2274d06a807dc35c9270f64ee79cfe57c723c152878237f6dc705b35d1c258c5

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2024 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-08_b8cbd8a1559ae45dfa13bed678979f91_ryuk.exe
Size

1.0MB
MD5

b8cbd8a1559ae45dfa13bed678979f91
SHA1

a19ac1175ddd7da80b6094d967cf3022a37122e7
SHA256

2274d06a807dc35c9270f64ee79cfe57c723c152878237f6dc705b35d1c258c5
SHA512

b566b5d28d65b68fa5fa08b543cc5b025bf1047f93c6882ed755a93d082d21eb02b0b6ff0dee893ad927d3843c137c485117378c5e8446dd8ae0655b45bc74cd
SSDEEP

24576:r6V6VC/AyqGizWCaFbylatr0zAiX90z/F0jsFB3SQku:r6cbGizWCaFbMaB0zj0yjoB2

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1896	alg.exe
1688	elevation_service.exe
540	elevation_service.exe
3800	maintenanceservice.exe
316	OSE.EXE
2536	DiagnosticsHub.StandardCollector.Service.exe
2392	fxssvc.exe
3056	msdtc.exe
1920	PerceptionSimulationService.exe
2260	perfhost.exe
332	locator.exe
3420	SensorDataService.exe
828	snmptrap.exe
1756	spectrum.exe
3556	ssh-agent.exe
4276	TieringEngineService.exe
4916	AgentService.exe
1232	vds.exe
5044	vssvc.exe
4640	wbengine.exe
4412	WmiApSrv.exe
1816	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\95d0df87d590e271.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-08_b8cbd8a1559ae45dfa13bed678979f91_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009fafb1b8dbb9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004223e6b8dbb9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1688	elevation_service.exe
1688	elevation_service.exe
1688	elevation_service.exe
1688	elevation_service.exe
1688	elevation_service.exe
1688	elevation_service.exe
1688	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1360	2024-06-08_b8cbd8a1559ae45dfa13bed678979f91_ryuk.exe
Token: SeDebugPrivilege	1896	alg.exe
Token: SeDebugPrivilege	1896	alg.exe
Token: SeDebugPrivilege	1896	alg.exe
Token: SeTakeOwnershipPrivilege	1688	elevation_service.exe
Token: SeAuditPrivilege	2392	fxssvc.exe
Token: SeRestorePrivilege	4276	TieringEngineService.exe
Token: SeManageVolumePrivilege	4276	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4916	AgentService.exe
Token: SeBackupPrivilege	5044	vssvc.exe
Token: SeRestorePrivilege	5044	vssvc.exe
Token: SeAuditPrivilege	5044	vssvc.exe
Token: SeBackupPrivilege	4640	wbengine.exe
Token: SeRestorePrivilege	4640	wbengine.exe
Token: SeSecurityPrivilege	4640	wbengine.exe
Token: 33	1816	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeDebugPrivilege	1688	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 1616	1816	SearchIndexer.exe	121
PID 1816 wrote to memory of 1616	1816	SearchIndexer.exe	121
PID 1816 wrote to memory of 2588	1816	SearchIndexer.exe	122
PID 1816 wrote to memory of 2588	1816	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-08_b8cbd8a1559ae45dfa13bed678979f91_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_b8cbd8a1559ae45dfa13bed678979f91_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:540

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3800

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:316

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4388

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3056

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1920

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2260

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:332

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3420

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:828

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1756

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1236

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1232

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4640

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4412

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1616
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
639f3f87011149cd435cbbee592f3dbd

SHA1
862e14b8c791eac40f1d9c82cb7c46bf736b8183

SHA256
0c7fa32e8b6e6e03cf0fcfc2d9d5373d61bb28d6638b8a807229d188e6bc038d

SHA512
f2ba2c285e107ceff5e72a30017f5b551b2313871fb03c9216a79b9784fe261b3d277a2bf34d35585266741a8a691f0e50b722001ac36bfdbc83fa720027e4f0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
9a2db2df44acbf575e5eb1b1cb34a1c5

SHA1
a4a403111b3f551da86464cf9733110e8ee19024

SHA256
556392de7037bd8f5bbd27d7387865d963ef16b0b084c7c001f1bb6b74878f6e

SHA512
9140c0b69f00260b7a102a78edde4bd0ceda1e337a128bd2f2d8357ad9647f7e6ca2f3c0242e629d0b00a8add30225adb1e30d39276b6cb96cc1c1b2522bbc4e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
37f1ed52ed5fad1dc96a2ed016341c6b

