310c21b842cd5f92385e8690979d71e385017119d9c38dba45614884d3bb432a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-08_9bf57d63052b2a30c327abe84aca7486_ryuk.exe
Size

1.7MB
MD5

9bf57d63052b2a30c327abe84aca7486
SHA1

8ad528e9db2e56843b2ad10f71f8f8070fc45049
SHA256

310c21b842cd5f92385e8690979d71e385017119d9c38dba45614884d3bb432a
SHA512

0fbbc04bf0c5bf9e81c909954fb78ca89113b0212af7c0623cea4abfddec6eb583985529fd5f3ac065d08b34a683f41a881932eb030d613b629c1294571ec3ca
SSDEEP

24576:66V6nC/AyqGizWCaFbyW+22gmTSSNR+2dN:66cNGizWCaFb822gONNRldN

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
536	alg.exe
2528	elevation_service.exe
3336	elevation_service.exe
3280	maintenanceservice.exe
1044	OSE.EXE
944	DiagnosticsHub.StandardCollector.Service.exe
4328	fxssvc.exe
2476	msdtc.exe
3236	PerceptionSimulationService.exe
2384	perfhost.exe
1108	locator.exe
4536	SensorDataService.exe
3872	snmptrap.exe
4500	spectrum.exe
1792	ssh-agent.exe
1480	TieringEngineService.exe
2332	AgentService.exe
4540	vds.exe
1420	vssvc.exe
4448	wbengine.exe
1284	WmiApSrv.exe
1144	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-08_9bf57d63052b2a30c327abe84aca7486_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b47e0dbbb5459c0.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b635736802a1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bf15776902a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009dad4a6802a1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b180bf6802a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001a07076902a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000137546802a1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003cd7326802a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c543e36802a1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d7b2746902a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2528	elevation_service.exe
2528	elevation_service.exe
2528	elevation_service.exe
2528	elevation_service.exe
2528	elevation_service.exe
2528	elevation_service.exe
2528	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3972	2024-05-08_9bf57d63052b2a30c327abe84aca7486_ryuk.exe
Token: SeDebugPrivilege	536	alg.exe
Token: SeDebugPrivilege	536	alg.exe
Token: SeDebugPrivilege	536	alg.exe
Token: SeTakeOwnershipPrivilege	2528	elevation_service.exe
Token: SeAuditPrivilege	4328	fxssvc.exe
Token: SeRestorePrivilege	1480	TieringEngineService.exe
Token: SeManageVolumePrivilege	1480	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2332	AgentService.exe
Token: SeBackupPrivilege	1420	vssvc.exe
Token: SeRestorePrivilege	1420	vssvc.exe
Token: SeAuditPrivilege	1420	vssvc.exe
Token: SeBackupPrivilege	4448	wbengine.exe
Token: SeRestorePrivilege	4448	wbengine.exe
Token: SeSecurityPrivilege	4448	wbengine.exe
Token: 33	1144	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeDebugPrivilege	2528	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 4444	1144	SearchIndexer.exe	131
PID 1144 wrote to memory of 4444	1144	SearchIndexer.exe	131
PID 1144 wrote to memory of 236	1144	SearchIndexer.exe	132
PID 1144 wrote to memory of 236	1144	SearchIndexer.exe	132

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-08_9bf57d63052b2a30c327abe84aca7486_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-08_9bf57d63052b2a30c327abe84aca7486_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:536

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3336

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3280

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1044

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:944

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:452

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2476

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3236

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2384

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1108

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4536

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3872

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4500

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4708

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4540

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1284

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4444
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1b8aa3ce5ddc9f9ea99a4ba2fa6a7b3c

SHA1
64b421030270aa8feffccd789cab321f7dd0e54f

SHA256
ac2990e5c20daf5f1f657c9e9746cbd4941cf0f4ae7fbb3ef8fdb156b8023f9f

SHA512
9c143c01a08da49ae1d4c753b57debe55f3d4d9ba18245753885f052ca578db858a6a6924d56e208cc353972b65118d77b959f247d42112e0b94cc54ae35d158

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
34b376ecf748aa4d036bd742cc9c07ba

SHA1
97d19f57e2ca740e2d4e0bc5fa46ef837a38fbe0

SHA256
6e94286560b6f8face473b7c18174ec311d74e907d004c2aecec850b3ce2aa89

SHA512
9d3054878c2c8ed466ccefe3e4845960fa5d5170ea57a4096ff39a3ce49c56901b86917420a8fc88ee8ccfb26a321a9be69e166ceec48a52d50141cf5711d6ff

