4e50924db0d104b7c37f28e37e51517915e1fb4d3fab3b176db3ab5307d95335

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_7d163c0ccc935970b345e5564bf3241d_ryuk.exe
Size

1.8MB
MD5

7d163c0ccc935970b345e5564bf3241d
SHA1

374291ce1cfda7feee5d56955aa403e8d3a37d95
SHA256

4e50924db0d104b7c37f28e37e51517915e1fb4d3fab3b176db3ab5307d95335
SHA512

73b0ee806873c414d4ff4389e7bbcefccea234c0308d194cd30834c76dc63a36f5a9c7e20af0ce41b7849246856b2a7bc625a99d0381ac2a8cbfda5105c46256
SSDEEP

49152:F6cbGizWCaFbcRVlbnXf9gPTTW7H1GXC:/G5CaFbcRVlbnP9WXW7H6C

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4084	alg.exe
2176	elevation_service.exe
1428	elevation_service.exe
4992	maintenanceservice.exe
1460	OSE.EXE
3048	DiagnosticsHub.StandardCollector.Service.exe
556	fxssvc.exe
1972	msdtc.exe
2468	PerceptionSimulationService.exe
452	perfhost.exe
3696	locator.exe
8	SensorDataService.exe
4728	snmptrap.exe
3400	spectrum.exe
2284	ssh-agent.exe
1224	TieringEngineService.exe
980	AgentService.exe
4800	vds.exe
1992	vssvc.exe
2240	wbengine.exe
4116	WmiApSrv.exe
4892	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

elevation_service.exemsdtc.exe2024-04-28_7d163c0ccc935970b345e5564bf3241d_ryuk.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_7d163c0ccc935970b345e5564bf3241d_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b3536b8d590e271.bin	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exeSearchIndexer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000068c055379d99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f6ea1e379d99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000053261a379d99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000f8cbf369d99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000082d62a379d99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
2176	elevation_service.exe
2176	elevation_service.exe
2176	elevation_service.exe
2176	elevation_service.exe
2176	elevation_service.exe
2176	elevation_service.exe
2176	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-04-28_7d163c0ccc935970b345e5564bf3241d_ryuk.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1708	2024-04-28_7d163c0ccc935970b345e5564bf3241d_ryuk.exe
Token: SeDebugPrivilege	4084	alg.exe
Token: SeDebugPrivilege	4084	alg.exe
Token: SeDebugPrivilege	4084	alg.exe
Token: SeTakeOwnershipPrivilege	2176	elevation_service.exe
Token: SeAuditPrivilege	556	fxssvc.exe
Token: SeRestorePrivilege	1224	TieringEngineService.exe
Token: SeManageVolumePrivilege	1224	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	980	AgentService.exe
Token: SeBackupPrivilege	1992	vssvc.exe
Token: SeRestorePrivilege	1992	vssvc.exe
Token: SeAuditPrivilege	1992	vssvc.exe
Token: SeBackupPrivilege	2240	wbengine.exe
Token: SeRestorePrivilege	2240	wbengine.exe
Token: SeSecurityPrivilege	2240	wbengine.exe
Token: 33	4892	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeDebugPrivilege	2176	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4892 wrote to memory of 4292	4892	SearchIndexer.exe	SearchProtocolHost.exe
PID 4892 wrote to memory of 4292	4892	SearchIndexer.exe	SearchProtocolHost.exe
PID 4892 wrote to memory of 4484	4892	SearchIndexer.exe	SearchFilterHost.exe
PID 4892 wrote to memory of 4484	4892	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_7d163c0ccc935970b345e5564bf3241d_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_7d163c0ccc935970b345e5564bf3241d_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1428

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4992

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1460

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5040

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:556

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1972

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2468

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:452

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3696

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:8

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4728

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3400

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4628

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4800

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4116

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4292
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a629bb7594d898a57a5f6c861a6d0e70

SHA1
76629016ff6fe6c5c449a76eed1b1d075492eb2d

SHA256
7a14daf8dcf9fb2a9e6368ab465d4c3b9de462384381e960bc7ff8d46035ac15

SHA512
2d2004d6d6ac3ae708cfa6d0656d843e1966e199de5d22abaa21a603978b997728adfb3035ac1ba3bd654404b8009491b91562e1745afd0bb64a5b0a3af6686c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
7525159473d814f50893c3694b7cd484

