03a6bbb97196b6d5b1a72558dcd0d9f17ad3ea6c35f3570358cf387b572438e9

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 11:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-30_8754c766a0423e042ed7771712f1640f_ryuk.exe
Size

1.0MB
MD5

8754c766a0423e042ed7771712f1640f
SHA1

654c0397410483b10f2292b94526e489012322be
SHA256

03a6bbb97196b6d5b1a72558dcd0d9f17ad3ea6c35f3570358cf387b572438e9
SHA512

1586d48b3cc19df81a7fa9361d8a104afbef452859fc507dbc75f5b2f43f955615c0d42722abed54be638ee180e14df05043f49092afa506ea07e70bcce2d81f
SSDEEP

24576:W6V6VC/AyqGizWCaFbyn8S+LbzQkWWbCzLLB+lMP1NFzSRY:W6cbGizWCaFb08FD5nb2LLPrFmRY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2468	alg.exe
2280	elevation_service.exe
2180	elevation_service.exe
3104	maintenanceservice.exe
5080	OSE.EXE
404	DiagnosticsHub.StandardCollector.Service.exe
3476	fxssvc.exe
2884	msdtc.exe
2904	PerceptionSimulationService.exe
4196	perfhost.exe
1064	locator.exe
604	SensorDataService.exe
4736	snmptrap.exe
4100	spectrum.exe
2800	ssh-agent.exe
1476	TieringEngineService.exe
2916	AgentService.exe
1548	vds.exe
1148	vssvc.exe
3476	wbengine.exe
3188	WmiApSrv.exe
4000	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-30_8754c766a0423e042ed7771712f1640f_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1d32247cc3136770.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b0eae23984b2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004bd6ee3984b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bea7a13a84b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000688e643984b2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000268c833984b2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000013825c3a84b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fc9bd43984b2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001bfef53984b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d88e03984b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080f3ce3a84b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2280	elevation_service.exe
2280	elevation_service.exe
2280	elevation_service.exe
2280	elevation_service.exe
2280	elevation_service.exe
2280	elevation_service.exe
2280	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4520	2024-05-30_8754c766a0423e042ed7771712f1640f_ryuk.exe
Token: SeDebugPrivilege	2468	alg.exe
Token: SeDebugPrivilege	2468	alg.exe
Token: SeDebugPrivilege	2468	alg.exe
Token: SeTakeOwnershipPrivilege	2280	elevation_service.exe
Token: SeAuditPrivilege	3476	fxssvc.exe
Token: SeRestorePrivilege	1476	TieringEngineService.exe
Token: SeManageVolumePrivilege	1476	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2916	AgentService.exe
Token: SeBackupPrivilege	1148	vssvc.exe
Token: SeRestorePrivilege	1148	vssvc.exe
Token: SeAuditPrivilege	1148	vssvc.exe
Token: SeBackupPrivilege	3476	wbengine.exe
Token: SeRestorePrivilege	3476	wbengine.exe
Token: SeSecurityPrivilege	3476	wbengine.exe
Token: 33	4000	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeDebugPrivilege	2280	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 4668	4000	SearchIndexer.exe	126
PID 4000 wrote to memory of 4668	4000	SearchIndexer.exe	126
PID 4000 wrote to memory of 4648	4000	SearchIndexer.exe	127
PID 4000 wrote to memory of 4648	4000	SearchIndexer.exe	127

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-30_8754c766a0423e042ed7771712f1640f_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_8754c766a0423e042ed7771712f1640f_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2180

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3104

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5080

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:404

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5076

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3476

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2884

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2904

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4196

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1064

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:604

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4736

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4100

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1300

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1548

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3476

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3188

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4668
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b3b70acbb8159c7528e3daea8dd067f4

SHA1
b0e661939f64a4ab99f19c3cddbfe4f795768722

SHA256
86484176df1fe0767d0ee81a7038a1d82cd6a8fc352caf4e024a2c387cc19c03

SHA512
1fb870888152fff7c1fc14f954eb1ce14a3d5d823961ed4f983475d4ae05d413ea50d2fcb7b641e5b38a66b26a3c1cfbb90d86e0c4630e50461697edda26e889

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
18d82b287f0bbb53a39c244db22056d0

