectrum.exe
4540	ssh-agent.exe
4876	TieringEngineService.exe
2560	AgentService.exe
4012	vds.exe
2088	vssvc.exe
2436	wbengine.exe
1008	WmiApSrv.exe
516	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

elevation_service.exealg.exe2024-04-28_dd9fecdd0aaf57632be8ea6fa85db336_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c0ea6c0e7489627c.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_dd9fecdd0aaf57632be8ea6fa85db336_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeelevation_service.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_101187\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_101187\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_101187\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000003e51af76a99da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000071427af76a99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003ea91ff76a99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab7710f86a99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af6c43f76a99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008fa39bf76a99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000edce45f76a99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec558df76a99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
4476	elevation_service.exe
4476	elevation_service.exe
4476	elevation_service.exe
4476	elevation_service.exe
4476	elevation_service.exe
4476	elevation_service.exe
4476	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-04-28_dd9fecdd0aaf57632be8ea6fa85db336_ryuk.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2300	2024-04-28_dd9fecdd0aaf57632be8ea6fa85db336_ryuk.exe
Token: SeDebugPrivilege	1060	alg.exe
Token: SeDebugPrivilege	1060	alg.exe
Token: SeDebugPrivilege	1060	alg.exe
Token: SeTakeOwnershipPrivilege	4476	elevation_service.exe
Token: SeAuditPrivilege	1008	fxssvc.exe
Token: SeRestorePrivilege	4876	TieringEngineService.exe
Token: SeManageVolumePrivilege	4876	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2560	AgentService.exe
Token: SeBackupPrivilege	2088	vssvc.exe
Token: SeRestorePrivilege	2088	vssvc.exe
Token: SeAuditPrivilege	2088	vssvc.exe
Token: SeBackupPrivilege	2436	wbengine.exe
Token: SeRestorePrivilege	2436	wbengine.exe
Token: SeSecurityPrivilege	2436	wbengine.exe
Token: 33	516	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	516	SearchIndexer.exe
Token: SeDebugPrivilege	4476	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 516 wrote to memory of 1980	516	SearchIndexer.exe	SearchProtocolHost.exe
PID 516 wrote to memory of 1980	516	SearchIndexer.exe	SearchProtocolHost.exe
PID 516 wrote to memory of 4920	516	SearchIndexer.exe	SearchFilterHost.exe
PID 516 wrote to memory of 4920	516	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_dd9fecdd0aaf57632be8ea6fa85db336_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_dd9fecdd0aaf57632be8ea6fa85db336_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4112

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3952

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1628

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3136

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2024

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4528

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2364

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5072

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3488

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2492

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4028

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3440

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2716

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4012

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1008

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:516

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1980

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
2⤵
- Modifies data under HKEY_USERS
PID:4920

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
65e81f8ea4ac57d0b4cb1048abff3f33

SHA1
38a8390062134fbf706eb89136053773a3d323e1

SHA256
3b1dcf7df109ad2d8dbc531dda5e9608b153fdf2f421120e8d88aa1b6f1c9daf

SHA512
b725fd70d5103e4216db38a9203a79ca09b6a70439b7144afd5f0606db7c0d10fae373fd0ebb365b08694c5606cc393b018a581c9a803b6e937f3c6b2235b51d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
6c31982c781a47a66ec50d7b2380dc08

SHA1
4967a3b1cfb61edd9fc8c07a1ed892938aa449a8

SHA256
0ab7876895678ba5471e169b35c0f061eeb7c9c256f2f6bcdbae99dbb08bad68

SHA512
e23ffef8c3d6768731704d4efc6899ec34e77f891c716d80d8e6a570f7b046c4a595c06b4aadc420b55cd3d3d47c19dc07030c50a102b76a98650719e0be633e

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
d726a551265305d1283b88e470e7cd92

SHA1
4c441c33e10af52e2537f2631bde83120544badc

SHA256
d8f0356200c9868ef99b6da14945a3046e7bc0b78652a0d4adc47a7e4183eb39

SHA512
57361d6a955c13023f162f23d652080dcb627ac3a8798c16382717e2677e07fab3c97d0c52c3d4863073338854d699c161cc2a5436c1843e1e599c035ba58d92

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
9631ad6e0ea4a05201491b514d555ff3

