dc6f20ccc63452f9d68bc9a10164b0efd6d55abfc335e3c08bbc554662ad1a68

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_be8ca3dca8eaff9180c3ca120c3a72b9_ryuk.exe
Size

2.1MB
MD5

be8ca3dca8eaff9180c3ca120c3a72b9
SHA1

e08b08ba25967dfd75e61752e868e5f4b3f62547
SHA256

dc6f20ccc63452f9d68bc9a10164b0efd6d55abfc335e3c08bbc554662ad1a68
SHA512

87ee9ae753c6ccec385a947989308949f77ecda50571423df47b51a506a2a9b906bf450909a1b86dc5d344c9d2dd92f823fbec99b4740c28a15930883c0ecab8
SSDEEP

49152:HjFX33t4INlfTqkUMLu/52bulcI1wXZTBz5kkQ/qoLEw:H7fTqmeX1Fqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4604	alg.exe
2940	elevation_service.exe
1500	elevation_service.exe
1656	maintenanceservice.exe
4888	OSE.EXE
4672	DiagnosticsHub.StandardCollector.Service.exe
3296	fxssvc.exe
1744	msdtc.exe
2896	PerceptionSimulationService.exe
1708	perfhost.exe
3376	locator.exe
4680	SensorDataService.exe
3520	snmptrap.exe
1668	spectrum.exe
3644	ssh-agent.exe
2424	TieringEngineService.exe
3028	AgentService.exe
3228	vds.exe
2040	vssvc.exe
212	wbengine.exe
2740	WmiApSrv.exe
3052	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

2024-05-24_be8ca3dca8eaff9180c3ca120c3a72b9_ryuk.exeelevation_service.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_be8ca3dca8eaff9180c3ca120c3a72b9_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\798d2245b4b1389a.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{28C8484C-303E-4CB2-A704-E3FF47E10F7C}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exeSearchIndexer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002b5b1e2f1eaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004198fa2e1eaeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ea92c2f1eaeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000023d3f52e1eaeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d6b6f2f1eaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ae5ee02e1eaeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
2940	elevation_service.exe
2940	elevation_service.exe
2940	elevation_service.exe
2940	elevation_service.exe
2940	elevation_service.exe
2940	elevation_service.exe
2940	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-05-24_be8ca3dca8eaff9180c3ca120c3a72b9_ryuk.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1720	2024-05-24_be8ca3dca8eaff9180c3ca120c3a72b9_ryuk.exe
Token: SeDebugPrivilege	4604	alg.exe
Token: SeDebugPrivilege	4604	alg.exe
Token: SeDebugPrivilege	4604	alg.exe
Token: SeTakeOwnershipPrivilege	2940	elevation_service.exe
Token: SeAuditPrivilege	3296	fxssvc.exe
Token: SeRestorePrivilege	2424	TieringEngineService.exe
Token: SeManageVolumePrivilege	2424	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3028	AgentService.exe
Token: SeBackupPrivilege	2040	vssvc.exe
Token: SeRestorePrivilege	2040	vssvc.exe
Token: SeAuditPrivilege	2040	vssvc.exe
Token: SeBackupPrivilege	212	wbengine.exe
Token: SeRestorePrivilege	212	wbengine.exe
Token: SeSecurityPrivilege	212	wbengine.exe
Token: 33	3052	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeDebugPrivilege	2940	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3052 wrote to memory of 4780	3052	SearchIndexer.exe	SearchProtocolHost.exe
PID 3052 wrote to memory of 4780	3052	SearchIndexer.exe	SearchProtocolHost.exe
PID 3052 wrote to memory of 3524	3052	SearchIndexer.exe	SearchFilterHost.exe
PID 3052 wrote to memory of 3524	3052	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_be8ca3dca8eaff9180c3ca120c3a72b9_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_be8ca3dca8eaff9180c3ca120c3a72b9_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4604

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1500

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1656

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4888

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5076

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1744

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2896

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1708

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3376

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4680

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3520

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1668

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4868

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3228

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2740

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4780

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3524

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
00df386a9545937ce893a21ed20095a8

SHA1
fab5c3287882bce79540b85b31a41181c9607941

SHA256
4f868fa79164972418a05fd20ee4657a171780bc74ed9c81db16ff9203a0e5f3

SHA512
3cbbe9a65cce820ee77a190cbfc987bc5aa09ac913cb77cefe3b67ce5e2972a8b70898dd8c4365480adda4a584774bef05f843c35ccc1018bb0204e577e97f37