SHA1
7a346f91d6aa7c3a1baa8dca5f48e72bebd63601

SHA256
474311ecf4214c499018151020438958d6405a14c045513ae0a1785df62cf3f2

SHA512
f160c462367b783a8148fea759d9c602f4a3ad3915b14e5f59c6e31d90bbd14696f63431c977910acc614618412774b4793bb8102018ecd96f671f7bb127ae4b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
4001a9017e416a2f72915376d3b3a065

SHA1
086bd879cec4478fbcf814d8791f26068f253faf

SHA256
3b6c84445e1ce8f7cafae7f7c84409cde7bb61445d22415f88c29b9d0ae0d3ac

SHA512
6f40a06f40bc6e404f15988e79b27af32753306b7dd4c1d90cea133743b8e3632b76dfee76522980765a04f4c8d282aeb26921d5a79e9c86f1766d1b10064867

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
892afb63e2ae0cf6b4c6e08b66d41995

SHA1
b037f4746e67fd4c7cdec17996da7637d2c36a88

SHA256
0a90238aa21cca607d80d27be59b15ecc9c677784591a65e225030ed48cdcdfd

SHA512
77ce37707aa435dc3d1827c76df326f319726fa34b7ee223473003f32fbb3b9323b14570988ed6613ccfe4e0b821578697f4721049985efe241153111ec0467c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
03b3c49ccd806161aa814fdc0fca1de7

SHA1
300c2e94e68ac636f7ff1f7710e4a6701d6a2051

SHA256
c976622087486d67f635394e5b32c3dedeb053f3f45fcacabbadab1de8a7c8f1

SHA512
bfcbd6880fdaa93417c6f9d16461578812f4d6a465446dee759755f84e39c241aacdd9245fa481e43d77df5558bc0a3a072ef7adbe70238e11fb872d9b2f7e7f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
7400a5605f571247f6cad7d9f4a90efd

SHA1
b575b8e6d4856167d3f2e73ebb79d1f055949185

SHA256
a912948e81debd8d7a656d0b6ccb2ac76c133e062243b64b95672d8afeb7b008

SHA512
6b575eab296cd8e4a26a5641ed30f393403c2ae04fd8b3eb6ba71fc5b4cc90026fdb0f823317369a4b49c78a039191da3f761bd6ab9093af203f133978c22a85

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.6MB

MD5
77c21dc01336f874e1b6273b974645f5

SHA1
d703ee79a0a6d9bae5ad6fb19d376c550405ad9c

SHA256
4e0b06afc1f442e262081d33f005e08072c1102be70ecd6fb0ed2e6818de49ca

SHA512
15ae2f877c014e2e80fb1b5acfc621bcbac255e3075cccd1e73dbc247aba4f19169eec0ff73f70fa79a69ed546443c3e216614db736e0819bfc10b1b06701068

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8897486215233b68113859ebfc82bd9a

SHA1
bc65deb758d247267a5b0f58b5a936ac622c6137

SHA256
860df896e4bbc37da67172a2d8451d4d893afadade5708d4e7cbfc716f58bd83

SHA512
49979d03d0189588382cb97c14e17647dad88d121cc04b6432d9f1e1afdb34e8aa2c2fbbc49ba9784b1783c2a70626712b560c6deb6331be99007988f4b104cf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.7MB

MD5
b42697ea2ed460a446fc2256f3a880de

SHA1
755d6d689891d4520d999c105aeb8adbebb9907c

SHA256
ab136f290b433271be3f88f4260a2c34bd3ff1f3f7ac2c88f55e33cd20ceb6e1

SHA512
959983d0f3432ce6380b549d85f13de395e1d749ed3669b83485fee709cbbc8ab200b9ef1b429717ce0ce788879dd3878794a5da8dc31a28f9ff59d3d67d612f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
963d1b1c85569834ff6744dde0af41ac

SHA1
7f6a474a41867386a1c44a7c92467aeee32a4a63

SHA256
b7d2ace46cf75d45dce00c48763d752e8baeda8761d47e06e4248060f57a95fd

SHA512
6d92de285368d8b3f8d6eb63085c188b47e1de80aaee30be59ead81decaed75723670344cae3a8341b56716effeb2f73e7e08d5471330768ad272005a17ffa31

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
08ca081a01635e4db15af451b63aea21

SHA1
3a7aa0dbeda9a9112dbf945ae78645d264a77d7e

SHA256
79dcb4b4b32338d425397695ecc0c0dfe64f56faace8dbd930e5588632d8a1c2

SHA512
965c99fe223bfb6f74f3180255d9e3b5ef07548c5de001f23b6f9ef0070edafa7f4bd630c73b572dcf7ba9b049e219ca117bffcb18422056b5b733100217a3a7