SHA1
b3d55314f9f70ad0bdb796e2c0769656cc7fd9b5

SHA256
91461ec638fcb2a840ecc1cad8480d03f3aeac525c7190bccec0d9c5a7b75a43

SHA512
02d1c534cc8a8e042b028dc9ea161ec8c3d2a74c26ca50d9e46f33bdca9a6adc87a99df44435516317ac1f35621978a6d777021d79e35857a3bda31566c35539

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
52f9d32fc8ab4b7972f12f03acd46ec2

SHA1
ceaa1aefdb6abd28e54b188f055ab4bb3a4af7e7

SHA256
aaedafe0b4a2790061d54149f32bec72d13f12c13d8cccde876ad495b31eba63

SHA512
1764921a4b14db6e469d169b2615bb3c7b9ea2f281793047a94c993d521fc70d715a8841ecfc210958e3df9d0258b5edc6010cf6f6825f545cb9a7e6e0773069

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
929581289417f4e973a0ed82a3d702c9

SHA1
4a919f978f0d3251e1f01ef6fc92a7f53d691dee

SHA256
2499010ef6ba234deb8c11428240dd233e421f01529872ae40fdfc0c62e93353

SHA512
1c9ecc3de3c41c722eb7447af7139abad07448c47113c9276eedbf37a3336bf85e4459d790d05ac573a9425dcf10d50fe7e71401ca0d2a22086853c8b397780f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
cb7c32ea51459ca803e9bb001d081092

SHA1
463c36874d12442998e4fdb876757683658ff971

SHA256
eecbd5d2f3b271ed71702fde078c8b974a7f943406902f24df926fbb3ea1db9f

SHA512
2ac21cfb7d5ee46e364eb67b95359ebb0e59ed5cf76817549ebcf275ba9aa43e8c7cdc152f780c1ac7e828cfa0c3bcaa8a86179863fd52e3b29ec24875a6f573

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
26815c7a74e80b0b334853d123b4dd95

SHA1
cadc8b772f63893fa0c9613a9d8b104b12838666

SHA256
1f4e5dc8d432bfce97471cf9cf181efa9f060ec7b4a9b00aa8f39ed017caa444

SHA512
e9b011f7db46fbb03beac0a3e0c127711574709074b6f5f4a22b06e089281dd76968ff424f9cefc88b6e4b5ae7faccb5b94f4e5556760835d8484b7dddc1aac2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
31a803193dca30940427c71ba04906cb

SHA1
c4f9e68d4e21036c54f6923d29f6cd78f718a0bb

SHA256
ee5ce9ff8c3a3498d0158347e974b410ed5aaf964b803822821663ee3307415c

SHA512
1c78cf2b519c92d6415a2848025622f00bcac1e62d79dbaa36c0e2e39ee0b7f43d2b49e1f559b3521f33e32b6cb9107dcf6551df4e699d3c5bbd780432b273ea

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
b6a4141c3d023738abc1ceb834378ac0

SHA1
c1c0b7a9e85411555bf0684afc74ec8cc3b9bf08

SHA256
656c1da8f33c548cf1c550b7e9502642f39ba599c78a1abe79d001c98aabc4e6

SHA512
aa69cd5ece912787fe1f1d1da82f88758040c3666f4b727d5b203fb8ad33c0498c0565a8428506b9fb9585e168b1e4a6fb8b2c6e49060ef5eb078de9e511e551

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
e5843bd2d9c9acdfe43947b59f1c91e4

SHA1
f62e454ea1454acfd6fc1e65efb7df7405a5937a

SHA256
34e46799a5425dc5d538d38d419fea353ccfc0beb5c1b71755316e56448566db

SHA512
daaad794182a0bc45d93fbe00d775fef439c6a8b90c9c54f105b7173b7111204180b0f2ca85ebf8f5ab62f0e07f5de3a353461205d3c4dcd4c985087df3ba71b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
574fd74b2775c2a9fa4493975d89f716

SHA1
a95f7a0b45f88bd1d842c975a1c30f5e19f65a0d

SHA256
eaacef178d3d0164a93ffbfd0cf39427f6586e86e2a21bdc9e0133d2a1c7bea7

SHA512
a260c8ebfa7c2282c28b10ae636124a46f0d6afca57b2904c374071a2b45af69c9ece797419c14585cf06ca614873abd03e191bfe53b6ec7f4a91a583c67b481

