34b53b05b9e4220f7d2c1b86e2b3b80dd6ef686c0f726161b172276f3140d42f

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-04_1de48f92b6315f7d952f68837141f750_ryuk.exe
Size

1.0MB
MD5

1de48f92b6315f7d952f68837141f750
SHA1

c22024dcb44ab9cb9f4c8011e538fbd2f1291718
SHA256

34b53b05b9e4220f7d2c1b86e2b3b80dd6ef686c0f726161b172276f3140d42f
SHA512

30fb73a97b8b1f02d55892040e15c02169bc781c0d8186614831bfb379728f0758a6cbe4b801025865db0008616244213c62415ed465e1835ced35d32b3e622d
SSDEEP

24576:c6V6VC/AyqGizWCaFbyJ+L6VMRCPU6CENltmVVdpx7fLrQWd:c6cbGizWCaFbZ6ZU6CENlc7dpJLrQWd

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4704	alg.exe
3268	elevation_service.exe
1920	elevation_service.exe
3272	maintenanceservice.exe
3808	OSE.EXE
3752	DiagnosticsHub.StandardCollector.Service.exe
4880	fxssvc.exe
3960	msdtc.exe
3680	PerceptionSimulationService.exe
2880	perfhost.exe
3564	locator.exe
936	SensorDataService.exe
1472	snmptrap.exe
1556	spectrum.exe
1908	ssh-agent.exe
3536	TieringEngineService.exe
2208	AgentService.exe
4992	vds.exe
3664	vssvc.exe
4416	wbengine.exe
2812	WmiApSrv.exe
4228	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-04_1de48f92b6315f7d952f68837141f750_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\904143daad45b396.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99140\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99140\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f3e08dd2f49dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009adb09d3f49dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000618e6d2f49dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000534c7cd3f49dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000618e6d2f49dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000726a97d2f49dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3268	elevation_service.exe
3268	elevation_service.exe
3268	elevation_service.exe
3268	elevation_service.exe
3268	elevation_service.exe
3268	elevation_service.exe
3268	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4848	2024-05-04_1de48f92b6315f7d952f68837141f750_ryuk.exe
Token: SeDebugPrivilege	4704	alg.exe
Token: SeDebugPrivilege	4704	alg.exe
Token: SeDebugPrivilege	4704	alg.exe
Token: SeTakeOwnershipPrivilege	3268	elevation_service.exe
Token: SeAuditPrivilege	4880	fxssvc.exe
Token: SeRestorePrivilege	3536	TieringEngineService.exe
Token: SeManageVolumePrivilege	3536	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2208	AgentService.exe
Token: SeBackupPrivilege	3664	vssvc.exe
Token: SeRestorePrivilege	3664	vssvc.exe
Token: SeAuditPrivilege	3664	vssvc.exe
Token: SeBackupPrivilege	4416	wbengine.exe
Token: SeRestorePrivilege	4416	wbengine.exe
Token: SeSecurityPrivilege	4416	wbengine.exe
Token: 33	4228	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeDebugPrivilege	3268	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4228 wrote to memory of 4864	4228	SearchIndexer.exe	129
PID 4228 wrote to memory of 4864	4228	SearchIndexer.exe	129
PID 4228 wrote to memory of 884	4228	SearchIndexer.exe	130
PID 4228 wrote to memory of 884	4228	SearchIndexer.exe	130

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-04_1de48f92b6315f7d952f68837141f750_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-04_1de48f92b6315f7d952f68837141f750_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3268

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1920

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3272

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3808

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4008

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3960

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3680

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2880

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3564

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:936

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1472

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1556

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3088

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4992

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2812

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4228
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4864
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
bc7b1dbc5c1e8bd8a537abec1957a780

SHA1
ff3600365e9d7da411a653713da0dbe60fb5a18c

SHA256
19718d126cea8ea52c3fc0a4c868bf8dd1765118349cc3d339142faa528fecc7

SHA512
742ed1babdea512f772f13a1c4091d35ab013c4415b5a51e36f22994466fcb681d25a5be9639392420101cc18e81739c84c8a973946074f5eaa4435eae419fb5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
eddaa0a9287f4c1ccb90ea2b78049c53

