a51aba4879be666b6b452e9bd157a34d19b4e4e2655f6705b091c14f28b877eb

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_4f5ff38bff481c51c3bdefc261c70fa0_ryuk.exe
Size

1.7MB
MD5

4f5ff38bff481c51c3bdefc261c70fa0
SHA1

800210e349c2fdf1db7dba14b9f0b90f584ebc8e
SHA256

a51aba4879be666b6b452e9bd157a34d19b4e4e2655f6705b091c14f28b877eb
SHA512

412ff245228f03f465fab8aee4be67e33eefe547da64f3169f1d8aa682e848ad52d6c77e962a3ede6670d0efb0339a9a5a0419ed37ce19725141e2b25f6dbf62
SSDEEP

49152:Y6cMGizWCaFb8RVlbnXf9gPTTW7H1GXC:fG5CaFb8RVlbnP9WXW7H6C

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4968	alg.exe
1444	elevation_service.exe
4780	elevation_service.exe
3312	maintenanceservice.exe
1516	OSE.EXE
3824	DiagnosticsHub.StandardCollector.Service.exe
824	fxssvc.exe
1476	msdtc.exe
2968	PerceptionSimulationService.exe
1764	perfhost.exe
4444	locator.exe
4200	SensorDataService.exe
1228	snmptrap.exe
2372	spectrum.exe
3004	ssh-agent.exe
1620	TieringEngineService.exe
3464	AgentService.exe
2476	vds.exe
4108	vssvc.exe
3384	wbengine.exe
1056	WmiApSrv.exe
3416	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

elevation_service.exe2024-05-24_4f5ff38bff481c51c3bdefc261c70fa0_ryuk.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_4f5ff38bff481c51c3bdefc261c70fa0_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3c8aeb5a8beeeac9.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091fa3b92d6adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000002232492d6adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bb38f991d6adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000066e64792d6adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e61ca092d6adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f387e891d6adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec842692d6adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005cd6f691d6adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
1444	elevation_service.exe
1444	elevation_service.exe
1444	elevation_service.exe
1444	elevation_service.exe
1444	elevation_service.exe
1444	elevation_service.exe
1444	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-05-24_4f5ff38bff481c51c3bdefc261c70fa0_ryuk.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3576	2024-05-24_4f5ff38bff481c51c3bdefc261c70fa0_ryuk.exe
Token: SeDebugPrivilege	4968	alg.exe
Token: SeDebugPrivilege	4968	alg.exe
Token: SeDebugPrivilege	4968	alg.exe
Token: SeTakeOwnershipPrivilege	1444	elevation_service.exe
Token: SeAuditPrivilege	824	fxssvc.exe
Token: SeRestorePrivilege	1620	TieringEngineService.exe
Token: SeManageVolumePrivilege	1620	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3464	AgentService.exe
Token: SeBackupPrivilege	4108	vssvc.exe
Token: SeRestorePrivilege	4108	vssvc.exe
Token: SeAuditPrivilege	4108	vssvc.exe
Token: SeBackupPrivilege	3384	wbengine.exe
Token: SeRestorePrivilege	3384	wbengine.exe
Token: SeSecurityPrivilege	3384	wbengine.exe
Token: 33	3416	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeDebugPrivilege	1444	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3416 wrote to memory of 428	3416	SearchIndexer.exe	SearchProtocolHost.exe
PID 3416 wrote to memory of 428	3416	SearchIndexer.exe	SearchProtocolHost.exe
PID 3416 wrote to memory of 5072	3416	SearchIndexer.exe	SearchFilterHost.exe
PID 3416 wrote to memory of 5072	3416	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4f5ff38bff481c51c3bdefc261c70fa0_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_4f5ff38bff481c51c3bdefc261c70fa0_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3576

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4780

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3312

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1516

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3824

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1964

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1476

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2968

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1764

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4444

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4200

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1228

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2372

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4116

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3464

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2476

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3384

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1056

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3416

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:428

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5072

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
2c5015561e9dfb2f5dbd0e6b7793e490

SHA1
5ee0bf5e718060ba982ef0a0eb61d5fd56c2dc02

SHA256
84027834323ea87f3c023a2122abfcdfdb164283135c4646e1c13890437d87fc

SHA512
70824ffd81769ef6d3f4a3ecf5273fdeaad621758891cb63924555ce48a9e65140f35e1aedb17a3137c83d663523369d8b13e9361fe6b85fd63772db46e22b4a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.5MB