SHA1
a359136e4726a10e08ed32ecbf79bb8a22d70436

SHA256
3130a8017002b25a7bb2ee96760945f8fe5fd2a29c491d7b591c5e4039edaafe

SHA512
e0edb8ae89555fdc6a06c49435733c1f5dd847ea1309b649f690c52c4db083a1b3fd1477889f6034d10a4ce220bfc264386dc2e68987e7583e47b78198912932

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2a658da25a4271d51d6d2f284c996e21

SHA1
25b278ba235f234c7be21e1c577e9ee455184acf

SHA256
3b73c3cb6b95d4f5826c18758d5aa44d5d4bcfdc0da4ec98700e83367c2d0761

SHA512
1ec032a0d0462aaa24e56f143c8ad96d31ec7c636d1adbfb7aa2f63c910688d3f2ec21ea8810adf483a19f84e6ffc522875642ace9a68486f414c501e0fdf729

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e89c11d4f3343198a74de2ec554f1f38

SHA1
e00050e4c2a62a60c20660087af02919c6555b24

SHA256
d9a3b64c59d1a156106798a536405659743b7886e3edf7955225c9b3a9209c0e

SHA512
dd77715d4d29eab79ef34b17d8914c16ff994944ae5e81ddd2a4341ba31514564d39bccfe1603ace07712bea9d6d0aa758351ba26495b67dfcc339a57a57d647

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
7acefe061726e7f2bf5fdd1207dca084

SHA1
898cf8f80cc65f07ed3fb70fdf2575cf21dd05da

SHA256
1460ccf04d73f565988e4ba147cb11e51279a56303715a7323bd932ea8ef2814

SHA512
f73c22da77f3c792c3d6ca5ad294c3d9fb928b8816c48334335842e8fe1d6554bc4b4353a78af5d71291878c55382e3639347d0a5fba6a54fabb5ca6395435c8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
186abdb73154c1ee1911135bb518f551

SHA1
7a33c4c8daed749c9caa3d69e7c1ad3fca39ba1f

SHA256
a75008c1b8c26c377908e19d66565c84b5557c9b8ddf2da83f84747a69617754

SHA512
a02f0e3def2c626b3dfcaa5319854d8e7bb649a93dc7b5fd90c49389110157c0d57d26a052e2269e6d6f7025fd922c5eeffd1a3430707338d3b9c574f7b3d0ea

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5b871615520b4a72f12e14a3c77c6655

SHA1
53c8741c5f74e7d3293f445c4950ebbf579cdfa3

SHA256
70784d01a58aa5acf591ff1c1daebc1e0192e3203a067edc0b8b29af89cefa5b

SHA512
19e4de0ff5dddc57516d3840afc03dd0dcec582917697c9cd10c8e3beb3b4584a7d63a5ddc6e5189a9d8a449e698b853d594f45f411d45ec9997a3b396e0cabe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
d83fe56d1b53f360529668d28f56e039

SHA1
2f565634cfafca95ce9c724b9936e50f169ad0e9

SHA256
a2068518ab80a75118664d1bb4a261419add92b1b117ec4069bfe5fa906b5cb3

SHA512
374066d05e1e93a636f3b1262b26c0141466fc7f534963dfc1799a71453b6b97adc0c323d4bb481b2a7ddd9be0da8fa787d71c6a3d27786164a3ce6a0b87e57e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e7194e290e49cccf11844d437275c7e1

SHA1
bc15a28f1a2ad9971dcf550e9bab6f3777f5fbe7

SHA256
8a1f63364076a1f84d9240626fce5ed830e47a71d92b682655d4462cfd2f6112

SHA512
01e99ad8ba824bc9f0308745a3e3ce1c9fc91b153c93fd5f20c9c1729c5121621d4a02ad3b94bdb1180539fe43d88463ecfc2683e865a58093eb9bbe3eaaea77

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
4354e58be3897f02540ed22ba58555a5