SHA1
6c82016e6ef77bbeecc1d8040ac637e14a7c2c44

SHA256
7ee23d7ea28970651c552723ed3459cbb0ce27cc72aacb9d154768f7d98d77f8

SHA512
1ba16851b1375575ef9a47f6ef43231876671c07fe8243e61a51fe062bf4b2fca203455587664b7d6d30f89991cd2687d0955d92b6ab4cb857161efbdc3b8d49

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
df60a2e1b72fad81791a3fb0b3902051

SHA1
9681428e56fdc220a5feeaca95733ba115beb489

SHA256
2e220d8bb56dc1579d93c2330b56f8149861e7b7822ca63219ce07ac4710307b

SHA512
bd6117647db00fdf020c2c30850043ee4216f4c9a6ccfd3da4a89333e454b993a0936d0f4405cfb912c734a600f4cee4f39abeadc19d1aa4e106919ecfc7b0ee

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
1af1454a304ca72d7fbdf4414c6f4eba

SHA1
93d66e100b15837535ac2079b198c44c534c86e7

SHA256
c990eb0c2272b6c212f335b01d7be480a65dbd7033d9612c523847df82ea189d

SHA512
8e4535c40f2eb952e141aefa508e22bb748ecef9f8fcff2872655395ae2ab94666c9748bf4ef41f842c5057096e44e89cfeb14274591fba64a67de48a405afe3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f1f768aa92be28c5795a51e82fe4cbc7

SHA1
19afd86dafb60bc8c1356b9341a1d0cb002b5541

SHA256
b1809167eef03ab352e08c7044ae1d2b1eff34c5befcce65c3f3cf480731a603

SHA512
0e57fe05f63b8cf130162ae1c0148a666d91eb8e7d1e3e21449a381173d1bd73035f808c5c8b4be6279610c8cc26ee1d9f4eacbe5e60df035ad775279471b081

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
0dd46188a58f89818cdb065b1e46722b

SHA1
a5c5fbe2f65badcd0d1cdb5b44037cfcbf2e2d53

SHA256
48098e7a426c12937dce61fc757219e0c49fde25c2742a0e2207fb57c1cb3491

SHA512
3b15cf6af05ceef53ecceafd76b7aa17ad2d61627522af3ff23bd01ffe9b33c8963d97eb2e8951fd8fe1737b22be0d4f6de3e82d94cf2ef9a1507207c5af7fa3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
92cdb668765def4996b77b14dfb1fa18

SHA1
0c4e1935e55a46ff57c1b209504b47996e9d76f7

SHA256
b4fd98baedb4648389c05821b26661e01bb1a92c9f9e212c457ddaaafeb405d6

SHA512
98b992b392225af32f0d56ee62a8db238ba81eb5e6d6f06646eca537fbfcbd1b749695d5b89d23b0b61af102c4249dd3f5c90e7f22212d2caff86f8da80220c9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
29a592ef5b1ca659c7ed6eb49ac2a77a

SHA1
c238c58cb576c0959ade432f393dda49a19c0611

SHA256
3443301a9e02b0c909a80348c9cd5e606d7313f48a110339aa97f679a6289b5e

SHA512
4994e1ecdf0253ea55c3d9ab262eeac361e3feb45aaf82ba81eccb7b4e3a72973235d71dca78bfe4f6907c9da37c2be4e998fb7899e1daefe1d1f6dbe86afe72

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
69ac8aea1afbf9d64748146808240a26

SHA1
d46e38921fe4e7ee5e5655d37ebb9b78cc0b3848

SHA256
ee4cb63d2e98cb7022bc8811c9da8a8836b2dfe04b080691a727e33631394068

SHA512
a69a5f888a43a4b0c82d5ab99dee0db513bbf487dd1e4d9d9decf5ae606a9d2ec5dd0e4c25e1c2ce8e72db422b56d29a4ec8200a27dd47cb9106272238232cb6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
94846976ee29aeca420d66cb8cec6293

SHA1
f302e22b15930f0a4145dcfa9aa2e29d36d6aaf1

SHA256
f08e530ed82b82a3d21a0eddfad291bb647d8e12e7e805aaebb87dbf6411e8cb

SHA512
a991bfbbfe112f09db0572fe27b830a0dd4d49cb42178f30050c9204004c337d59a2c9917518880bc332facb2ae10692849944bf9bb88ca362fb6f0fffb71eae

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ac3c063dffd9db857ad39cc2b1e050f3