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
08d52ea7afa419ca69d792afad48002d

SHA1
b6fdd696397b1880f5390bee74486b8089e5c52e

SHA256
9a1a3c4a250f241e7a66e7b32954f1fd2c5e2538616858f5d3456e3ab8b3fef6

SHA512
b2da496507c4c990c0e7aa7b4a7af6723082568689e8490bf1befffaa45d82b2cc03282ddc6149f82f8b61c08c64f01132368c024944f8dc9ba8d13b90e5866a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
4ce4be3481c8bf3fb8b74e919cb98aad

SHA1
0bc8d904afa285ccbfffc51479309d31dae5159c

SHA256
ca3553eeeab57e2544a16adbf99be3079adf487a083acb3ef05f35a27b051657

SHA512
1f61e4d7ed535f5ca31a02207b36f0074e60dc64f2b5c74680d20961871b1cbaf5551cf9b8890c56570bf8fcdfcb310174dfb481e9586fa30d6674307c5de73b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e01962ba9933eac4887fe747b0a37502

SHA1
a923f0236131aa4f8429cb72e4a0ee0a194fbbd3

SHA256
10be376680c1e325c76bf9aef0f9755f3f82173bb1dd02d6a7d618f86f7eb45b

SHA512
1372f9d8521b8acf2b59a3378762a4d05fa05aa05ef0d42d37e33d44119809f32739d0e27594f0a7b479b7dad1fa58e1b4eb295035f5d453091a07f4bc2b2781

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
5dfc2a6d2659437bfe3643f2c6089367

SHA1
529f9bc307fcd3c2e7d200575e46f7ee93b9694a

SHA256
aafbed233ce57cccdba27dc520e7e196697fbb98d2d91e1a604ae48b614826f8

SHA512
095926af437065a87b49c7c067c708e3947d55c78b54d70df91fc23a5fe32f6d0cb7504b0cc1e266e078e24e24f9cb0119ab191e979bbe284dc6d7230db8a17f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
bf226be367a4e286203ac6af4d023404

SHA1
d2d0a5d1bb1ff0565eb0fb26b2b7b49546e6cdc0

SHA256
a7ef99afcb6217cf75c59d65b5918b4304c222bfe7cf10f4d7bbff0889d6256e

SHA512
bd1d11156bb7bcf0990d17c72e8ef92bdd2f5eb07087fd13cd90127f0d7ea55433aeeacbdc2102b5948e21c9f24a628ddf333e3f43abb30eb32262ec8722e068

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b7dcc21991e5ad41f35c1a555f35ae6c

SHA1
c9db9618a19f17d40f67b27892a7519eeb25dab8

SHA256
71384c5ab7f233957649eff80ab045bea3b1d7023103764b863aea6b7efd23f5

SHA512
8e37cbf08e7dfaf8414b38090b726c23f3235654ae0db2bf8a51d8acf9557b38db755adbab306f9327f479332a95c16b99d414837d6cd48b38f48ed197cd9e0e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
b51a72a5487e5f14cfd5c50d1e5d7568

SHA1
0a4e329eb1a03e2245849716ca66fa76808d2a7a

SHA256
3f14f7dc029d1858a76424ea44fc0cbea8e80e57b9b32d7ab91f86156f1c2a76

SHA512
7abd3e915fff9e2c0ae796829ad619ad4fa58d7443aef28214b533086a56f18f74da15e6e4ebe4d2ca2be89dbfaf2593c124fd46810f760975fa670ec32235d6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
619e852730aa0e960b7076750bb26d13

SHA1
1943f9dfeaf0e47ed7909801fae2e858108dfadb

SHA256
1e6ffb8446201432bd03a2e9ab2cf808977f96aca7e0dfcbc1bd52903a596c68

SHA512
c79d683c8686b352de455ba118b9352b3fa8dc6dd2b61edddd66f6285877b35c8435d4fb866219e3cabdff1f6effcad3e00f834abd59835637a51439818df068

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
cd91d2cc5fed32b5b867066589552da2