SHA1
19555f65e7d9b702fe005a79ff901a353d55dff3

SHA256
255b17f3d09cd6ae34b0d80935b6fe557c2eb8fa513572b6eae78405bc05f572

SHA512
a76b2802ec9d1bb75d8b5bb3eb97bd9030a5c77ecf955723a4449c5a2f938e674f0d91a66c4ce5e5e0369b576af1f91391c156c2b3e301d20e47819fa98039f8

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
34b12f6510ce551f48f549db8abb12eb

SHA1
2db2d54e6d9cdd39d2de767622a8ed9a620f0467

SHA256
be8a02bf707e9ed78f607a15ddc3f56a713971ccba3365adb8139f02464789ec

SHA512
31ff0483f2fa45e3e7b4617dc6730b9fa6e00ebf392fc44695cc0f61b88c1b5dc084dd3001d07436bda0b5ef746eb955d5332f1188b470897a4e39f4b8a779c4

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a9c2544f805e63b3d018de4fee69cda0

SHA1
2a3f6c98737775807d7e689b0377275eae99a4ba

SHA256
34126781bb3dc5cacbbcd3af592a1317a27babd77e54ed60e315d1a472dd4cef

SHA512
ae48d1295875c34804fdd21627566312057a9d08d0b9a172e775e1ce427e21eac3536fe32cd7faccac1e4435127513d1da7013aa9294d59d4e993a37226f9ce4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
fa30b9816bb98516dccfd766a2372f32

SHA1
e6414b487ca0a0c0d1545377fba9ae067b668251

SHA256
58dd01de8fab9a88062382208330ade686b638259535d151249eda063f4cd760

SHA512
5f4cf5e66b32461d39a3edd6c72c36220f340a968e10810e7a03b5a03557ff2b7b39182fba5cfa79544cca700ebe1193c81e7a4fe5b754bd4ae659db15560c84

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
f8c8289755df0bab3ed4221bfb1e3b38

SHA1
3cdf0bd07ee508a347391f3d940dd8c6edae2548

SHA256
ad994352ff1eca31a61e1cfef8f5feb10cafafaccb01322d634a242c8aa11f1a

SHA512
03aa50584f36cb0e11b2fdfd09d15a424e009935e2b8e4b3293877f0ebb432c55f4f25daffc5b72307d9a5dadf55b3b8eb2b5259441eacfe11e33685fb37d9e9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
366947892b6ded150a32570d4d65a4b5

SHA1
3db9be47723c87fcc0677d3397af06f0c9d112c5

SHA256
21e9771e154cef40cea53788699dfa56de0aa8d0734eabefb2d80eb5de3e021c

SHA512
c2bd01ec2e1dd61c7e50a68bee797e7e04e9b9c9492aba03fba844b8146c4a4e7e91d432b1afe6385314b68c1db41bab8abf82f86dd72d2e88c4f614a7b808e1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
858cc235f4a0a1e754f7c56b941ebef3

SHA1
3fb3fbe944d7d12411a4d917a94da8433c75e7b1

SHA256
a129e93ef8910895506025977ee8a6e0947e7804a5bb8409ae855aa55a6056e6

SHA512
40719922b046a7402b00b15f4b3c085602a076de7619b308ca4357df55709b76d0c3e92d1f8cb3bc7444c2655aa7c0b159a8a78eeb23840df76958f28945ec6d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
a04cd8dbd183e24771d592749095729a

SHA1
867d013145513e9e000b21631afe29ddc6080063

SHA256
f71ba11cf0abdb4a77d689b84bb37960501cf339fb302e983fac33099185202d

SHA512
d000f7fc34ac6179724a26de2e2ad7b15a87973dec9824ecb122f5ebf63368aec2a77a69565cf61399fbd614d5a792766d697c728fc3f11a4a97abe43591b69f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
bcdba78c253b51271866c643e2732fc5

SHA1
c06f938b5e587bc3d058775e7a092ee6edf043db

SHA256
211af9527bba0fac43cd358f85afa265b8cf60faf6951c75c731eaeacbc1a83b

SHA512
8d6bfaec7b23b285abb5c9f7cc53f72131b68e1972d26f4d86c41f78068398aa78d150564c2c2b225086c23070e098a21abfa6d64a954e6ee1a8f622b0cda614

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1d29e10862417b7a9a9e3ffa2af18ec0