SHA1
7ec0f0a5abd927a1651a38777452c702f8c79c5d

SHA256
7413f3f73ca03bed2dc6233589f0418f6ec25822a22f4819e05cc7768a8d9ff0

SHA512
b4f3f4c65770f33842f6d5bfe34fc576ffa9ff7318f4c98264461670ca5762b9a4190fcf8fe80da7bb872f4f9c0b6dcbb53d19cdfb8b765840171f5a1dd661a1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
019f405481ca5b259a9d99dcf68da10f

SHA1
b30c60aed319cc555be968a5946f030c5a7d15dc

SHA256
42a4e8a017bad3d75318aedc6ae2e1f6918e0d78627e0ae6e241fb0e60bc411e

SHA512
2a31ffeb6a3238af4d5e54a988b024f4b6175688a65bcf249f42614c03451229fc1fc55eb9fea7d4116b611026544781265dbb70ec659d3ec1a7547b973c5f8d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
490f98893d46b0b73267370e866ec701

SHA1
78113006cae4b409846a58c8c1b78ac615203ae7

SHA256
b8fff46b728a7a472459ece8b80697288b79f86321e9d4afb0ad7d027aabae9f

SHA512
1c4cd282b8203b839f18e6998019d79216194dd89b504f2426d41354d49d7a47a49cd2903d9abfd3bfb4078e57b6f29b38f9ffde968e916fc1e6e687f17a7344

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
10ff129541ea75c495348f0059308ada

SHA1
bbf7e58de59b4e099bc4198440f429aab9c770c8

SHA256
e18d1697822d8693e6c4e442fd2ccd7334c880d9193e1cfe7a4956cb7ff0235f

SHA512
c8df6e7e0b9751ab8b6f658fbfd8d4daf348f6ed2c63f98d72e570ecbc57ebf67b4d76849758f9908aac109317d754f906ce0c883650a9726a441dc1fee94c6c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
7f49ed7f4308103340d59ae6df5e1a91

SHA1
09c3e51fdae9f291fb5f9dde48c08f05fac691a9

SHA256
e0c2e2ccc7d317efadd7ca37880b2c84aad4aa8c5a7eb50bb180fcfd3f5f2c87

SHA512
6a7dc9ca0102660c1ec515b12c8683dc52911ef3923e0ec839a8abe245c10d0203d27efbff3c8e1651e27c2c7002017d115824916623c84479cd69334e891830

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
8ff880ea6f7485de209f6db6ec3185c8

SHA1
b89ed2050f9826a4a80133b96b6c3f8b57cbcb2d

SHA256
91eae741fc4eb8661aa902654a354538db77534d7ffee1d0a455a6a8dc80d26d

SHA512
d95b328ddb5efcac4c45e2c8951d250a0961e899897ce1e87da975ff509389e13835f624431384693b921769bf6db171c7cc9f877ef9152e3ddbf440efe18cd6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
0a80825179026ef0c484a31e903f0af3

SHA1
18281c22f2f2b6a0cf8465874822ac1f13d28c47

SHA256
027722a46a32c566a25d5883003758ff35f1cf9dffe8ec690d3a46d69eadde6a

SHA512
167d5acbb2f9cb00ec74c57e3023a647d2c4e926d257c541cec06b1edbaadee5af4b94bfc997b6667f24682b7dc91bbabcefd991009a7718e5ff15daeb8f413a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
c070ac0ec8279e6b62c09d0b824fce92

SHA1
d502620c5999ccd4d13b620ea03e3d3f16a59b0f

SHA256
a0002e35c87a1cd12856ab85cb1aa0819c5a16de326780be59882fa27c05f614

SHA512
f6cc1b59544822f3d793bf3f51ec7f4db9ef29213743380288913e2ca8f74c5a7447d21e98e3cf38a5624adee449f5610cba65e2dcc335db7a39fba8a81a8341

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
242ce9b6eb959a9ac858b2fb300276f1

SHA1
d57f9f037dabff698e8dba080d596af0b7df6e82

SHA256
3d563a21e378919162e47c82dd0f521a30c261364c355dcc9bfe5af0220a041e

SHA512
33409e1487c9328b31725c32d6a6f935bb483d88ee4b02adc4ef9b99c8720aa6fae631d5d8f96c0bc49088af2dc921f6f175e70a497892aefba058ff668cb2d0

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
088461a175ec8ee01d2748dd3efee57a

