b41821f81753dffbaec508e591a8ea815cd6ce3fe40afcda0dab76295657101f

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 16:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-16_68e7c1c77429052567b42c983315dd5d_ryuk.exe
Size

1.0MB
MD5

68e7c1c77429052567b42c983315dd5d
SHA1

837201f0efaa2d1b1e8a7e93e1ae41b98e7b6f2c
SHA256

b41821f81753dffbaec508e591a8ea815cd6ce3fe40afcda0dab76295657101f
SHA512

7b33ede41f73276861631820d41c2a5f2b0a62d1cd467bfcc8ab20912ed0531768b0b027a9e0d31aca8047d2f17e8f157f33d24cfcbce7d77d2fa4ca06518e16
SSDEEP

24576:66V6VC/AyqGizWCaFbyUH/i328ab4F+rM/aXq6bJfBUam6:66cbGizWCaFbHH/i3da1YS6ozB

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4248	alg.exe
4784	elevation_service.exe
1492	elevation_service.exe
4940	maintenanceservice.exe
4580	OSE.EXE
2784	DiagnosticsHub.StandardCollector.Service.exe
2296	fxssvc.exe
4996	msdtc.exe
3108	PerceptionSimulationService.exe
3264	perfhost.exe
3968	locator.exe
468	SensorDataService.exe
4028	snmptrap.exe
4496	spectrum.exe
3016	ssh-agent.exe
3960	TieringEngineService.exe
4708	AgentService.exe
4056	vds.exe
4952	vssvc.exe
5000	wbengine.exe
432	WmiApSrv.exe
4736	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d95ec5d11ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-16_68e7c1c77429052567b42c983315dd5d_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000087e36e2bb2a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000094cb312ab2a7da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000590362ab2a7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005436202bb2a7da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db98222bb2a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005436202bb2a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a07b422ab2a7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000059a0872ab2a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4784	elevation_service.exe
4784	elevation_service.exe
4784	elevation_service.exe
4784	elevation_service.exe
4784	elevation_service.exe
4784	elevation_service.exe
4784	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2180	2024-05-16_68e7c1c77429052567b42c983315dd5d_ryuk.exe
Token: SeDebugPrivilege	4248	alg.exe
Token: SeDebugPrivilege	4248	alg.exe
Token: SeDebugPrivilege	4248	alg.exe
Token: SeTakeOwnershipPrivilege	4784	elevation_service.exe
Token: SeAuditPrivilege	2296	fxssvc.exe
Token: SeRestorePrivilege	3960	TieringEngineService.exe
Token: SeManageVolumePrivilege	3960	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4708	AgentService.exe
Token: SeBackupPrivilege	4952	vssvc.exe
Token: SeRestorePrivilege	4952	vssvc.exe
Token: SeAuditPrivilege	4952	vssvc.exe
Token: SeBackupPrivilege	5000	wbengine.exe
Token: SeRestorePrivilege	5000	wbengine.exe
Token: SeSecurityPrivilege	5000	wbengine.exe
Token: 33	4736	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeDebugPrivilege	4784	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 208	4736	SearchIndexer.exe	125
PID 4736 wrote to memory of 208	4736	SearchIndexer.exe	125
PID 4736 wrote to memory of 1164	4736	SearchIndexer.exe	126
PID 4736 wrote to memory of 1164	4736	SearchIndexer.exe	126

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-16_68e7c1c77429052567b42c983315dd5d_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-16_68e7c1c77429052567b42c983315dd5d_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4784

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1492

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4940

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4580

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3904

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4996

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3108

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3264

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3968

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:468

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4028

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4496

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4416

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4056

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4952

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:432

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:208
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
93f50eef11a15f81357a6c05fb65ae6f

SHA1
57b855bd9ff6d3f56067ea7abeb35198f23e4fe5

SHA256
7867b411e5ced2fd86a21d11de4e6ec1894f1dd56a1f8369a8f02dda94f812ce

SHA512
a78c70a97183c596cf67e35de0a6a77956ab3308c134007f999c51c01f99ccdfdf050668b6a8fc4cdfe61a2ab8ad1dc06342b5a9088dc77fb9a5eda247f4f699

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
54481ed7258b58c324aa0cf2aaf742bc