MD5
767ce462cc4bf7322a92553dfe63c762

SHA1
a104b3b945fb6ecc707a2ddfd7dfcc38c6e896b6

SHA256
c3fc81c671a965337eb49f4ee4e91fd33da85159f84096950dd8465b25ee3706

SHA512
08b8cbf28fd5714823f5de99b226c9bdb256c3daf441007eee87c34bd805a0665ca03d012ada19ddf2ff8d5cb28300e4d9da0f542f66e053b38b218d8dce6c5a

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.8MB

MD5
da24dc44e7691641493c0a33aead7f7a

SHA1
49fb8065f45d96dc3e52ae76797af03dfc2c9b15

SHA256
a61fd86c3b53cd569d43243a0369b6184ec0df751e220ecc93799fa8d5bbf65c

SHA512
14f084d9834c1438dba6cabdc8441508f7c5eba665d994f9a816ef932b12e7724f96269385428866c52a4f7307c6c6867f1da5fd1bef839924ebfb52552834a1

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
0fee5d4a4e4082a4726a07c9f50bdb5f

SHA1
fbaae360981b498e1a247dcfd676decdc2445a5f

SHA256
8f4c9931cbdc253ce4da87f593eb52738637798b3efaa281d5ead50502bdaba4

SHA512
d4b5edc4f8c0f4e6d8b8cd46be742abbf3876bd621e2a6c3bcf998d7ab2edfd694b521c1ed152111d7f369f31c9817b9c243d88db7d75c4b8096ad2eab4ca6f4

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
fffb947e21c7dc6c34fa98552267d84e

SHA1
912cc2876c0e62b38927f627a063cea7dd8707ad

SHA256
7a979b3c6b0a8f3ca86044e4b71239de97a2451c2063f73f5ede6ec361d16cc6

SHA512
d6e08d9d8059e595638d04b2539ed11cbceaead15f8c41af1e32bed73ae92271ee4e8ec67f34ef6609083891b046575d9593b1eb125a60beec71aaf60b1f7c43

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.3MB

MD5
5f80c8260fa31b38341c387a8f5e5a09

SHA1
5e0d507bce379fd9fc17a3d0f9b7d585b252ef90

SHA256
17404c90bbe5acde0699e9191a2c5adb9bbe82309b97aa7793fb18ec68207a69

SHA512
22140e772318da2592b5a4c6db21e1e2e66b6da324de6f5d62e1716c52dcd26189194b39efe15fe11559cdba000f307a35623346f8f779be1d1272d97cf75681

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.5MB

MD5
b6a48e286049c9ae50dbc0e567165aaf

SHA1
cc8cbeb9b3f91c332b1b7903e2f47988f9fb2b9f

SHA256
bac697d372b388827e31fc1ccffd4276a5293e8014f3a8f44c0732c5792fa240

SHA512
8213b178fca4f625db00cafdff520f20b283afcaeb9da6a5668f2db4afd3d9b033c5da7eabfdb421b68bfcd02813c2e61355b3c9d21196274353a6b4906a1232

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
b2be9df6b2732194f38b29076d6235a7

SHA1
97bf44309803455cee5e9c60ef82a50f9897adb7

SHA256
110f69b51fe070928a0a0626df4aad2ff45c9c1c0c09c82437ae55f0999661be

SHA512
d7dd013374a5f7482f825bbe5deb319cde64d00648af9fde0000da5d457bbbfea5f403ad61edb52083a7a9796af9ad6918130460de6944b51100409d9a2e9b5a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.6MB

MD5
68e1f07e8e510f760ea4f25269e52dca

SHA1
85a940340ad8ca3f295637b6d5630782367434cc

SHA256
63d4169576fcd7fcbbc9abfe1aa8e37db53a5f7e40cd5be245a66cd6d198ce6b

SHA512
d23a10ef646b701b07b497ffba94b95801729ad8fb32767a713aec675c6c7d41d458b9c85710bb60388f7ecbcebca5ede6af43413bbdfbde4033bc70b44505bb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
a7a647d7fb6514ccc30a38973792b77c

SHA1
37acde3b5528792bba3f7cc0207b7c33d0ecb401

SHA256
01d55419fc0dabe98a37a38c08484f3d1f23fbe13b0fcb2c978f9f4323c32485

SHA512
fc723045a5cc562640decac1c350a42ee166593e7275f2e1953560abd87845e95fb426777c9772a79296672b1a0a29378ded713e27119931239c810aa3f2acb0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
b48daf6187b0f4f917695008402eb638