SHA1
c4088a27a1f4653c1a619bdcad133006d7fdfd14

SHA256
449cd3cdc48af37567bce81979162b5af0da04e7ac92a439973549feaa4844d2

SHA512
db25811cb3121ed31dbfdf778d6999a301167359d67c5472eef3771414c1a0d749aaffb1cfdfc3ded2b7afb593ef1684f8c3d943bf4eb34cae43b992c8eec520

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
8b766d02152f8674984f3cf322e9ed7c

SHA1
d8d1527f64a2dbcff89652d1b3ac88f0ba92281d

SHA256
f14d2a58ce2168e108814816ad8da493daf04f306a2cc8f9924c2d31903df633

SHA512
7ffc939f23bcdbc03fe3802d73b19e5ce2f1b0bd1646cf0648a011141e20fe1808a24a718676a30ddddf33a94bbe7d56411c02b22456c0088dc54c653ceb8541

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
ec7dd32402b3ab38085c9875797a32b8

SHA1
8fe8e952d1de93482c2e371dcb23c2658246f8aa

SHA256
c71c95f588fc55e9fa7bbf330212734d70e7f35ee0d1abc09cc6b20299717b84

SHA512
4e332833fa16f39842875e1b5b20c632878c91b59ac44107db71117a3999bc7a52a0b01c8829455e59505552c1494f8a5df8d8dbd85b7a90edfbd8031cb85e6c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
d2a41c6b27243fad5de92aa77bdf03a2

SHA1
16938f1d3b83cb88c415e833359b92e808fbd976

SHA256
8371af782d2c2cbef06cc74311726a0cd49642861181ac21416102fdb85bfd0a

SHA512
03e390d9d308539e13e9f856cfcdbcef188ae82fc36def5723cc4872e7e79ae94d1b1cbd5c130b50c05cd01b036dc5b9750d58e45f16770e389ff92494a23b7d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
02423255074252f5b982cbdfe7faee3c

SHA1
6d863680d5c2715ece75b33670911122df9b0ae2

SHA256
0a4721e886a304dcbf5e57ddcb1a36ae264505721884ee335faadc10ba03fd87

SHA512
83361f757e28276eab5039449193b63357dc976abeda6cdb2159eaed0bae37c0d01ab2dbaaeec8245afc9825ca142e68e6502dab9bbd21077b11831e053ed0ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
7a15fefdbb8d87c23d071557470d489d

SHA1
e9f377b0c847ee65a1d29957d3b0b6e986dbe657

SHA256
9f0d38ff88a42a35e6f41d13ea79fd001d89617ee7836d24bb6ebcf7cd5e44ff

SHA512
dd5833beec8af40ba168ec41447925304e05d4d02d4a308ac861ed2c26b0e8a4250cc27aaed129f354f19fb69ab906f1ca52fc113a546a968afbc6ff14913ec6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
bd3fc69f53bfff053d77a014e91eef31

SHA1
782bf3d88393b7e6b5f4b5906dcb2df456d509a6

SHA256
81c142705b6b35938b305f1bed89808e366db92d6a3669fe3f4ff154076728a6

SHA512
28c09304e718bade1bfdc09bb43a08cd785561eb3ea3f003820508bcea8e03804706b25db1fc74f8b03f95ccfdbecff63e22622978b1148031038438cfc65406

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
08ebf3ced7dd6f0e710f4a3c4711be6c

SHA1
7103d2749c88289deb83165e991a8d7c5af0b362

SHA256
02e355b5070aea3a84cb2ce857a21b372d5b36dd26a56344b2a589b228e5b66e

SHA512
5accef73fd29b7fc0fc1dc5f0e23eda46c622838a1b32bba2451fecd10272f07915854c6fd53b7a38da7d05da4b68d7adecfa377e40efcf772bd6f46d7bd94bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
1162dc6b54c26c553bba4e39617092ee

SHA1
91e2a7be1774db0ee13c1f510d98c88b18fdd21d

SHA256
389148e8510c664235995f0222de2fc0e254aff675c8a90078328bf0eec2a390

SHA512
a510e16d2aa5fe811fb839343af430ccb19109b7931f36d0a45b888ad259edea0547d3d30344ce2491fa01e0b020b03dc7ff673e724329d1cba2538fd01f2c87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
4fdea8525f0bf59e57816a49e03a9fa5

