06ac37e2eabb45bcc0ed951ab1f3b6609b80178960b90ef6511b9c103c9b52fd

Analysis

max time kernel
148s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2024, 09:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-26_f0311421af6b8d38da26e4409629e5ff_ryuk.exe
Size

2.2MB
MD5

f0311421af6b8d38da26e4409629e5ff
SHA1

d96c8f09de584b9a063461eb2593e18e15b467b4
SHA256

06ac37e2eabb45bcc0ed951ab1f3b6609b80178960b90ef6511b9c103c9b52fd
SHA512

d8cf13f7125b81c84d59c959cae64a13e27c551fcf2d4aedc6a4c3dc245c920bc82d1d8f9e8957a1326ae57d20b4c03d931e9d72ddbb83787c048a868b36a123
SSDEEP

49152:G/opsDuePJfrFHIzsFKV8LN0REDmg27RnWGj:Guaue5rFYSDD527BWG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2972	alg.exe
220	elevation_service.exe
2028	elevation_service.exe
768	maintenanceservice.exe
4408	OSE.EXE
1260	DiagnosticsHub.StandardCollector.Service.exe
952	fxssvc.exe
2120	msdtc.exe
4568	PerceptionSimulationService.exe
2800	perfhost.exe
2340	locator.exe
4816	SensorDataService.exe
1828	snmptrap.exe
748	spectrum.exe
4200	ssh-agent.exe
5092	TieringEngineService.exe
5016	AgentService.exe
1584	vds.exe
972	vssvc.exe
4004	wbengine.exe
4900	WmiApSrv.exe
1656	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-01-26_f0311421af6b8d38da26e4409629e5ff_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\eeebb6fa4d74bb6b.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85453\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85453\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b6912833b50da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000880710833b50da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022a7ee823b50da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005c6eb5823b50da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b393db823b50da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000019ca52833b50da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f1cdf5823b50da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
220	elevation_service.exe
220	elevation_service.exe
220	elevation_service.exe
220	elevation_service.exe
220	elevation_service.exe
220	elevation_service.exe
220	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4032	2024-01-26_f0311421af6b8d38da26e4409629e5ff_ryuk.exe
Token: SeDebugPrivilege	2972	alg.exe
Token: SeDebugPrivilege	2972	alg.exe
Token: SeDebugPrivilege	2972	alg.exe
Token: SeTakeOwnershipPrivilege	220	elevation_service.exe
Token: SeAuditPrivilege	952	fxssvc.exe
Token: SeRestorePrivilege	5092	TieringEngineService.exe
Token: SeManageVolumePrivilege	5092	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5016	AgentService.exe
Token: SeBackupPrivilege	972	vssvc.exe
Token: SeRestorePrivilege	972	vssvc.exe
Token: SeAuditPrivilege	972	vssvc.exe
Token: SeBackupPrivilege	4004	wbengine.exe
Token: SeRestorePrivilege	4004	wbengine.exe
Token: SeSecurityPrivilege	4004	wbengine.exe
Token: 33	1656	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1656	SearchIndexer.exe
Token: SeDebugPrivilege	220	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2648	1656	SearchIndexer.exe	114
PID 1656 wrote to memory of 2648	1656	SearchIndexer.exe	114
PID 1656 wrote to memory of 3384	1656	SearchIndexer.exe	115
PID 1656 wrote to memory of 3384	1656	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-26_f0311421af6b8d38da26e4409629e5ff_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-26_f0311421af6b8d38da26e4409629e5ff_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2028

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:768

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4408

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1260

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2276

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2120

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4568

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5016

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1584

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4900

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2648
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:3384

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2836

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4200

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:748

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1828

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4816

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2340

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
166KB

MD5
3ca3f62f1b110923c9f114cc31c5ddd0

SHA1
de2b5db5a4f9199225cab9c2a4ccd0601e896e98

SHA256
a5eb99be5835826461f673ff1294ea15278123ef54023230e150da27f2487e8a

SHA512
35bcd6d52e0a72ed288ac8b53b6bc7f04586d087b12afd7342d208d913f38144d43185c5123f49db3e5eb0c992239c391f18088b7e0bf74c246e354016e6bdb9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
62KB

MD5
b3c73189d4fe393df8019ed39b806a0b

SHA1
94ade5a7a9020c3ca8ecac8aea598200965642a7

SHA256
59bece720d8e8c1c0ae358ba21ae5839588167ab87ffdb67dfa614291022a4cd

SHA512
51f2116365f5c90655d9c27bc30e439b72e008fa11d7ed078c1ca266da147c9b9bc04edb612dd8b5cecba804a4d397b30607fd3bc18d91c4ca12f4b87529ecc3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
66KB