SHA1
62e9042ccc1ed8ec7a531ebec2f5945aa6410a94

SHA256
a975baec14d2a72d14206989758686b1d7987e543cb5a0d4802bfc59157755aa

SHA512
44651eaac69a7766c7b5317514692aeebffe0855c0a4817a1181c144006d3339267ac1e4c508666b1ded50307707a3e25236fdd09a8dedf50850f8c1f33235b1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
ecc2b17c3a4c7c4dbf6e52770b2da685

SHA1
19e2931490c1b1c649371a5d9c16b0aaf4279232

SHA256
5b500c6d7a609bc105a79d5d721d2a9bed9f90202f7bfe2bf99bbe217331984a

SHA512
c183acce650538ad98958b6f383d333d92d7d01ac3e66c4039f4e8d60c78ebaae1cf865325735878bd37caef42c2ec810697a6588a8ba585f95a4d436167093d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6f89d747a88922ec171eb38c1122ad2d

SHA1
8b49bf3e3856dac7491c64f1966723e383187b35

SHA256
b5ec20bd65c6eaf8b6be89339ef0270a36aa9ddc25463fc1b855613aaa8b5fb4

SHA512
52cec26b0d2fc930bbf6fc08c8e809ba9533d7c03a324f75fcab23a6184c806f9571531b256abecaa93a7438507443218847c34b0030974d9370778f493b1a3d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
7663747521b3167a389a2690c5847bd7

SHA1
6a60f19aaff783e53b500d1da5460488584919b7

SHA256
26678cbbc922f7d26831147c88953f8ca25cc6a50f6ae938024c2035486ac8f7

SHA512
ec361fda05586a03c3f788f5ea8f07510be2c70465f93614ea4ff5e96bb9e5ad090d5e15dd6f5d8a9ef721f656fa464e760fd7d27406867dc696fce2cb7ee5f7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
be26d777b632e7fab8ec737e0796b8a0

SHA1
b7db923396b55987a9037b1a6007894afa764199

SHA256
a345bdb31d51b4da0917f3002b37161f85fcccedfdb881dc2a5283eab52560d3

SHA512
46f9e5ca5c2b94da844943688ceffab6dcb28d84b8338c7b737ee352b8b24521a64e13c85bd4524e890ce997e81fcabea6e53d3578a577056bc58bc1d3ff4bf7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
5b41bbdf5636a2179fa25c64ceb23e5a

SHA1
e2861215a6d7fbf6bef8c55bc95db630fa79ea7c

SHA256
5b5156808358d17ecf097bdf8cb7b3b3e17a3df8f2d65f615f5f788dc7e1cb2e

SHA512
456e65002ec9989fc7d2fbfd88bc55e84672494d27c3693d9630c40a70a8d362f6eca90615ccfd24ed3c25dbf4648bd22aeb34823675b1462fcaece7a1b3a27a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
3595af320ad0fed224164eaa58a41913

SHA1
fbc2249b331c07d097321553f0c1602f74fc40aa

SHA256
fc111f0dfc02e2a8bd9e97844f7ba2a115ae2665f310456fc954b88e8cf85fe3

SHA512
f26bce6bc2db519e94be16500a6b1e0fb6d6359d0454f6d435c8e4dec44d78c1adb5fda499507474d28e6382da7c01ae3325a632f39c22600796a6ec241d2b42

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
07b9e8cab5f9704305af0289eae0436b

SHA1
4431b96a09b59738954946adfa7b62cf56a30b72

SHA256
f3ceae71c3015773b6ba28885e4c17f7676860438d3ed6f3c66dbcee76a8afb1

SHA512
66498f97c0bd2a9ed24cf9f4be587d1f443a8b8d24d0bbc8a55a27694e4b52efcece1ecf0d021589f794041aecde9cd5b61ebeb433112b7eeb8b757e8ef73d13

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b54d908249d71ffa2fea3225ddeb49ff

SHA1
fb9679d018bcdd2ce6f9613d1a851c4ca322d793

SHA256
a725a5cec98d49e74fc2515d5d4fdccf1936036da749ff3eeeb65fa896a2e28e

SHA512
62c1f8efe6bbedc50e5086a9cde8c0909af33544e4c82d05ff23d5ee09de83159e3428d755b41f0d19853ff5b5ddde75a3150f5e18fe482a6edff67cbc198f00

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d00b4737f98054c8d487690d55b75d77