SHA1
ef425fd0d4c5c0463dc36d9c235735abcff10593

SHA256
cba281e301fe9b47a75a548ffb887dc23353677ed7706d247e48bff5e1a63a09

SHA512
c993e0a9537776ff9d618d46897c949e241619c8d095d142bf1b803ef6147e51bdd5821061abd2df9c29198626f0888d0282caefd400f2839b16d804dc32b1fc

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
3624ba6b35bd565ed5fdc45e7c2aa58a

SHA1
3f32d03eb3c110cf79df8bdb09747d0a77d0df8a

SHA256
b24dd761e8bd8b237b9687f1e6dcc877e14942f4411058e00b7fd4578c4538e5

SHA512
6da9174e9ed960f64cf28dc8fb909663227aa67a35cc7ff431c11f4005786b61648ea096ab328f4046260374ec7b7a709cd4e1218d74aaa902063583273f6b5a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
11141af8afb88bfe6afa091819bbb114

SHA1
94e9cbec27bc3e9d66fbb437eb0eb9d2e335f5ed

SHA256
a06e6b7ea60b4ea45a466de92115d4a38f67e0819c4bb9f4692da1b85ca30e80

SHA512
bf34033af4d9b1997992d55657d7758abd6c276f403e7a63c06294f74ba425e263522f3097c0196b8d6cc4000da860c23d05ad957874c81effed731c5a76e7b7

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
66e9a194951de29baeeb42cc42370821

SHA1
1b2cacd7f103469e9d3e043667e83b243398dcc1

SHA256
af216f7b3427f28342dc3dc9429587653fe631016b19e24789ed574514b33c30

SHA512
352f3f15f4ba12be1d4181bb1064561e2180ddc0b1caa3c7e2261b62d9080ee51266759fc6680c5710a48388b6efecfbda44ca6cb32f344c25776cf8eaef4a50

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
dbcc230c344c2c245b87c7f94dfc5e1e

SHA1
e0a067b7e87ea1b398c40607f7ced60ba11d681b

SHA256
864081d6e4361ff02f028b0820191a002f662fa82a4c7398e3c8cbce20af92f2

SHA512
93a25acb41c9315b4ca3e788eb3fea345a7220eee4c3153200f2f6b6ed5929e1c300c94f31b9dd4e8060d11ce29ce53f9213c5b036f1bcdc6378c4378ba36840

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
9dcef32d156c2f7693a2f41756242ea4

SHA1
1664f5ad32827ab2c56424a7eb6b7da175a59748

SHA256
b6fff5631598df832a2ab17c4701b9c90e66331283600efce8046a6821cd505e

SHA512
ca57ecc3166e2ff16d2842bbb091da2db26995f1ed94ca8c327628c14ca6d73023fbbb367a4e4704555759241c6ca8c0dfbb07c42038b27c81dc4f7682a754b8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
8267c87b81fa02109c5cebd501028880

SHA1
9967f60ea1753efac992435f58152b297305596b

SHA256
ffc2495ea76b05df7828d342d7e6ac2354e6a5df627bfa52f7fcd1ef4d5a8bc5

SHA512
7846f78c37bd2413182fb6a1e0a915217ced36fce10f5f35701d4cb28ec3734dafd78a86045429f1ef676a196b381ec86c04d154bcbd3a770c0d0d44ac4f80ba

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
fd93aadde16e0230afae579e409e8ba6

SHA1
6d67e84b3db1019df5b47ec7c23b3920539dd0bd

SHA256
b59db27894d69a3da91844843d6d1384139d348b58b44f00c0a6bdbeaae2a09b

SHA512
635bc44f0240cc4214ec07a4d50cd65ea7995046c996a269e7da51f57fb272edb09346e1b10e180fcabf200c6397cb844ef4025a037a486852ecc6c3523e3c8f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
38d79397eb546e36037dfb97efb75b4a

SHA1
fc0ef813b4e75e1e7733da9fea46ed00360c9a52

SHA256
a3ec392486c493b3fab51af1c9ab73f3be95b0cd375df98a815c1eb68c82b41b

SHA512
93d9c7140886a1c833e8ad9aaf358ab2eec1710101de38a94bf5aa747670e79c82c8b7c1f44a6bd478fd766903f528020fbb2a686db63bb3fb8d8c4d121ab1a6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
3eec62919f61a0fbf04612facdafb430