SHA1
107073b037b46915bd0f08a5c02b12c212916905

SHA256
1eb5388ba9fb6d8567ea49878ca2521e83f9f2adbdb2f55055d554a0465af3d6

SHA512
5a473eb02b5ede150383c74f9b928f7e99cec5cc6a0e1a31b3bcfdc9808e1f2e12d3dd5a39094be2f0d6faf851c47bf3c103e4e8e0b1763e9b1fda806baaa66b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
bfd8f41c77d1ed9525645f5f47a2f8af

SHA1
8a444de5953abacb255491458ee6a990afbc77fa

SHA256
6abb8c8a90e7e2e1c088ab3244612d28024c3cf90a199470aecd69baa40a33bd

SHA512
8df89d12258d82fe4c27feb35541bc3244f865d8b4491316bbae527bdbc0f5435678e0ca21a63340d88058decde6c71b1d7ec41a92574ddf2fae1fc2633912fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
ecdebe2bdb34f382c6611c1c81a3d089

SHA1
950632ef4ad705031c98c57ad2adde7ca14c58bf

SHA256
486c5d7a6df8cf9cfc53651359fd48730e2a88a955ad3a5d15902ae4670153ee

SHA512
bbae304c3b34d3b250af6d340d02f6cc25db138164a4a2c66ceecf0ca477c4d18bc6da255d0fe30e6cbd9e7b5a560e14c35531deb4d18acf8677e7f31e4bdb8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
a885f281297c9287ef797e7b396b8800

SHA1
87d2dc2fbbc29536bc35a187c54c6b5b09b1f2d3

SHA256
0c47394895be260d33a25cebee5bb4191d5730eff4f2002167913ac106096c26

SHA512
7c0e9063dea5eaadd1bf1edadc3a5ba5d4de18cc0d49035b3f8950a887d1a4d7c44fa8eb3e84d8d44ea0cdcf5194f1c96ab7f53b151c4d426107bcbfe78b5dbf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
756615c95c5d2383c24a82d0ddd8d8f4

SHA1
2949c0011ab03487c32533a99aa03e955f91b702

SHA256
8a5aaac275c822eee73eeef1d2c2934aee650ed69a9f7d82dcb717f32c3ac435

SHA512
2c8f51d2abec4cef9b6f1c9c5106fa65fc8bfe52335d7f9976a098fd5cf74d3c5b928cfef02db71ca74dd5368d82e0040048af8ed0f89074c689f4134bff58f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
afe5c8df6fdfdbaefc6e88c036cb2110

SHA1
f67eb464cd64b5102cf6805c250d6d508b9d42c3

SHA256
c86509134e0a51931dfd1f954cb4a7cde936d3047d2a0a0217ae0ee70d2dc492

SHA512
13cf6399b83b287a4b2b12e5f75e084a6d9b29bb5398e6aabbbb14c05f12e1213288f44b674bcbb3f50640b40b7b8358bc6aa43f84901c03bfa50fc0e625f358

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
04549275525b620b967e412bfc47946c

SHA1
6dbb296a662c1cb19b953cdf2547f876b3eea99c

SHA256
873ef1efa6ae1a4db3db6575df0d32017df6356e1a681c786d25a6a8800fc964

SHA512
c6d481e8478abd04976311863e717ce6b29e7248e225fdae2ddbc91fd4c3d5513fc2a31e0d5eb64bf6f8a376bd06c07e0a8d84dcbf43d292ed6d82ad9237446a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
6bfee818fcf2c0d69d9298005db28a9b

SHA1
0a92bc3c62edde546919cb06eec922e10e26a904

SHA256
083d9efb7510ebac23dd756ca4993716cc8cebe071744726f41ee44f3a4a5645

SHA512
64dcba6727a94d593f96d780d7076c06e8e05627cea252e26827e6b923a0226ee720c2a58faa334bd39a40f0447f1f69748c442826369b20a4533e193b7f132d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
fe35a728583ae1c415a80be9a3b9a22c

SHA1
39e5bf7296f3f7a4676caeaa2433f2f2e2b0c727

SHA256
547bcc17f485ae12d09895a03cbfa4caf9b92f633e4d72d5c57f927334608083

SHA512
c20b7c8d1b00275eeffecab7b1ecf549fdb86061963e4b995b94fb3766da3ddb373201d5325b30c20dde6cc7062f7ea3d21ce20d7dce7f03a3d3e96f2797300d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
8ac573242c7a719de0331ade169aebda