SHA1
cac43ef677cf54e442dca13a4ab4ddc73039d768

SHA256
69bc9e47163c855bfda0b0b5125cc28c502d3232b7d1ce4d04e93535cb9c1a76

SHA512
5ec6f4ea4d79010377e41c6000997dc545c2ac213c945eec6c03a02287c50b348307f72630441908b797b1b1f994a5434c37f440bb10bf963419f9fcfca2b08b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
eb1846799eb99f82634aec3e4b20da60

SHA1
56f96f98f6f7f059c4f9224b6872c1c8bae2dcbc

SHA256
a774bc50a9e4639d5a85bfa5a03fbe58b4ed3136d5df0a7bedb5c1e13c446fe2

SHA512
a65e1d77bc5b55a333dabdc2e3c24e11101b167fdcd5c5daf67964beb34f699cde06059ad66895d18a06470e5a352fe745d43b3c763857036e3c9e04cf174c74

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
007a56c691e4bfd740176f31f55320f4

SHA1
7c57e2c4a4b96092b64e2ffa4c8a885f51e5fb26

SHA256
6fe06c10a19849842e655cc11eb2e2800520285079b9a82906a8dd8b101c65c3

SHA512
5d794908c8286edb3425f1ef49ca3bd362f36335e996dd16825b504809a47891f8f4af1dfb01976455cd230685f870e3fcc10f268612ba9a9acd234e5a634c9d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
2f7a8c6277e5a7bfb03f930a366622c8

SHA1
a9ccf9adcb54ad7cc0cf6556b883c4c4949e10f4

SHA256
b1486eb4ae5120110e9883a3e61d547b7341cd13472d787aedd4f7f1dd3feffd

SHA512
df205515bf3df9376c17140e9b0f2793abb62784b48c7647378f3d43ae5526347e964767ee8bc6a028285be61cf8f9e86e817f03813c43fda31663cff51c485a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
87453098806bd72c232510597b5f6cdd

SHA1
44fa295eb663043ac3ea8539a815648b0c255883

SHA256
857ea660ac1ca03b453250dd63aeae72f74c130cecfb642274bb7ef138e7925b

SHA512
0fe6190bfc37c1478f5c30eced68f1995dfce9c71f2b751a81d6fab6ba701511292585d1c49697f232d86d735d067801aa92154e6f0f3a0e8013ecd808afcd89

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
7d94c87ef16d740613e0c3ac7be33753

SHA1
d7fb454f8dfe7fb7330325ee8ffce618a680412a

SHA256
13a2ed60dca70e280eb85031700d61d1af1d0adc0e379f576b7b6a20c9939211

SHA512
8ed89cb8b04a7e783f6294d6eb982a04db0959263382b07764f43e121c94f8848747e43d6552df6283b04b4f7393d4ce004f00bd719f2110c02fea534d1cc3f4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
dee9360a0cefb5aa6503c0b967931a6f

SHA1
de15f9a16e2b8cd15737847d910230a151b290be

SHA256
7281ccf869bbaca5328174f59aa715a6a79ce9b20d7714f58ea3065aa6f0e9b7

SHA512
654846931aa277739911585508f3e8431d28e8218b221a8120cf2ac587db1c8bbfeb7d0ce332619d14965c266424d0f3c8fb381bdad8e266e55d10e5cc94135a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
fbf1d0804f58cbac2a67fff8282fd491

SHA1
3db7ba88766e51ee9edbabfb616f2351fb5e1455

SHA256
db04a3adf30443924320f35d755b076c326e5109b7253365031b14ec4e3691d7

SHA512
aa4f3eb59a00ff2ad1fa7636c136e217d45929fa822e8177736f675ccafbc6b4086e97593f70b62f1f07423dbffacfd51f649ed4bd9b457b7fb8c72e5df27b31

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
5cbd0691b223ac9453b950e64d446760

SHA1
fa583e36c6f462352ff9e88ce3efd1baaafafcfa

SHA256
742e97c27979670a4afe36b171a508ddcedb86af37878a83d86e4198b99fb21c

SHA512
6d4f6ed0d8e38ea0e76da4e8c5b4a88c5a3ef9cbf56bf109b04b3f82b0b508046fc66f346c20393d98970cd7f2641db60e66218636058792c3f2360d698243f3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
e21b5c5c7b0dc447ff0cd8260915f343