SHA1
71e00f0c5cd33fba2e7e55e496b5c4667461a935

SHA256
f3326a3ba08ef91cdbe22da5fa7b8d3b54831c07663c59c52f46eb5a4d5eb5dd

SHA512
adb038290afe4ee4ab057e135c6e02e38a9bcb0b17484efefb9e9d7659ed8c5a197963c36806f8a1e7c6acd793ba4b78923381cadc3ba137e497cb9aaf97eaee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
5f46b69112b0a7c4c173ab0951f76ba2

SHA1
c39baf13cadb962bffbbd715442c6df618cf0353

SHA256
5358ec9b1b37132f6a5147832d6ef2701e73c3a48982e230a9601ef3d609163c

SHA512
056a688a2c972a63785c7343156f414362c560baee87f0b1b7b734678513134186410fd6c4b1b3a24e2d0bcfdf82e7aa2b8aa31e8d1ccd8a455b5cba70536b78

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
d115ea6213c93576da9ddb05953b89a1

SHA1
eaabaf7ca0180f4c72447112b74869dee2373635

SHA256
0c0c3203c4cf479a90b77ce7f334cf2e151b3efcd1d371ad67afb7529997d1d9

SHA512
11cd72a30b6e0d9313036c7dea7b1890b278682d31f896261a8662144b6a80eb21d81be3bdb47b8d5df0c5e7e365cdb84affaeda322af17c2ba1ee5bd1971767

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
a44d0cebf4a819862ccd9727fdfc91dc

SHA1
f3f171fec6bff2bc499089660895f47bc3cef7f4

SHA256
2a1d29f31645cfb422829c168dd8c6137e592dc3a8e9cf54c8ebdf9d5dbe7f4c

SHA512
2a5b7e2c1132362d8260334c3383aacd9a0de1db9d68c16cd27540ecf1faef634f82220d624ff66356f4659defe3c106d8a5528ce44f258baf14897003b71b6b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
07fc43a3ce05ba2095dfd7237a27e260

SHA1
2520b92c2bf021dfb670b53511d6640549607544

SHA256
07373cb5c74588e2dbfc59d19636df34c1d8174add2425f49dbc270f2e6aa96b

SHA512
77bdd5b876035afc8fe630f90a220b8fdbd9f17fa138d6faba0f2ad41961f440deddb0fb7ca2a79766b5c478b0f55882503a00faa6b881b9b14b2053349b90bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
47b5ffe8e0c3462eb5f8fd79f2b13349

SHA1
99353488919a8b8e3ebe222b8d44f11d79cd4b98

SHA256
2b48fde4a6d0066c75563197ec5a828e2f5c7b1bb206c516e97607e734be1730

SHA512
d561066af17baac968517a321a98c8f7ff535a57f46fc5e3e41526449c9806a6def5bd124f06616092edbbc0fe04f047bc12b3a545b923d092a4055eff5c6a6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
6ccf2556bd8de3b37c1fb5a765b68c90

SHA1
45dce46fb5833cae39bd1051675fda5f43d85fb5

SHA256
f936712d0ddb9f3f09ba458676ab84ab951ca0c1d6713820c27033135fe5a6b7

SHA512
cf127f4bdea510c9b03439d19d8023750ee89b11cd54bcd919fa8fedbc423e5535534675179da8e5044cfc5c1303378cb2a17b40587087df92d1502c5d2f2a62

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
54d87ad90bd3d2be5f913669e9381f1d

SHA1
83d299bf46ef31081d92d71b1e2ca9fccb15bdfe

SHA256
350ae6d8221c5da086a1e25ff5bca821e45c30a49c9119c3a4eb92ba65a443dd

SHA512
cef771f4253fb1482dcbae3f95ea30335936c7acccbeaa6bfb2e739e499772c956da7a16aea822db414e581f12319bf97f39a3c1fa71135d79df8c020eda4f40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
57d2dc86396339bc43e571da2fdbb5ba

SHA1
6e96a765dac7a5fd864952552c728f2b7ed892df

SHA256
f1a20e28b98383b22e89fc2069238da2ae02e7e222f6a3c854817d6795dc0aed

SHA512
10c78634cbea80c10b74976964e1026c05f3435302a886c56605cd9db306744f697b1eba195368e7ee37ea742542e0a79885cedf284d48542886ddc99e950d50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
f5bb51e2891988adb046d6accb44cce2