MD5
3200606c7b92e26398d8909a39f42ff4

SHA1
f0aab79f66050e6f2ad51041ebdc9ccbb192a1c5

SHA256
f9b35687fa4e96763d853c8cf9fca1ab8d9f3060cc0436383aceb7ab8be18b78

SHA512
ce8b4f655e3051ca981df0d31d972afac211996dbea6902532cc9357e70e7d59b55b00c7021d0ebb20009a8e096c249d23123b091ecee8ce734213ab8588699b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
131KB

MD5
92efbb40782a71e11a1f4e570f58ff18

SHA1
dc4a37723bcfd8112c286d739e0fb904e21cfea8

SHA256
2ae7544bcdc646e0ebf7950768f276662863857481444929e4d9020a9d8f38ea

SHA512
206b7216fd8763f218fa21c913d20c6a5df4e0f0192707e57ee1deae2c6065b50f48e70e33be81337a42c3d9dbb8bd2062f34b2d27ffd99158f406be2cee036d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
91KB

MD5
9df38b96cce3d740cc64d60bddee779d

SHA1
25bbdc0673a5766a83d6df2ebc7e6e60a267655a

SHA256
0441922ad73866207aada46f298faba4a16cba9ed98678b31dbd6f9bcd951a86

SHA512
4c1b3ad13b9d165a3e9348231b16e787d8fbafff76e8b6fec8792a354f0309145d959969b27df2897a85fff462ca35a242d5cf6c99f735a4f85385cc1005a1a0

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
71KB

MD5
f58df6fbecb58ff27057f63e70cc244f

SHA1
bde1d313477b81fb57b37ec7496958ecd0456a1d

SHA256
8909220bb61a7ce4fb2e8057a5f28f3491d1b42951a25dc4a4059d4aaa364c6d

SHA512
8aa597246286e7474f2d89c3b2211ba669dd4eecedf8a1075dc788a264ce315bf708f3035e1730febd793282e6198108c2782d8234ff78eb26e9bb4ddf73eb91

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
128KB

MD5
9aa6cbe6a44b23a21307e3381cac4f3a

SHA1
b1c680b08103ffefeca64b5021c74826ef3ddbc6

SHA256
b974444670b8c60cf87b984efc332676364370fab18de775d7c414342cf7e16a

SHA512
5e1d64fcf1562acb0d25702485b528d53ba66d93566a2aa842cc792b165579a85c3e33fc9e2065eae1ec41725f7d8d74693d05d60488c4b5f98b729c3a5be7d0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
152KB

MD5
af32f398be74015c838d700616fa2285

SHA1
56f90bf8c93e673f268ff7efaa1d463ccca86092

SHA256
2f9c74d010e22b617f78814b5009981f382c88b6815db057e6ba7dbe4e333060

SHA512
c0a8158b02c54f85771a91b647cf6138245dfba08454607f3a8afa2b0cc0c8ebbd31fff424fd97ea5a897faa5328afe2122b301855237cce241cb5f8a9dd14a7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
92KB

MD5
a9b522371e3003cfd95be1fed23454d6

SHA1
dd95e22b0d28c7d16ff36cbb1f614eaa6922bbc0

SHA256
1adae959978dc9b67519e1b364d749af2d8836bff3ed3d77f9a1d8591daf0564

SHA512
136ed6355f08d00ab77ba06dd72df281c1c8357d88193128984636d468b93e74718010f8dc177de83c1a1ef10eafdd86a97910eb0e04f63492bb1092ee204e8a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
130KB

MD5
bcd7f403a71e2faf3fd21e4150cfa07c

SHA1
790ba2f230f33113d913fe378aea335d46155b8c

SHA256
84b3184f2499b930b1aa1c11bc3c1f69075d7bf791fe8fc5c32528c8bc71f514

SHA512
adb1a90c615bbc2bf8204993d6d5f0767698962171eb98ab485502053604191063b385127e98fde21191be750af22aaf3f850dd3e759529122b4d92c06d938a5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
59KB

MD5
ea0bceed55b58932ff013c7d2c8e165d

SHA1
42569519df20dc679704e693de8a53905ab1dca4

SHA256
10cf05ec435453282816a069f650d9d6429cb85d542cdc61ae1827d568798715

SHA512
f27fe383c235f517883fa2635d2683926cb86f0e87c0b3b6b1980b952404a8643b82de882e5bd2f29acb5f6710e37e94b3ee38766c693d2b2d7cb5c08122383b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
114KB