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1cbb8a80ab2e68f5c04af15ddae4f635

SHA1
7ad90995db56b73ee76a6b899f846c60f9d84ff5

SHA256
cd28248aaa27cd63779dbaafc876a69ff4b6dd1edf0f60305f2a092391541b78

SHA512
b5f15a30cadf300251079889f3126fab2e064d67785e465820ac864e531e493823f6590b1cb314ff7de79d70237a3ed769231067a2ce5eccbe749a93517abf90

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
d28be632a666396bfa5d09c7503350d0

SHA1
5beaf5978df222ddc889e2e356469ddcdd215d34

SHA256
a93759ec13be4d24aa09e047f0c486d8ae4fc2e13f55a1adeb12d400f8342c73

SHA512
cc1db92de815860d09ada9451041254764e1006419aba8fbbeaab8723896ee46341528bdec7dcde71f72a09b4f222c90b78dd215fd77bcc07575f8b9055886b5

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
15988dc182dc47b03ea22691a67b81ee

SHA1
17cafff9e4c430fee28e069325871631d55ed061

SHA256
74982a7dac4c48a56fc970a739a34248c6f27182a61a98e4d45ab0918c1414c4

SHA512
a310134fe865ea19a3f6194bf195d584280f67f1f6968ee7e58521784318712a4abefff8b92260f6cc87b29d50834bc69b14b788bc355eccce6747d7ce93108f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
0295c91de0329e5497bfb61b6bc5d869

SHA1
44bfe598815e32c2b9171164058b2681bf4441fa

SHA256
ac932a8602e4fbc5f177bdc8daa8b3edb0aedc69d7631d9b5f3412649a27cc92

SHA512
eb296e04d3ba0eaf9327598268d2a7b1b2eac0b9d156c625dee548eefd5bf606d2ca52bfef617e34093d2556ae860aa15929ec08a11e0112162e49fe97c0ef19

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
b464d36150c701d7624f4c06aad063cf

SHA1
c78ea464a092d1af8e8c1ab68419b708784cb919

SHA256
6fe7a318bfb737bb083237d8178ea59ec036cbaba0107200dabee33cbb271f22

SHA512
28af10835ab9b1de097824cac0df16dfb50a71f806e26d2a1d85ab0229cff6dcfd931c9060412e27abcc54def7cfe11866afe76b6adc3388be418b78da0bdeb7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
e127508f80ee76d2933a2c76d03911a6

SHA1
585fd41720ac3cc71410caa39e73f15ec6004155

SHA256
aeff29fc7f523c8fbfab9d2cb551d8c34d26a462cfa7291f544e2c86735a40f0

SHA512
6c4352aa1f2065b8636d11655767fafcb0219f1c282d953d718db358b3dbafc4149f52eeb17089b8037fda75225f689f9deca29f1645fe7ce0b0bad20e151b77

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
e43f2b33ca4a570f22e041523c1273b8

SHA1
d0a3a11627594affe4772691d385ee1cc9c0f437

SHA256
e69a4d653bb40f884bd0b6c79dd895b856847823582647d1d83f45cb3468e4b7

SHA512
3d6fb9251b40ccbe3bf220a3a63aa11572884a24f030f41649e74bbd34faca7263141f38bd3be1f50e9358f19b2411238e570fd382c1082121ab37ec4035e229

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
8faa69ba0a2c362caf4f4d52e086246a

SHA1
905d99d898126f09eb22c60ec5330515a032e54c

SHA256
88d8fcfa555054026f639ef71231cb6a4119452d7a9a12528f488cae1376f9b3

SHA512
3e1dc69db80afcc86ec63eb713f3de445daf216c12185c3046b33327eef98e6028faf0f6267daac56ef10d5fb9c36c93ef448151d66f26ee7872381622094299

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
5ce41eb5c0cb28f166775527c0e3dbf3

SHA1
1c95cfa2f51a7905b7ea5bfb221a5cfc24ac6f7e

SHA256
446b28e8a6409df9ebb6d447c28a8daebb73eb633bd8ebfc4567157fd686af13

SHA512
07ec97aa3230250311487afe46f0c2716725395fc180ab1d4698a5db27a236b5474584191a08564ca5049afde0a89b12ae20f2776856e10809e228a6725a3dad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
a14e72b65608d8fedeb2d9bff375d099