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
b4b96329c2db199613f6ed1f5ef5871c

SHA1
0e6e83de2b5a9c378ae5804ce9e289d72ccc41a8

SHA256
cb05af0960f9f19de2975416fb300cf6f1c5534f667f6fa29c277be6ecfc9728

SHA512
9dbfb2c9f4e7b69d2116682006e3a57462fdf8c517f53e3b63c96a8fe4301423fbcd3038bf3b48def266d79f21a35a7dac3328a8c86416f4f3ce3d2195a5ab7d

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
839d788324633e509255ca082704cac5

SHA1
b74871b96384f7072e7403732f2156bf6539a13f

SHA256
702c207cd4416dcbc52ab886f674b20ff9c03023932992a7c0f26a9f6eb34264

SHA512
5c7412cfa8ee6e1fce21924462ea765d696d60d01ba047516684c58c492f30070bcb247e0699eef8a0208b47a2b12e7499cf4f95eb0ce12513e2ef1ae5ccd1b5

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
f7ef79d9405dd636f4e1f838e61cf9f8

SHA1
a9378f8e9bc0c40c786efd6e5bd3b21d3a906a4a

SHA256
2c99d0bf3f77e43f144bf87778400d593931e342c6ecb4347aadf5111d682b7d

SHA512
3eae39640562871dea91ad666d528d9010075eb92067282bee62ba6404b8e7c97bd9f63ad42150135099f77645fb16d294a162fb104c2b0fa1b867d6cf5d689c

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
7379cd2c606d5f9d447f65424b263aa3

SHA1
64c9f00aa56b35dfad32244a9366acd4a76bff58

SHA256
b1612970f0468dc0666730f9f72ae61591cb6d0281096c508f09afffb48ebadc

SHA512
21ca3c39754133ab028dc86e05e75b4a9f87e1f08cbc022c5033b48f24e4231bc1389b9616bf1869d0754d1f09dd81b13472c3b3f6bd9def55e8194e4a62d9cb

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
b7df9dd16eb59449914fe5dacf49158c

SHA1
2ee17eb059982cf03e9f6760ec3bc2a6bb5da6a4

SHA256
de3f0afdc27fd27fb61c72c5018fe546720cb74087a09ac3f4bf5c152069593a

SHA512
2a4145c5f4bfa8223f589895844f4f6a82603b89f817266af39d9da12731f05f23f2088c46ab2eeb0e19930b86c399b8617722791be6fd5cae38e7c3bb310ece

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
5939ba13081acf716c40d51f63fd417a

SHA1
4eac91df616edf76aac01443289cd8b1dd87fdd9

SHA256
2562a8f8249e36061d93d7193ecbb199a49edf12817a531895a69fc9eb5231e7

SHA512
16ccfb1c0291cc8b2c1c684f596b7d416718f8f017ceb5e0478768dc8cefb812e30519b0cbf6c40fca41d794c89370d589d92ef2798bbe97d8748dcdf91c50fd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
c80cb651773881ffee2ece9b7d7bc06f

SHA1
7e44277fdd1b86afc1039f204d00cdaff34df621

SHA256
bfca6de4261413cfb0b5199a9d474056c11e76b5a2c6c54ed571dda8a803f84a

SHA512
541a08741617e00894214369bd4d17280649298e22ddff5e624d72f6e148a6f285bfe351e9ef0fcee952f4bc42f595bcc9bd8f459628172060e0ee2b7ab4693e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
852ec1a34fbd957ddcde9db795e9c02c

SHA1
8cff3d0989fc87daa8328f948977473d654935e4

SHA256
30d12d1fc942cf4b930c77e80e81e0b86cd9c122af829553c2624a36218925da

SHA512
34ac23dc3a39bec747ff8ee08c82847ad304dbc4c23edfb0689af5f5c781652a86ffabda9aba58d29713b1c68b7aa54f4ac12d7949efd9e4285392a0e164f847

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
49086f94101684c758f744cdfe0b2adb

SHA1
e5fc5ee965bbd04622794576c608a4fd348379ac

SHA256
649a03e6c325a4b00bef8227a04f15f289fa3305f75ff19359fd7ded055f30d0

SHA512
1986a10dd1b908749aa0cf44404a3e229122ccb2b66569dcdb6be9ce572e2404af21bb95363e1d4f747df796ae3118711a9d6c45abcd602fee6d5c606193dfe8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
54544bab9b16fd3b8f7b85cfdade563d