SHA1
e338726feb6b88ef50d2283b7e5c0326bcf0d297

SHA256
7ea8bec5e168b6c095eb5b60fa8337cd6d9271425835b9a590f6c378034a0382

SHA512
17c7ae523009c78b8006dc555ee6c847ae138e5ea7b98484b45181a89bb16f93face7d4938098d9aae9cf342e2e4bce6fbc1eedd20c9c448e86f790b8ad0e9e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
3daa6bb2366e8e98d82f11d86362069b

SHA1
674b9713195b8769c7f170901e24d67814c5ca17

SHA256
4da340a3a4867e3e033e13a424cb05162eaa5ec50974ae8cc865d5b6ea410ba3

SHA512
6ae22c21eb1d8283ade1e050bdd34725d719fd715eeb17cd08ecb9889147c557f095d988328b893f65ca33738ec1c044bb17c385ae26988876a28062e7fdc3c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
b5557023432ce98e407fbcf9bd8ded50

SHA1
300d3657ac2d0af422ec5a1fdfd17d964cd74fdf

SHA256
7b965ee19a9f1bdd922a2cca9249c8a4e91ec017cb677859135852ac990bb715

SHA512
e0422f01104538f163c375dd15506bf370a780580b95a605e50fcae96379ec6a4d84174f12cbd050042daf58004df7073a28686601e7f1a6779c8ecee76f5651

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
28f97e76069862b955bc9986851b8f35

SHA1
5198a19118868a90fa9cdb1fd6bdfd20a40091e9

SHA256
cb44116da47dfd93ec565babd3d419544e078e0a35f0884d243d43630e79f9d0

SHA512
2925cc9131e7af3084735e8604a8713e833717590594c37680cf3f418736701ae3ab2e11b1bc9054ccd1292b25d83174b8221bb70899768aa5ea46814145a495

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
cbf273b2715832873acdd2bf2bf2dc2d

SHA1
a930e5c1f92f231a27c5a78cf688535504898e08

SHA256
5c3d57e47697ca9f3830116469f91496db2546af2a8725562be847c8957b81d4

SHA512
e2d1dd95807384f72dc3e4aacee530bce0a902145b39aab11c2bcbeefe290eef93e7a0c1e5cdccadbf025fae021492df3adc0e122a3cc8f8f4a373dd98daf584

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
feba09729a36a1113b16e12a7d42559f

SHA1
e908956f221bcf43131649158faeceba88541428

SHA256
71c3f13827dfed9d02cfd16c494bca0a7d7613ed1c8048a00357bdb7956f9581

SHA512
d82c8b42a5d6f71153c7ecb23c8fd639c9c76cb779eca722a53ce8c2bd7854b06f94c3f4db73bb5abf6bce1d235ee7ea9b5539d47329bebb3822b76871136600

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
ba09ee14672c9454d9dfaeb064ad3cca

SHA1
e9ed655a3dcd96580cdaf4eab75ee40baf0676c1

SHA256
4e9e6d38ae2375ec3197335ed305829d6b54d012595a6a8cce2974b0567132ec

SHA512
2d85d28da275a494a9926a3c3fe9de86eb8545c3a80066bd2dfe5b685171da79bc71b3e2097e184857e65afb5b16f880104031508de2ead4949489b67e5d577d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
ef82f6401567d481d98f5daf7fbe009b

SHA1
5a51ee4121bdffa1dc50371504dbad4a6d75a11d

SHA256
cb509c727d361e257ca606be0b43fec937a88b4ed9107264ed245fead426481f

SHA512
082055f0ce6b1e9f7eae72fe8a6399fcdace1cf328f2c3fd0def72d5c2dff7baa351dfc37ec3993e927c9ca3f6fdfe60154dcefa0dde1a5bc967c7a7b197c7e2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
93c5cf08a43c82fbc3ea7640edd001e8

SHA1
6f08f729a8a154dce408043da69c4acf0bab77f4

SHA256
aee49ef06e2760ac053fff25f91237265c5d3b9201cddf7030ecc59302fa1434

SHA512
c9e35ea1c9bd44658f4f0546a455c34774eba5268b25056eb91c91b1244fed86f39e4107e6b57ab0dfdf561ca364853f77de8974df6f09e499c151a41a05b5b9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
047d176fef23fa7c7388f193ea578452