SHA1
52be0623ccb1bab19717b0040cc113d28cbe06a3

SHA256
395b5d2b8b6d468381dc439142264662955bd6ed824e1d7ddfcaab5ed5cfaf28

SHA512
c9c740d6f4862648fe59a5db42ead45f309fe4e61f52f5e0f6a251dbab7d5f0a7a64f0f626616ff572537bf71cf8614f6a5051c4e13c671a39bb932c52e526e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
bc5c1030df921584e178769f7f562503

SHA1
e17ca9b58e12f7abcbff9f66a5166f35a9cdec52

SHA256
6951ee2790a7def804e2ee7d6043fb4b5ff67dc41ab6a581e24031ce26200895

SHA512
bececa2fbfcc42332183e63eb72b032d8aa5395174d1a496250c0c6cb122b7fd0ab065b0eb4e9282b1f3de69b77e4e5408263e213441fab16f93c01a3e727138

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
20dadc2feb1bc57b8557e3fa341017e2

SHA1
ef6945cc5f318015a3ff518208a210d3b345a979

SHA256
887ed339f54d40cd5f433fd63b5580fb6bf6c9ff1e157c0e6e590174f8f57790

SHA512
3cce7b04714fdc0d863c698e1bbcb2486f5372d0aef7a264d1a01ee4356dc19f502a5f19f8d4e354559c85c6164a9bee9a8564be3f88cd13a4bf988aecf3a1e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
c10261d3dfc6d79a608fe27e09ff45e1

SHA1
a3ccbc212b67fd137e8b2ae568485de271935079

SHA256
e52e036f99b36b339065dd88d265edf513a87aa0d5fe15aa94b800a356836da5

SHA512
5dec778709731f4bc18906dffda2c5098b4bb0a5f1814820228f564d9e296c6964a823f3b0ba53679bdec84ce6a3eaf49e5b92c02276862daaac894cf694b090

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
00c6fa21acd58389cfe3a63a5539b9e6

SHA1
2ee1119e025cd275747df8b3db63ae1e6347f237

SHA256
b6e01723fe79de81fac180af3c32bab9e4cf5d63cba65d4a58c346292bb0ec83

SHA512
3e0a83ae14995a447b0394fbd9a65cf852685c1337739d252b12824fddada30e7b6c2a743b624924382aa83f282e577899347330e6209d7c42c1068712674c7c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
1ee5dfe9413b94182758aefa55a010bf

SHA1
492d41a0765280fd275b598155ca1970db6ca74a

SHA256
110e9712da9e6f878efe49a2763a900bb468de4a90d047c8173c74b8e7b53fda

SHA512
a0a9727bcfd17c153925e4c28b96795bbc5d7a1889409865dbd4091cbb4ab7a221191b5d17897e7a8f86f606f94f9f86cde5e537f4f27b8c813bac272d25dd41

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
4774771c4f81f4b0629186d10e7abc13

SHA1
7150373a10f852270a877218f092c037f2b91a77

SHA256
39f94d932fc5b1a372ebbec32e5dc0e193e87d21d0daa5d1cdc6adba463c2189

SHA512
29883f1b9e6972bf14f27eb30045785061a526f49a887566e1bfac91020bbc6d1a2d5c9703ed7da2b3425aa81700c648d1fe14c35c7833031788cb6fc6e98fd7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
3ed77374699cf2d5a928efacbc58e30c

SHA1
2aa6bb23b5e618b472a6d7a0a10f7c794cacf245

SHA256
4dd2499b1115bf21a2800f0d1012f66305476237939a21e063b3dc9feb578942

SHA512
fb051a14c0fa7060097b11dd37fd0d678297c5310dcd0a99e2128db9b3fbdb64450432f1744775dd60106077e1d5a5c9b9c988188378948683d7a9244160c769

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
ed22d0b8f09192fd60c99342303ea166

SHA1
f2a68b7aa5d23476bba092631d49501f2b8d1210

SHA256
6f4b37a6d929c29c53697e6689b9d965b627d7e65cddb9ebdab77c29b2260e83

SHA512
73cb15a1e83f95be008436681a6f22681dab4133789ab666c495eee52fd2cfc044a738effe630ff95d2f6098827fe4a9c5b0f24453064b12198d0a578f27bf2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
337a4e81b748dd5071d0f692cd86fc28