SHA1
5190860f61d81efb63602d64e603ef59bdf6005d

SHA256
90b10df73ca72d34308fa7dd53c1708c40389a3e1aa8174ac1e1af96657d204b

SHA512
d0187dbcaea307d19d38e392e8d251dedcba25c48b4bc3f04bed5af1880c6e6ce73a7f5bf2e842292f37a1efe068f749a16d88b11f5240dc954bc0d10af259f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
e8b3fca142e2f44c13c22bcee225f2d9

SHA1
8d1b6ae5f81106c950e207d1e7e6b722d38f4b93

SHA256
cc11ac0489585a61963b9566d6bcf61f23e61db37f1402eacf22fb00e7b0486b

SHA512
0764a0436ae242cb6da58f8e0aecdbcec8860207be5fd764ebc574aab140598c95e183d30f70b6a658ebc84720abcfbe7a2a33739554a36c3dcbef0220f72e97

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
ee9f6954b37dec2240a1069032a1a4d4

SHA1
13ee15bdb97ff86ac675699faeb90d1fff1e391a

SHA256
49b5ba7975766e496fb404a86bbf7aa8aea489d8fef9121d78dc392bbb994599

SHA512
86da2d4c9c6500a71eb8b4b08c019e1f2c8ca876cdac335b566446c77acaada9bdb3f2e03c07536d7dc34d996e23871581cc77e856169d381915fd2371644e83

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
b331b568f579c5db3cd81763a7254dee

SHA1
4ca885028fcdf726d25b57f045144ae31d4c1f37

SHA256
a6d3d6aee1d181599a1c2328827972511fb34a643b8a8576d44409aa19133bbe

SHA512
c80213f25f83182c2bed5749cb211714a6e50eca67d0b35bc2c0370629dcb45fdd56951b79d1b114c338f1c5ca3e111511b314c1190c29d8c0a17d2f666ddba9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
a64c0b3d7ec973abd7031fcc75650f10

SHA1
aadbcbd80bf8605787f56a6d3f71ea77d2a30f5f

SHA256
70378347af9480f1d04c5b6eb143d1d33bd7a3d69944af4867f29b3089b656b3

SHA512
47f6dcd71725d30a2fbef77658bcdac05e641777f6ab61c544b5ef87e44bbf57260fefafafd2377b4625e629e1a778cfec7cce698f6f82828782bf02fcad5bfe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
1e31b01f708539fc0c029dd4e4535fe6

SHA1
9333dbecab4c74717c54fa73a8e197dc36ee915f

SHA256
0a40281111392f3d7cbf8e0c79cffdbcecee64633772b48b19a5c5f994b21bc7

SHA512
74e913decca7016b492ffcf1868112918a378a97bcc064ca71f67e2b2e7a1dc69073410b86142eed1e9e718f081cb280e6f711b675ebad953e14954c549d36bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
7120e14ab70ba73ac3677d3399022d8b

SHA1
2b7f8ab41d0ba6a9d0c79f97edf5506e3fe854f0

SHA256
569f7b1099ff6e7081815068cd68b569c8e99cc08e7c911bb1637de4d23ffe92

SHA512
9657648eae4504954c0261e0e7893fb7776790935ae050dd13b5e7ada9a667ca7855ed0bdec9017084ec19ab17d9a2fc07c50f102e233d99ea2a377852caaa05

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
30b9ab802f6f262101b0990d918e432a

SHA1
78f94148d40026d2eedd67128c3166946cab5952

SHA256
7f91aa92743e5351ff5d7a72d0c965c445f452f985baea316c445403b498aeeb

SHA512
bff29b2fd8090eeb2c58a6fbba9acdbed1ebbaa800f08cb106da40bb0c6cfb28afcf4d369e89b235910338b6c8d648f217aa0a9149c9bd6ebcfd77afcdf3568e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
f61d34c10e129561cb4e045c4edfc7a8

SHA1
2f198504fa68a41b9b302e2f6a6a9cd05901dcf3

SHA256
c8e777e37079b2f3f17ccac136b80a8d42f097bcd180a80de8c160b76998cb4a

SHA512
88d10634bb448b0932bceb4eb7b9888b432f84868d2cfdf3454f59ae6e7278f335e932c66796c7ada06d0587b68deb166e4b2d7729127c1ad7cb757c86e1f38a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
b12e3aee14563e0fa3d192ed5cd4f597