MD5
5f3134826bd5d1727ebaff9a37c929a9

SHA1
ff1f09c974682e4fa1905f9e4ebf4c4e3c709226

SHA256
dca9a173aed45d79da5d2f5db35863cbb2e999b59ae26fe8b8a590e539613013

SHA512
91aa344a17e622babcc2149c5f2a28490a0a9f14e022759f57fd6e5f87f18de5e2e0270c36d7259e0b04892b2d6e64db146b5699e60c366516d9ab7a4f51c3bb

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
128KB

MD5
86d2f31db64d735eb855c558e436ba9a

SHA1
a1444b4cda953d8ad74fd51ad636cb3e7459c4f2

SHA256
0552f6b33ffa866004cff29f9e4814c4db1cfba16014bfd5317426e5a92d13a8

SHA512
f3a58d4cfebb8df9b999ce579f9a449c8844efe71778ef993765471a884b41e1c99a491ed2937fd63a4c3c5a53e9ba2ee6a83b14e8100a678080bd4e023b69b2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
786KB

MD5
05ce7f7ec59dc138c011e25d42240805

SHA1
625c95a7cd3f95f508114f250f30ca2a155a134b

SHA256
ea29a4aa48d08439f7f18346d8d46eae0e682cb04ffbfb20d721231fc64590ca

SHA512
d2c3b68a1926e26f7a2a82d136f95fb1627da77f48b30e1a23ad097e94303b8b3e8e8c5a357bcc21288e5d9334189718dc2391d7629e6eab1ea85ffb3a48f337

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
15KB

MD5
200dcae1871653ea9dad46348a6f9293

SHA1
3d7dfe9f2a74f54b3b4c5a6938ee15fe710f632c

SHA256
82571c8430add09d6e90ea7bdfa38d3d3a714285ba78010a4ec6e0dc59920aa6

SHA512
19b6310fe23ea1091ecedeca6182dff84a9143355bcf4fc05763eb056cb1cb8f5c3902f3678f4e4f3ab7543561558c035d8cc5a51a6c0968eb033f35d5fd694e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
175KB

MD5
43502eb051ea741cd64cdbbaaaa1b9bb

SHA1
88aa7d56c4c355cdd210257ac5cd0b1cd8d80e07

SHA256
32ed9fd5a8aca1de6496a93e4b339847e9beea5f592a4204059e920e31d27863

SHA512
305bd26239df4a621b1743abeffb5f871174d73e693684103c962f1f4f60821c60af8c05bbb99dc41fb26d97e2c890d115a1c6f9d55d5f52b07c2de1fc2e6263

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
117KB

MD5
f0f8780087dcad471e509355f3b54388

SHA1
17a1e1dfc5ebc60da677f9a0a3f65ce38a5d0aef

SHA256
a1bbde52c19291fff8f85e806c8dd7284bda52e2734fcfb40c78b986d1d020af

SHA512
8a61ea642914a1fc315189c6a0487c6b46fe3dccd569ab0b67f597fd40f322199cff15249efc541e195814b1e58f5b3754ac23710e807d286d6117d17aabb361

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
105KB

MD5
81de414dff29ef22f4cf72e28d216b9c

SHA1
e4107a8e72fcc95da35a06def61ab878ed4f6fc5

SHA256
4cec0a7df2463e8f10fd9fb4e9ad6f5764788a59783a28425c54c4c85aced3dd

SHA512
be3b4be75253dff71c573027e39175af3c5b9041802e3f265c5d3d0b7dcc9f4c1d391a573c65b77a4950f6d976315c0b4f92631d39ee43c1caef377c39f047c9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
272KB

MD5
f54c54ff2e134d35f2a23bf5f2b38e40

SHA1
ad2795da2f4a248894f58cb1324dbb8a15933893

SHA256
4fe86d7749b74bef050631e4a203bb5a67f7e2edb5ea14134833a3a6366249bf

SHA512
a743677070150ec2009117ddd3bb3549a0390db10c44df7851870e046ac0a363fc0470fd821ecde2f514d8b963899cebe592e311c32f496cb2568a44ee96b673

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
140KB

MD5
96cc005097ceecf0e87798bf93dce8bb

SHA1
a2be4d25e2a249ace2fe974c38ec7286f7013a7e

SHA256
7368bb4ca4b7f55b7f32266a3788bb865fe187eb28ecbd8c5c13cf41e1726ac8

SHA512
0f144c4c55ca85fcde36b3130b3f5c1be19c840d5b773533557fe0553656fd11d1bb271292274a4ecdf884c1723a6190e91dc73623299ee31019526631d96e2c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
61KB

MD5
0a1737e723e41aa21eccb6d558587449

SHA1
bc88dd3af2be97bb0406fd031118656bec63a53f

SHA256
799aa2397b57ce15a870c844cfb457f20c75df7e414f5b0ffadd73bd344493b8

SHA512
08beb0055116cb77c245abdcc818a6398c7c2f18f7ee20174bd8ff214ce3d6fe9ae761b39e38447814fc7b4128de335b26376ed363ba3fa88fe405de80a1efde