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
ba99c467ec72e80dd688223da8da6aa3

SHA1
215ac821d8c9cc52c1301783c57e8bda4a851bd8

SHA256
1a88c123d7a539db331b91e7af7c1e5c1d4dcc6414025ec12220f660aa0df13f

SHA512
732d34043c4c78510c49929b752481bc44fe5ad136db239dc7bc993db85847fa31a817b15f7d82d857d3b084a9e3aafa35da3a71e3f610c23bd12fc56a72fce1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
1b86ad746339e5620dd2d9212151664c

SHA1
8dac1aeceabcc94d59df776c57cecb8d602054fe

SHA256
96c26b1155b9b71cea75e0993b16b73973e9fcb2c6e90cd8a8694c1c0a4f9af0

SHA512
50ac58a29df21eaa978fe467c4ecc3f4acdba424a16766adcda4ec1cba37a93ea7cb01a5807edc7e2b61777fc570baad413de6d3315584fcaac7ed0d66433117

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
bcc749018f2dc87392bfed5be47a888d

SHA1
07395c0ee8b38b863985e28be591452feff1a5ce

SHA256
e1d58df76a7be634b675e59d23dcb8d9b500425ad450ad54edde63c8f410dcb1

SHA512
7373740bf2a3d30dd1c3e60c2fa59e0252936e7626adaa39f6d5cea6f12de06d35f3d9455cfed87acdbb63b6b4d85dd4284a0cc0c1c155781c7497381121c6e6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
9db627abf8dc4fd1842c61791315709b

SHA1
b584236dc99c34c2afc07154dc885260ea493741

SHA256
d912ca11fc9d862665b1b001728d9c1172f4fdf3318f5f7810ea522c1e8ef135

SHA512
635bfe0e830675eda4ac6f7f87cd614591442535af86ee122a1dc10a38965d8fb6aea7d6d8c38138cfacb73f47341c154d3e1e893e077433b6dbc691a6d5a86a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
1e74c6a0a6e697c52a5157e7686e0baf

SHA1
520b53c37b05dcbc363d565ed19d8cf23ea57435

SHA256
e91707e5ca318d9d99bd2765f5141807825fa39ab0ea8218f42e5a5aca2f6867

SHA512
63722ccaed6b5a7e5e3aca872446b2751413f8ead88dccc11638ca2d2c5656923c4064cb3e292da9a7d6941705e1abe3c36be0d0c8af17a0307c2363217bf2fe

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
85f6ff590f3d700ebf4eaeed7537dfbd

SHA1
b7b112e876976bc305fe2f367246564dacfbe0ff

SHA256
017dfc0137cc2a8a0dfa848abc0af79a374609bac0200a30ef92723d67e9f3db

SHA512
cfef6ae5cf43943896ed36a0bd918df235628ad942491e0ef913ebbaf6029f83d385c90ef2fbd970d3958761e6292f599fe5946fbc8d0591e32d28602baa82d8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
9d16bbd6634852fadb28cb24c324066d

SHA1
78531f6a2526de86ecd8181cbc6cfc77ac3e60c2

SHA256
82de8649a60f05e21bc48f938045d30861f0bba44976d18df3f0ce8875b74840

SHA512
992d7e16971c8be44067b070f008df225b2c2f53e1790b57f3e790744e5dda0e319f8b54a936231f786f70341ce918124733bdfb7624f0a2b735cd173df19849

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
bdcdf639f75e48cfbe62fa84481d5359

SHA1
049183e33a02b37922514de10eba2fed1205dea6

SHA256
0a3ffae2017a2834aec1108330a3487a87f6f737599611d16b0a4c2cf30504e8

SHA512
0c303b1c172f925493a894879abd7ffd5356479a62d1d5f3d75ab8c126c9ada5ee5aa5edbc7c7d84580e9b5192c8265f64f666af6ff59722b9cb6bf56e81a679

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
598c0c529013a6b6d017cf464c5e5ef1