SHA1
36e917eabea146921e5ea97caba0bbaf40bc26c0

SHA256
b2f291a59b12c6232c537297cca673d9fbd28828d070394c251776d3623073b1

SHA512
b7e0c16bdaab01821a6b771ec5f407f185e55726626b48c1a6da31f04ec691b1a80c79347806b17ba83c15c97a7d5bf61b0af9f43d8789839e1916060a2dad77

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
c9bf858c4c956861523b47504ee5be01

SHA1
f097a82dfab7a677255bf5aba65baa8ea84cf4db

SHA256
65fab8fbb192fbd1b16c65ea94a08c2f9d39d7d262ad67bc5e90caf4ea24d103

SHA512
3c66114d6442dad1cda5d8783fba940f60a8bd0e16fa81f797c952ffa4baadca6c45ec4accc2fa166abaecc9207654fa15e8d3346dd53a44a0ace39d28e44a4d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.5MB

MD5
3e9b165721335cc5ba699e498db614c1

SHA1
72e7d02a28146bb2a366c83ef74995a882df86ca

SHA256
f50157e63bd04dc800fea95c41f9a6af91773f820ef649a4e2ba7237659028ba

SHA512
43791287c81e684e3ddc0fd5d7a0f136161e2ceadeea8650813d5c17bbe17b8807d95077fcc10da73934322f7b780e5d3d47ee4ef7ed60ef435cbbb382e9e11d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
117af1fe6e649b6f8bdc123f1c5d8be0

SHA1
6fa96ffe86e84780abf28004ffa111f2dd21e907

SHA256
f9f0e7b014b6e0ebd43183d63108e72379d175ef72f3da6396b32fa83266d277

SHA512
4120490e323ffb3de24069e0b38972ae0515094f9ea885c7d8bc9aee08c7c192d53e629f7e01f4072a8d5286bd9b2f86c62458821cbc52efe93e8ddab9e8f3ca

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
651bceea893c445a290e7198fe0ac0ba

SHA1
7f6526f6152bcd6a38fbbd3d6dc3ecc32a011337

SHA256
b4f556e15963427d1ff77736983b132e15d728fae9b1107cf7b642fbb2bf6abf

SHA512
7eccf79aad8d901dc7a19f8d03d5215f4af39fcc90210ea16c568ec746aa76217c2dae3fae053935858acfadca5c83ee93b5dc38c0f114a2559850fe43ad3b95

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
aa5951fd67957b7ab3ee6c1a4e067258

SHA1
3615fd5b514c175b783a3f02c0c0595b3e72651f

SHA256
1bafd434676375355008d1768b6998277d1e6655afa17d4a9bcf69e7b67906be

SHA512
ee2622a90d9783cdd3fb0abf504662fc3edbb264d7992473110bfd63e0103460398266b7564cfb6dc25887d1c55886bfe671eab7b4db6fd4b93ba3611c20236c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
ca217f020baf0011e2ef4ff6c3db091d

SHA1
73f0115cc8dc3a7686dddb25da0b7d172e283a37

SHA256
af7b7538d0f3ceb28ab82fa16eb638dc742fa580a554a927f38b70755f5480fe

SHA512
9b9452de2a4eac0754100c3f747f61cd44f5474378c6d9f24b93ca616e3f59572d77d286d548a8b5dc3c65395d36a6896b3b2fc29778e504d6c833a0a0bbacac

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
4d54a313bd6f48afb5f12164fb99f9f0

SHA1
e6e5e5626181b31b289f048e3fedb32073a66611

SHA256
6ec1dd2a77d6c0ae38f3eb513aa4f97ba075b5e0115f2e6d1f6664a18d767a1d

SHA512
d2f755f8b547b7761e4bba6ddaf245bd3987e58d9b1e8e8bfd8ad2491821ba1507bfa04051bc98a0def45338b6253bc7a0bfff0e03a856d35bc952e977e6389b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
7513e4da31a55d8a8d9f0a0991dd4ede

SHA1
3d7c2ed2ea9ffdcffa9b20666c33a58d38a06874

SHA256
7a028a68159a444daa91abc526749284fe38273333ea804851bf63f3c805e449

SHA512
3cb54bd9bcdc59808f8552274609015fc907fb8fe5fe351fc4c2f05085473d48eaa8fc08f0eecb000e8c9fed775bd8387dc6911e63d64670920c1376b73539e7

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
038e83f00ae758b2d5390082bf01689b