SHA1
2c07da6f1163803b58b483467c4835932c3919e8

SHA256
4dc57acdce55cafe945fd5ad49e8736e9ae4587414f74f3c61cf5f5b524dfe01

SHA512
80b72d0edbce93aa837eefb569d6e4ae47a2274b11753f2be614365af58b7e1667e4710ff4384ef7c1a27e3426b2d584a6755263d55596d64d56cd1cae4c143b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
39add48dde9da3d8df2bf572e150985f

SHA1
7e5b40075264c908c2ee92644979c8103f049bce

SHA256
60948a41998546c9cc5a32750d8af15b1d89e911d30da26eaab9294b6aa941e7

SHA512
0e449deafd8809a0aec3cc33818f5b4ab84519bccfcf6b4306b7e90d750a4db04f975118804fe2eedadd17442b5319c9297517b00c5b541e6f752549ddcf494b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
5cda167b16ea6b0e14c7a3e0d0e9b81b

SHA1
49cd5179bfe1b897d8db8236cb19e438ee65e45e

SHA256
dfdcd5efd42caf723ce523a6128896ce206437d21ad9769f1ed432505ab7cb60

SHA512
0d9ec907c5cd89311989bde4ead38a2dafd334c1dfbe3100d3b360aa60b3733d3d669c60e5f9004b188e493451b331dab88041f941b8841ba53aabac8c3204fd

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.2MB

MD5
553ba08c1e5c5047050e08ad9a6b4e3d

SHA1
09f4194ae66282e7d01a056f7111996172f14024

SHA256
fad6f699e30809fc2679cd54a679bbc25f9d5bd5e3f4edb51ffa78f4d71eb1c0

SHA512
1294e838ce31307a5b23ea8c75173048a564a94ba1476b9da40402749add7edf43756a021a3fc6177af7a655e08bb74fa0c3037f1dde622664d22ad0a9fe3264

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
c27526c5ae346f8b6e8ebb32e167273d

SHA1
ec86cfe53a8a706e1ce8420a01c62587719280ff

SHA256
b83af09a3e5d65be0ee16b4e18e28793843f5d373e9e1b50e11498b56c0e9524

SHA512
80aef7f7f2b646b659c8194d2ecd46d50b2c34441b653b409a0becbd5ce994d4235f43236b3a45afbf92c9ad12677cafaff5bc82f1b415f99ac71a52b2850615

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
a7c40bca86c313e865f5adb29e88e67b

SHA1
f5ffe745fc62bd669188dc3205f770f4bd3bda8c

SHA256
78b98afc06542a6b41a6c8b5fdd9029bc6fa08235576a929111367ee83e37a69

SHA512
187b25b57f96c1347c42d889e7358fc0c37d06c16d64388569fccec71fe1974b36a32a15d35dea041f6f10d33006b69f534510fc46848d0b9afe9b9771c8c14c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
db18833e32764bcb41946216d890ef3f

SHA1
5af07690573a9c0c3e266e1820a7ed5be4d1383f

SHA256
4dd9608553ed8c6e2311b2870943a02ed51ad9c402e6c77967be5b9489668019

SHA512
f1ba9f35db81f28d61ba24503538cbfe76abc774f4f87a7dd5ca1b06076498194ac73e72caf1aa6c8dc594c50604718f1cc6b8ed455a5ee1df521d90af866797

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
21fcbd15db310dabf733d6bff5f849c3

SHA1
9b52ba2ed102fddb64bee96a7650499b575e600e

SHA256
0efe5283da40fce6245c7a29fecabdf0468077ae190045c032550bbfdd2126b5

SHA512
ea6d29a2d7effef2cc2aae08cc3fa578e17642da63f174522187c6f576108be5bd616ba7e767d5d72370f9a694e87b616a3e9e423906abd17b328a2f4c3073ce

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
e62800fa599800188505b5d064b7e435

SHA1
0f20ea661d8d4786b8922872b494bcddc6a3da18

SHA256
ca7f0259c84bd18dc5e70d39c0aa112a3959cd4d593665de6f25096b1c5ebbae

SHA512
8f41cbfa4ac240a95372426f57a81244e0f2192dc104b2526ef217aad7d408bd520bc75f99b27704a666d2a4a37e7b372afebc47dcefad0fb7eb423221cd5bf9

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
cd7549222a56b9b90a762453a88765b5