SHA1
b76c7997bf3993a8759983ccd2b39bf722e4c1b2

SHA256
07f831a70ece5aa67ad7a04d5f4f1565db1ea4f124d54211c719c7428c6cd5d1

SHA512
73693e7e73ec947597930d6e8a244a06bcd956a2c7114f5bdc8b803706aae9c67ebc184c10bb61670f3263848e5bf18a72b969c2e279f5b3658261609112facb

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
7f9c285431820d03dc16442e171d2ed4

SHA1
37ac02b478384d571ad3fefd1d8dc7aedd15a240

SHA256
70ba19118619f32099c9e97adb6634561cf85e2086b8aebf584d08bafa56162b

SHA512
599f895839e9ce8f64dbbdc7766f493676c8f99afff470241ae49a13d2932ddb6bcbf1127380129b38b6108a16da50c84362e13c7f1ece75a51c50584de34ece

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
81300f689221ff8628910661abac2ae1

SHA1
1a316d49d8c41dd2943bbbcaf00b1a0f8afd51ff

SHA256
5edbad2cd8cb14f2139768b28dc9f548db9065805599c8abcdf555e09a8dbfb5

SHA512
d595b374f8c3632b32177a90e56be14f7fc008183e9d319e0a1fddf3c6f44a2359c96a8b626eefd89dc0cfe51aa81696ebdc18a09502fc9a47d195683dc97221

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
d7664ca5dd60dc3926507d6fa6de009f

SHA1
ad83b781645e287dd761dfcf3e43747fb04b39ea

SHA256
5962f32fc4ecb4e6cf48c7fb1a547bc13a3975c68b6989fab6f5e9fd2732d237

SHA512
beb49c7fc3697cec24e15ce5448f7e5caf4442f95f9cdd508b5019121717b2a5fb992f5bcbd3000719bd175ba878bb25a34289d4cff9ea3f3d93fcee623eaa2c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
db878ff6080bcbda7bb3c1f39f1c0081

SHA1
facb6b351a8896e9c6a3ad6d3b57756cecc5ff7f

SHA256
6d4eeb71baa9a23d8cae72a5b067f185e593f611caed3d45881340e36f1d7af6

SHA512
a6616ba04882911192bafbadc93c4101dd3e0e50afde5d1dc8e1c3d380424de8f255bc89d3c13976ae06fc510a83f22a8d8c70fcd9eaf15fcf79e448666b3cd1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
bc79768d7698ecde70bd91e4346716cb

SHA1
5e040e93b148bbec18f28cfce6a179a8480610ee

SHA256
e25d52fea426d81e2fc5371484cd5e9d0e6bb10615c8362c3f7cbea31f4e8d74

SHA512
c3e923d53207f447d851393c2194ef50457c2539c7cdeb2acaae36bd581fc796310e6b59ce1a2074f13202cd972de3b18611569e94d54bcbf248351b78dc5e2c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
f221099e55f5052ba13a33b409a4e15b

SHA1
ea27d7b01168f471520b70d2dea85d377b624cc2

SHA256
a222c5dec2f1fb1a9631dee806ee3b73de1596e70a88255143365c9cf1eb1d77

SHA512
cff666403cb460435396c145b569e7451ca812cdbd4423fd2a24354d6f0a72394b7b6de68b58f6f9bf0ae8593366bc867989e63af5181bee328a366ea608af75

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
a3a3f1273cb8c0a4a0b61b54a51529bc

SHA1
bda3770c83f6632239512b591c267857d7447413

SHA256
596fb33ccfe4bc42534314438f731caf3f5e40e8632688714cdb2709905db9fd

SHA512
c117524ed90844131130b592fae01c05c0185a50279c5a89ff68e050ecb2bfa80d81a809bff692321f5ff53de95c1ad8409f0d955d8a7ad3dde141791d5bca20

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
c0161f784155fa4b4e151ed2f5522c98

SHA1
366cf10cdbbfc283a9f7d6b21714457944bbe5b5

SHA256
9acc159a7faf39c4c90328bcb75b9060ef0d19d6673a9f11dfa9dd16b9021669

SHA512
8ba51d37f2d8102d67f4980082ce5df4ac82e257e8cd8de1a2d65fac11020b2daf9903ba4e0e982954c360f3105a2bf9130a19cda9f51cda3f9dff02cdc2214a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
5af98ad1daa45771faf5395809f27249