SHA1
8334b0f9de1b675a424c6542d2b1a1a5758ea5eb

SHA256
04ffe9e6b6367fe988d9db88e95bb832668a095bda13641a996cf73b4d329efd

SHA512
ebadc4713838b374c8f5b5ba5afc4ab474ab73c8fe4a45b2d1666ce0024f552e7287001dff63936df74c0d9d44f17ec2964ea9cebf7320c758e2ce20879cfa40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
4521ebf8dcdb4db418d12a38790f0e1c

SHA1
642f0fb9d1f749f48c62745e560bece1abfd3178

SHA256
ac1a1359bedd04e33e25e529b9c1567728dc7850ca688aa86dabb4dc9696e075

SHA512
1fc9ac9405b9953d8922ad443ce0854558aebec66ba4f239a2c11ca3b83afc5f307f6d9abf8251d745fabf66729eaf1cfd06c20190b88e15b21c53482d82f92f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
1702ca3ca1461034cf05dbd5a91688bd

SHA1
5087abc4a11b6c3319442364a062654026ca5753

SHA256
df161c9294a499a591213531e042bb991dd0c934716b99052ffe0e7195804522

SHA512
6f1e5960792294eea16f451f8aefb96713370c645a8281c19b37e67177ffb719edc9519fa5119c7054fa8ccdd952355151746f20691c8c731d603950d1aab16b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
a837e08a8b81ee55e2533a22d462af30

SHA1
bca8c054be3965347a9d7ebcc21c9354738ad631

SHA256
dcb7c00d17b9aa9cc37c063cf67e8cd828d852b29c706788df92f14c01cec3da

SHA512
e7fe1f1a6127d63674ffafe0243a62f527a05965822efc9f735e89605de893ad2f5565bc2fe26ae2b70f7a9fc40672f84fe35cba2017bd3006803987e410eebe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
d91e1f3da34937d35fcbe85c299e6a2c

SHA1
e5c7d464094f0528564af99a0ffd5bcad966c570

SHA256
522a79687b6150d11193f43a15adb21ac48dab20f3eb4830714a67be7f4d0dff

SHA512
453b1158590ffa6b31a30b0ae6e2596ce1df0072ef1252eb54f6e7191759d26dfada3095c79a39a80943054e241a498a7feb2648032ee656538c825c6305caf9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
d4dabedfdc6e68133780d7376ef2eb7b

SHA1
8984d9106b21e267fe0e1ea20696b2d2fea8535d

SHA256
7eb9147503d5f50f179f1e1ecbdc4cabe24587d3b91b3e0978d059b3c5815b46

SHA512
7b062d59d5f23ed27b7d7ef97012892261820ed6110e1c0fa1fd4e88085dc700b525a94d5d3ae30140cf735a05e0f08eab8f6d1ffe6a0a9dc2c5f794c881ddd4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
0c37d6c89814c6e62940caeae4238820

SHA1
8d0398f613fae1146f9aff8afd2b161bd77d3f37

SHA256
4010b422c1ed623af23622e027b8f75963cdf76274f77ff122576a7e031a9f3f

SHA512
36922d3ece1b941bf2dcc16459a5c320906368a14ad6aee5d4c65581833b199ccc81c455df903ef2d19529f9392f06d8feda3ca5b543b0fc7d41768350bf3bbd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.4MB

MD5
42de344ad62563b05d1e5cbeaac29578

SHA1
767e064ab6ed74f0d43448f700d5e7019d2cf271

SHA256
a4209be099afa027e80350ffaad4d70a3ba19fe98a40ea479d91fbc9c64f2e38

SHA512
aa8dd2db36af223df45b559509c3066d2096cd69ed1e251a658dfdce3016714c066c79c013ce46226e910d02a8fb1aa66603d36ca60665eea427f87db698288d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
0b7be242ff6d665c25638cfed638d00d

SHA1
a42ac89ad389502eb59ac7804f954cd22d34e4b6

SHA256
3c67d9714a2796afb73fe6cf781a3a8a002e97efcd607da986af3b17fe6935cd

SHA512
dd539eb9dc623900e2ae7f033637356d918405c8c82d9a92a4a6b311a65045d6bbf277fbd43fda8f1cecc18b3fb7497299da387a49961aa7d3bfadbaf3219269

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
4161181e89b121854b83d7f1e4258114