SHA1
faebb2df29bb5511b91b416b8d2d9569f6bb3d90

SHA256
849a92235594e8ffe13178a9a28e189de0e5a2d604460b3f28e78e04409e6eb3

SHA512
c662afd3f4dcea67953173180e8ec41d3d0b192de982dd36fdf83eb45f6ec0b95c04119ff03ce38ce9a74697ff5afe6b9bb634a3ada672375978b20daf61ede5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
fc0f53181ef0bc4421e9431acf5bbcc8

SHA1
882598d9f3bf7f89fee0f24991fc15f325d26fd2

SHA256
a65dba1058d6c3c7a4d1b1132b573bd0d6818b37646bd62c6efbf64b6a40f3a4

SHA512
33fa73402cd7d3e953c1c06abf046616e46768ca449b101086d5ffaa19a1c5292325c17fc828fc2fe783fe853b3f8bb278e2f5c09e1e999c13d8b8a016f5bdc8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
b8cb2276d20403efa6177f73b29b2954

SHA1
ec8d69080149c2d0d2bcc7479f8a792c8012f7f1

SHA256
e0c286ca3c736960a63642e225a8009aa3059012c9dae1d7688b03ce8ea7ad96

SHA512
b21fff3d9d517cd6ea3bfac4be26bff7e0bc0e09564b90ff036a8781b24a5195fa91446879abb4ae9faa58f49abb20feb4726a7882d8c01a45453cf74eb6fd86

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
3586afbc46510f9408a6ac15f7825ee7

SHA1
c6dd025fa3d791cee6253f0f2d5ab37b05bf48e4

SHA256
86ae098ea4328ac33f246cd610312368f7d759a2faf10e6f51610f19d3ecea80

SHA512
7bfd9c8edffe0983d51c0ebc32a48c8def80ffd5a8abd87597e7157484e3353854fce7eee0ec534ae3fc1e0365298b84c6b4c993873de1681c58a6b3b300ea5d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
34c6f6a4947c35d5add65d51695639f2

SHA1
b9ff23d4d094eec1475e8bc0e95b880b3fc8e4a6

SHA256
5b076f5fdef8d4cc733f3dbeaec33be619ab51a7dd6e89c22f427d12cb0462d2

SHA512
98905e2a76df0cc4fce7aa6e82db58b2ab6871e43e1025f66091c2bbe54ae518a36765fffd0da9cd445d424f413b8004b68053c7b76ecc28d8d7f14a641a8731

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
7bd0392d8a56134eb2d9ccf9e90e5759

SHA1
60caec7b5d12b4174937d48daaa0fa16be981bc4

SHA256
aceedb7a13bec03b0ba0b2b06ab350e5793a4670b47c78f69ddf9f138875d976

SHA512
6e2d6a632d720a10093aa7e5927edeba729b88c1ad7ebd3b20e61402103d97cccca0f6dcb806fda393035b6792353e37147bddb9aa4e92015157693a90f2fd54

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
af843447134bca1703eb48550e39fb8a

SHA1
8ed2d24b4450889612bc7c6526c0980f10072e14

SHA256
1cf4661f7e3937e4080b572605e2eca1842820d1718e5c33ab4e841f3f0d8ef4

SHA512
aa94cddd9810ec70185a2dc4ad1a35e4dad72127deac129c8c05189150c9a1c5d5e6111a271643b2f55595c4d3f2fa169d3d0e3fbf077e9265d42402a7f5c923

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
c7a578bdf8981bbf82c49c8986b069b9

SHA1
3b2d86becc34c028f144f07b796bc6562a429617

SHA256
25e59a8cba6632d6ccee7ca61ec9a34504bf1156dd0e083b19a78f8f29f681b0

SHA512
78aea7902f1b8947d32bfcc7460279836495d0c60a158d53ad8fb925c51e1c4fab185100a5fd091e39d801b78922aa4fb6c4ff7bc84167f0c136ce5d688e7193

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.4MB

MD5
afa5da11648efa9e2eab42275f95526b

SHA1
2f86e356120604b7100147e23625cbdfd31afd21

SHA256
53a8c41bb12dcecb9c43cddce0a39c3e30da1fd8831894868c75a5cd20be7b94

SHA512
51093b9e8183aed2901146a451f3512b71e4949271be721cec0264a421f91cef086dba8ad137d2e6d0747888c92ee4f1df92af80a3c3d4f7349a904cc300b74d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
cbf73d4cd8b51a2a726fa7939df64577