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
160KB

MD5
d2051dfcdd0298bf902fc0ff34cbe787

SHA1
aa2958603651e628ae98e6732a13fbc6dc5685e4

SHA256
a7ede281d2a49f2cfb8caf6966dea25febc657799b047c0ce82e829bc19b6cc8

SHA512
ff84e0aa8af163481b5a5b0f9e1e8a20771d00e815cb1acbb7c078403b163b7cff1b19a81ab26a19afc2591114643e1c185bd1a2375f924965b6beeee6498884

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
122KB

MD5
f0a1c662b17d41fe4625a163b94bc5e0

SHA1
9ccf1869bf5bf5f93c8d216c5af20ecf3381d6c9

SHA256
a518bf32168dc38db0746b0ef7036daba82bda78eb5ec83af36c29c46dbf449e

SHA512
7d7c017b40db36316b6f05ea4d8340358922029fc0e9431bd1007e47682cc41b380ca603225a134b526163037a06d7f8c46d12f1bdca732cbcdd1aca9518d648

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
153KB

MD5
94b547e3da1ca3ca344cbe8763f66329

SHA1
74d8dca1920594319f032093b16a3288cb200877

SHA256
45d543de26c6c9c57a9a437f0d12c5c0392e303e963c7424d0c293c0290e718e

SHA512
b20f1d44c10b42e93897ff49dd612141b4973a6d81823df7c07cbfd9b8554b73e8e18a708133df1419dbe242d8ccf84e53779bf014fc71ae34ce11edd308ab5f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
135KB

MD5
bdb2f7234277eff4f33218505b602660

SHA1
22c0fa3af42d811d2a3aa9877f0aed9ebc788270

SHA256
4c2d5237d776e9dd602b66a3cb4b193a0af443625032f454d7fb6aa164eaf814

SHA512
5bfeffc8333fe6d7dcff441a557f39189e4402b6e7c2796171fac5c46dbb4a89c378d4d6e7cb7f33055c4382a3f2641432d65b263099224274d6eba99f994ede

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
60KB

MD5
c999fdb9e85a04c9548e3179ed78d221

SHA1
f2561aa9c2c808bbd829fe20c238cce8120e0635

SHA256
28458cb0660d1d5bbc06ce1b10530097d0f240aec9481cd107b184394a4ad460

SHA512
7374f5cc3139c870adfe7578d2ff5448ff2bb6102fad897d29c8ddfb4e22f749f88d71612a67b4d7c5746994712f281dd95b65b00f1334a3cfc774d560b8a20e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
164KB

MD5
a2fb9c936cf67553d641c2ac73c0c40e

SHA1
a90ff94897eda6b0da0c14dbe4b541ca2d8b28e2

SHA256
27c9836c71a0760fdbd48c9a8bd406ee00f708254f652e8c3c3cb34aae8cc193

SHA512
6612da4f2bdc2a7a7df0248507e9f67cd84f4b253cccf8c173421c6b6fa59c6d0c066b133892277c9654ceb309a759f15eac97ca748b9b8c24c4993a948960d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
80KB

MD5
2bcabcce8a6723010230d1be1d485083

SHA1
027cb07c62bcc832eae7972428c23a0463cc6a62

SHA256
02082d4499a04058a13d177f7cb355823839c06655fa4fcf1925d0c9c7309145

SHA512
32560df3c2fff73e7735809d47cf28b8ceb79759a4de286a27de3c15e07abe9e78fe910d070dfda320bf792f23021f19580002b8605272ab65d079ef9255c294

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
82KB

MD5
0da386cfeb66c188e86937518324ffb4

SHA1
ab4484bb952fe4b65da6d96c762ce8ca241c8af5

SHA256
a6d4181f757865633dfe5119572ed51d464af2d42318ca3613cc8417494d6a6e

SHA512
b23f52d4903d9f5ddb1074d60b757a021c400a81084c617e44aa6a611775f74148100e38f642c5eae973c70e76005b6c3a7b41c298674507e577d3f2e3040545

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
124KB

MD5
f165b2ff7d1f0b0ac8cc1c42c1909b58

SHA1
bf40ccf1f5076db83a8d3bccbfe2e1855ff0a5b0

SHA256
d12ff75c8356d78b6a2e69d9c6f8055d9fe647fe6c06f75468318f24fc9aa1ef

SHA512
dddce34125339e802f362790373b809a9174d1e8559db97c6cf2f50a3ffa85fdf63553c2a91155dbae65be41720396f4882e68ec79064916c6d12ed9fd920c3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
74KB