SHA1
04c52bf4b537b5a87900e4c65dca40411b9ac84c

SHA256
bef1a65ecd1fa8dbd0028330d4bfd1c6471aa171cde07043e5d0ba478be5ee8a

SHA512
09fd0aae1e9944bca8f7cf1bd17a8105d9ad35f0c1a04b75db8a8bdcbc5a0e8a157462154dfeede4671ad17887c8a9a807fb3dc6bcd3cd79be1bbf0fc74dc3c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
e887bcfb2d01a036b41a96ce55132330

SHA1
a0d954b4b5a9485fdad47fbf420ac194739b5e43

SHA256
fef56a6823aa505e5a38d91244e9ea7fd39e600925e278a0e4551b4ad293a844

SHA512
f8c1e0c918721ac38a920f251bfba0197e328589bcb9b90fd7e4f76b65c2e2b9f78abfacf80355ae7ac877bf5618f8379cfa8bead28c1c63e942d6fffd045835

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
53ed83f8301f2b9bab009d1ac4f31f4e

SHA1
c965d4ff933d5cce91699e1e33e790651d848dc5

SHA256
a225ba4391c3a17e5047dee3e6c19f495aa4f3711db727353919db4f8d093467

SHA512
e1b31106d8803681188b6bca5074d3d0d0adbe3240568f56090698aaa4e7338e5d575bf1fcc759afb8c842714c93415ce3c49ce7893024aba4962f06503eaa64

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.4MB

MD5
0dc515ae217aa3a75b1897469586e7de

SHA1
345ef690b39aec6b40cabaa3b1f50f9318f6df23

SHA256
701f17b535566df2a3c6023e3e1a89f12abde74359fb4a20014459da1d66bb95

SHA512
c081d0d5923f55f5ec2f906b46b20c9e46bb8e9f5d681424c142d2239c01c2883ba41569f982019eb4d7402a0e05a3b2ed4893c139a0c3ec693498fc2aabc28d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
0adeb19c6e8abbb0f305f3fca2e183b2

SHA1
b4de2300cbdb910d51bf747218c6c0c5bf0d0a02

SHA256
e2d9da5f75e97a2e440d0059b50a21bd62196d08ba36e863bda6aa0e2149876a

SHA512
f3a4b6523f5b6796faeaa44767c786ad22fc5b78372e31c9d348a3be347790164619ff50ca61e93d063a3289a661ed7d5a1b7f1743493db9f400f5aacb2f0903

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
c2d002d6aecaa9a5d9ec6eff74b172bc

SHA1
6f1df38bcc31a20fbbf5ce727b1bda055446d121

SHA256
0b326737cfdf765ecb1271ae593db5fe43b215c841dddb7310d9ff0de47e0aba

SHA512
be0895eaa975c38804875ef730c9ec4d7e3dcb65ec513ba5b1a2006e137dad751a8144b303ce1003b40aeaf1dca6e417a47281f03ed173255008fff141552d8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
1976998b5f233d89e8a672d9c217a5d6

SHA1
6d9541b188d9ecbebc4e4d37ccee6cd0f5a9a3c4

SHA256
113450bfd131d76550cf74d853ec73f31b77dada8ea68919eacd8286314f4f54

SHA512
1b072f9515d2c5471bcadf22e753f3fb0167356d1e3bc4d22d2efbd5b898ffac88000687a16e4482071fd09500f402f86c384685934e11fe978f7cc74e795a58

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.6MB

MD5
2b62f7957d3cdb7abb671972da11ff84

SHA1
40d72c6d1181e01e922c9f1df05ee9209639d666

SHA256
d0f260fd3ed4e547edc27e29986817c3bf598d5cc47b7732a5f308469fbea96b

SHA512
a4343dce1a369a123db7df83c15672cde9bec6362ea9aa9c79a554501d86b9f846e55144b34b133a736a52f90e9f9cda70168722f79554dbc476ae14d9625181

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
2815454f77902858f8d63fe3fd643c42

SHA1
dbe7e24d29bbfbaeb085401ca6d186ca43e251c4

SHA256
683ed9a456fd155eef765e793e7cb9ebeaef2932294740b1112e407da536ef5c

SHA512
0672a39fbb5d99a3027e6b48deae9d36fe4ccb39c864ddd231b0c4bf52610bcdeb6f5ccc5008cb0918f21274a23b498458cc4b40a60cd51a356c1339d08f4fa6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
2af98a4f0b6f2ba19ec724c4276a3eb7

SHA1
a0b8fabde84b6770ea3206650ad74cb343eab4b9

SHA256
cc691f9dbfc4f6bd0cdde3b72aed201c217ed1f4b27e8c3a1a9ca95d4e0afe1b

SHA512
2c3cee009e589b1c8875ae47d1819789e6fe73c492a26667f31cb9932967d14a55dc5f01f910b0755c5e6afec66f3ffca9408c840158a30c36b7852053c59285