SHA1
e1187376a35c9483d8c8b321f19cd30dbb5e5844

SHA256
37ae5d1d680765fabc40dbc3b6181a75a4e6b6845abdc0b46d6974b9281c9427

SHA512
37828780ba28f1da8d12ebcebbb6a6442972b77135d21215495294b3732f14c35b3ee886fe27fa83d563e59124cfa47ec55a839b538c678189c6733845f99600

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
db848824c95752fbbbc9c4876f34f992

SHA1
cce9af140e8d362dbac1cd53d6b672d16a615661

SHA256
df616d878872ac6e9db81dcfb1487fab3fc030bae4304e763ebff8ce8b61f47e

SHA512
eac8ce7b6a51b197c0bfacd24cf24000c2664367a83cb6c068f096d76b254b3e22a17499375f8330ff65b611fd716e0b216bf16a2f2e7821f4b9cfdef10cf53c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
e9eaef4d0a26b306b882dd789877b8bb

SHA1
dc274d9391e5d6aa30951aae785a9eca516deda8

SHA256
434e2c880bb76ef2341f563e6455bdb9aa89002ffcb2e795c76593190914607b

SHA512
c6c0e59e63c56cac9079a7e6216702e0ea538c1a49636a1275ea551b0ae261481a7a433ebafdf1f309e9f4abe87926d30580754855e62cfff15ffa09574c0f55

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
c10597a0976844b867df61ba72e8d785

SHA1
349e0b5de54df70ad9ea97f8e66f5b113e40cb0a

SHA256
ab3a638afbad2a1181060358101fa85263f7c19e2c4a22163a55654044e92dd6

SHA512
412249a5f35f78ed83a29ae6c7692c12c8b9d558f17c79388cb78a9ff64768619ab6bfa3e21c05e91007a8b5d884971722bec002a4b9948b4364353745534861

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
4e181ef5a667551d9b197e103641e1b7

SHA1
19f554c10de29097a6ad45b115c1a756342cd833

SHA256
0dd22c29bc0abbdaa8320515c485c7b2e9493acb2a67451c50ff70296ec756da

SHA512
0dcce790bf6a000a17d372c76fa4fecd6d79eaf88df2724e99041640a27d74e4664cabc83a3ec8b5b11e2e4f9f73579ce1309b088e5c6fe6d81c9edd0410e7e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.4MB

MD5
a74b15fb2c0377bd26ade8c889bf2f0b

SHA1
fd1ba6d6cc62af39170ff2834de7dea0d07fb627

SHA256
2d8e32d392ad18dce86ff2f309359c1615bcf9616ae4e366c31ae308efce2c96

SHA512
59d2bbcdc9616b0788b6f72bf234c961da540b52d8ee04139223660f3a8ea79cc5e453861f5cb1a1b06ed64361f7ae82afdbb48a6d0071b844edaa4c99892679

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.6MB

MD5
42c820ec02485ef0d984f5e516c4fca3

SHA1
4b55ba2b074b1add36ce17dd99a9cdcf3c16ae42

SHA256
0a6551bce8a1e7037f109c5140894a112ac9baff3426125dbc63ae574cdd170a

SHA512
2127322688dc721eb33f36e307b77da05913f47fcd25736f3c76470fcf42b24277d12c6af7c30c54d573807c2da0cb60661a68af0478b78da7b9af2894570ad2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.2MB

MD5
d74073b4fb0e3853c0518c4044e7deb6

SHA1
33492248e24537db7ec41993d8ec5034e5d08991

SHA256
0e95700a1b7dfe80b3a0e8d4f2c969e42ef057493336894a33d45fb2a72a34e7

SHA512
816e186b168c0e55427f7fe8dbf8d98975d4b50251c473a758b4fb5f92719ceeddead42e95680ddaba87be7a0c55257d90663c305289646d84b7b7f5e69cdbcd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
1.2MB

MD5
753852fc0d6e1b6b48d343d839e06893

SHA1
fed21ebe6a2af67210c02f8328e33736aaa97f0d

SHA256
f07955993e70177005a09afde14a68edddde1459920af4d1971697bf0b5ef18c

SHA512
21379bb9380d06879a5e673ba687e28c30a2f74f8248c9f84608c2eb44edc7c70808d8975983c7faff5bd7145b3d101495ce6305f6ad9add5f15959221fbff1c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
1.2MB