SHA1
083b357f5b048fcce00b70e75021a6e0650c1910

SHA256
576687982a379bb954c3760d831087ab56999754a11a04e623543dd1d3743760

SHA512
1f8032347904107ebb13dfe862aa3869b02d4d82aa1f8259ec0267e0d806572b554682668b8be502147926f2776a165a9c5c61a6636274892a07e7f01df5b283

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.3MB

MD5
f438f59282a0952b76599d3c826eb701

SHA1
10774c29e50bbfeaa2156eb071266dfd62c70e33

SHA256
bbd62e4fd6e2f775a2a2389e4c06075f99194d2e48420742c9ed65d72a1773fb

SHA512
76c33815d8914f8670f8e9fce18cd4c3bc6af9f43765d3e3d5d5016ba51da71e8ae2d201857c40e23611a8c92ce1a9563f78e0fd82c81bba67e7af78769d226d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.3MB

MD5
03a55776360d965cabbd472985918283

SHA1
64fd8a054d2fc14d12a548265ee50fc923f8ad90

SHA256
136a784b94e907f68f3cf6a2b5d8d7a4d83b519f0fb0291e6d526c8120a5c17e

SHA512
b4dd57ff009052119af3c29a060f882a233d9a372527e8ae3a3e788be0c39487bce81183cd2effa4a9989f586e10485104983e641a7e6771b5704d522c7785ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.3MB

MD5
b88e4f2915655d720b67df2e5365933a

SHA1
d0e4efcd189411301617a0d81940232573e8a703

SHA256
117818aecfa2c643f2286e64248de8728945b065b658be6b30650636f4f291d4

SHA512
38f4fa11f43a1b606ab2e11b01ee42c3c829e216e055fe1c5ebbbf4839f692184739e1b596b5e174935b0da641f2f06c83960d34a40d340a006683714833452d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.3MB

MD5
9358d4f3f40fa33ad4a2c34f5dc89106

SHA1
c16e45660acbf2ab2820bb4b7daaec0c93c2208d

SHA256
8d440652e9b04f9de1fb11d8378981ab89cfb73a0ed20b39eb195789f5ff4151

SHA512
7a7d5f3ef53556c6e906fec87a69dee265073063995572e2855439e7219debe338157304f2126724ece8ee09f873ad09fb6001a2a87bbc9f91530c780ef42254

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.3MB

MD5
936dd14ae4a5c1e0dbf358e90580c6eb

SHA1
4df13cd7948ae98d103e3e29e26c628945af1f21

SHA256
4ee534e743bfb8a3ea53ff1dc86cd008f02e78e2a42333b8dfaaaf59449f7870

SHA512
ca5e15de5b9573a44b3c47d6fd0243eea280a5e7008e2ef930c55c30d7cd0be6c2af9ef4819389ade3fd93e86681805b46f6e03776a97857812dc2238dc2003e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.3MB

MD5
d249190f63a399a3580390b7ccd517c5

SHA1
1301acc7b4684e703ad21af0a74f30c515d25361

SHA256
c71d476c211d79e9c43b710e5279962b31b462eaaf16c647b3c02ca383c84098

SHA512
61921ecfc9b2d1499fc84da5f4295d03ae787864d4eafeba182743c6357b8c0767ef1b2f5bd808241d9ea7194d6cf8bfd9a6d0af9e499ca05aa080383c4d05cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.3MB

MD5
5983c6799be100c47c4019b76c7f861a

SHA1
63e0e2538a81439c99b8f4824ca3f0d87987b027

SHA256
095b3b55e821bdfb61549b5528167a0cad31bd283b89a2010d2db728cbbf410b

SHA512
3322643dfbf48642a97d7e2620c0e5bc1ba4c9cc270772435dfbafb04e8001c02ec91bec57b4c5d88a7dd99e3e43262eac4aa00952d81e1aef8c6e48631b36be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.5MB

MD5
3bedae6a552309bf0ba65c32a13fc19a

SHA1
4fa06316288197d1bf6cc6e36452c7f8b491d49b

SHA256
db6e196d7858047f5f7edf5b7110b6c101d50ae53588a04f182a314188dce492

SHA512
4258bde2c762d9f4886f669984d27e760af5d1de0f0c9087dfd9d6200d4b5f5f98894ac7e2053fbbde04d14ad29d7d52de4ef97504cf358a2d3b25e9de1acc6d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.3MB