SHA1
6d7facf0876198999145bb5b86f70e64440530f9

SHA256
550e55ca2861896dea9ef4e82f62e0aa37018522eca7075846da7f94a2c75513

SHA512
19c945c820de6d59e53f82b356edd87ffbbe77fcf7e06546143604f94502d8a8ff9c67b3012e9111f9a2d08642da5489d7b67122655c2462a30b3f44d7bb1358

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
ff6c7bb779c21c2f815fc79f105d8e11

SHA1
3132fe32310b7c7dcf4ec52b0a3e3f565c99803c

SHA256
db4417b805b326aafd1a359874563116582a5016220011fcc77804616ad00631

SHA512
871149603e00bb4b1b5afb7d61b8fdb4c74d5076adc77c44ede20ffd7d1a985168e102e9f1622ff1516f779fa184eec62499a93fb3f70a7c502ac92c8d535970

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
b3550d8305bf180892d25dbe96ebd635

SHA1
4488d8ac62b163e6d65243c430eadac5dbce30db

SHA256
2c37557d13f235201a8ddcf03fe0229447d2d64a1e2b6ab037eca7abef47e21b

SHA512
4820b71f840b3a7a2a323371bd117a78b10bff1cc477895358c9d6f6c8852c7441d1ef80e7dbecfe437d6eb087fd076f14748000fa5b6c6fac81c3e55a43f458

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
7d9cf1799e8398aa2403438550938b45

SHA1
30a3ed57cf5d36203bcb971ffffb43064fe77cbc

SHA256
b4baf841c6c7e0a3b4b4832c4688c0200df23958827713fdffa3452304084802

SHA512
2f58f0c4294cc713874e7c24931a41457f8fa135d9aeb3af0c8465baa6be0444a1b4841315322d47a474b46a0236f2f8f06a37e962d9030752335dfc1bae772a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
98dbfbfb5b558a7620f2f3e3c1ceab08

SHA1
d00d90adb961b59e004e151b54dd056016a7b0ae

SHA256
7067c67c3cb5194e69fb6808622f54fbed243203f76055e796ff8657b51621ff

SHA512
a8b1057dd2375650899dff5d940fbcb81d954625d41cb5b7c09f0513ce3e87201dbb823b43e9ca875edd12bd27dc72545726323d92d138d77ddde79a37ab1cf1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
e975287becbdefe0ed4c8a02432f0179

SHA1
577d7cc64a991959b42e96eb31fb7651d3acde9b

SHA256
e9df9591b0ac2b5a65ac5e3cd41e65b128a98f50774e90172c3b6e46c0aba8f1

SHA512
302258106a16844bb53ae46a5f4eaa891ae79adc4e1c134d76f8cf3824bc7c6b256809e16ee6a93f42b3c9b56af6115e3b59d2602287181f21be6dbb0025f88a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
979ec04e68cc6c7fa53d989c9972fed2

SHA1
ed523c3fd9e5183246d292c076781f7dea39a36b

SHA256
33fc4c6ca729abd4089224d59cc385468e32fa3eff4804063ee5b3d8717616ce

SHA512
2fdf19678cee83b5225d80844a7a511109f7bd36e880d1e6e3358516cbd6c059aa1a7d5a23751383bc0fff228b329a1e9ba7d09a591e265550ca30907238b93a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
6a75f32e2cbc4874ac7e5abc2ef0dc24

SHA1
06b8c92f89420ac7a9003c0af42302e6817c67f1

SHA256
2ad7928aa13548fe345fc7c3d542f6b8c42154cd60820e0ae4d742514b6390d7

SHA512
e9f46303d3b0d8307cc61b471ee8f5ea05375f9d65fb6e7e5a1a21c79370a6de36ff705eba3d01a39bfb547afd377822536020c0c1f279ea0b002fe6ec582946

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
bd16a7aa0ccddcad7bfb49473c5ac755

SHA1
4c0963e0f363b4e38caf6051ec05df2b510d16bd

SHA256
b4619cf172a3d2c40c0c0b03bf573a1efd8ea74de12cbcb9dacfbc9e120ac66a

SHA512
0fb8bfa274dc380db1b303c9d7d6c234da5cfe8e387b72c929b23a3b640b3431ecdf36b3c85a03bf3b4686ed9e272e1ac50653cfef749b6b1b734c8ef3682f66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
8ae74dafe7b834cfa9883e43ff1a296d