SHA1
6e4d52889172c7823e026738fbb8f5af02daa294

SHA256
458bcd7d5ef8f1741bcb1871683595063c0152e1e482cbcd4313d9624f6e8723

SHA512
b3af6fba449cafa41e36aa2f4f7bed8f34dea6d73e10b0235a585530636dffd7214c78fee64b3dfe43136a16c2f4d5f6e31e46757ad7a678b7d1a978f1b82cac

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f1f6d53e473387c19dd9e1165ccdbfc1

SHA1
6b13ffb800426106743b213c244fd9cd850a9ff3

SHA256
6beccefabfe145620f090fb93d1cee6ff10fde0ce135d25a378f7bd861576f27

SHA512
32a5ff77dea3031f162c4b756682ddca8b9be1ae89722f08f73b1756fe7096d9bf867d24db8128c9f29b92f04f13695b5a6b502cc6fcfa6f7edf97886eca2415

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
dfd1e69ab5d989ad4d9dec731ab7756e

SHA1
c67c22a8070facaf5b3b8a9d337b9d5172ac4512

SHA256
2127f4d009856b8d1a73fbfa82739cc619c7ec189a1189aa2cfdef2b47cb3809

SHA512
cac6ac6e90f9b9fdc280aa54989c4d23b617407b459233606e78280d8a1f90eebace182b18a9255348300c6ac3d81322ea64446dda0a71a3f04af5ae25b190d7

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
da875e9ed8cb67024fd9d8f20d6324f2

SHA1
48784fc639565d4efcefd890e77aca2d5a647a01

SHA256
6bc1ad47768685bc543f36abbf62a916e546d45334c50f778d52b52042571be5

SHA512
7c588153e0aa3ecd6282ae06bb48a636e2d93309bc5200fae391a50f1862643570c2f5c501de6a113834513bfdab8bf1b4fdd1e20743d2097255f3a706f1e60d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
462eea95ea92c21a1064a081f68e4d4d

SHA1
ccaa5b55b4f2a8202e80317f17254cfd9d7eafc1

SHA256
eb8777ba0362f25794a3e0a4050e9603656b88fa7685c3f4aae8e318318a4b95

SHA512
26a6fb77fe45c8b942e915590d99e02d3707ba4ba2202a570d4c57cccf6bee5e7b916409a725a78e8ad748f8b552a42c3c64435ac96dc23511e6c1a1440f8fd8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
65ceff7d463ef0db9306e70cd8cc0960

SHA1
9544bef565f55cf576a8bad417df818c8dbc6109

SHA256
3d4c5b79847cd55f49f51397c143e2eb9dc36bd449a1117ffecc88403c9eb6dc

SHA512
a3ccf25605a44a831464d08a0b6443818382ad4dbe243945d183cac4560a9eb15d32782bcce730b0ddd761791f031ffcbc42f48e63e315ceaf19cde2458a53e3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
11089a53a7e1be2e1e301d260f8c8c18

SHA1
eccd31377d71e04d11f35c68172b726b9d6bc3b6

SHA256
55caca2c618fecfa0419dc524b044971c2772f96f6f288d28413039963fcf342

SHA512
ca32f53f1891ee94d3beed69eda9832be0e38ded6219bed9a57359362f9ec3cdd2a9d4b2013bd50dbf73fbb81e4d8b7aee816640742cef2beb002667bf7eead4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
3a4d9e9b7061acc55e79f943523377dc

SHA1
694189418cf01fb2ca73e3450308d13fe5dbc4f2

SHA256
bf6ce1005499bb9a27edd513257b6799d2fa99f6d3679537e6aa740ba7b62947

SHA512
1fa433c45ffabd3026568b24957a5f6c9dae6e1ba9dc7b37d81f55258ea942136be64fc09b7bf2734e4404e3a431f579cea56f16f97cbab0f8fa5006cfa56f7a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
e7c3590ec4c69d99b23e87b6122006bb

SHA1
01096ed2be351657b8f4c933d17e79bc02a99a35

SHA256
07b506bc6f9b46f2a40db018e65c7e7f2130075a57db39583057376efd33f2fb

SHA512
c5353874ca5eb8650d23d834db5f3b53088fb3fafabde650987aa8ae102a7f3eca8c90524e8213f2b3093cc616f9e13e0a29366373a587866755cd92af93a4e0

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
89fdf8b5b24943b5f1ef1a797b7044e2