MD5
8cd0431b516f6a7a8fe5170f2acf579b

SHA1
e5c87656832f102eab87c04f979fd85ac548a161

SHA256
cb9acbaf901a0c6f43513ec6549a60f2b0f7d5cc44aa1c7fe81a9d4b14bc7fc1

SHA512
ef18aa36cc151481ba3d88b9415f863f4183152223376b8342420ff77ec568c26ec914997784407f55eb75d8db916a7155e70264dbd5ee284a8ba1444fcb3b87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.3MB

MD5
9d1b17f3f448bdc40b968061e2a6d434

SHA1
5c60b4e4642d646d89e18541a0b92edf455d631b

SHA256
c2b72f748547d017d43020402407784fb7c8bfebca38e85cd2f9e70311e02b19

SHA512
63b38db2cd87828aaa95f341814f473eb2bd5b044ac0f95cd78bc4545d8753991c0f0e506c86c19ef42c38b3b9004100092ea35d03281f76a929499b47cec201

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.4MB

MD5
7e7eb28092487cf3e9e0ba22ef472f1d

SHA1
81339a0233ef42bc91458e98b2610baa6ed9ab66

SHA256
957e23e7d367f67ae3fca72b91cec30d4529bac540a5b41d1420214a71d80414

SHA512
db264337865086435203da4dab3c8cb4c7615ec94866abc1ca03264db761399dcb02c18a7ebe70af91e395943f7fcdb422e65af3b7b0abad413b60f7b0e72a92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.3MB

MD5
830ede141f0a1da5779e9a2131f89cb2

SHA1
854d75f9086ed12fbbe08ad1ca69c995edd8a954

SHA256
c5ab0a58f41d5fc6da13babbd29507a1bd807a3ae8cd88d4fcce9a01b34184c5

SHA512
ef7c2b45ecd0a83eaac044ade161b54ee04932f7172f6f467baedec6bb9f108772f7bed911b60e683793b2fd9a2e502d151cf33379fc3c2ae4ae625198836041

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.3MB

MD5
b9fc6504ceef06f9a195e0cf0952873f

SHA1
24f5eaa4feb47886d5ee69c97344406b1d8387bc

SHA256
a5728306363b28676f5a8b1b20cda2c821d52a96c48e2a2e17a5de43e2fc133f

SHA512
695a729f8c804485120de19ea5a6f6cd656a8909c1fa53aa6a67732346dc5f4acb2c47085cc37fe2a8ffab98ee6f02f67be7700703b3dfd52dc21cad91e28ab9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.4MB

MD5
320dfe478bdf985e95a921425991e682

SHA1
c449ba140724be874774f6f9e365a9566bd6921e

SHA256
bd607f5497895e493146149fdbec351f00135afd9492eb38ef8b7c39ecde1db0

SHA512
9c541b00d3a4921cf775fc4e8b3d86134412e6d69ad04d54f55358bbbff1f8422c74a6141276a49cb420efb8d402654d39d95f1c13ca41bbaac3de910f7d8c00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.5MB

MD5
67c4f63f0b9c7227f69558488284dcbc

SHA1
d5d49019ddbf0d2acb83d3ebef7818a4fa8938e2

SHA256
b116d564d68adae0063cf09230e55aabcf45a19fafb4b915876b4bd7115df810

SHA512
a2d74464700807b241099e77e6db706379c79dcfb6b4ebe90dc8d3e21dc73a0fbf8a578b5be675d624346e8cc15cf255d065ba5c4189c743008b999d7294a769

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.7MB

MD5
051f26c92a6082edcb088b3a5da2bac0

SHA1
37606a7ad1d4f727d2ff3c96ab86dda2f86081a8

SHA256
11c8f144377da6bc1f26659a6b2915806d911823bdd4527935ad6b009da7208b

SHA512
ed87fee170d884953e4124c1568c1a2cfd7b3b9930904f4fba0f148a5069f42d90dc544579335ea19518c2f148cd7f440bb3fdd620975bd391463b002e081c1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.3MB

MD5
5f8bbf9ff0ef9db369e75c2fa1bec2d1

SHA1
34f002c96ac314aef304e41589247d85abc40c64

SHA256
464733b76effbbb301639508023883e7b5fff886c42d1ca62d6d2001bd5c6782

SHA512
76ceb17592f6dde6b1840e86cda1c7f903cd663147127d650a67b3578e5e67118c41a1698bbaa25f1e95ddbf9b991154154538fc031c0f8de8280a9deeae1c87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
1.3MB