SHA1
75f9264f3e2f7783df897f35284b641ce8130692

SHA256
efe9c3acc39b278e6a43a0ec2dfc3f4c0e602ca97d8611f57e9cb874014f9b22

SHA512
b4e67346f31eabc0a36dc1f7c263f2402c6c100c513590fb152eecfb5ae24ae3ecf08829745ae91d27d12a01574b1267852a334772e5964e7f91f8fcfd33fd66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
18de2ded27a92a0fe4ff20048e7bdcb0

SHA1
f14eb4a3c695833d49f386c1e10b6ae23e1aed0b

SHA256
e2c0bffb433077a2fc389b990b8e4c6c74f7a4f3ae6f6e81efc60aca184296ba

SHA512
9f03a25e5b4fff0cca0011ef4ffdea122968e8f7e32259e7448072371ce08c1683cdcb8e6b2a34122e533cd0dc43358a4b7548ec6973444f5558ae767c5e3729

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
26ae52ea9de4f54d9b8316ec171309da

SHA1
de17a1416e60368ba28a3d00689d602160990646

SHA256
f26efa140f7c5b26d524b62ac4bb86ae754f584cdef13321496843ba39c5e86f

SHA512
27a93da02102b9b5174e6f625b4af9f8af3db154b9fe6382afa938cfd571e96752bbc75ac9a9b72b1fef9675bc4df4b2fd6968bf48c3ee0e2cb57b27fde03276

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
012ec16461c1c9f562841617cbd5b398

SHA1
bad9d786bc1bf5c10d98b1ba31acf279c7a83f71

SHA256
f2905b58d0215c245ae0c3a7094b6c13e3a7a0dee4c22c03f40fa41057b17fc6

SHA512
64bf553e3a6d90288cc3cd485e5665cbb5cc692df52259623c57f935ef13019f46160e887a975f49012f982e3c4d3c53336ab5b3e225bab0678c3887524e3bcf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
ab93b568fa2d3397cc09092bd064609e

SHA1
9898191c4706496e779b3781c11c3766cd417d6f

SHA256
f9430fac3de601ee60ba589eaad5c137fc0f6d6731d21396390856d687e21ee9

SHA512
bc0af9cefbde66002f55c794c2d0d1091d911dc5ae0c727c23374870dc9402e51fcd00aef334d65cd584b9a7a76666cbfbe3b4555b22fef4bd573d4b650ce60f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
b93e64affbe61f9725fa4c51dd9cd5df

SHA1
c9a9fdd26b0416a45005b7c03d03c2f53ec76f7b

SHA256
00dd4f3b0ae5e6806bf1469943183579dd8a63368ad0c54b75c0d30c1d49fd9a

SHA512
d3f3c97ba8845204a23ae37cbc2090fcfff898491815d1f59f9329e4b24062a4972f61d1437b3625c2f1ee1d0c3ad0e9e603fefa8976517fe041ff62a334d734

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
25186c2992bab6e7a5b6725a2e0680b7

SHA1
0fe79f8f79b16822ccff464413180354d00ffa7b

SHA256
7747c79408773e711e360dbb172495a13355f466b3e321502cc47a0bfe1c4a9a

SHA512
a4a1f8590c4088609d6d26a3f8172ac4ef1dd4bf17e59245719fbee6581c8be0897aa392321bea3ef7287a4f0b58324b965cbf808785b87b19339f9a3de41d75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
381c7a1ce61ef3dd1d2f2b7c57ca8c2f

SHA1
bc7b98ff086799ff3bffa087e5e31798282e5a51

SHA256
2a352c12b20e35c5facc8bd4419d385aa006cbf31f8d639be9ab5e562d7a164b

SHA512
9ef23d3f519eafc18aed12127c5ba3782c8b1eafcdcbf2bcccc12b0747d968cd6e716768f9547c33f70be128009751ed60d434954076547a7666a1166fe1953c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
520a3360bf6f3ef7e05ada44c07eb340

SHA1
41650b36503528d6f3803b495ab07b815a6bfac1

SHA256
c6d39d7fc20a9c750f743af0056f212d71294d07a2b88731f5c0f8a82776d6c7

SHA512
e176a4e374d05d76f7f29d4f017770e14f61f00639e56a5acaffe6f4a654a3b52ad733f359e83c8075fecae6543097ef6901f799426026ac82da10439698457d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
ea46e152ba783afd66d2f518ad32c7e2