SHA1
f7088a50c84b6e29f851051cc10f824a892f90d9

SHA256
33539f71f1a4a45c49e1bc71df9d9992b326009abb8871d06c5d2511b57f02d9

SHA512
f2ff1bcdcec8bf91c9891ac9505c6286d95a2deac35e0de9f0f3d4ba1e1d4f69b9a37a70f416fe7464f5029535619fa44ee683407e48647047e2dfe80efffe78

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
a1e9e3b4febad275d4b2d96f2f23fbd3

SHA1
a85c7ab06881eafd5416fa192b51ce0e49aa6f72

SHA256
38c07fabd4d5cbb02c5f8cf572b2b9332da8727ddfe8a2e73b10c1664a4d6a27

SHA512
cdc1119e9a2dce246ccd96e3638bcdf1e21b2e35195846898380ae9c50ba5a362a0c9348184438cf87b574addd7287bb96ffea95ab387ad448538b656e8dfc30

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
5f8d03a6b7f4791f00716b2c01e39fe4

SHA1
a93393b06b20f66a58fc33996101f705c60f379d

SHA256
4832cb9000daa8fe7d79bd3a1642d99c7c506e309adf6fe071229e06c6f8eb1f

SHA512
771260f6beeaa71718c17f006bf9dc06c5eb33b42924d1fd9d064d4fcb16c94d6c9d0274297e7d07b1f99db4e6d29ee8904fb0f34e2ada2644c7dbafa3e47cee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
94b86aafb443ff52f25a3caac715ebcf

SHA1
65f6fa0257f12a7cddfa2812d37f4b37dfc5f12e

SHA256
c07e5bcda143d910920235892e83fa7bdfe7c05fccc480752b76a722171b19ab

SHA512
8c194dec1f30548bf9dc66a45c78f5f868b1205c5ca3d55bcda0841012b00e875750f4b473bf20663471bcef8c376c84b77e7bc80dc346609e7af54adb25b3df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
41f5d78070b2e0b17386765894fd6578

SHA1
ad5eaa59220fd43cc9a68156a7c200ddc8122cd7

SHA256
6ead80185fc0d67643c01e10ab55a97c95f7c69acbf6d0b9d5b1189a8239ed41

SHA512
0a944fa610bc5c2d04bd7590cac3f40058df7b06c2bd02595debc0b93270130b89a56d2ca2875cf5a9d58394e56edd394ed8b7cfcaa1cd38b739240f11bab7fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
6e91d054f834bb08fd2d14087dc11c38

SHA1
e976941d94afa55a8275b2576037cc499164a148

SHA256
2fafd7ccc365f8490f0893ba15afbf339a7514f34e2da3c0ec2896d5557e6497

SHA512
271ff7348a0b97500c164d77913e13095157ba3a5a8b5ec60853707068aa2660726a3225c3f02ab88dad9ef85beaeb2ac4295b97ce26561ad38b4079d2c8294d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.4MB

MD5
74add3099053308660408af74778a180

SHA1
38650bf2473215bfbf58d246cf3cda67c843493c

SHA256
57d032672839f367a41a2a1f61db62f55cd32e2ae3becd62633df6c4b7e7ff05

SHA512
c0f09c3cd972ec9ed92675754f09b76ecb30cbd46a952612def810b851eb52a6e9950d8dee658910c0ade03c91414da5a462447571c79e98b9557b6551b05b47

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.6MB

MD5
59d5673f7032249054befbe384c80405

SHA1
66356bb80fc77940077ee19e71ca2535eeafc42f

SHA256
1953610b687ece91c2b32d940d3db387814b58f9573307e63b1245793779dd78

SHA512
fadf420e5a0fa72e701204503c8da43c9caea915fa790a7829ab953a046c4b3e6ce76a2aece03717cd7d40b89dcc4529cb66042cc0f37b6773b6074fd02ef23e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.2MB

MD5
06da00ba2f20481f709dd34b0864814a

SHA1
734c5a0eda543f24207827e952f130240e4a6632

SHA256
912248132d7f6c45a60965ace4e29bf25fed5f2d51b0477306f5a60e6b245cee

SHA512
9f5d651c6725a12097617485a4439c72f734dd6ecb41ef320a02c966ee86ca56c245e80bc7fefbadc7a6ad95831c20b021c2276c395ebb35460b417cbdb68d5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
1.2MB