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.5MB

MD5
0a4870aaaa5ab520dcfdc0cae87cb6d0

SHA1
370b6a9aca78554162f11943cdce9bb94737e7b7

SHA256
b3d07d10d7f08cafd94fd5f0ed2757a5130265c8ec0797f94a43aa2571f0d59f

SHA512
bc90876eff8ecfd3c84ff40e81db5ca96e2d8d07909fa6b317b6854593eb59cb83a54439378bc51b68a6f48ffd45dd7f4673d164fd9c5bb504fc55f194914a71

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
b9e02592c3c119aa4c3ad22ef3a22c6e

SHA1
4e04b779cca1a69eb40f562a61d6304182bb9339

SHA256
c8931777c096ab82b96c706d86383081de8491abb721386ee0eae48c12be6005

SHA512
cd1d117985d61f101232ac09b8eef563a400d1d44debb9820f1217617bc7a0a58809cd181c2f0548c3731aa9383b2f11838334097e3fca675ad320f5862fdc54

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
e0ff8af3d1a0235f44a9de06d0be5dac

SHA1
9024de33a216c0094e92abcb81ce31c350d56d9f

SHA256
920df62fd042db817a2b7208a869abcae50efabb73895e2f4ce7bcb533f33f68

SHA512
4c5b101bd1d605f4f2da1fdde9777c8923c4f4e21a161fc6cdd41d0804dd998f3744270f9f46eee9947875fa16ef3c3f7e108cc24c151b29bcf9198cbcfd45ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.5MB

MD5
78492b0e1cbc019dd493e2c76ba3e68c

SHA1
001481bed81ab18477823cad7bc6f31885847285

SHA256
e8046ef50ed291d479c54783d2f2044f3e19f6ef2adb22537c5bd01bf333d26e

SHA512
4deef4667c87bb946c4c8cdb9cd896f369e4ce618eff5d802b40e91bb9872434a846b4468fcb7eb136aa17c12563751a62390e1ed2fea56b47b87716482e6d07

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.6MB

MD5
cce83b25826c38d1357905c8f0970718

SHA1
19e556b2c451e2606bec0b098000188b42279c42

SHA256
d7f4395457067fddb3c1f9864a02330b49f6e59ac0151e40184e19cd5a3fb30f

SHA512
2e5732c3e22afd499c64df4f06546d6bae1011dc7b4da169766fff460029f31b06e91fe0c9a59de92f23400e0d94e460dc319f9264742a07f9b93dee74eb047a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.8MB

MD5
ffd7b8e19a623e1d8b88778c1b5e38ce

SHA1
71a6438825064f62545e30aaa3fab9e1e561b8db

SHA256
7d25bf7d84284b608f7b4da7ce495022a196904ca94c6d8434e7b38dcb769037

SHA512
d29d8ab8fb4f2e3d241a6ddc4513c50071a4ef52707a725c1e3697f37a6e31d268517a9b5188bdb47a5408e0736cf86d3913c1830dba1fe94493176baa030486

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
472854773e18c3d867985497a09022cd

SHA1
0294ce153e59e15e96ba89badedae45ee1b051a7

SHA256
b60222d7a3348712b14c84e0020ed25c43bed33ae8a410fe7d844f00f2739931

SHA512
c9f2508ba14dede88f9f090724a8f2ce8be1468b6443e8414ac6df04e3873dcd65942c0d398cc26a857671e41c02e41f2e57f89591ea9ac154be22c7923c7da2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
5a468a0a409195adaa720ff6a58b0a3a

SHA1
b135e59a14214944bcab31bbf40bcd43d2a238f8

SHA256
78e3f2fd0e3bdfb74b7580722d4431110f51715386cdf122224d0a814c41aac0

SHA512
5ab0ec24f9d27304c8402b1ba61e7e74724fc2354a8a13321c0ef5c82f90195bc36001fadfc5fcf684001725a5f035e32a62a93629a02dbf65171a02fc3ea526

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
21ff88c36e82edf5bb59f2ff7a78d3b4

SHA1
9cc5fff18982181003f866030eccca8ce2e5cdf6

SHA256
834d93fca751f444552a0d20afbd896600123b8df25bdd2f4942c54c15c0c1ea

SHA512
47b940256c113adbeff9c84330334a55f5de89d072a41a5b4bd033c534a969ba654aa6fc4d05b3241478c6419525cce24d48bb074bcf86e42871dcadd01313e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
cd2f4abfda8c0193f457ef90a64aca2a