SHA1
f282c2f749fbf11f19257baceba02f749424c921

SHA256
7b03bfff9cacad0c7a9598e356386bfa63374cd1fffdfb3c6d7eab55d9088759

SHA512
d25c803dffda06c76f0047c4b9a11d78e2c14c86241f58a0abce5a6844425f2a5efba2f54aa5eacbfbce4c22e445f6916db4c14a023574ef0e7e120fbbbfe2bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
9997eb4d4fd0fa2852d7b32de44e644a

SHA1
3df2187476c88cee1f3f3e0aa8b23e22b913ab43

SHA256
5ad5d11205585ab8380961a0872ef98252deacd85220bb4193fdc54c25ac344d

SHA512
e803bd0ea0e3a72ad063d5854f8443a0d29145243f95eb50c5326b0b09db5f24bb9ba11064b23b99017d189bb010f7b30e28d420be75a9e2c2d2acd3ba409134

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
f8a8c60ba62cc2c2e02cd9c44c3e2637

SHA1
6168b0d931fb4b8cc3e1ed360699efb25e15f42b

SHA256
134dd7b788e1c3541c2bae34adb2d7f131befc155387bdc736df898d18733df3

SHA512
27871e55c77ecb838f7348cc7e16dc5d4f75336c28d82ccb66b108e584cad00816f3919b2e1508e518e71cb4b2095050336ce547ac257c514471e2c397f2610b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
966d90b2f34fc9bf1d1860d0d183f361

SHA1
31c21f47b6c07e22a7e7f010a6f9d8cd9271ee33

SHA256
3a86f38878a1746ce33d35ca605c3735636545a76d92e23a8bad13e9dcf45086

SHA512
09b7269d256c007ed01bd90db729165eb0ba008d27a37a959bc47242f9190c8628e7d5128bad260f41c1b4dcb874361d1c1af221c5914d40dc6a16d8d16200a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
79b85d5c2da050a8c9491d39499171e7

SHA1
92bd7176b9c7f42e241a08223c8f6389bf493c4f

SHA256
f0d2bd9e60eaa105f6e0ae34daa40a4f4fcd408467c64ab0dc77003686446cbe

SHA512
8c3da905aa1c91e6501e4901a1cc842800440517191ac16ec86c3b5d8c301e29af11ed187d6655763901c9ce8e29c739c52e6270f560b6e278d2e8c54c2c89dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
221cd65c46bf8b5505f807e21229a14c

SHA1
efccc086af7663e03fa3aad2309cedb9648e6056

SHA256
d8719e3614fd3fe6aff5f8c924f42180b57ffde79e65522bac06f7f4a648062e

SHA512
86f2b2f7cf039df3bb01e40d3105142ef2d97556da29a312142e3c73804f4cce596aa5b80bb418de4c632817ac3c06c0a8977d1301736e88b8f5c43e7d4bea28

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
67b297cc15d1fb13ad231aeaa65a69e5

SHA1
6d14ec806c3364ab0e6ef31dbde9b301b72c009a

SHA256
cfd560c4a66c19536340b63b55945b62e595acf0911661c62f5a3d838225d595

SHA512
764ec762cc1147cdff37a5d234c03ff2e663a58b3746b9129827da778d1762eefc2193bfe13fab68ee1310f6bc669c95718686e691d770417b16fac8306b64cc

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
35685a522356cc65c80f327e9079cd13

SHA1
bd002a1f7915bab020682d24380f962c09c28cc1

SHA256
d078a10c31e211ae66471bc98928e668d499223039897e2defa99e6caed00d20

SHA512
0b60c547e7f10c7769575cd01c4d14621ec2f266385d104c91c1c90fa7fed54166e50af68ad8ac22483fba2e144969256751f9f29c147113004754568a013dc7

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ca4165c3e11ef65e8ebba939d9aa0c1f

SHA1
a48824619bd8de10a18e9e1b254a1f1fb24fe413

SHA256
b2c0936e29f395626c1eb9d59c8cb759cae29aa5d0087cb0e898b8f82c50f4fa

SHA512
8bd435f0465566b3de95dc9ad01cf9a0eb0f3372a701fbf6f170a808f91682eb90171f534e41acb591c79fdb10dd6bc55d951d9aefc6742c2ddb51b4ad5a3b6b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
d955be713c1cac3c3a53728dfba35617