SHA1
fa1e105718a0e25700e00da23dd97533a3607df3

SHA256
ebc70b0285925f7a872288daab345e3c93295c5509d29977b88f227eb629a82e

SHA512
99815f022ea4711cfed10a92c2edffd2189b1f8fddc7b4d898f213f29da29c6bc0755f0f2d69a6d208e1f77b997d159f56c3f9dce7ee4880d41af5acace41f7e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5808b430b30b0827ba7b39970d9cfbb5

SHA1
e2bea9693c2a6aa758d4b58024d90cb8cc1df5ba

SHA256
ee7fa89800ef12554ec9c33c742b8f94a60e7b53ff7bfca8fa45de0e9a07d0a4

SHA512
12ebae754813fc35d3541f63cf9a09b26b5d927a958f1100850b82b9d946f80d0946f674d80413d70644a5b633e8fb4d15c17bf4c9d70cd56cd56acb018b52d7

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
8dc7b5f15f43830679437c24d21f058e

SHA1
5eb11bce66bca649c377aa8e40fbc7978f26fe42

SHA256
3c530d20d62a54eba09fcf90a1301422ecf46618692764f27b3188b4195397c9

SHA512
612d8ba9b58ff0bfa45bba6471a9c880b97067455243cbb57e0de482ab384ec2c23f6e88b5913beb6157a70957eb20e876f0de36edc4c793c93fd515262540b3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
facbcabe4cbab5d1b12f3d2c3ca79d21

SHA1
3a896b1dd6f6f03f3b41fda129b522808483924d

SHA256
54d7937e4ac7999aad05a19b1746e60619bebeab5c67eb82cef8f3b62a2b2244

SHA512
e4d06b61fb506e3e660298d4833912673f1d7b83f95500fa826aa45f878c157fd1e404e752eeb3e0f9718748e5cf5f00e544b3133f3b0b79ee36763aeb2a6a1b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
0266838ecb130ef2def617e199a0e542

SHA1
45d142d290ea3aef30bc6da4f76961d9aa720136

SHA256
4e2b06e298ddb6baecec9ddb35c6764e2420f755689867e24cb97fb92c1b882b

SHA512
ca64f7bff4cfc2480dab3f4110c08700e7529f866ecb45bb27012d78cbaa185deace5c30806a9f0fd56dc5701457518f80a741c9463b01cc43df8fd84d883d93

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1f2d56c02527ee660ba6c8a70848f1eb

SHA1
5048af71a1bb69919eb0e1a5ca374acc0dec4730

SHA256
55943f281b8418a946d23c270f444f02ce5d361e99942841068ab2d2ceb8e5c1

SHA512
3b00bd620715092f604b4f5f653d8e13d4a7e7abcd883afcdf6a72c8cf972b2b8756ba619ef0f7e4d1d5a92bb7753b2c1f9a384efcbd1d10424fe0eabbc37694

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
bc639e46e04b1b8be23adaadbae419b3

SHA1
60ee9fad44006b6fd8d910d51b761f7ba45215a8

SHA256
f0ec01a292f7892002f2617030cb2e331726187c196728196972b5e88b694bab

SHA512
c2a8c0a0457f71ad176d29197db124f188243721654dea9a0c0af57352eb6626a0723986e61d6b1b8c00fea581533a22608ed41f1405cf21bd35418b3a99fb22

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f4d8e3d26a3a992fe8ae7880f3678e62

SHA1
74b50276e7bb9b0b30e31edf3eb13ad5d92a1f23

SHA256
511f22d49100f2de72713a8712bfd14027aa0d2bfaf90d98e501b918d037cfad

SHA512
b401026383c9fb2ff777453258034dd37ac728eb638e9e2a6d5412b7dd16fd49e9965b16649c3a1a26196c06a60612816e362815cfe9c2fcc178eeeded464637

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
83d8f17f6b4ea2242e28e50403c7df63

SHA1
c5902574857818905bda3d7cbd78281c341f8528

SHA256
91128d9c2c96bae3823e910358590511fd0969857166e80b94dea661001a6976

SHA512
b1fcd66c22a17d20aae242b5267e66c5270b643b2781207697e417312131860aaacdd92ab77c456de34295866514321fd1a6374a6956cf57a9f9a4fad9b596c9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
672ac69758daf899e10aa93182fbc3a3