SHA1
0f0560323435501d30e39f77bc76d4c99f2588cb

SHA256
dafc791058746fb1d285f6cdfdd2e53afa7d42fb561d922921c8ff6853b1fc15

SHA512
aa5b36ea2289471bd7e07d80e8587771456b00dd712d56c24df26b3dc8886a9381833a1fd51216d5a267b9e4619eab5382b5548873ae7c9c226b586ad89e0ce9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
a6d797ba632cfa4cb50a933eddbb6ef2

SHA1
aa8171e7527a710d605e3d948cdeb5fe0bd33f7c

SHA256
6a364259ce7fc0fc644e1e239fc9ca21e0943b68767b9dd9cd4277ad160a2000

SHA512
c965690aa321db22de06be4957394d33385f0b72edb5f0c85c18e025a00c6bffbd3e69b1f975248773bb88f1c1ea489a10e3df273885cdacca211e56a9ecfdc4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
69cbea236a5499844f8ced36c5da9723

SHA1
b8617037ebcbb45db1b91f6c0e6d46e84cb201a1

SHA256
87dc5db3600e46b5b50e5bcc4f880efc806197b7448305dd452bec97372e00ec

SHA512
df8ebe78c82a1a921a4cc4e0a19f5f69281b01227e7e7d033b2dc7c0aed367456fd00088888872143e9d983d9c769e56aa670bd791d55006d01599b5d3409c47

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
77d5f836267709c7ff8e65c7514f1dbc

SHA1
c872fef379b5e486ee954eb50b0aeda42a8a2c4d

SHA256
14682b77422ecaf13936238ff4a73fd34fa2e9a5d4cf806803e81bdf24d2fdc6

SHA512
e6dc43f6a69b221810a03b99065cc12bcd5640b0ee84f5e0db986df22bcbfb1ed4c11884650b5c01af59c2021cdf596bf60493702ca200e7be4e317e134e77e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
acc24763745576d58eb0069c88013993

SHA1
5c7d77f4c461072b8adc930d210a92ce4e70d0f0

SHA256
3a0d818355874ae70a31316384ad38bc668119a62d95758a2bdf170b2e6b19b3

SHA512
02e6cde139a0e24ac8a7fd8a5515a8ec3c3209d65581fcd2975ff939155666873ee792ee4c4d25ace57f639449d6da85e723c790cf639de9033e7c2e63e3027e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
61a3b46148994c37a441d664b71644c0

SHA1
fb2be9feff5e4b1051483958b4ec67fbc64eccf6

SHA256
6c19fda2bc823b7351b169f524d492ac0ee622f43cbe661d8bf7e8ba9e6ca01f

SHA512
533a02bc3624d7a5bd0fe96015872d6198c52727f9946d3f3bf6cf5807240ac42372821f6f521cfc14b0115f6f247116e63b5764ac22b6840e1cd53a71462be5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
7b26b0731095de6d05b90ee57f100b1a

SHA1
4c755e02d43121977995ebc21081893f56cb6689

SHA256
415df0ec7c45561766d8dc202de0bc7aa8f9e2c056677476230e33291c71d116

SHA512
3ca111cb3453b94c3a6531c175890bc15fdd540d07da0cc3874a6cf854f7ad1c887f188cea0dfd40d88eb23c5cfedd9ce2d7856b863ed4d42cbf7f4f39224974

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
2d2f64f9eeb778e9d88cd217e446321a

SHA1
96b4caf01c3dac8e39891a62853dd6d2034677aa

SHA256
9e5f00fb4998496ea97353b885cd4a0e65c6433b0e31aac0bdd580c6f71b304d

SHA512
63472016f278b11ab39234959dcdc5f8ac47089ef736c3bdb501a9be8b4b5184723604bd13378ee6bc2480c2aa113bbb4d4d9bda308b93265ea186b1c892d09f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
68e03dc02e90c98a69b728f1efbd445c

SHA1
a4ea192ebf5328a44f45dead6b7343d3764996e6

SHA256
f7deee714724ef66006173dab94d98498d9f93a2da984395cff2ccc1e1b6dbb9

SHA512
15784ec6e73cd6f81b411527f7a2179fb801dd28a5197c3d00750295037d2ec69b6b68dd62bbec6a7ab20e9b7a714a8bca90d68e40cb7c5d7174b1150b3f1ec4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
e336ab88d094e97720af3d4acbc13ade