SHA1
9e3b0ee2624044922369ad8d480d03637f01fdf5

SHA256
44eb5d2e848fdca7a0f679acc0acb57c45c1ee4287c6415967e2de3e291df3f4

SHA512
3d2934f8d2c7e01efd665d0a894c4f398475af7221bcea9b83ac2816b2593b3d290896d8b211516bfa60dad69a6e621831c3883804b50e016d8a59ae30ed775f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
872c5d30f28c3b5832c8402187a47db8

SHA1
1acd19c1583880f965750fbafdb4ec280085e648

SHA256
77312605b1e07d9cfc094da7eb6de047bab63c3932d59a6908604a90a9cda04b

SHA512
c128e1cf73f5f5196cde81ee007d0d20ad6123171f5b07271fb238f3587009209eb447653357516999f9f72a57c873179db63ececae4ef3c18f129e291a6d3d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
18437c556ecb7462daac4eb5e3b5dcc0

SHA1
c027a3a1e495b79c01e4cbaf0f61c52638cdfbc1

SHA256
e808db04929045c4131ecfadac6c3b9ceb3e54032552cee5f9251fc2d276088c

SHA512
d6feae1ac7621cb470787479f6fa50e32ddf72cc95714d19dace6308f9daf483d2d22805b1115b9f76552b049e6145e445b7960b3b018244953fca77f8c71f51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
f55392f2daf9ce8bbbf2daac8dd642a4

SHA1
1f9160867c32f9099e5a46b92158352f841553b3

SHA256
46c10e1dfe760ba0ad6ca30902c56a198d48d1b95467a40e38d8cc6baa905825

SHA512
be402627599ab13a75726d9b21038396f7b27ebb6a0da04689e733f5d093ee978ef9346af483046aaf71a8eb15aed70db138ede883bba2f547ff760786955e1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
331f95c6c51fe6002442fd637c6f78ca

SHA1
736dc80cd67236c0c283ce1f4db35530634ac1b5

SHA256
6759726ab1b42a16f7ee7acc784df4429e2b5539501b4872e8488339ee839faf

SHA512
d19fab3b5af06da14f5327a6b312a7b183a5d9d82c133ae5082bdd5f1bc763c20823f60132628bc36237660be688886a44b6bb130a1a4767d60c7bf307ece444

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
93093c866a033ac39b35b53f3208da51

SHA1
05b0a1e1c98e92171c3832f0669ffbca9be5f521

SHA256
4820ed3abf73a8105b8b6dd856a262b2215187ce38722b313a0e9a67d1b509c4

SHA512
f34dad0ae4729b8ca3b425d1a2153621239837c0103e0bb7b6c4e045b95d035804035c2bb45a161bb0201c6702d576c35cfc416346b022e7028db8e75e6ebb35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
2460d89c42efce5b63e9b6c5902501f9

SHA1
25da3e1bc13d2ff3f57885d82e8bb32dfcacab5d

SHA256
82b6cd7812a11c5a2f0877758c9b51fc1500f77efb5d9a0344bcedd542a981ab

SHA512
fba9cfeec916abda5228f1389e84850ecb49831b406105d0528641518a3a615afe3b714036a670b8a52a16f490870062c740e3285ce795ae020cb755391b1dbe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
2cfcd9b7109aba783bc21e3c8a002767

SHA1
2885458df810bf4d6f29e730c34c7927fcec0efb

SHA256
b0a4dba9230ab74608a62f69a61eb498d1f04b327dd63fa9d8fd82e3b07c33d9

SHA512
0c8aaa44712b172f2ff7d8b559ea68bec4b3c5b95b66e7df216e456ff4ab69c167ea3ab198150320a76216e4d1b26db66141499467a01f76f5804b6a0e6dce9e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
6329966a73a996075588e1868542ddd7

SHA1
96087f6b4f2780d42f46ffc8417fdd058aa52a2e

SHA256
161b835262875bb4798008504675c920deaf5e142208b805215fcf784c38fe93

SHA512
d0ee89f8d0a29f13ff891cf13c7d792b61202234b2aff4edcdafec5d9bf7adf2f2a92297c312de2da24519b361b75fb59a750911f468c5f66dd651bcc912681f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
dbd47bb45483fb3d29702d56e1ef04ae

SHA1
398f24042cd611bc3f383cb03034b20ed7c6cf70

SHA256
4ab3eec8e7942f762ebcf4332b3bdf71d2e4f045c4edf54d9d4baa60ee894388

SHA512
8b52d326cb2c27a7e4c5dd042f4f8b4f200fe59e58c86ff8c51c2e0527fef669310558b4778bb6800d3ad8988ec81d0c0313c8fc2f18cdf2f89195b10804319a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
0609dc32ae5b715c36af68d34712e46d