SHA1
90814ae9a0ba610fd5bdb91dca8a24da1348a38f

SHA256
17b6621c38821059a72fe5346db100477254b3583be01a86b2d5e7b2b9cb10eb

SHA512
30d085765b23fdd739a266a3696ec55f2f4159856f71526bac0cf24ec0cfbfbc29879712426c258880bf094844fed3a6f5a777dd21c6aef856893a5b7b9c0f4a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5380e8e814eb64247f938bc54125aa44

SHA1
edc739754b4b776f93a0e2e1d6757e343af681e7

SHA256
f80207d483e3a1d16f29a4fbc63f656619117ff6bd7f0d261525779721a5c434

SHA512
552bbfdeb9c6c0cfd78faf37da18ce57b59321bcb717f62ad9c394e6e06b735fa6f70689b7ce12b1c204f808bf55b892d41d19c73182a25c004922e2dde6ae5c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
4f8023b525b21b1eb6ea6f24af3e1590

SHA1
5fad621fd1a6d8e94ba0dd2b8be32764d3dabc1f

SHA256
33ed1575e9b97d6a3a8b6e27cf81183ad7bcb212776c449d20cfdf0febe124d2

SHA512
72bb2cf630a30363ae2700052a0ede7b448d6d72c0121c7a1a646fa172816d3823489156cfce8028a8d53877e52db1bb9e5995588480dac4f17c66a46ba3e1a3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
3a59fe6cd11031fadcce796e313d40d3

SHA1
aa45b68c5fcf10aa68d1970a4d11ec0c9ad13fd0

SHA256
14c3f9b930a11ce772855f0304a8029584dbcacec1b48f35c45a92c7e5234407

SHA512
b8044f386aef6fb101ea385f07786cee3d96735aa425d8f49d524a74f1a4cad7d9a5b9de048f0a8f9bb6473cde0aa41fa031b8c7d5cabed71ce5e2acf0f57824

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
46115c4eeb9b9b61923d52c32d0f5020

SHA1
2e637e017758e014abb08f4e96663c34bf88afcf

SHA256
78123d9e78f20d26618eb0dd929366e4ce0773914f84f401945a4e7e750bade8

SHA512
439cfabd2dd0ce09ca630524e6915f5aa0caa16c8666d734e60a49490a0ac28279e0719672012b78b793dedaeca32df5e28324b93c8646a4472de62e86a0cefc

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a5c207e79b0e3d0d2265e996276153db

SHA1
701c2b5a1035d8a1922ec9128e22d658e9cfac12

SHA256
77596035767bae7e202861c1f0231c044ae5ad0d2c68d5e506d02bcc19c6fb01

SHA512
5e29947df8412af258b6ba49eefe82ffbe578603f2ffd46c3259129e46d8d10f7b30eb4064c66c5f4eb20366911df6e3cfac3bbf43905f83e929285a7ee91d10

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f320eace575b7acef375799600555a8e

SHA1
5555a9575126efe996713cdcbfc22342450aa638

SHA256
868a5ba5ce760c1f94791f1bf03a45f514b4388ffef2519bb02a762170487054

SHA512
3c2290b4b0775dc98d7cefa3978bb63dba665da01441083bfd83fb5b23c566b2ca32b8b6f27f118c79d3a89a923369e160887e76d0c091d54a92c917267c45db

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9245f0bd5de7641d69557b6dc5f63663

SHA1
7e7d16cc663653e6db381d6c67c20b302697a9e3

SHA256
4d7dbcd96b57450ec8d66792f714bfc6be41115d53dada936e8877e59b646943

SHA512
79505ec3ecdef67e0c1b6b48819955ceff1d91a894d911ad2f3f36b27b53a4920a48d65154bf707590636db8217f579e3e06321baa93bed7e5d8375847c89b6a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
e54305c943bfc5e5b260186c86e3a296

SHA1
4e9678073aec08d28ddabd94726c07137ec1749c

SHA256
b8abec47568876544028d51cf9d13d1758c904a5dc3544eb7d8d9d5fe74405b2

SHA512
9da358ca8de21c853d4e67f9a6fc639224f9a3d9ba71db994f8fc33eb3c9d1027ea7c3e986b528eaca2a1027576cfae902e174a0b194a3e24d907a5a596dab9e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c478d32e0c2289bb02b498390d2443ac