SHA1
8c803f477cdbf1f6f1acdc074973ef061f572400

SHA256
d5f92079c9e823ddf008ede144155410c1edee6492c681ad3a46e28e8ef3480c

SHA512
d23a900b5d375467f64d0c73aa599e80dfaf090e01292c4cf7330a7696275997756023553d85e5d25b9f11879838e4d65fed3cc436cdf6895cf033d7d231c5cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
7c0dccac9d7ccf9ff507ff673e89930c

SHA1
5b292de4a30c71e4da39f7148c0e679004841ac5

SHA256
deeb3562ebb6d04d1b98904892722e6f473e927064b4bb194d49db9562ba23df

SHA512
e3f0b32742dcf7a492413eb314bc157e7f983c5d6bdb4859352b00b19cea406f90adf900279f06ec9041b7caf79b18135c11572e4fb249e64916c5a26e516a06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
b96b1f121aa596fa4ecf00b052eca52b

SHA1
29f93743e1db5ba931f30495da142334bfb28588

SHA256
92e0160fed717ac867a75e6c17b95a695fa903d99c400f282be632b140a5c4a8

SHA512
4c49680c38a82413b41bf6dfe4d4eb2921e43124b05ef57e27618f625e92cb51f2895f795acce8837d9d40d483c8fc81fdb1088cf3d9008cae7b3f0544c03ab4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
d4667daf6556c66bc58105993f94d50c

SHA1
13246a49738e34fd913b74d6d4b07a6a4724dce7

SHA256
d2cb27a3c1eccee8e174f02183da71287b963847301bcd6a2dc30954ae560922

SHA512
64a0ae251a83db6d92d1a0b159de5bad37900cc482ea1e19cfee9e55ca2c9293d2f71532247484aaf18a6fe4d8cb93612a0dc334385aad1b183a764b7d24b671

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
1c44fbfcf7622fe762c6edc7f68e0f3a

SHA1
b4f8dd88b145658d22804ad8a598f2e69522f365

SHA256
2d52f5c65bbed7afccda57faf572ad1a337abb6a8804e4a9a5f62d0865c2cff3

SHA512
e19ca829c5d17aeaeabcc3a327eb478b04f4fd020cdfd5904bba1cfb9c8ca71ee1ba4b90f62684065e109bbbdaa0d626ea1c47c830226848aab2451dc7265cfc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
33bf9e77db1edd5adfff58e1583afdb4

SHA1
7cd2439c6a8f21bc2fb8094544beb98c10678faf

SHA256
64584b96bf091e8f2799a2821081abf8f86c069d15cbb327509071fd53241dc0

SHA512
43f03654767b1944da007b289df14cd517a258faf6948ad994e2640dfd1f11701446920e6d505c6659f389bcbfc6d0da978d1cf735fcd13c838046693156dc86

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
82c75d9f8e9b8c16bf4baa7cee337c19

SHA1
5a81e5ede00aac3ef24de221cec6bd73f0a6d7c1

SHA256
79887ac0ea7000fc20548ea156db69390a47f2b86afb79766864087fab50c216

SHA512
1c849fa393feaf7d210680bfd03835c32886474dc132beab0284cc5920c020f3de325dd1b73a32fae76e37957944ccc00eecf1d2f3ebdf8ac02973a8efc0cedf

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
07127d668bb87ae5b3553363d30665d0

SHA1
faef297778345156a33218556496d9de4d6621e6

SHA256
00e7e80fb75d7b905fb8906219c3e61b2441afca3efcdb78b49a7bccef269a53

SHA512
4c46efbb385caa2cdc6d3a24e1be06e106bdc8da1e621d4f953ac3b6f5fd37ee042089a900a371a72d00b507d9db5b3ca9d3b8b0ce275d726e028ec1e7c74e20

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ba52086959d4e2c5a4d3b51be719b91c

SHA1
792e32dd6e7961590c8511387835f82539834b07

SHA256
62998230d4db9ce4200fc6720968a8b3090bf2032c3b7881c69e3ef34930dc74

SHA512
53d5c97e29cebcbacc6526cabe4f2281e2f2ba55d416059691c930edfc7ed48db688959cab0890fbdbd14dfe0a94a2cfc77672e9d8d3028fb173cc01e972d773

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
6a3e360bda8f2b6ddbb3c62372e5b217