SHA1
a610ba4db5bc6654b17fdcefbcd9d5f55c19b0e0

SHA256
72d43191e68b2428bdd18e5fa11d00cb8b21e94b479cc40fbabba8637863ae5d

SHA512
ae04f4b8389c2df733dab29b154ec34539a00ecd1aaeb778e4b1a5f1c60937691552d0c3355bd8e8895154b33583d4125cef9a787aea75066f495017fa252601

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
24bf13f7fb852d3e745f5e9406b7fb6a

SHA1
7ad9e23eed7e99f406d38d7efbc5aefd39408d7b

SHA256
6559a6a3b2e38adfda8c10e93d8fdb0978db6435fc685d4274cbe9f4089ed784

SHA512
b8fda25c3a2f506b0785f93bce69e58dd86c0ca7ec9c25e68a39c114a94d51b7c56814f014f5e8b06787a8e2607471b87290bb6573c7d70ba4a7a4f49ec3e7c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
44f1d641524405026ac61969e5163799

SHA1
94a2584740babcb3d727e184cbdcdfe45fe8b00c

SHA256
6b7b3baa92eee5d2f08bcf326a7aeaa5a818ecc5b4636383fc035a32de9d9e29

SHA512
5dee17093be45a17e72d4f61b0d5f5aa2c41f15c2bbc8a4d91934e0525bc7473decdf001b3338a4d26271bebaa05d327d93d51e7fdc253cb8b89e0503b441c8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
b7eab9319fb4c104730e29edc37eeb06

SHA1
084e9e77550f3d7e6e1c78ec19a005701def778b

SHA256
5c82212c89171bf34b850735a2f98cc6fdf8101af86a93cd5fa0875b3f31876d

SHA512
5beb4e07cfae771faddb35dd122ffe78d92e82b3a83bc1c443ae679cc63852413a2f498204986f32d9817d572d836fd261ad122044ad6af4613f3388ce82306b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
a550fb3207ae629b09750c8fa00c9316

SHA1
ef74da0a91191c105fb37e6653336eef74ebad43

SHA256
9d198727cc97b440831c9ae5fa6ee9ab1d0e3714356f5f8d435eee425d9e2515

SHA512
3c81f70679dc1092ac57ccd6d780dd48d210fcd1ae979f9ca872bad3c43d4ad21bd9baefd0ceea8e33a9ba4f65913adfdfa040044d7cdca2ede957560dcd5e53

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
3a5a778414b9e9e7b47d73adad3fcd6e

SHA1
c3b43df1492d7677ac40f5786c06a680629c86a2

SHA256
aa958e5f16bfe9c386fcb98a6acf12790e993feacc53f30f49ececdaa6de0e40

SHA512
94885f8419d80fc96d7b7f2abd57cff7185695ba6dc88c885880b5c3068bbc07f812d6aeb76df3f26564c9a2f65e4e6c1fb888af97751df21b2a3514f0e31ddc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
94d7392e9a6d10ebc2169b8e10ba55b3

SHA1
29be40ee25c28a33904b2580398c2e07916285cf

SHA256
67ec745ef6a8eba45b7136e61b9e0bda01a8a90d071c2ecf74aeb6905d49d9dc

SHA512
12210e268cf42e991ffc9abf8ae38916c09615fd48c79cc2df9cddf7a230c55b2c47c6ae505f6be4d59cb2eed4a305735645c401964d00132e40dbe27bb0a9f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
19416d0599ebf05faa5fe08a6fe81db4

SHA1
c86d236cb4b3c88f3d8f70c0bed0534d791324b9

SHA256
3e0972098ff5ba065a4a0f054b6b9511d843253625d7747e859006965d2035db

SHA512
33630faa88bee1b1e45531dbaa570f411f34f7de129a98cbc77b3db3b68dfa680d94e965d6060e36de06b11fc27d0168b0f1344e7aedb0b81dca83315aabae88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
dfd07e82eaa88d31d30e96291c7c53c2

SHA1
ee302c7fbe72de65ad8f8f872f7ef33bb216e6d3

SHA256
ba7d94a1192f651bc8366999171106b8a88b938a51ba16653afd9e4ab70d1c2c

SHA512
ce28101b7cd9ad6eb839fe94d6773de1824f20197c6a2462f468c0d84c79d6fa4bf4e44f20a70d3e834554a965fba7b76040ae183c36ec43fb0e864477e9d8a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
d653a7d3987e99a57982c5424d18ea1f