SHA1
804ea7114fc18b3286e30cb56855420e68ac5d89

SHA256
d49f7c3cbb5097c90e7fb4bae99677a4c562d51f051ea5f999b247c0b757c52a

SHA512
e52e50d234bd514081ec9217ff3f5a4d3cd2f513d0af4036adeafaaecd667bdc43cf8cc6cec7389952bab352093a0ed43e50397ad2ff0adab4d49ee5af94abaf

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
4c14cc8b9a5bedd7ee30f23dc4b83a4c

SHA1
8ce59ad70c108a087f98c3155b26f5db190a0a6a

SHA256
4e161b1f59189fe3a03433ac7744b991e883e18506d93fa4f31f34e9404d4206

SHA512
d3b4ceacdefbabbb47ecde13ba7f3a5566d83bb5ed6209b35423e26de24f57fac91abf1c087b27bef9b8cf888e092cc371021581a657754e800d6badf08cbcf6

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
d8eb23a8abf412c69daf72904c3037fb

SHA1
a204eb32c338c0fba704ad4b51ea1414ec202ef5

SHA256
d0e04653096c22ba2cc0e03d6243604686037380364cc9ec80fa743389662136

SHA512
a7304b9259800ce6d0f57300ecc25462c8d782833840fd1716676dad0b64533ca267b76f0c0b91f36821d6cb673b6708c71d03632f99af8fa770f9192872264f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
7d95c8a740192491993f9455949cc5ab

SHA1
aaa7cbb7c06295f5f436d19ead0891aab397540a

SHA256
cb378faa76443ba0018453508f5b94dd5fadbe1377ab60bebc88e4f05d16696b

SHA512
8fe1e755267f487813130febb26f58c19e5cecf548ca68991a0ab8663431be466e1be366a3947dcb1f0da240d4a5d9a8f7309d71085cb6ae19ccd2ec8f8de9b3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
55334051b1ceb42e5ea3c774741e1fe6

SHA1
108a9e2451a5280cb18c885bf5e40e072483ba4d

SHA256
cfff18665bb67666afec64748bb33dc9830c6734a1bb9893a3f13e048002b024

SHA512
f2355ee5e8b82baf67e2e58cec0c56f429536e57ef27a118d58b57a9734d22fcaff6a2b171af04dde77495c63d7aecc8dee2b798d03484a73d9ad5fdfdcb5d81

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
589e17767c37a4ce40ecc6558f77308e

SHA1
1c2973bc71e70d3e3eef78765c1bfa0931a9641d

SHA256
c8193892e649f82e5e70d167c1ec813d6e055b3a265de5fc4a33742b1854632e

SHA512
de5f3ff0421d9b109de02e7701f0691cfa7292718748fd56a46837acb4a83291b680116caf680e96ebbc16a6ad5304317daf4499460ef4b39ea08c3e31e43408

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8b715c15794d2a292f8251075112b147

SHA1
d4d284689afe1d626f758e8343637e31891cba95

SHA256
ba364944a025a12cb96a513cf008964de10514723ab9d7abf2b66f25c0157429

SHA512
caea4a0cbcb883ab1c689dbfdb15b0dda4cc28ad4149039aeaedce30be499b66b277c7702959ebd1bb9d22fa62071de2832926f9b1c7559bb0d2e2cb5f89ff38

Download Submit
memory/536-25-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/536-16-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/536-24-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/536-237-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/944-248-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/944-247-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/944-254-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/944-367-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1044-79-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1044-242-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1044-65-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1044-71-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1108-421-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1108-302-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1144-435-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1144-574-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1284-422-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1284-573-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1420-571-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1420-398-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1480-368-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1480-567-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1792-566-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1792-348-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2332-371-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2332-383-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2384-299-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2384-409-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2476-273-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2476-385-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2528-38-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/2528-29-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/2528-37-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2528-238-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3236-296-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3236-397-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3280-82-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3280-53-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3280-81-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3280-63-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3280-62-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3336-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3336-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3336-41-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3336-241-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3872-521-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3872-330-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3972-0-0x0000000140000000-0x000000014024D000-memory.dmp

Filesize
2.3MB

Download
memory/3972-7-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/3972-1-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/3972-14-0x0000000140000000-0x000000014024D000-memory.dmp

Filesize
2.3MB

Download
memory/3972-11-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/4328-260-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4328-272-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4328-258-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4448-572-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4448-410-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4500-557-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4500-336-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4536-321-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4536-560-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4536-434-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4540-386-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4540-570-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download