MD5
d971acaad66ec09788a481f9f1bbc812

SHA1
6d988ddb7928270ef98f710891549582e726ca1e

SHA256
e44486c4737c836bcf52d4788fdc6adde92c166b1ab0e8ec62dd02730e9792cb

SHA512
0b0b941239cdc61cccf44ae87385d34db896ee45c50a51d52f2742ece9aa2abb7755249eeda7d123d31da5982c76d14917d920ed84d56a0f00420bf85dd7251b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
1.2MB

MD5
7dfbd42a8e69554e9de7091b15a79e69

SHA1
a12182e10ccf8356c0e405d6a8dcc6247dcb86da

SHA256
d1e828166282055cd4f21107f4e65e613f35046232114b9b2411c6a9bef27d0e

SHA512
787eb9766d162c2b633f50b126fedb4e2896f76b35be2692ffbd43d8b3fd0d335f84a29fb6f4d6a2be7d9fa236535587f50fc2f847edd1f717b4e95035974e89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
1.2MB

MD5
4c5090782f700fca22185dc95bdbc922

SHA1
b7c883b0d2b18aa313216f6d40d13c1b7c9bfe21

SHA256
b581f84bf1da65a3827bb05962bef5c86da1cfc8f8a72df89c6ece465dd2af25

SHA512
f6557d80156e76581a15e86f2218a54c9343ec6b012ac8efdd1afacea16eaf768c87792834ed15092284b7851ead17958bfb9ee4842a2cc9f4fe76433f4fda51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
1.2MB

MD5
e13e4b20c8723f1e96bc07a3da0b4e4c

SHA1
50491466bfeb04de096495ba5e5f38b4ad90e8b7

SHA256
78585810d54c309cee50eaa7486f95fc4993804c1fcc2df5d3159f9a6514acc5

SHA512
8977803facb6e87bed5962aa8d62aaf8e11b0b8049bba3bc6502f6fbe75874c4fcd1cf9810d7e79502347eb7a44dc8457e7c29509d40a7fea2096f9505b5a441

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe
Filesize
1.2MB

MD5
93fdde56b4658f902b0c815255e351da

SHA1
7e59a8d0e0b64797ab832abcc3166387a1075fcc

SHA256
ef545a8e688a73a8e7456146056930213d63c2c34af77c267d102a82d0ac4635

SHA512
a50215fa61db5a4594fc5c77f801c8890647e06cfe6bb7e731d042ba9c5fad1be20d856a96f91c49abb842fd053c20a8531dc376d137091d402f914c9fc7b141

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
5f3a8f23db42c301f0d5f236a2bdcbbf

SHA1
7d7906a94915ce62a8bab9e5aa20be74013e02e8

SHA256
8fb421098015991e0a9ee0760f3733fa4cdbbad49a2bd51790b3bbaa28aa723e

SHA512
b9585f2de0176f72f9ca7edadb71c4696a682200d1388932a83fc439759a06aea3c2658a17a2719847341db13700af65e87c51369e9f5d403969b943ba2cbf5a

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
afa11ecb82fa783c7a3f4abecae400ec

SHA1
544d93b342876a9c769e3d09f2e24b96b69ccd03

SHA256
b3586f5317bea91f3637910f966c1c182d2770fb5faa98c34da3b0f7f31c9fd9

SHA512
187fd9edc42efd9defac123bbd2b6ad314681db89f9b18d6a1a00373d6f2116a818a386bf6ccf1d3774bb32dbfdaedf3a8875963a51ca4dd557ef4444a1d7046

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
bee8ea8bbe0e98b23e91a581ee3576c3

SHA1
866af4ece2a5e0e9dda84b4347242ae36ff1070b

SHA256
21ed458de2879d840e5585fa1fdc69bf102a8bf5079c7d4acc80a90725bc330e

SHA512
9e216dfd7577deede306a92917402bfdd29f20e699c80db78b710b83c3ab465dfb53e4705f310a1d3ab3fd717d4ecb9e6120b103525dfca818e04d37ed06ab8a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
bb3c181bc2840ad3f9adadd314e84409

SHA1
b5f8d15b6408bd1be7f09c58eb9decef60fb37d7

SHA256
538935f9d3a34f69f1119cfbf7852e7f9e7117b5475fc5e111b64477caab2c98

SHA512
1cc77aeb0a40c48d2e011a0b4f0d88fa93d0231cd4a28a062c82cab8b31b2dfa5112955b298d9de7a8f8ade0e4e12419c4e8d4fbbd1a73a4fdc05b2daaf17598