MD5
5dd52b1fe276e3a067f2784b98669b73

SHA1
1a2c98cbfcd2f07c1e03ae8f714dbd726820bcce

SHA256
0650c0aa920ec1ec648c2b9595c327fb1f6c302ab5b1746953a92c433992ecc6

SHA512
d4ce7f8613f05c35d57dfd54453c0b02e992844216c012df359518c88bc7e4782125c9ed665441bca324dedacf371e569bf43b5ef6433afb70d1e919f3c64cc6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
87KB

MD5
eb479b04900bfbad2c44edd9b94c9656

SHA1
003c3f89ade68b395db98351cd5e5ab00618d900

SHA256
1544fcd4bb6014a130a018bcdb5528ee3c6de3209b1161e3ca2fc129ed0b7a7c

SHA512
fc7b812a6c578b2783439e24ffaa4e30d9925918a4af7518940630027716692d111505013f3a7f07124ff29e42b8777c6df6fa260e89f82d64f08c09f8ca8f2e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
112KB

MD5
b85c327538b0fec15f3a13c1f83c0b82

SHA1
7cc8b535d3aa99502d40923afc2366b546006e02

SHA256
273a221a0873c7e2ee0570dc95e9483025931960b0277f5009617ee57a20bab3

SHA512
d62441a6ca2bc9595e62e76f16344a460b0dc22c58a80123eb09ed914c5481baf08e7e094f8200d4d12ee0ec819e79fdb05e97ecb69a165d9683f3a7fed6d726

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
132KB

MD5
dd0a82f889a263cf7a3f43bda6521c93

SHA1
28c36ad2b60c23dee625a0b38ee59b127baa59a8

SHA256
8d67888886ffc360bac143e6aad90da138298471cccc0b7244639f3f26a5f451

SHA512
d18d0fec5d5456926fb781ae8c4414b6a34bcbcfcfb13215ece65fec2e37d4964ac7a1851443876acd230b994f3ba3d8d82edf85897f0ddb4f150dd8279d6538

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
83KB

MD5
735663ca49409190743c561ddd6ec483

SHA1
f3410ddd10b8eaaaf53b75c956127e5f7fed3f53

SHA256
3ae3c3452d8a90d9dc112630a8d254a7aadf227c541a0bdd1d563cec102abb94

SHA512
275062f218824ea608e0ccdb42353d386e0481c9a609d7bf39f30fcead7bf69c1158c88c48768a47813a6d2fc31ff09476252f6d56fe060f2e490032fffb1462

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
100KB

MD5
85f78e15ebfafd25db5e1f0f687b85d3

SHA1
e8fe241c8065fd8650214bd4b5f22583144d461d

SHA256
123fcc53aaf221d017548fcfb8e508a6893aeaa0bb3c41f951be57ecdb1ceeff

SHA512
5e69a95f87a12cd39582b27e058f64a86809f2b589c5d984b1eaa3d3cc4bb0a84e13e2c462059d02123b187140808395626f92e4bea563ae70e25650c4f66c39

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
40KB

MD5
3bef0e4f76d33710bec0ce27bc2833e7

SHA1
fed9d826d9e918b1df7f88700e86547129cf8cec

SHA256
f38a218ed6cae8e732c9246ebaec4f304b5b66cbadde5fc76e6cc6a920feda08

SHA512
d191e3b300fdbf9ca4350cd4ab24164807774794872c878a3f433e79c9edfa4a5f0a192f9609f7659bed1c703b60abebe3878dbe2f75518c520ba7d7a93da8d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
22KB

MD5
4f76898458df1ba7034e9389e586bc10

SHA1
7120465201ab90b0356780efba4440bddd88679b

SHA256
93cfd4071c20a998bc5defb0747a6f48673e7408459414fa305236516a45889b

SHA512
f4c1fd93f45a8d639691b9d7841e704ab07f9525bc29c82b0caf788b4d3488f4c96f46cfffd62394d353c17d9e234d62b427fb8f5a4cdd622de2ccb5537ffbb6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
11KB

MD5
c353fa6c2f32a506abb76e851c7d5873

SHA1
260c3e3cd57b91613db75d35c41048890507da63

SHA256
26e7780e9dfe5d397a99286d5c38036f7e812c501cc17d36ac808d4d239f6bdf

SHA512
adc1a919f6c90eb67131fb4562bc58cbb014102a41e87796e323137e499f89a3ecda5835eabcca58b817a565f2e344237e4a0fa6379c3e87da93f9fdd34e4dd3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
53KB