SHA1
30c6e460c0e980cc7756f44b21315b9dd75b59da

SHA256
6c04b9c3fe646dc8c05d673b40b929606c87c15f99ffe8b5243bf25aadf824dc

SHA512
5505af746c103b6f4b21b306002bb1536a431231774aee84006c1e6f9faf77f1cfe2330fd5b247b59afd2c89a29c2b358768012a71dfae240b178d8fe63b3906

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
e16c607dda5b3dcac7f6df016f404dd6

SHA1
e0d9c4abfe27bc211628b599f2d7b498ced902c2

SHA256
1392f76121eef7cddd641e0e3d9941e6583cff9ef215cb5a8847219496b31e4b

SHA512
41da146e6aae09e0ccf63ad3e01c6d78c93b69b3c6c12af35df23f0d07bd0bfb66533bc2136a858be8f4e4b423dd3d8ba570db374d895a2331572cb32d1a43da

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
1039f0ce9e3ba13d26042e60935e1354

SHA1
56b6314290173779014777b2751bdab4299273f9

SHA256
858f95cc81fc4372418047157f0390d67eef52ace5bc8c54f2c43ec77a27373f

SHA512
e2d3d0ebaf187570853e17c0bb178b7501a7a3252e56269ca0a4b0970a59563ca93310f76028b16d7937c4f51a88485c016f67366d0ab3c47620c561b1fc8de1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
205196ee0d7635d3091bb955f6ee4c48

SHA1
ec873222d1f72885f8c1c36694a0e8165bdbf7d4

SHA256
3ffe88f1b30c301b4426ada9f57cf84698c6ef21cddbde752d8c7d43ea8b63a8

SHA512
a61ab31dcded012a35b498059f6fd56c6f730183f7750fd649a84c63fee898c40b1faa72bf5518a833d3f99f305a78d50cb86339e35c0a2da2914403b66ab318

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4b40caad8489282aee8e2759989c06d7

SHA1
3ef538dac6b17a5075993b141504d7ca974e1baf

SHA256
28c7c66d7b68ecc53447764cc33cb9b7fac13ccaef2902778af734938de9a5e9

SHA512
f9918918ace8f48cd9d321b89cfa234edcca76e49e961f669eb01fa7082fe95e1f68880842a75bae9ac7ec59bba546909725b8c6464de15749d686b949ad42b7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
6d921324f72b439da178d74c09af5cfd

SHA1
cecc3de1847439b54b8d617264f34b2c3ec6b832

SHA256
8a2184e7894cc81796ed7757ab85d6f38a205fb88697ddbab9f4faf30c113074

SHA512
ab71e6ea37dea079464ac419572e13debf050454d08056678e1cfb3da00dfbc397e98ba04543d76a30e8c2df1c05ebe8771884b7e42607270f0ac91b94815773

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0bc8db1a0b550d1c919d693e7e034e54

SHA1
9bd6b3e462ea4211fc513c2b523514df1f2dc383

SHA256
9527286a0193eddf36c5a64a584653c784b9d199104750d6c1bb2a2159855c06

SHA512
6aaba0c26ba62ce02126c5fe86828f40ca555b0f2395051365ad6e41e2db40e36c89dd3acb68185fe75ed217290e9290966356e76ac32e9218fd8b725c4f82e2

Download Submit
memory/936-315-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/936-430-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/936-584-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1472-321-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1472-532-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1556-581-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1556-338-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1908-590-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1908-344-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1920-237-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1920-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1920-49-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1920-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2208-375-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2208-380-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2812-418-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2812-597-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2880-405-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2880-295-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3268-29-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3268-35-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3268-236-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3268-48-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3272-58-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/3272-52-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/3272-51-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3272-65-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/3272-64-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3536-356-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3536-591-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3564-417-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3564-306-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3664-595-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3664-394-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3680-281-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3680-393-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3752-250-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3752-244-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3752-243-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3752-355-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3808-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3808-67-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3808-238-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3808-73-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3960-381-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3960-268-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4228-598-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4228-439-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4416-596-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4416-406-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4704-16-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4704-233-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4704-22-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4704-23-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4848-15-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/4848-13-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/4848-1-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/4848-7-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/4848-9-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/4848-0-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/4880-255-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/4880-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4880-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4992-594-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4992-382-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download