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
4ca4b159fb9a74d8d99bc1984e8418ab

SHA1
6dcc3e86fae384175e084e1c61deae9551e91009

SHA256
85597fd14d95315bf4051478ffeb2c12b8eed3082f97f820c698d13fb004d478

SHA512
8aa2611ab5139a25ba2122876affafd9d2e043722e653cf22dbcbd783bd26568b6bb3e7fd176b3f4f7660fbc64b189c3b7393ead3f5372414411f28c0ccf5aa7

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
4b3e79224385dc125df29599beee7768

SHA1
85a269cd68d6a7b1c6528ef9edb7e55807c410a7

SHA256
c994ab7ab395251c2dc251bdd74a1b1656acf0aa8c8969d651836270fc0d6696

SHA512
d1c5c7db57f8840654092be64337a5d79bb507f4271f53b36dba12cab0aee508eb536bf9301748c7be5d142a76b97d043df7b3cc32fe9e82a17c786bced1e588

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
ae2c086307e0688fccb17b3942c0c855

SHA1
8dbea3f6a2cf6c4cab27c06744bb9d60722d27f0

SHA256
de403b8f17800208b136a6cbdf93b949a735f842cb4ebeef627872492a892bb5

SHA512
803e70c195bf5e74f60e6739397ac02137c09bbb83044b3a540b8181e2301f80716626770afafdfaa2788fdfd893f0706c680ce62607c36edb7db6b03380ecdd

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
6fff4f588c3726334707f8fa993c9c23

SHA1
3ffedfb4e45d7ab688b2d2d9b17dea145c9806e4

SHA256
529fe0f85d2a00f9a99f647a74b8ff84852160abb71c1c002d0aa519e4964aab

SHA512
018169cb56b52928d75c9237bf9efad12d10ef3fb1151e527ac5c6ff970d07e06d10fe4b725d64702639baddc8750f268699a153896ceca2161d650970980cd1

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
25f69b69d46cd222f418ab2489c9afba

SHA1
5e5b8efbe254d55e948059acba35fac3f27d3e21

SHA256
157fcfb71cad5d565bbda9cac89eefd4b45b3d627543dc5f4eeedabc329cb9a9

SHA512
1f2137ffc75af994d57b7a7ecd3517f0c73f65d83494b944cb796236bbafa46ed6c0032ce0d2bb5eca9c11369be00995f2f14b714758728e4b5d3e5c84e9067e

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
5e7ca1333c7b10c455238bbfe589fc35

SHA1
4c6bbf71f798c634d9115d18c68042a7aa22b7a9

SHA256
858923a794e56be30be88c356040aca4284112d07ebe7b3ea3d843324a320b25

SHA512
0e42533ab919545a40a28a2085e4ccb985ff28b18daafbffd2015f156bb4feeda822545650499d7646e7747d796022c303f4a907a9635459d8b73f6d3a408ab9

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
761192d8d4cff3105346fc06c455d498

SHA1
37519bbe0ee7c60b0a6a65c89162a96763edefa2

SHA256
37b0433233ae88f591ea276665cc2369dfd1502d831663d65921329835736111

SHA512
2cd8ce59316ca546184ecd2f4bcf4905943ae2b846939c9a5e5bf7eda310faaa0bdf9b134882851c6cfe4a78f10be7759d70959a187cf4f6f6958f318362438d

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
5a5b7dc096c5622a9ab056decc65460a

SHA1
1c51a8c917ee3684a8fc3ca0b1b2d599765ab352

SHA256
47e81700f311795e28d18fde455acef1d460c23d1d2d9208a00b87666b5d01f5

SHA512
a21b8cb130afafad197fdc056f216fa80edfba68254f893b9dbdb35486de007ebb8a680fc3bee296c117e8916cea36171e70fee764c43cf1042d3dac07306ea0

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
ab38303fae8a6edbe91383207c1f08c8

SHA1
ed900c04a3a85fb74705d2207593721f9af05841

SHA256
6b3e8b56f757395a20279b50b0aa754bfc815474117c60e280136e08fafb12fa

SHA512
f31db8f4b5c1596fe93419e7cc3707695c1f9182f36165aaa652b9776a44b8178a860774e47244c400b2c6663db86f8a4d2e2fe5b3853bc7e334e76608613088