MD5
395136be3415d8418fdea46f1eda33c4

SHA1
e0fcbe1f1aeafa2a01215d740ade55df44dda6e1

SHA256
b6fd3ec3ec935afa7af62726628a11d11a382e61725fcf31ac8f968a3aac644d

SHA512
05a45a72061d47130ccf622404aaebd7e13b23d7fc36223e8f91aee16176cb8a89b7f92533534e76e8953ea4ba71859a1cdbbe81478c4679237702b5b3c0a954

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
34KB

MD5
19f3fa8044d84b4eebc052e9fb7a7c71

SHA1
9264aa0cb243346cb2a9bf00cdd203b6b6f9ef92

SHA256
de4280c91fe969eb114fd1cb36bda3864426d240edf6ce16b444100649b01d6c

SHA512
5c56c7d93a90f27dd64eeac74471e78dc086f82f8fa2e22b0056adf4736d706eee32259eccb359db6b13cc4a520a00c398b84e0298a985138fd7344834dadd99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
72KB

MD5
245ad33e720ac5336ceb9775a980b90e

SHA1
2cb53f76cf37072d0919529e327bc9fac17976b1

SHA256
d13ea0c90ba46b7b3e835c8cbb5186c9aac68085bfb000b8f6d6999ac06979c7

SHA512
082d72a91b92c266bb7801375350a4f63736d1c1637442bc615e3ff4a235b7ac77e920df23e9251eb07e695671f8027c540a4ef3f2795dbdab18eacf169c67ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
74KB

MD5
9288b72c57ff093a2e17a6ec9df82956

SHA1
a582f1643c1f19d6dde8fddf6b29f2fc3b9d199e

SHA256
1781e6b8d2cfccc889230fede4b31ef1ef4b0c2162d4b7c2390d3b8bbc3c3268

SHA512
3dcd8c89fe2730e34bb47d3729666c80957e0ca200a4273ac84e54b90259abdd30420b220331bc5d5d32a5db5975f36614443e75d20ed99f5e154482f71ef6b5

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
96KB

MD5
ab5485525e5b974200e6afb16309e4f5

SHA1
82b8dea3b3d906a13ea0f40365baee3216341242

SHA256
284c34c45bed7c2e1643f080797652d3ada19c27b762adc647d801fe9749bdad

SHA512
26e2ed248a5cda226c87c825b4b158c43166433c9e9af4fdec3f75678947c161078e5d11dc08f4c340ca258e6665eff7211840d99bb11ecf9a7fd09e117ca918

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
42KB

MD5
08dba5a35b1e2ed880058d09f85368e3

SHA1
9db3b6b0246d017ba77cab50e5d3d9b6d49d94af

SHA256
ac3150f1e1c6d0d3646670b282f332c6bc2df1f594fa5921d4117b0f558bbb94

SHA512
9775296f3012f5f634c6589c00f8a50f9599e1393b183db25724a12180cf47d7ee5f37590ae4ac0e35be91f6815da69f6b89be6cd564146d85f48f176e36e913

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
125KB

MD5
8c037c39372f11f4264f63c6b1cf3cd5

SHA1
fd42a5ab18625660d068bf24cb30c2ce2c67d938

SHA256
90340a3c8a71e4fa58e78f01870d036adfcb81cf74ede444f9cbede18b550461

SHA512
31f90a06169f8564d162e3bdb3039e7b9c735e91212ab9c40b9813af809f440d0048055ee4dba852477935ffd6e7df1b26e4150d2b14c599f1c4653355c9a509

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.1MB

MD5
78ea3f4c046b6006640529e593ef9857

SHA1
d6db02eccdfcae311f13af934f2db15d9f14c437

SHA256
c34ff4eef8ca856254dc762b30c5eed608e6547a1e94b39787d61335e5388627

SHA512
3a68ad0204ea827eaf97c5b360595f021e4585ff3147bed075478511406a26c8f8bd5c8105bb25d68c7f43efa5de1fac9f6bb5284fe73c79d7b3ef2d7db1716c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
147KB

MD5
9babca40381115a6b7979471a84fe52a

SHA1
f9af80d000f26742393f954f5e8c5da7417b0001

SHA256
3f15f15581cd65f043e086cdba89d91b202539c884382248ddbaf1ff39576af9

SHA512
e667863cf8a11623192ecaeded6fe98852780202bf5adbc46de21a9c42a0aa49632184a279f24a6147e435ab133d6014289a8de925b88d65d624305bd6629427

Download Submit
C:\Windows\System32\Locator.exe

Filesize
76KB

MD5
e62f85179e9eb141a6ea4b9258cff6e7

SHA1
8d75c3c0ef65b044a24abd098181744c6ae10a48

SHA256
928cda2f63e7946286f6eb4c4db9bdf710670289d59e886e35be7f79074b6acd

SHA512
b448009844ae8cb283335e86068180a80e52f4bfcfa2c432aa701efc00b1c13b4d387b67761ddd8762457c188e30f787f853b1f0271cdd252a1f0bd1e88fea37