SHA1
5550d310f3451b7b77ba8122d6a7cd668075e202

SHA256
01865af486745241bde9e7ad0a5561f9a70487ab8cdedc2e693ae3e02ca86814

SHA512
5797cbd5ff8bd2014afeb34b6b78bc04780bf32ee837f87d28b2e9ac84f653113bb015fda133b5ecdf47f8ecaac77fdb1bc929d6e30c933490fb309511ee593a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
c9f2e90e3048641719b967aab92d3c18

SHA1
ee8eec329521ad6f1bc7214428a93546a639d450

SHA256
c883a5b51f373fe5f6bf3f8465655779aa3b974c1f901aa3187b63c4d40dc198

SHA512
d28c660986f6d6c87fa9bebd9908fadc5c5668f80e59fbd75023a45199e1e58c89eb60c83d55ad5b2ecee71da9a45f9f2b0a9b93667cc31d57001f43415ed4b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
f3b310817ed37c63afc5bbcfb8e46f09

SHA1
fba5f0ae5d2e007d23af768c1fefe727251b17e8

SHA256
9778175388531afc3f773661ac8d21ada73543c4f086f56a886be0af710c9978

SHA512
bb89f7ba15be307bfb189a2aee8627fbdd2738c9406ba84e543d94097f6b4afc47a3b9f0f4ae56ae65c5bf7c907222e56611b1e732a143e2445bbf978f962ab1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
d9a2b935fc81f45f17cd06b7c74b57b6

SHA1
3edeb5d6360b6a4e7db00f480bba827c775dd9ae

SHA256
85d807042ae7a63118d655b945883eb7fe7e1bccc17f9f517f17a53e98ec1110

SHA512
7988afaa692bc653bc82489e746248afad7c388c6cadbb1dba3e06d8e676199219ac9f9d3a1d2e5a9d55e762137bd87b9e245c14e0b150168bc537f2765ea5df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
dd4954061c65b028393756620505d12c

SHA1
8a610c771151852de3dc95c33a68f4fc442c7886

SHA256
7351db0221db4230ee6b16cdb4f6b626a323bf46bec1ea6b2b72239457512d7a

SHA512
2fe0100d3b97161637af5bcaa720d1b349b35b05848dace87894bf013c46c5fd633b6cbf28a7ec24ebac7482714b068d6364a69828f4165cbe0851ca3760a14a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
3744023ab2fa07d25c0e646c2da42f1e

SHA1
620ea7deadca25c5d036bc4f397e9342f4ce70e2

SHA256
a73e09551ce8df0db421ecc6678fb2b0a02889b9029a17f3971da149c0efe326

SHA512
435febd55452ed3d629970577b0eae515ef7784dfb9ab9058fcee2a06f6620bdc98bc59169f1ea4c4a35cc4d87155557afd37d081905c3bf10ac0ec95a7f335c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
8c50fd08757a4273e05b09b64a2ff501

SHA1
3bf0cd6505dd4395eddf9329c25b648e7945d823

SHA256
049ba12f9d97a62bb172d41062105aadb365299932358605d6171bdabcfd3f08

SHA512
15edbb4b9c5164f271a1ed0040f7ee5bc3145793adfc67ac2de0745668178d85fee2f9a1344ee0e12bb43d451ea3dcfd213c9481225fd0a1221d57983a9ceffe

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
6201b1a15257c13a657ceea18c57a6ea

SHA1
308a8e778830df90807bc4e9a0cc83a11e34aec8

SHA256
3520cc6546dad88200dbcf36cd9c373142b17a9aeb42d80d6b5c43365361ba1f

SHA512
8af79c0f865502babe9c06be0efd7147d2ef925a133dbe25ebe3153a14d4bfdff25bfcf428ff4269666396fbbe715de57bbff2bd2e3e553c7a623e40f1f8e83c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
25a78a36326119f943a277d71fbba13c

SHA1
8e9b2fb104c4fac7e59b023be1247d4dfcaad8a3

SHA256
8aba5a0e3ee1cb510682a7ca9cd738fc5dc2b40d25a629ac6ed1f2b7ca88c63c

SHA512
b54f0020a5c7ad5c32fd43b68f7cf68dbe3e8c8585d01de6d0b978a326f9202cf4d7df2067f738e32b5d9c04f749db2d3dc990787ef1df4b91f453c102905146