MD5
b513978a551587cf52983004fe29b1d0

SHA1
c532886d95fee91bc630d0c8945ac88e821f3c82

SHA256
3c698a010458fe3691bf9c6d9d09d7f6ec98758c39e26364a285dedad6dd67c1

SHA512
0b057f88c758af503c174c28f7c45c07c03ea275873cb3e627369dc882b88d475bc71d0fac702367d12956342d72668cfb603d55e3dc55d86043b85c4d67e283

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
1.2MB

MD5
3688f9bec121c280d526de3f269ff919

SHA1
ffd3ee153d21ca576b33640786d124f1c274a7c8

SHA256
77f52770af04d0c3a47f7d4289110da17e625ea62e56a7bd29ccaf4285e85ee9

SHA512
a2d61633de763e0e7eb5ca6a6d6972317e9a983a4cffcd7d58b90105752bab4e53924fc05c8fbd91e446bf17f759f16fe2744ca3488ec6c8c2f13e3da9adfcb2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
1.2MB

MD5
3350622483d075d2efe9add60c7e758d

SHA1
2f89c1cef7f074f40beca2010a3b84809f7371d5

SHA256
d9d5e43639a54d4dfe0d852cca6d97e1a62f77acec96f6651ce6658681fde395

SHA512
86f97134596075f80ee71c15e08493836e4a24c2d1e4932ccabab851761137eb6e39f0c64dc870338c7c02295aac75f1c27c98bedd9487cce0c14c6914a4d682

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
1.2MB

MD5
f18309858de101411e0e9e65a4f140c7

SHA1
0a8af82fb6302b6ed903e410027bea886de9445c

SHA256
938fe27e78c31e595c002183af89201437cb914538720c399d7b009ba67daf90

SHA512
c7c99232886590e3769f676c2ec1c66eda2bdcc73f084b431349840e1b831e1675aa6b41cf517cf8970c3f50681bbfedd833ccc9912da452ed2baa264afa1e5d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
1.2MB

MD5
1811d1f16b05cc5500d0945e7998dea9

SHA1
4418f21744876abb19cbeec520474ab1736496a7

SHA256
923ad6885ded2f65c036cf707359d1c0967122998cba9ec0a297fcad202d8620

SHA512
06a66196e058dd1adfccdba7f0fdfb9166599cd3e401d35b84de64b584f03198898f450318496fbadbe31a7647efe55601b57d3680b74880a0509529ffddb8d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe
Filesize
1.2MB

MD5
ad303b5db2dd6bba01dfd27959f47baa

SHA1
57a4d79a482d0c0e3d63355bcfee6d883800e209

SHA256
6b27fe46f746d3bf124f9c57abcdda6d402873d58aa5749af09c2f4d78fc34fc

SHA512
28cfce99866e5bdd9b48d18afda9313a875320f3051ba5c02c8f32db737aa291b01fc65aaa69e7d84dd98e984e7efa800aafff449392108a9041512e73fd57e8

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
c015a5abb61444520be79e5996eaaed4

SHA1
08dc628f3e95b4a2b0f6bafa914a80ef35f18061

SHA256
c36925c0364b93cb2e772076ebd9a18c6bc2228a9ab2b6fbd019915c8312fb76

SHA512
3dfe70bce2a505812d534747fcdcca2b46b7991677d2f2b420ad1e51908ef9279bdd367b1f0c78b75e4e9816a8bc9827ab7d72e1c00fb1eb00b57457d5bc4a84

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
1eabb7609945e3810c17321cd26e3e30

SHA1
e50212d00469e66679caf010d4358c8396956d9c

SHA256
e834185409a60f465f1265f16628618105835edff5cb7ff8e03ed4e24c175c43

SHA512
f28a8cd7a875d0bd135c7c140a6c8fe3f6c1b55558b8a4edd62d90c1dcc8cace03e6b2113d49593fbbfd71a27bb1507bdeaa51f56adb0b5dc8c0169a42c2ff73

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
3c63b88bb8c3d8e951143bc8ba4afcfb

SHA1
52f8b209a910ab9f5376730b8005f02d54ad6330

SHA256
6f67bb03d981e1ca8226216f15d7238a116c56f0a6da7b571b6994cb5a22bd0c

SHA512
a213df77743fa4cbacb8b3f6052081e93787028593add6b5158956ce833465f54a56a77d890dcc5ece7ce21b5c48122a45b71a0fb1f7f156a1dff931e5b408b3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.2MB