SHA1
fccc3b2253e785c46ec274f88766f8f31c090af3

SHA256
d0768cb60967db3cb2f0cfbb572f72b16f301a4b5759dae2e917f32159e6d631

SHA512
b186d4ce625675b1087262f1bb0b738ab2f14663c44e75c8dd78505bdb337d09d1a71ef4e03c63c4a1c3c68e87fedf61a8c89173df52f66b9d68215fef8a3dce

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
867946cdbd4715b352ad133010dfb76d

SHA1
d2beeb80172f7ccde247a547c84632bb28f86208

SHA256
2afbe90a2b8686d0c6840119a6b1f9353b48dcc6fb2a53725cb6965bb58a5348

SHA512
25574e3cc96244f756a156fbef15380611336ce4d80bf1b5d0fecd7c88dd19b6668bfb038d7eee94863bdf463a5968bbae653ad485f62bf9fe3b01f22b1bdd90

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
866c92c790d96dd257515fdf94da5117

SHA1
b748997c82e5a263afd8d9e4af949ff0fee63e9a

SHA256
0f918a0721c905fbd92673ecacdafca33ca6207f1fafeef4d27ebe0040bdd11d

SHA512
f0029236995d2a697ead9c44663cd14da39e809525a1df24b0b51e7f36c6103b31d8acf820c116ab6d0da7c5aaea0c5aabb2ee7c1e21181d1a1224bf8e71e4c9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
25a0e7cc5437a0176257df4c11d8909e

SHA1
9cf9e5c3de55976fe8c263785cbd420e0965bd4f

SHA256
a16af3f81a786bd0b8498ba0a3b464dcebeebe5a62747c276954768406846ff0

SHA512
514e2c49b5e8f5c375eb4f177e79b972b0f6297f26db4eb38df18948f770e6a106f4720e395fbbd4824d663bb2ebbda9144cae041f855f43494c2dc5d9166b23

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
0b591e0fccf5a001146431d614dfda98

SHA1
62f06b9fedda9a9e30f121d78a94eb52fabe7b1f

SHA256
39e51a752dd072f45590e8b46ab6b1b6efe4eb4c9a6e5d496a5ce098f77db62e

SHA512
796ecf4625bc9970fa830770fbd23bd1c660ea6a4b85a9c9312cf46e730c6c4399c1a97be5b9c59e443de7b57ae3d3635bda5e6fddcfc3bfe26e538d791c1b6f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
826195c9e4a4bd9610df2da467269026

SHA1
1c4fa98e2a2495e752b4d159d60e9de655934ae7

SHA256
171c1690ed9fa2a300e4b54af4cad1c547243f64dc3b6ac42819ea09c65cd50c

SHA512
72f74a1b71a5c6ff2f8bc7021b6bc46a982e7bf80c11fd042227d1f0fe4054a98dedcb299eec1c0c7ab9dff465799bb728175edc494353635173470f52a1db62

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c021a46231a57da531d90a1c71e13e45

SHA1
cfd3f89753264053ed6239cd92cab9fb3f5acd2f

SHA256
ac0fa29827d02947dca8206b06aee93ae98caff211b6144d61810c5c08f5c2ac

SHA512
dd4fbbc779724eecc1b1a16029bfd3f7ec3d168932e4b3d83f616ef659dcc4048bd564b389e68dba006673e7a74c8011f1cea033577db171cde107df4a8b54ed

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9a22372a0067c56949c26d5138b22f69

SHA1
1e1dc69a586038305b7809d06a01118c797da762

SHA256
0e2c2d0f4b7a9ecf0e9149669ba008fd061169dcd6d04490f6646484c04b8fbd

SHA512
21ab96e2c94da3ce6f0cfe8cb83e8888f1f36061640a13a7f0afea82e851721d832ac45f6e4e1ff4967ebf276588178b2a7e11283f9f7e26e27cf7b58019a4a2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
0a8084c85403648a8b01c33058e2f665

SHA1
e518c7424b534d9564e8a29eeb653781ab922530

SHA256
122d5049ae3ace34fb56626090939c152fb5c1c50a84d86d940eceb711fb46d2

SHA512
2de87e65651460750543c3afc8d6f5210296e4b999d8ce6f35dcfea4d906a680ac19e8d832a91a1427aa099158af6d558afaf29607357e31cea456f90c3318e3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
bdeba38b971501e948bd995414330c8c