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
a8fb55f8f6953eee4596cda6e9e133f9

SHA1
d665f692ae2e7417f481f09ac1aef71b633e183d

SHA256
9a2a1814cab595a75d53655940efeaf57e07739da6faca33a6afe7d860412dab

SHA512
533054ba9b07f4a060320b667739091b8f4aed40c5bb049ea265eab58e03be3ae6b4ec334be095a0f6281c75534acc0f332559f04c88f93ed6c90eba52d72e76

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
af0e791586266e167c072bf57572e02c

SHA1
210fafe637d938b1ba9f54d47c604daa277da03a

SHA256
59f05f65c58f3eb32d818aacdfd9a088041f9148561b4199ec2d6af3e2b675b3

SHA512
d07e6ccf4e23c0895c6929f1158d5b92cb39bfd4bcf954a1657cceb6bfc24745a7397bdbf13eea61287e89607bd9a44c2116b88407d7d072ee61ef4a45e4d0db

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
880f9adb52748d72f1747e7d9280fd97

SHA1
9a8869b16ff2d81ab4779a1b91604c54dfc41039

SHA256
575f46314b6fc2caac1aea068df3659e96ebb46b9e9a56cd289432dfaf478c78

SHA512
3651ac3055ab1244774e2bcfb316a20bb95d6e3b3226d5a0cc7bb32ee523ee6a02e423624dc6de10091d6ff1eec907cda2a45a93f04ff6bf78d3c833b591a2b8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
e9fec90f0866ea5de2a5326ba962603f

SHA1
28c863e0c74746600f5c2117ef5c140007fb9ef2

SHA256
7996e4459de83347d2d3e491237da914ae3228a9beb340428dd263f952496f3c

SHA512
7c594850e768b14355c69a6acf45b823af6964980ebac34f3cfc30d9033f94cfdf1fea4324e0a89a7801db65968d46f9a03542db35db0ded1b73d9002aa248ed

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
82cd9b6cf541d4fc88b46b22b492aed7

SHA1
f47b6c28b643b27f83269dc8eacd3a9f0dc1a862

SHA256
daa9f572c95838e3aad02505c0e4700887e7b6284942b0d7ca3edef53969fcd1

SHA512
a39057bb1bb7bcdb4ed2279982aff39dfba0ebc61ed82e9b1a8e81c879d9723f6a4de945913508fa94b39aa3d2678970eaf27417145c6d862031614ad0c8dcac

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
926e9bff35e360c76bf6d2ea3f6dbe37

SHA1
f7b6d11d3a72a6cc5547e2e1eec37b6b773fea10

SHA256
061d7b1b28b15dd47684581a030dff785005c305d979bd67cc8b9b76914b127c

SHA512
9591b80f0ac0858a944090bf535fc56d9acf553eb27fe0449e5443f285d6320522673dec06c944cf49bd38ce65e3ac0bfac071abda9a656dc7cd60489d40fbdd

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
656bf023ed424c2a4c4bbc9e10d092ee

SHA1
43146372cb0678047f28d26448e16691564e3238

SHA256
605c5c30d1e9b60336502efb9cbc35cf779bd56ae581f8d2f77a70a13fc7af93

SHA512
cbde1e5f5f5de66caac35aeaef98cdc72f0f8784685fa4946163c9030756b0214e864804b7010dba5836cab1db2290533ceb0a555e7f167895b4d109d10e6859

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
645caf405b97a46a42ed8c5f3914acfb

SHA1
5b72e10aa47f841538fe02af1e7cb6f259519fcc

SHA256
a8d6736d11e4d7f160aeceb57c30e24817fe27fab1a75a25cb21350636765b1f

SHA512
f00a5310ebc4e1ec91c4b2d90d7241c1d2c6e41d7ae1bf7f14cbec078f5154589343041e2821022ddbaab6d2b28a564adef3c56b9177cf49865f4b24a2cb40b6

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
deb5ffe9ca3b99ca41873012add8a094

SHA1
14244a444336880355995aa62460cfa668d0c863

SHA256
89dd3b3397a84759113293cea65b97086222024e559be223d45b16345ce637dd

SHA512
11e82da975c320eaa9da58eba89cee9aad7c6e4b00a20c8cf378f4d8e60fc01b555be12fbd27aad650b479728f0190892a8c4534648f71e4067804ddff319495

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2dba87b13db9b59abf435afef74dde96