MD5
96ac72f6f567f3cdad0e9fca53bc90be

SHA1
06866601f10aa512506a076d02de4def12d490d8

SHA256
afd34cdaff134a0a0f4ec0f6ab65c91deb2785c9118ae7a81edf721369e187a5

SHA512
145b42810db3487f94b8a80492e4038b9fd16a4d4d5916d4846aeacd73695ff2a2eaf624ddbe3cdf5bb9111133347fa7ba895edf3367832552145d92d0fc88bf

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
c01d5e76f0b727a6583e5e27fb35d0ea

SHA1
c42191936a4115e992443d204148938ce87ccddb

SHA256
8a9b24a29742198e88982490f6d292b7faa51853824a934fedabde4b3ed72762

SHA512
2b2021e94a9a855aeec85b5f304b2ff5690b612c0d6c8e2f4e0fb322ed6b6a2b89c3ddec127895a977024441b630188b581b1eec8fc2e211e53c90cc1268a076

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
43f4c3ebbab2410d498f199d059eca64

SHA1
4339f2fa15d6c08b8a907cad2e2a35724756db25

SHA256
c107b49eb82c681cf004dc17da2825477b2cb88248ad9530364fa25312a357f8

SHA512
a232d87965b83c132632a75f20eb45d865b696fda07258ae0c7cb1e752c7aaa2f8a147225758accba615dded31c2c6c492388b5ac88f64cccb3ee6ba593a660a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
6689f4a72a3081d540fb85cff1f00272

SHA1
ceee47c14df22aed2c0872c9905421afb6064ead

SHA256
28ef96859d6057eb07c768930da2a50ac4828a9cb465143690fd3737d8bba36b

SHA512
ccd76327e0d86ba09507f3ad5a80a447a3e8ffc9a68f1fbfc8d7abbfec343506a2778a175313937516cd8d736baf47dfb96555b14c5ed24a91f019798ed12918

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.2MB

MD5
8d9c05f69b22ee6a4a9e9c58f325100a

SHA1
c569badbac02a535929a565028eb509a5651ae5a

SHA256
6ff8ddeff4832df9ed8c2685c8f3b5e4be0b6cc5360bce3ed2efa32981f79f76

SHA512
a7ab2d21f92735a1c2037afa8663e2dcc9906f3aca4bfc90798dfcac54373e43a34a907b64b7c8a1d6a0c8e8aa83023d32b75e0ec3ab415c1b6d3db6b2f629ee

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
9d0ddb8e935ca09c3cd7ab40265569d2

SHA1
645782309a666b34ea2284763770636e13ee6c92

SHA256
733107efb1666d5e8d8748af1625b73d6dac29da6c31189cb0bdd84d08eccf90

SHA512
206b8a49ef5b1d0de90b973185e2bc554345e79d71c44b4e3387a01facc4cc6f8b52377f74314611d487f069693ca2c763e09a8dee96b47c7fa7167aad24a3d2

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
6c164ab9e584f3dd4dcc9dbda546c5be

SHA1
a4441e3fdae63abb8793cc8fad637bd36d52bd60

SHA256
683a173a6b29ffc18429b1f3a353f863522f6a068713b2db4ce5dd6060c310d0

SHA512
10034bb200c601ef483b153f6fc60a020e53a3352704e5aba6e57ca22a906411796a49dbe9efc3fe84f0af7ce1682dd99b2a7bbae16b6db00ff3052dc9a38d95

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
0579ff5922ca653323122f422bacce0d

SHA1
276aaab8c488f8ad39d2ac48b7b753cd3b958723

SHA256
f090857ab42a76b73bbf49c4777af69f0141d580c6ade0ea9491f9bcc4c339f9

SHA512
edebee6806cd989931e6cb37e9ffe78593c4848f5f636239db96a739eec9878ba1de259245d9209bae4e739fcea0768766da3f39d1f691a090289830f7062b08

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
38085ba77fc39a148ecf61b987b5f709

SHA1
cfc6531149d75a930491fc8b28e6790c94802a93

SHA256
3a6c8e1ef2de9fb04529024b520fa2643b651de49dac540db11f9cf49ab3ad02

SHA512
fa6dd8e00537b0b56f4619f955cb82949e68e1943b8ff9b1e7f403c3f23ac9798221b5a3df7b1844a3779142c035a9cfc621f99aac4ad5caf48ced0abed6a5da

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
a9edb722712ec101bbe64530458d6583