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
122KB

MD5
4686819c3e345210e71d39369d6ff7ce

SHA1
37ee3e60df4d9541e0162be931b184b934ee5898

SHA256
dc761a231e6c604b70c910c40bd48cbbe4b67ec5a1476798b661dbdba70b1a22

SHA512
725590442ab7839d9cd32760b7e217784898d5ffb67182a59e338f4352a829fc10f840370a3f1cfa9360e9aafc8de4176bf718942e37ed2454e0bd9fd10d9cdf

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
139KB

MD5
71e47bda0399afb323c340ba3d378e6f

SHA1
00a9b6891be39155c74830e0f17c5221759df557

SHA256
d987e8e23ef3d6662cb111668b6db80ae5459cc4784c430c08986c91262c15c0

SHA512
7e849cea71c83f0d6abd0ad5c28d296ff44f478ffb80611c8ad5e12057e90c4e74d3a44ddce9541f63045afc1f0503a4d6b73d6757ceca0f74db399f893edd03

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
8KB

MD5
8cebb229cb1be5c6190ee47c953f1084

SHA1
4baebdf9d806185b73db79d1ac23edab32d29f0d

SHA256
2b03795e39ccfc496fa0ca3516186a8dd8f30764e8604216c5e73b4e749cfd26

SHA512
6b70c0f07726859a97754e2d400337c31ac098d010a87452324cbac12fc5ee155ac18116741840769cfa58824d34019cf3560633d0f4497b60ae3cc0d820137d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
34KB

MD5
463fd7a065f9c559718d06e9347b9077

SHA1
2b458d35ffafdd03909b03601fee804b12519fea

SHA256
4f709d894af60990088dc2a4bc97f9827917a0c4b5128802f73e79e1d7439fc8

SHA512
b7e75f698dd49829a6ba5f55bb1a5c4812763bd4e6327d9f8d824294cc34ce806535f986c784b8317ac591be5e76fee13b913aa0d2394ea67693dad038b237ad

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
111KB

MD5
94b68b6797fb0bf7c0c3875645cfc950

SHA1
b5ad738dcf437a51361612ba8c18c47582f3341e

SHA256
3a66da4b599d43c6003bd9b479590283a20a305a0e1d1cbf3f55927c90d1f276

SHA512
0ceaf6d23eb4a060bf65e658c07e8c96b739ef348dbca8bfe2b27afbf2782eec50d23dbdee0ff51703dac0e5ee78b21a473673069d9375d45eddbc04cc2c399f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
57KB

MD5
b23fef01ac3921267876c69cd804a5ed

SHA1
af0a4bea99fc40f15b6087611355bb4108592a72

SHA256
76ac5a3382a323da90167a3d99e733417ae8efb877ab011d8c870276c776daf2

SHA512
2ce8afc8ca2623f29375432e6958841d2b5f256609da0ee60b049e6390c16885bcabffb18a96a25ddb82c9a2c9a1e6da3f0bc524069ece6db7f657106bbf0652

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
25KB

MD5
d75e116e5abc35d75c9838f29911835b

SHA1
ccb11b82234d1b33439bbaf882c4324a1c6a39d8

SHA256
4c244f3970788b229d1ea82d3b70a2d04490c1718174f18b24efc54c07698d65

SHA512
d76328f96611f2e8c4e6ed7f0e53ea3da14a45cc7088f784f58b8e9c899c7b8d0e63457de72858d3c9b8d44220490ac5cc62b17b7f41fa2512bc9a718e955291

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
92KB

MD5
08318ea2cdcd201b17043609efe000c0

SHA1
90cae801a1fdd7b613d67dbbec11c72979a3b660

SHA256
fd4de0aaf4c284653101a313d00876257b82340263f467cb4bb405be68dca117

SHA512
465acd6e6dd250c23ac874cffa493fc2482a542d22f92d65f653655a668a4ff148d7ce357c3d584bca2eba4e75048dcabc68dece4f16cb9478ed1195c8aaf65f

Download Submit
C:\Windows\System32\alg.exe

Filesize
401KB

MD5
f1bf58ad3e9fe1d1c2db914df5d522f6

SHA1
1d055379abbcfc2f8f4dea5df6d48fba82f43a38

SHA256
41d0ade0c5e2437e57f306184969d3411f24c3fa084efdabbeadd3b40faecc50

SHA512
c03902c6dcb29affa52b28f5cf346570e90070e7eef28a4ef391f8872aaa8b6b1829c9e2b2f38037d3ee33d43254f43bf7ebd920d2c6bf67e7f08988735a386d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
53KB