SHA1
8926bcc2450b59dbe8f8474a0de7fc36f1f643dc

SHA256
27fdb8853fd1dc8399fa6a5ab04a3032c03efb3ff701c8554bcdacbf09fa62e2

SHA512
80a601ec5147c195c8cfd9f191cee5430520e6b8c143a1132faec33299fbdf5c9ae3923f0f3c8091340b22d6cdd350846c8c8ed90c8a69af9d609ccd09302188

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
8e29b4278d8a2d37a878cc201d01f6c3

SHA1
8a9f774bb6cdf6a3fdb1cdb01ccefa33edb878d5

SHA256
7037cafc71a05cd0225e5b98e576e8922115de231a39247b549b7f084dd0077a

SHA512
9f2f2e7cd66d2833850f7c57fa10be19b073eed54767b17b4facf1032e20735b6ccf0f97268be544230079a21d79be03ba44a5956448b2160372a7c42f6caf57

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
1b72f7c718030d244892c1a5988adca1

SHA1
a2366e19d3a324a2f1e4b8f94d0a739278b27455

SHA256
b65583cabcd787db190c53ae66a4aa02df0d9fcc502ff11436073ed44f654013

SHA512
2614f09bfbcf6e6c078b5c6b33b506d3dcddfb68c1e84aa97731f523fb3360a853d477e10b949f59c30b7f4ec352078c1b7a7a349451af0961a794e3229c2d2f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
986d8e316b85b80b384c002bffcea871

SHA1
715b3d1f1bdeec31728c997f8f357102afbe0ead

SHA256
ee9f9b381ae3111cbbb8f9ff676fb1b13a0f97926ddd4469777e1bcb38b3f7fc

SHA512
68d200f1fbd4e69df7051cbe3d699cf3268d47c2a9c066c61cdc0a06e82439a81abd08b5bd7f106602384d231b0d3be093f92d291a023d614e6d00281f046e21

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
268aabd1a57bd235c9ed16ebf764e2f1

SHA1
9566eed8983b1d5beae0b72f4939365f7318142b

SHA256
65d7fc798f73cd12ff238da02a6c016095337908e416ac709261e7120563b5ed

SHA512
d40fbca71f9aef4b7b273e04393519f2ea7dc42d8b31376c7b5e4d0e25963884e253e51d24f5a551ebbdd07de856fb7f8bde9bb2cdaef031d2f84e1b274d37aa

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
a84b5223637b27467c03605b12113b95

SHA1
6d64f8ab6d7274494bd272488f7e6cd9efa19941

SHA256
e0e97826d95461561b31b71b6ca10c2146474391640e464b13e45be4aed2108a

SHA512
351e3f1efd8e6552b5cb6f98643df00d4b500a4d23d5a613e16c2600e4c8575c3b8124d5a5194397eb8419016b9d7e94f6fc7c49d58a21d9531b0ab389c460f0

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
be27936bf1e001da22141cb72f394102

SHA1
ac0ea64d01f64ee7744f0a9b71eebb965010e4d5

SHA256
f5732e83eb1d1b647f633fe4e66d7d518ac87515d885ff65a86d6dbfbd7544f1

SHA512
23a236302d01c6aa881b1f6fe0d204d52bb5e59a290011619fc0eceb58488a8ca61ca72a2e866d6afae950ed1a3736beea862150879ecb1559532224ea723d3f

Download Submit
memory/404-242-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/404-361-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/404-243-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/404-249-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/604-637-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/604-315-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/604-436-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1064-304-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1064-423-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1148-646-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1148-400-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1476-642-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1476-362-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1548-645-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1548-388-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2180-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2180-47-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2180-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2180-237-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2280-35-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2280-36-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2280-27-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2280-233-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2468-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2468-234-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2468-20-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2468-13-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2468-22-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2800-350-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2800-641-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2884-268-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2884-387-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2904-280-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2904-399-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2916-385-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2916-373-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3104-50-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3104-51-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3104-61-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3104-64-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3104-57-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3188-648-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3188-424-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3476-254-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/3476-266-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3476-647-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3476-412-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3476-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4000-649-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4000-437-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4100-338-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4100-638-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4196-411-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4196-294-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4520-21-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/4520-10-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/4520-7-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/4520-1-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/4520-0-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/4736-538-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4736-333-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5080-72-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/5080-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5080-66-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download