SHA1
1a5d3165f17da39d564483c689727a2af3af3afe

SHA256
b6e3af0296eed42165d5e768ba0578cad79b0f1cc023ce39bb27cf8cf843cd78

SHA512
92bb2ad47171975ffa7d3d740cc96cf79fc58124d0a7b4835746eb03dde6fb53ad5fcc4ad31099ccfd5102feae9d77b2da74468d8a4bedcd1192e9a9b1df2769

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
f77a888d63a232e5da879bee28f9237f

SHA1
f4ffc55d00bcbeceb879c529840734518424fb4f

SHA256
0270d1d405a283428a747a7a58be14e85dca79d116a3e53211cf91f218336b77

SHA512
f887659e42a0d3651795538ff3c252579d7b5bb75ac75c4f574400cba9c56d299b76440b184a4e0440512351b78205d3749c2468977dc6ab608305ae4ea4a4c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
37adb6915478ea3709f81b679b8e788b

SHA1
e9bf2dc2b589d8a0fcae08fecec6feb0a1e7ce6e

SHA256
489a481de4b9894e177ad7696b3536346d567fc38f799a9c6bf2ba6e78dc9ce1

SHA512
bd08d8868c379b7d738d38a18c1128a42eb90892b9a961ad47e816777067bcf4078cdd8551c3132b2d448e531ced3354716702aa4b355fe44af437ea7797371a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
c48241f2e5695aa629e8b0fa6ff9d7b3

SHA1
728f85a664959923d8112bec388a00d65a2bc775

SHA256
6806a29afd3c3da30c9fbcdf8781e9738968ac8d9cd08e8a9d9071698a741e8e

SHA512
664c69fa7248c1b0a3dd169a884ef6d5a9230b95ee3dbd8fbeec9cfc55d9faeb8130eafad1bf1efae767a7a50129dcf33cc2a09f26062d7c2d015b2f2552dddd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
116386c315164ef2a0162b985418661c

SHA1
212ed79200de2d45d9d11a90760d223e7ee38628

SHA256
6f8010b29722f1fb0612daa079188b1ab6c79016d5b01b7abb3180b5054a2b7d

SHA512
82dd6a480724a5be189e628324ec41da1835922ad43a922366f54cff3add437a0301d4f87d1c1b0de7f0b0ae7dce83220bd510805ead7232f6e91d45b444a3cd

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
ba98cf02759802029aecc9822e8502fa

SHA1
6e7ce8e14b70d7aef18fe512e718e39e53b74511

SHA256
0383e7c370a1c79f0c43880bdd06942b3f6c39b2011f74f99daaf3542f979d28

SHA512
6c9eddb6d46a74bc4f7b2eb88789579bbdb8e7db318d3d81cef1ba39d69082973131aa6152c31861faf9dc29998ac93747cad24761589b777224dc115d24f8d3

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
50755214569a0abd58de7d3b52d26ad7

SHA1
7affeb377078045b0a953fd7583f030a1b3b9969

SHA256
107b56dacd833dabd66f27bd17e776ab239783c3780eaabec382f9ecf741a3b3

SHA512
6079f0d3f00ee72c32bd75fa2a28040b5d6621ac9ccdff748fe2f958ad0324d23c9b740847b55da7a4bc0c3ae0b7144ff4b31d65086e0605392583aea95008f4

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
aea2201a246c65c7475ff8977db14e72

SHA1
44f0bf9742eed51352f63b87aceda7536063b890

SHA256
50fce606b6e6150498e0403dc22b15a93ec6defc46407f720bd61b2f7764dbf5

SHA512
56e3e6fd94de2dc93b739ccf4ffc1af507030825de582e8997a7758eb14d8bbae4735015ec26fd43c75a3b217821fbd7ac944891a4ac4533ae43a51d76e7dd43

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
d9dff632b5d73121b7ac6e5280b73c26

SHA1
2f0f837f0735ad6d916c919da3f51850a05d4899

SHA256
e81586c831457cf6787e2c675ba88874bcc574fc4c1101bb21f086a2b8f56c1c

SHA512
f30a17c2880da04e0e06532b50f12b22ff4cc30fad89742ee1e2dfcdce07d1249e00dd87c1f25b88b451e5c45dbdd00d42a43f83edcd8b26c2c1bc08a9fac6f3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
74b67be38212cf904a522c14f5f35f30