MD5
7b30df5260081d7fded4305e879bb97f

SHA1
d94fd977f517814c65384b0057f6e851ab5d566e

SHA256
c9768296f3b3c75149450e2beb9636b43af9bcbf01bfdd24baef60889024b372

SHA512
9c4d35de66d44c8868be1066eb199f6d798bd967efb2e76974bf8d29759c25134a01bc57f8054107e0039ba7288d06eb812a28f51575ebbb90636159cf42db2d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
1.3MB

MD5
e30823018637a99e3ee6e19edebd36fc

SHA1
23a4dc8e8d028573c7ebaa600eb5e5644e8bb098

SHA256
189ca118de967a69da3c63506dee9f05660d8509d3eb4bce71f230e09bf16170

SHA512
e233d0ab1bad38c4472cad6c48cfdb1e51ef642ac5ec9839c9eb721ae88ef077b89c9129b337e85bce5f3190e70cf5a41022f31131875d00e6476f1730991d0b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
1.3MB

MD5
ac8cfd3dd9d5875ac302d1065db07313

SHA1
7cff056e567c555764ab3c00d7e10934387a3b73

SHA256
609e5515d721d1fd7441465324b4ba35198ea99d59eae3720efccfa28313dbe1

SHA512
c9349cb021f913ead6901873cc5462e3cbcd6f2cfde49ec30c9c95a682fbf815a10afe853e8aa7906605a0da9875decf546b19b7dde0e55e37c55be4c4343aed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
1.3MB

MD5
0b2e2e3d1820e14793227eb4314e7d51

SHA1
068c931b5e1b1c8658b664bdcaef6b3f0dc9bb66

SHA256
411f7d659910b804329394ebd8e127f93838e64237669b275ae26396c7d6babc

SHA512
203b04f7e8f3eaab8ee9160355491e88264bd5cdb2ba19cbe2cfec00b38bf3d13db7959123fd22fbb3519575a2a4f914fba2f25a0bb055d2e556760e9b0d5ac2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
1.3MB

MD5
2502dbbe9a136a9598d7af6370e8e251

SHA1
01ffc9b4a55efe04e389aff9f13e454f3161771e

SHA256
f82b058be55f2857705b819ebff783fdb54ea6d44e8b0c049d5bf93cb7d5e7af

SHA512
4e05e77ca0ce8a3a5fe32b2b43dabe9381b27de9929f771cc2d25085c8aadb70b21ed1ae58f96c5d3b3b7bfa915c31aec90b9958fe54a0ca7635d6bc5c930e60

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe
Filesize
1.3MB

MD5
de73602b1c8820748a456991e5b1614a

SHA1
7c2d3528d0392b241567378ef98b3b24af9f9dce

SHA256
4db9a102fb18e06de84a1347886500dd4ee4a0a8558a2cd58ef6f9a2b1dc1af8

SHA512
f630869608f3b96502ac748f4244fbadd6b0f907b4ca9365a357cdefe2a2b825e0519e08f1b87ede5b6c3f1aad525ccdbd4df20143ac361c038083c50b4c8da6

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.4MB

MD5
44fc636197cdf47b652b7ca0405d75c5

SHA1
ea53367a96dfa67be29a31a342b6549c9b49a803

SHA256
6ad9eb1e1fa5e801f1f6cbdd7b996c283be05566e83f5f07072fe5877192741d

SHA512
d8d25a3d01df667949bca0ce885d2247613f804361825bf2a59a1e3d97ef7c2c4e651933c241e2a93da1fc5e744dba8c99881bd287cf37afdd38dd7899719f32

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.3MB

MD5
93036f2e4ccf8af4dd9662529b714d57

SHA1
dabe7d9a2009203fb87ee5b9aa61b1273ed38770

SHA256
cf0e2b06559100b12ea6d186f83c37fb0f7f477e327b3bbd39ee9e27f82b59dd

SHA512
821f345dc32017c3c1d21bc90fbe112fde6de6d96e9c5f47a0d6602e4c8136dd084ae7762a4ce20bec7d76e5ad14377ce57211462ab0d016efa6424d234e2304

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
2fe4293b0fcf16846570dd82cd3ced4f

SHA1
71a544363d24fb2ccaa5a4208fcaa32217fe1726

SHA256
787b4ede47d171fc1b44d6f6b0f21f91d2ae106ef3fe4bb470c7fcd082f6c0a0

SHA512
a50799c452dfc3d42baa2db397998bb8ddfed77060f28b6d677bbe695887f3e573f81daa5988f7262ea9866a96816719b957c47d4ea7c8d124205cae540be128