SHA1
51ecf858654289a57771dd44883cfe66083f5001

SHA256
05009df01e4d6b6ab8961bbc1c8467b3536e445ba83123207325bd9134909c5b

SHA512
cf83ce6bc052610fb637275f4f0c1ca5d7d62164a6427e228b16655cf59277494919bc400d38548dbed75cefc7185a5626917b967bebb568a651ce811e80f723

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.4MB

MD5
ba23878404e80c0c4251a0edf4304128

SHA1
4a0ee5971ccae64796001fc07a60e42a4069b24d

SHA256
982ba2c1b36b7c8c05092c3aa01d742ff5209c2f8fd36aaf98fb74b155de6a62

SHA512
b265570109ffc02da807751425f36e0eb9f9e0bf94fd3d9c4fd4506ace74079beaa6ff2f06dc0da28e970620def0634921be79bba11fdfda38b70860cb0da0ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.4MB

MD5
27d5ed5ea2b914355b9d7f0774e8e4a7

SHA1
662ec3940735df81dc240292787c2c9a7657b708

SHA256
99182430cc83e1f5ca966b81d9d21b3d37a4c513ef51ae27d6dd664fb4b1c87f

SHA512
ac036d389d435c30d4ef035fff4f244ba20f5cf2cb707f812ba90e60ea7f115227d540588ad2ad78f624cb7adc6a47ca1206a06e898f525a52c9c885c2b7c9a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.4MB

MD5
de24547f150b075fbead01a2dd643f05

SHA1
8f535dd710b7e5708265d29a873733221595e113

SHA256
9fc66fd4d866ac915ccd02364eb429879763bd5c28461bf23085b8d69660e510

SHA512
c90b0ec75600b6e8ccf80d7a4419cd2513cd21edc5719ed10eb09280eb484123a6d6f7bf12893c21106cbc37c693dadae03128d07bdb4649d8ad4dbac3d57dc1

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.5MB

MD5
799525ccf91fb0aa4dc492579bc91f24

SHA1
2f4bb1a7a71a6ce5ff857d17c202a2fb3439bf24

SHA256
d742aaa8d70634032e344ef6325cc49363575663d8f24bfc8f46802aaa6a1669

SHA512
bf36b39fb7d93c57776f9aa5115231ba76d70bf1dc6308ccf6a4e40fa9907e0e91aa00c27456d13b0f5fa2a389a6715ba08e89cc1f3037fd3ac843078b681dd5

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
7cabdfef9fe0376c979559731815b42a

SHA1
1a932d47b2fb2e7f6324b77823cada037cf6f519

SHA256
0974ead4c3ce7ca7d62d637d10d4d8108e343e6a4bcfc33e975ee5955ea9c20d

SHA512
984a3d93b00be5ae0950bd9c99d8b3846cf64031cc0fefe51c92b566072be21cd4998e9b37ed7a8d963758443b78bba1b4399e4787ba352da2c188e6defa57ff

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3e7c85f9c9c9ff439503f0961c84bad2

SHA1
8458e8cf93bfd8cd762f429811733bab846621c3

SHA256
66a0aeca68a60fdee2bffe2dc998b994f39aebe0646d1886a12e57e9bdd2f9eb

SHA512
93ff7df9617fb0609007d6385fdb95a3c376e6cd35e7d867f278ad50ba3b83aa0f032887746581c4609ed7b8087405b642dc8c30585c8bde1361a05394c176a4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
1460cd8715028404941ae1e7e77e5fe8

SHA1
498a301ce432ec98252e1340f671c13772d68f57

SHA256
06b516d5bcd86b501c3a7665cd18abe7cfa49de236218bec4e9e61c2bbed5954

SHA512
dd7130eb377fb9683bfea52a3e09da2642a9cea606684f5d5658a787bd9065bedfa91e718d0eaa007ca22396b8071988ee4104bf653f474c3c24116644ab3063

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5afbf6da6252534c0982a72ff68f4752

SHA1
aa8fba9bb1df4934ba3bd1e8d5db4adb57edccac

SHA256
7591165c37460eb5368f5bffe1c6930c5f3a7eb0887cf7c43f27fe33fd79b1c7

SHA512
b43325aaa4be61193577c3d69aa76ecf5303e215764162fae680400c35cba69a9d26ff12c511957d9f072707bc7ec1acd234dd73acc61b47c1f4c1a4c1fc8f81

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
8ea3c21e57046963b59db1afbe3b23e4