MD5
c64fdf5bb52f7e699f1526006a8f7d81

SHA1
744da793e81a23a2685a1f1a21ff9b98a096bed8

SHA256
c231d139ef955d2ddfc25710efb351edbaf0f1b835f4f668f8dcc94856b0d68c

SHA512
4bd7d2194f3f1a8ccfabffe333c2cc43abe48a547a190a6147040957b86d3f0a871b418d79660741b389b66f3ac74c90774b380f28cb637e6bb4055e97b18628

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
45KB

MD5
407f18905e4c98996e8d8a5b0ea398d3

SHA1
b45217995272aa1ce065baeb7735d71baa8d8b09

SHA256
0e5832b028bcb0e5c4b234ebcec18ee12ec7b0ef99b40449614b08f772930db7

SHA512
a39a6961a40f448b00db091d728812673f75f7d7659c9466ac0a379ff936db895e23c51006a3a1fbe2a11792fd33fdfb6d982cdb8bc44828a3219e61678db90c

Download Submit
C:\Windows\System32\vds.exe

Filesize
39KB

MD5
309a94dfe4ca47f6e4092538d2c924a1

SHA1
8b17c85ab7ad3cddff073ff5fb8d37b12bdada67

SHA256
5455565dd9134882739caf2a57c7c4fa7be0e0ca9f49975e787c03e7ab569519

SHA512
8bb84fdf263c1af7430d162f92db6753b666ef2d92ed9242f39adad15ea7328a76cedb8413c6d4ecd8cca8395a769e36c44dd4efd1983d2f634cceb1e1948db4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
158KB

MD5
ae5df16553d54db7504b7bb85cf9045e

SHA1
aa34427697ffed61f56a80025dae2fbc8696453e

SHA256
f3e46d6caba6ce0de0d962084545da75559441f77368967e0bfde8ff3b3712d7

SHA512
8c18defd009b679749af793e363bda94a70c464e2e3cd2f7ae17c26375d1cda4d5214b8f2034ce0bd715800472f4dd62f0aa137b06cfc9f37e91b3d1ad85bc98

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
39KB

MD5
b5f264598bbe18db1ea1dded97d709d6

SHA1
aef9a14ca4590803b8074ded30f5fbf3632282f1

SHA256
d44f081d124a3bb4c816048785e2c8342f83dea415658a83945732abf7e08345

SHA512
35d5fdfc6c8b403825eeaa004aad3b679d520f401028e2bbbcc98d12b16dae16fe7db3c3f49878812d3c6da2d8f6e7f265de33954bead1ed3ab189e663c6cc34

Download Submit
C:\odt\office2016setup.exe

Filesize
117KB

MD5
653cda4f9a1cd7ac2c2963511e81c66c

SHA1
833c2da8ef74790edd1b2ae20c9421d862bb9ee0

SHA256
c766e4e08df22f88772bcb769235c255a28bdc0ed8b13ae0fed6c574a483459a

SHA512
df8da4b812f2d28a96b94730823004e343a9308def1e883a7cd4f5d85230af0bbf204974a8c898ba9f74b46436661048b49f23c4b8c96c8363a1170e1569943f

Download Submit
memory/220-28-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/220-235-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/220-27-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/220-34-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/748-344-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/748-353-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/748-413-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/768-59-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/768-50-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/768-56-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/768-66-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/768-49-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/952-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/952-257-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/952-267-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/952-271-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/952-270-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/972-414-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/972-423-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1260-251-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1260-314-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1260-252-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1260-244-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1260-245-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1584-401-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1584-409-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1584-547-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1656-462-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1656-453-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1828-400-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1828-341-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1828-331-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2028-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2028-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2028-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2028-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2120-273-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2120-340-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2120-282-0x0000000000590000-0x00000000005F0000-memory.dmp

Filesize
384KB

Download
memory/2340-370-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2340-315-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/2340-305-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2800-366-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2800-301-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2972-15-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2972-16-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2972-230-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2972-22-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3384-549-0x000001A9E8060000-0x000001A9E8070000-memory.dmp

Filesize
64KB

Download
memory/3384-548-0x000001A9E8050000-0x000001A9E8060000-memory.dmp

Filesize
64KB

Download
memory/4004-428-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4004-436-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4032-7-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4032-11-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4032-3-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/4032-13-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/4032-0-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4200-426-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4200-368-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/4200-358-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4408-64-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4408-65-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4408-239-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4408-73-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4568-352-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4568-290-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4568-299-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4816-326-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/4816-321-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4816-384-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4900-442-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4900-449-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/5016-393-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/5016-397-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5016-398-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/5016-386-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5092-380-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/5092-372-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/5092-440-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download