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
2855b14b444784b59f90b1ebb7cfaa19

SHA1
e04ed7bb40996edd529affcda432467918cbd575

SHA256
c70a56cad03c2d4fb18f9c30c8d3610f04201720f848637c12bc8fba4e54c53f

SHA512
ebc6cd5759b003435ad6c6a32c6f352dcaf5bff14ce9be87c713737564cede6a833a72bf8a0c024d2a9f0759f0dab9632b5bc6147e9f2ee35371972140d705b7

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
e549c16d77a2d4b3c0aeffa44c7a87a8

SHA1
2b61f01a50632f0257fd9ac440c042295cf80fc3

SHA256
7495f0076204d1875bdd04a5f1d9e3c4131d46434f09aee9f1e30a2163b398f8

SHA512
10c01f73a112b3a2d3548f9833cbdce481141b9c5bdc6a0d113e187c235c96d0c7f5232582c977c269e3478be0bea3859f2310c25507c7145bc52e1a79fe571c

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
307428b04227409b0be24af791bc3a27

SHA1
74aa8663913ac0025584c06b6576d2dd8d3f6b18

SHA256
3de70539cee2c42f674b7078ab62e94bfe54484d7234efbaa9b0fc28324ff485

SHA512
886ed9e5c1b8f42ad5ef3270f9e963f670b324b2d71c39cb7f675f02db6ef4a1b16cf5fade6ea4f1ca910de6528792d3ff3a3e8644c7b8123c383671d41e401c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.6MB

MD5
4778144b7a8acc8e9acd12e05adffedd

SHA1
a16bc9df56623fe132c91a72d2b41ae2829d7491

SHA256
7ef16504a55e8dec44e2c4d1b2ee7915318ba5d6359e0377f7b04efa4f4fb5d8

SHA512
87269f45a02d7c8b67ed7e94c20aa83ec5ae9d573bb1b4fa786ac78d17bb9180c13c727cb4c5a961dfc5c5d2e9e3493a73c3a5d74a034476dad43b2d97d57048

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
e9228c5e17b68fcb586d93a8f5505127

SHA1
f1f2e4172904375e9d96360525f3c87e0e5468ea

SHA256
6555a2d7f0052231c5f63a30b8feeaf985775562b15cb2a3a8cf69bb01415049

SHA512
99cffd6d8a59c12b98ab088fdfe1badddefcb55c5e33b6eddd7cf1270e3dacec8c214180bb2da4d0a4bf581437d63f2ed26523af0f5bfb253181652039b4ef25

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
44b32bc0fa6820dc8ef1fba64eab3aad

SHA1
45eb8ae62fe374a0b0b7abfbbd15fdb39650ff0f

SHA256
5330e7774243866472b169c7d40ef589d6c5e1401904c65b044d2ea751822cdd

SHA512
f28bb984e8442d5f8060b5fe24d7896478919ec1ad0f6fd8dbe8a6858ebc54629af43cf5a56a575203ecfde454ce7e7082a0cd50cf2d869e2758d85930fac907

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
9c45b30ea3a3eba53a66135e4dc5e1c0

SHA1
64875c753221b46e1d0c39e1a195e268fd6065d4

SHA256
afbce38088ba938c8c2b9f59afd738eeebd743b9ac3cac9aec2d3d5a10d6eb07

SHA512
00110fe4c150c2f77f6ce162a7c84ec906dc60e12b086bc2b163c2c43ffd705ad993fb892a6c8f7fd7d91a8d68ac31861f88f215bec5867ac715b113683548dd

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
b01c4e5aeeccb6d9fbb2d3ff587a4cb3

SHA1
bb040a7ae4483f66b9cd2dfd9828841ac01218d2

SHA256
bc15c3384dbd8fd7012d8af2a5b06530120e7710a83b70b996a6dbef4548d0ef

SHA512
b7c571e3b159cb6d461815245eb4f00595c28d3bcc9cf7ef9ff7784bc6bdc1e6ca46fb560ec83ad5b9856a4bbbedfb82fba06e791f1d1940261397f69283e055

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
0c8c3e243ea3ab94454f3a66408e2e77

SHA1
7a351ac975c8830163e0ca2bbef6cb3ce1f64282

SHA256
46dcad328c126f5305c0f01bd2f4c2c58da666702d8d8f52258dca53485c7e17

SHA512
9af6803d7967422cc48336cc661201e2dd4a91dd132672e4d5822ed8cd4b6893c86699ddaa95f8429002333c5a235dbc39d625e7cebb73f0bca4a50570bcd81f