SHA1
1bbf27229775e6636e9eee5c116b4f83f41be0e2

SHA256
b0d11407b4f82a1c1dc874eb43b9ca41f740b1496ab7e7539b50d68df5071813

SHA512
510fb3c55d7020759db130ac3ad818e7423fc118eb7731fec8a1d933cbcb85b3e6afaccc23b672686143681fdb20ffa9852a5f58c22b178dc19eb91524fa88a4

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.7MB

MD5
1011e3431335caec33e16b3f0e5d6891

SHA1
8b1c460ba6c434226b753a1ed42b926af0e2046e

SHA256
376d7a6713ab0dcd4c040b75c0676ffceff639e737600f975db78e1513753666

SHA512
cbc894d1f6984cfc35ff2e3bbe83f4605f166d9ea010489413a80903dc159574d750ec31c60bf0773dbb1c4852336055406b414eba5da775952b236af65eaef6

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
b7b10371c01ed84668b666c3f2e984f8

SHA1
c0fc72b9fcc617de5ae8c2168f3f4122de6bde76

SHA256
878153d1ccd46069aeb6fa5d9aab4607e0ee8d7ea673c8a18a0181373d1760fd

SHA512
ac60fe8667124343248f562f8b7d43c993fabc1c37e54c81d844d089bd02d49223c9f03c1fd9173b29906fe91bc8dac9679dc7e74631d336296d3e90a3114d1a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9c3cb575f7e801cce13afa0867256d21

SHA1
48040349f9a0a8355a79250ef4be1deb5201a000

SHA256
396167e4303fb92c7ae45ca65552883b3b3c4f62aa897fd40d5c45e74523ceb0

SHA512
d9d75d328b9d38ed9c3b620fd8726467e96d4a6ce8b41c8c31aa8f611c15a2f5b6bfbf68b84dc6168a7cda9d902d18a251f17fa131757dfda31c5fbf6ac1fb33

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
2335a3eb6485fbcd9eeddb56ee48e1de

SHA1
c9d50c01a96ba7f333db430308aefd169282c2d1

SHA256
52b68ca0ad74813cfed1f1db6869f1919346170984df674f8e22cc2985cc0a88

SHA512
a4409f6b7f7095fc3960c63e53c44949fab12195525fa6fc4751c4b083662ed0ed65129feccfd29ec6e1b7643ed64f51765415c04782545566c8e684e55eea8b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7d88c4aa146a05d1db19b7a4192412a8

SHA1
9490b257fe37e6580ce168b56cad7aee46094a3e

SHA256
75e43ec090d0ebd8f05c7c65214605a1cb68e1b03ec6edc3922db911a094a760

SHA512
3757169ee566b6458253f8221bdebd053398af74a0caeda08372a938509b8e008544d79795af528f2defef7328d7158abf98e5ed33bf84e1564c46b029c4f1e3

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
232aecfabc47ad10d47b19034c50db68

SHA1
94335b2aac6ad6001434542123feb8d540dff18c

SHA256
faa7b2f616b3b45623fb289121edd02c9e793e0a5db8bb6567336efba9732f11

SHA512
ac32f9d760cf844b5d337912811e8f30ab27678be4e1473cba5a83b705b50369ac43638348c0156b25e6a769506b760e18f98ee407121575decd47fb2b1d96a5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
64d373f9fcbc7ace8385e3854da13b80

SHA1
188608b43582f129382ec561541e54faf6cefa0d

SHA256
c6a3b20034b45ef3f6a0af56eff7ae372fbe29e978c0761fa28f7f619864247a

SHA512
f842f65dc8b5eb684b364b364d147c138fe7844857732f5fff364b6bd1e8228afb3cd7d4867641cf037105b248a30e6ae2a8294e1229b5d7a61445e3268aaf78

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
bf25d632781c1fd06a9db0fb32a15398

SHA1
5376dbf776cf96dc26ff30ee7fa4a519e5e44f47

SHA256
f328e0b1fb086b3fadf537913425135a5f670164d4fb794e726e96b36a0ff298

SHA512
be377d1418b65633ac7b150d6ebb1bd4fbefffda7b654372b3b2f026f31463f170c1223aa10a46721d408a70c053930c5d865ebdea79cc4e9a4b96255574b0f7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
9dfe22a292f87e8a485a255977c04145

SHA1
63df0a99912bc93f3fed6511fe256295556a2348

SHA256
c183deab44d726e08417d81ec1dc6f3553c2a6036a8d306113b525886844755d

SHA512
fe3e35086eb59ca82e90eeec3619a600fc19fdd129e67ef8da50cebfd4547b356e74c794a63436ed3a6a5a0ea183971559bb38904639a0d322e86ec275be8822