SHA1
7bb9f303ff7d43460827268dc3b781c6b50e6566

SHA256
0352b4ef5d41f941e6dc2af9a4392144c0140afecbff97193a05efdc5f8f94c2

SHA512
b2c8d385ad314a6f944d4f79caf12468b3baebc929eb44b966cf92951e871992a5df5dd6921702655eb0e8991d8070fffed55b9ce60b810a6234d18aabfaab2a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
0915059176ae56bdad8602dad23b31ef

SHA1
41722cd6b4e1b9ab0f9d0d1a14de1b901d19a704

SHA256
21cea85a5f1392a48860767655c897be4f2e848b34498ee1e3c2c1ef161b3876

SHA512
d3552e1b5966f3c6478c0365588334d136f7759aa1328a5342453e1b624fcffbf1854d12a7395e1e8923049e45988abc17da3535d339b825034b0c1894513f7c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
8039242f1085b81bfe3752f2b827274b

SHA1
afa1a6c4d3f150d8ae0d6c187763560f8222f526

SHA256
36db8712cb5b46cba9d5fe043cde13426fe4b645e005c8254997a27b039d778d

SHA512
ed361335a76c1b6f8a8a941cda71d0bb22920e6b10b96ff80df27166c6643aed592d48c864cf09cd8d164b09eea08a3cf56ce4e099bb67795e0ed03d795d08f9

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
9d75f6ed359ee9c4e19201ba5aaf96d4

SHA1
87ac9c796aba5d3eacadef33fdc3fb14c85983ea

SHA256
defcc2778a4f6b55d68147cd1d787576a80a2c41370450499f1365d8ef2c8ce1

SHA512
38d7b294d2507ebcb398957310155676405001e145355e56245df55945a8c02de07f0d6db95f03b36b1672505e5c2822146aa52ac677415f3615bb9a269ce566

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
083e0daaf7536cb5ed342ad9f2ce3cd5

SHA1
73c2030438b613d768edfdd9e5be81c0f5c8758d

SHA256
db924d433f1896e86d69d5509e93c7e6fdbb19647c7c8d6ba5b2d11d7f9d3659

SHA512
8807a84217addeda7ea3150739fec7cb119d784b976439c49576ffc4037c4e8b6a3bd2cb025b4ebb8fa272f292e4289c3b5a2df8f74fac1aa4e52a670c79667b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
2f74b76239716e88d2e7d26dad8adb9f

SHA1
501c3de82aa92003f6faa8e002869132481e50e0

SHA256
8388694870811b7f2b1999842913049c73e75cf5c29558e3af443fd4b10dd720

SHA512
60cacee07646e61abbc12f473025d16e6984dd926569271ab9f58db6d24488e707da0cf05544b9c437cf67b7fbf443f3b8a4e9708e36e84411f31ea705f36af4

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
65f04e668601b2089bcecd720c2febb3

SHA1
d23e40bcf87944ed61e39fde15c706400ee3e108

SHA256
648cf263f79d9f283d1193eb7962ff298882d8e52bcea9240a2e3cd90ef1a713

SHA512
3d4b4ea78a2e32efb79b1b1f835e0c4998064d1f70aa97877c0c9569f24416897befc9f8768bc16e20bb8fcf2460b85a75e5318a6d398a2c78c62b03d7e03255

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
2c65574e8515762f2e35c7790e9f1545

SHA1
1fb552cc0c2da5c63d72b6655861b60df846e7da

SHA256
b9ddc9e6d7bd3f72a9fae393d4cbefbca8d2d7cd07cc0257f17865908fcb1757

SHA512
53a163e64072262ebe937fb3e5bde58da0841746e063c52df606e71f37865abcd4c9105a53d9cc9681222b36c9a98cd7e73dce6e447e3d30dc63d0ded7f7dc89

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3b96b3bc927afeeb162110fc8f1ac4c4

SHA1
c5aae2462195037d323167bbd4ba6053e8f15b3a

SHA256
1bbd7dc539a0eae921501d4037a0860ef5426f6664d19241e015de1c35fda22d

SHA512
fb4f5962823b6707b22d69bba4275c9bf0b6036df2a23531595454eea443726b45831161552a3e059f37e84c661853f3416921b604613f8bec70b842f215be12