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
13e7aa47d2a21c26b405773603734756

SHA1
1859db8d07484f862ccfa434e6e9d5c88a7106e9

SHA256
0cf6b9682e664ed9ab419ca504800e131efa561c92dd1555004865d563193fce

SHA512
96f82ebb35cc6f731e7dc2f958dce7b95550acfa44abd614e42ea809e48c2082c1a86e8ad5793f9c72e972cada528570363cce29e3f8fdf6f775911b98a3ac3f

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
00a9a90ba8c2f5289c106ffac1be570f

SHA1
190b756077545be99fc7f1dcbc345d1133848bf0

SHA256
b5c214e2403913d904433f9168a04f865d06999090f8b381309567babc704639

SHA512
9006d8d32a463ac1ad5ca8a63aaad7d02a6e9832bcd4a11cc7453b521fd65481ba9db48a559ad8c14dae1a0cd6cc1b339bff0a92f903c4c63d22149b1aea931b

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.4MB

MD5
f0875a9d5001f91940dbe3f64b09e574

SHA1
5d03302a58cb57d31f89bea8c909dd1626e0109b

SHA256
ef2ba09016764f2fb85369374fdc21d32d83361f0945207ef27a6e37655e03cb

SHA512
19b3b71d1b07dfe9d2a8fb46475a8f27b097506725c276fc47b0f15587ce0293adf6def0b304e2392ec89b61ca1f9ba8ecd7ac1d2975d33b071a136777878f3c

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.3MB

MD5
a9bb6766e78e720c7915d1066799f994

SHA1
5b13e2fc98795c9e7bb5a6c7be5a6190b8596529

SHA256
a61c1f8dd03be66168c93c894628c1969af38427940fcf7c537488ca0bcce65e

SHA512
0bc5d083e45bc7781afa9c2e86342f0be064349e085aa5e6183c00c0b629f7f55cf9df266453e5c2c7b5ffb27e863fc4684dd1e9906e6744294303f5d5233a41

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
9437233ea166be4b200f7fc1c90975d7

SHA1
cb032f8c5646feb641398048d8f6f66e580197dd

SHA256
133a6d0eda1f646fbf53a9aa32b1d8b7ff2398edde6d97616f5c056c19322e1f

SHA512
49548e4a399d0b4e23f2b0a79bd21bb211454a09ae5a38652fed822e84f70245bfcd8d5c057c6539f2e8f5f51bf270aeef0592e1ab0725f65830931d91a74588

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
c3cee119eda87255abeee7ebaabf2c83

SHA1
d888a8af64ed4fb3ba2314331d7602011f503c3d

SHA256
a3b7cdc7ef2b27d01855bb0bfdaac6e725145e08e0792ee6a5021b1b45091567

SHA512
cc026380e0c53524f27c76438b5d92615c60fa7c653c096b77c785788a8f1da3fade82829e7256910250474d462134b1ffcf00ce8cc60dde13f35bd63387a7e5

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
6d0c4f566e587258bea4edf505736084

SHA1
5063d55d5968bf631bcc853ddb18083ee0f6d311

SHA256
d1759081aae7f0a23f510dd2a6fd357177624016a1a55da18bd84720564087d7

SHA512
6d0e3a27971d478ed41e6cdd1f524b60975416e9eb28fbe1569d6ad45bb205531765f727956abe47374cc1e8c63b9d302e0e036f9e2cbeaa88ec7830ae7c46d4

Download Submit
memory/824-257-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/824-259-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/824-270-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1056-716-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1056-436-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1228-340-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1228-544-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1444-38-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/1444-237-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1444-29-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/1444-31-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1476-391-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/1476-272-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/1516-75-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1516-241-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/1516-69-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1516-77-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/1620-374-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/1620-710-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/1764-415-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/1764-298-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/2372-705-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2372-342-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2476-392-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2476-713-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2968-403-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2968-287-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3004-709-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/3004-362-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/3312-66-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3312-67-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/3312-52-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3312-61-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3312-60-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/3384-715-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3384-416-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3416-717-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3416-449-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3464-389-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3464-377-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3576-9-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/3576-14-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3576-12-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/3576-0-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3576-1-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/3824-247-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3824-253-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3824-246-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3824-373-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/4108-714-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4108-404-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4200-440-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4200-708-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4200-327-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4444-427-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/4444-308-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/4780-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4780-41-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4780-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4780-240-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4968-25-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4968-24-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/4968-16-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4968-236-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download