SHA1
b20a601fe5be4a8b04d05429c6e206e0eadd00aa

SHA256
2f3eff2b8edb8e192d82e5ac826931c8524e0aebe49cee6b4abe39b03ab76603

SHA512
fd9265a6f9a6bfa3d80504b39b02eb2c8258ca7e443c80eecb7490689363cc1b5780a3454e5a1c4ccf097ee028b1f70abdbd679f73750c581ff16cdf66afa6ef

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.2MB

MD5
72dad74a37d43197850c48220c0feb95

SHA1
0a52520fe44bdfd7cef02a4cf6a36e2581134bb9

SHA256
267757bb4076b1ad29f29fb9914f85493233400cd48b801d6c7df4d815c1a211

SHA512
8a3ab33e154c2c0ce6a92926f7bd03dc4cd953567dbb695dbddd186865bfa18b5e4ca74fe03e87bad6e3d0d6a060e9941650ddf3a66216a99ed61d1f786ab8ca

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
39fdf8e9ea71b55a0473128887da1dc7

SHA1
d6574de62f281ad89bf66e77981d5a81fe4d9fcc

SHA256
a234bac40897ba5ce77c4ebc534b0cbea767dd7ca0b6e12b744c49bdfd680af9

SHA512
5e58b2b469ebfcfd2f038c50b8701e0a5af8c1ee3be46d98d2790e497dd04c13534f7bcf5f0658c48db2d073e2bc528b5afd3571f4c5aa0761094d1f3ffcfa70

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
a7182aad0a9efa5651d76d7ff8ef55dc

SHA1
dc89910451990d90217fa5ee39a3111ee475ed83

SHA256
068ebcf8f3275e463b530c350f7aa0e3c85a9feedd3091ddc1d4872150eaff19

SHA512
fb352d06133d4ceaa753cf36b0cb41f812b612f3bc8fa994b5dac1f9140eaedbb9a774ef619d066c35d937eaa6011d03efb8b6aae84642e9a9a6939435ec9109

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
b58d3d39376716422478fa2faaee40c3

SHA1
1079cea859f4dccf184538b5181186745b650ed1

SHA256
dae43b77148456fc8f3da96bbffd1c62a4f920c256c720216f4d90957b58a7c2

SHA512
11f8aa6e702ee35e2472e6af94e429089551293d9d075062972045c9004b225125d4a20427393f037c1f057952a10658c781979c431473826fbfe54e7e8540d8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.3MB

MD5
4700354b691654be62e3918cea9eb03e

SHA1
19723ae198226baf0269f29d9e05b151cbbe6cf8

SHA256
59659fa108c19fe1d98bb0ca660d3f2cd748ecafbd5f73f885322c0e6576e898

SHA512
d871a42cdc6e0308b6e0be2fc7bc08df9dabc8fb4be117e36258cacaf3b599b23e97c9c3982777998ed9752f4ac59bed8f1aeedfb4df7cbf6c3a505a8e71c337

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
b21c919b5c1120a6ac2345ae4f0865a9

SHA1
e5fc1b9fa12ce8363a9956597e7b6d224024412a

SHA256
2442b7a7e5e941f2556bfe7fa2e61d39666432ad3a808055451eec9b4fb518a3

SHA512
a5dfdd06da345b39fd183cc348bf83486586de80065f4159e31b2f8f7692dce21345b4349b52c3f447eed681bc802fd7dc766926fef28ce4a43cda172c0e832f

Download Submit
memory/212-651-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/212-416-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1500-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1500-238-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1500-48-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1656-58-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1656-77-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1656-52-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/1656-61-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/1656-76-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/1668-644-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1668-342-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1708-415-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1708-298-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1720-9-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1720-26-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1720-22-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1720-1-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1720-8-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1744-391-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1744-271-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2040-650-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2040-404-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2424-374-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2424-646-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2740-652-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/2740-433-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/2896-403-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2896-284-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2940-28-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2940-37-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2940-237-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2940-36-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3028-381-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3028-389-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3052-447-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3052-654-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3228-649-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3228-392-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3296-258-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/3296-257-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3296-272-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3376-427-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3376-308-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3520-542-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3520-331-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3644-645-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3644-354-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4604-14-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4604-236-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4604-20-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4604-13-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4672-246-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4672-365-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4672-253-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4672-247-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4680-643-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4680-440-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4680-319-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4888-241-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4888-73-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4888-71-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download