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
4e748c375f433726a08760e6b43b4637

SHA1
3ba2793cf9e9c743edca3d880fff0ee3fc8dfc4a

SHA256
36b4dd58249205027c297df334a31bd90d1697875bafc2cda818f88a9805e8fa

SHA512
2ffc2e5d5fa27a311adfbb8d8a7dcc35ddcb1346549ebc7c1b01497c1a2c9cd84e23b9be52a56461c161d5fdbc33b780ecd8816e2299eb2e75e44685f0032aad

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
a4dce0e2d8f87c25ebfc989b357e01ca

SHA1
2df65c3d8072fec3d84b309d0b5fe575cd5396fc

SHA256
8ddab61ecca6accae133a86d4902fff26fd36fe53296bdeae50cf1637873ee03

SHA512
9eaff62eb05ed4184d304119cef0595bad9a82355350e4f24f4b28b0e3dd91b92296118755a8c45443058357a651fa0cc6410cc3ad1a16389a93cf9e1e517679

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
82bd700c971a52e2e77c0b1be7f0e892

SHA1
b4dc6d180381d47997d8835e65731f5bd43c1d0c

SHA256
5b227969634c9f4fc67b80c9979ffdf8735ef7c2ba41673849a7ce6e094d3330

SHA512
abc9320cfa9273d186129cc9da2ea7fdf11f7fe723d0cd11f48802afad30e6712fd6453bfcd907e0b6b7d86833ae5491b2b202079ffdf182bc39281b61f494c4

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
cedcf25f3d803d16091387fd73630187

SHA1
e30a1c36b31625aaac38ef7cf657f4f7bf5485fd

SHA256
c0de1e0ee4ca32f94c5715c08aa7c70b48025470895179501938171d065452f6

SHA512
2e2d105790d971d62ab58cd6c1d63a56049dc98d6c920eebcab2854b1a8e8bfa8ea347ebd25ed176e071f33e19c7ae3b0907e5e089125b0a72569d5c75514cc5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
7960495fb4be89acd4465eae0cf27239

SHA1
ab82c4c826efb84e752250d3a4d3e8a4efaa262d

SHA256
adeea81a2da0939f57aba415a19f26547d3a5c7afda957fb5e3e423fc5590955

SHA512
7b951df8a9aff562c5d3398d54d508a9e48b3e4419816ebc9025373f4e4f5058e8b6abee2a187f3d5999f8347bc947de795662c729f2cb4ea86cfac36de4a802

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
0bd7b45a7b2738feb233414a8f63209e

SHA1
154ac77b3f0a765715958e00293b89021c5a4cb4

SHA256
eced6ec8045a49da246a1590511e7d0eed5b0f33438d846944144d62ab2bcf06

SHA512
5e02587561fc1ca7a53c83ee99011cfa15edd735ea3d8e746eefa2f38139ecbd2d06d5f378052221a385176e9b54d2ea82e11cd6cbca5a06791f5101087efdf1

Download Submit
memory/516-431-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/516-561-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1008-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1008-560-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1008-255-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1008-426-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1008-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1060-25-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1060-22-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1060-15-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1060-233-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1628-73-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/1628-67-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/1628-83-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1628-238-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2088-394-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2088-558-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2300-9-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2300-21-0x0000000140000000-0x0000000140247000-memory.dmp

Filesize
2.3MB

Download
memory/2300-12-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2300-0-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2300-8-0x0000000140000000-0x0000000140247000-memory.dmp

Filesize
2.3MB

Download
memory/2364-289-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2364-393-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2436-559-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2436-406-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2492-430-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2492-310-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2492-551-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2560-367-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2560-378-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3136-243-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3136-244-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3136-250-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3136-355-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3440-332-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3440-552-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3488-417-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3488-300-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3952-60-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3952-62-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/3952-52-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/3952-64-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3952-58-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4012-382-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4012-557-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4028-516-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4028-329-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4112-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4112-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4112-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4112-48-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4476-234-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4476-37-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4476-36-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4528-269-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4528-381-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4540-553-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4540-352-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4876-554-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4876-363-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/5072-405-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/5072-295-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download