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
def3119ef3cd6a8ed6f1441e23e02830

SHA1
ed0e9302b97e4b7d3049f4fa7fdeec164aa2b61d

SHA256
0b4fd8f09bd78120847d0620cb8d3773cbccbca79fcc4b658ed749c32d5d52e9

SHA512
fc33b1edcec2d666e83c69dba8fdede7d65916e4148fdf7d54968047550ae7a8d86de99706b3e46331f02e03a3ddaf5507b593eb4fb4b0f566dbdd33e187d07c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
8767cfe2ea05fa8d054bf17e577e4dcd

SHA1
464075ffaf1be5e7e99bc1452b11511b293f6e02

SHA256
53d33af2c5f1adccbafc91f2062c8b74457938123be46d8215f9d0ece6edb738

SHA512
2e23a7eff0b12d3a9a216c14f0eaca694685ef24d9bdbc3a25907b546a448636c2164faba1bad8e9e4ac2aca14c85ced64f5fb49715597c5756117e1743ba935

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
94a174ee201952208b82834755260574

SHA1
73b9618f9dc85947db04a1b78b23859d3cafef9b

SHA256
550ceceb19d4f951dc990141b9495b59fe7c2890e5187aeabacae2026e1a1e1f

SHA512
a550ab9e0fd8a0f2096a71dfd0ef50e17f38c401a25b2e5de35450c95aff192983bd1e2e8bccbe5ce3230db885fc64288c5882c16f343ecad3ca2add1d693c98

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3545bb3f8be121f5e2b3be0410e35bdd

SHA1
a2768350aa5ce644510fa719215330dfdb893bd4

SHA256
49e3ba0ca6a3c4fd008654c5b54cb9cec4e5f9dcb577c0a9a06f78599a43df08

SHA512
72867703b969b9c1aba497eebbbabf043ce7e64a359401b98b63c31e78cc935eac13779dc56bb5596d8d8fd966608636a514ce625bb2d9683ddd7dbcbab3aca4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
bd4d1b3a805c6053ca4526fc0107f8e1

SHA1
5c9aa5ca10ea5f68fe27b10bfab355c56657ff91

SHA256
b0fce42ee1e85d4f5531cd142311a783b6bbc404aee2afff02b4c95fc98655ea

SHA512
482f13f94d6b84562abcf957c54416236770c728c455766ec69d5398aafa16592941fcbaf3f50b15384d64dd06e176fbd33419e80393f70107d7462c468d4a4a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
49f29b862ec5b1be7f4eb9e0fd5dc4c8

SHA1
fd8ec29c7ab69f46de9b60c7b44f36a05816648f

SHA256
d71dc4284a4f44bc0574a714f83a1029552cb6d7b1fe964959170dd6458b29c3

SHA512
f735907a9b88deeb4cb36bb25bfd6f3122ca15869e8699973a03736812e7fc762ae1941b93f2b9bd2c47ef861b4f74054629e02febf7efdb9ee42f3131052f22

Download Submit
memory/432-615-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/432-421-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/468-439-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/468-607-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/468-319-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1492-241-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1492-52-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1492-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1492-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2180-0-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/2180-15-0x00000000009E0000-0x0000000000A40000-memory.dmp

Filesize
384KB

Download
memory/2180-9-0x00000000009E0000-0x0000000000A40000-memory.dmp

Filesize
384KB

Download
memory/2180-1-0x00000000009E0000-0x0000000000A40000-memory.dmp

Filesize
384KB

Download
memory/2180-14-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/2180-7-0x00000000009E0000-0x0000000000A40000-memory.dmp

Filesize
384KB

Download
memory/2296-258-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2296-271-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2296-259-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2784-247-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2784-255-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2784-253-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3016-608-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3016-348-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3108-285-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3108-396-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3264-299-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3264-408-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3960-359-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3960-609-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3968-302-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3968-420-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4028-325-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4028-526-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4056-385-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4056-612-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4248-23-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4248-17-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4248-26-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4248-237-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4496-604-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4496-336-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4580-78-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4580-76-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4580-70-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4580-242-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4708-382-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4708-370-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4736-616-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4736-442-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4784-30-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4784-34-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4784-39-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4784-238-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4940-54-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4940-62-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4940-63-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4940-66-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4940-68-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4952-613-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4952-397-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4996-273-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4996-384-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5000-614-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5000-409-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download