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
526d1c55bf94e3504affe89b1d9cd315

SHA1
6fa5081d2aa1c6fd63bad4e131ab40c55859c274

SHA256
6192acf7ab25eb9e2d0eb7c7abd99ef26e3e49721a3e7fc77405106cd7d67e10

SHA512
8ebfe9ec006b0dbe0d52ed194f95352d0a356bb42fd4de9623f4d8111b2fe4967aa1c0567dcad2eaf75e37511933e7c5339a8a8e9c4aa8e64b79641ed813ee6c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1ce8826f68b2f293340b4242c4ecff42

SHA1
3ea91ab1e39ffa759b2916cf299a51b2e225f99b

SHA256
05494ac637c9c862b5ba6f965af7a5115b0395c9a589fd23a26b0a119dbe13a0

SHA512
3fc00014ee9dc9d30b16f436f443b3ecab6f19aad4ea0b18b7d62669dedf04fbcf198763c338826634b2e1c7ee9a103bc3bd14f54cd027178f7817ad27770f67

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
9173b9714cc9e662da1fe6a48a1e6a75

SHA1
1735283a18c78500e850753f822d0ec0df640f98

SHA256
86a9bd836a516f32ef59d27b618cdfb1d53d86538ce458b67ed83b7644600c2a

SHA512
48382e0868c72bcc4261370b5338905f636462c2db4dfe65c83ac3999303948a9e081dd222a7d8447334639e98d5a3aa1e05f3a953b2227b7719264cffaaf56c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e02e6fcfee7de7e18e736f495180481a

SHA1
5ec6b67586ebb25b6d2e9ed2cbf5592378daa357

SHA256
6a4aa8eaf3881590a76ac1db81638eafe80b9c30566c4fc9a83bb1919720300c

SHA512
c48916bea9e0a33d5d41bf2b7f7b2fe11ceb09f9f933ae984997850abc91ce96e51071e0e931e9cd0217d72f40810adf63001958fc73badd3a2b2169e4130d2c

Download Submit
memory/8-322-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/8-576-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/8-442-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/452-411-0x0000000000400000-0x000000000063A000-memory.dmp

Filesize
2.2MB

Download
memory/452-295-0x0000000000400000-0x000000000063A000-memory.dmp

Filesize
2.2MB

Download
memory/556-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/556-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/556-256-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/980-381-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/980-385-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1224-370-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/1224-578-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/1428-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1428-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1428-48-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1428-237-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1460-66-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/1460-72-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/1460-74-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1460-238-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1708-0-0x0000000140000000-0x00000001402B1000-memory.dmp

Filesize
2.7MB

Download
memory/1708-14-0x0000000140000000-0x00000001402B1000-memory.dmp

Filesize
2.7MB

Download
memory/1708-13-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/1708-1-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/1708-9-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/1972-395-0x0000000140000000-0x000000014025C000-memory.dmp

Filesize
2.4MB

Download
memory/1972-269-0x0000000140000000-0x000000014025C000-memory.dmp

Filesize
2.4MB

Download
memory/1992-582-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1992-406-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2176-36-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2176-28-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2176-234-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2176-37-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2240-412-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2240-583-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2284-351-0x0000000140000000-0x00000001402A5000-memory.dmp

Filesize
2.6MB

Download
memory/2284-577-0x0000000140000000-0x00000001402A5000-memory.dmp

Filesize
2.6MB

Download
memory/2468-399-0x0000000140000000-0x000000014024E000-memory.dmp

Filesize
2.3MB

Download
memory/2468-291-0x0000000140000000-0x000000014024E000-memory.dmp

Filesize
2.3MB

Download
memory/3048-252-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/3048-249-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3048-243-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3400-573-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3400-339-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3696-313-0x0000000140000000-0x0000000140238000-memory.dmp

Filesize
2.2MB

Download
memory/3696-431-0x0000000140000000-0x0000000140238000-memory.dmp

Filesize
2.2MB

Download
memory/4084-233-0x0000000140000000-0x000000014024D000-memory.dmp

Filesize
2.3MB

Download
memory/4084-17-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/4084-23-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/4084-16-0x0000000140000000-0x000000014024D000-memory.dmp

Filesize
2.3MB

Download
memory/4116-584-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/4116-432-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/4728-572-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4728-336-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4800-396-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4800-581-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4892-445-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4892-585-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4992-58-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/4992-64-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/4992-62-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/4992-51-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/4992-52-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download