SHA1
3bfc1cd013dc3d7f82ea97064eb6abd1b82e3685

SHA256
a7c3b63ccb710d6ea0134146657843e4944d946a7a243462c58a0b36c1797955

SHA512
eeba62e80f344a65401bea5a0a536939867d0bc12ebd2065f84796655ccc192c7dbc6eb21c1fe5bc732959a6e0b344d3989d22af2040b2a81aa8f32518ea425c

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
9fba4b9c6767c283e196b5c5cab1fa9a

SHA1
d0c5bcc07e5b6c28c689907903758817045f00c1

SHA256
bd2426beae548e19d74b13a46b4b9d076864b346614102825f31a29ecb4eca62

SHA512
7227a89b748f283c6413b82eef2a52cbf88c26ad087bb08588626c40c207c9401e48f89fb165499569feebe7de6d072b88698c2822cf69d83dbe804dab699da1

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
0ba5e0aa389aa31b8655130f8abaf61f

SHA1
553e46214088bddf5ec49a9ee97ccb991ca60dcd

SHA256
ab8695b5ba337c9f267bca1d045976b4332ae3d027fee6f4ed88d243e38bcefa

SHA512
ea15cc3b850acd99242499980ae2aae5cea83951c30c196551cc60509301dbae222d7a8538bc5781bcb61f91752a9060bfa63a51c3c3a02540347169a4fbb039

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
f3b16b7eaf47bc761fa1445952db8458

SHA1
029a1e859f6c8e4fa6eb56413ca609fff8f586ca

SHA256
5f82dc00cf8df1e63529e8728d5e5add1419f935f85efa5f7fdb469cc2927af1

SHA512
8270f6f9f6db83e2bc445e26a5f1f82ca830db27ff4814df669c15a5c548dbe96babe4448f2f2fdc01a819ef1be193bd83b76d7619255d53cd88db23bd0174a6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3f5a06975328a602e4a41e19e4054bf2

SHA1
b79b7fe1ed5cb0624829efba977fbfaa7798bfb4

SHA256
a7d56a5d9bd15b9db27699717cf0994e1a9d1c1181e573d9a176e8303e16edb2

SHA512
392e73356b01f44cfaad50ec8d99a4685326e5c9a1e2c9376618c3a2331c9e94dda1b6b9a25e7157e9cfabd0988caf2d08bf5238b126f9b195d0a23ddffc3747

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
3e48bceb2d3e2135e8d755bf1060485d

SHA1
454d8d862b92fb57c57747c4c400b3df5972d221

SHA256
09c0a82fafc0661050912055406f60424c65e50d624b5eb6324a1e840d501745

SHA512
4498d670ba37d7a7b18c68afd0ff33bf5e7193a5d241313c1decd9572437ee6492c407467b555390ed9d12ad840a4ea77921d8296ef3a3349e096bd192c9728a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
85334ea420557d4efb5fe625933e6efd

SHA1
343ed0d9c55342e73967039259f84541c6b95605

SHA256
b2905401fd84aa65cba5b7c131a6469a18d8eb5ee90d35c2319051bd3b599283

SHA512
c75d1fe9cc71774a6023fdfe4f491e0c3ec10f0582b5263c96383bee5c61ab7f2476604432cf52f419b54804a81afc6818d3f131c274a028da4d4cc0df4a97e5

Download Submit
memory/316-71-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/316-72-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/316-64-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/316-236-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/332-296-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/332-415-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/540-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/540-47-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/540-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/540-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/828-319-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/828-564-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1232-380-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1232-573-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1360-14-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/1360-7-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/1360-1-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/1360-0-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/1360-11-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/1688-36-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1688-28-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/1688-34-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/1688-234-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1756-565-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1756-330-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1816-437-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1816-578-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1896-15-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1896-16-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1896-24-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1896-231-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1920-391-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1920-279-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2260-293-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2260-403-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2392-267-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2392-253-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2392-252-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2536-248-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2536-243-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2536-241-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2536-353-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3056-379-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3056-264-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3420-307-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3420-434-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3420-569-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3556-566-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3556-342-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3800-61-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3800-59-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/3800-50-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/3800-56-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4276-361-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4276-570-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4412-416-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4412-576-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4640-404-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4640-575-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4916-377-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4916-373-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5044-392-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5044-574-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download