c2fd8d6184cfb912eaaca283e8883c58ed374df8dca72774f1bbc3fd82b375e2

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2024 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-27_7579d66848179bb9140dff31d18b090d_ryuk.exe
Size

1.8MB
MD5

7579d66848179bb9140dff31d18b090d
SHA1

037e65f8adc3e2b5cc46f40a551904167b2ec5dc
SHA256

c2fd8d6184cfb912eaaca283e8883c58ed374df8dca72774f1bbc3fd82b375e2
SHA512

6d212b484bec81dd4f755f8200a8e42096066aa1829f01bcb7dc2aa531ef0cc0aaca6d30983da741c78f28f6323462aa210e2c4bd9d29d338739c4bd044fa353
SSDEEP

49152:3KX0DzOswXefymHQlIuQ9t2r4PRSEk1ul:1XNOefjqIBt2sEE5

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4860	alg.exe
536	elevation_service.exe
4824	elevation_service.exe
2664	maintenanceservice.exe
2216	OSE.EXE
464	DiagnosticsHub.StandardCollector.Service.exe
856	fxssvc.exe
1408	msdtc.exe
5016	PerceptionSimulationService.exe
2172	perfhost.exe
824	locator.exe
2028	SensorDataService.exe
4016	snmptrap.exe
448	spectrum.exe
2268	ssh-agent.exe
1948	TieringEngineService.exe
3060	AgentService.exe
3040	vds.exe
2360	vssvc.exe
4832	wbengine.exe
4872	WmiApSrv.exe
3672	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\56d7c9c08ed1090.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-01-27_7579d66848179bb9140dff31d18b090d_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{6FB5F2B8-50C9-4E27-9F75-756369A42747}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005cddbc2cc050da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003ba5832cc050da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002e918f2cc050da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006cf0ee2cc050da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000538fae2cc050da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003c2dac2cc050da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b50102dc050da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005cddbc2cc050da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
536	elevation_service.exe
536	elevation_service.exe
536	elevation_service.exe
536	elevation_service.exe
536	elevation_service.exe
536	elevation_service.exe
536	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1376	2024-01-27_7579d66848179bb9140dff31d18b090d_ryuk.exe
Token: SeDebugPrivilege	4860	alg.exe
Token: SeDebugPrivilege	4860	alg.exe
Token: SeDebugPrivilege	4860	alg.exe
Token: SeTakeOwnershipPrivilege	536	elevation_service.exe
Token: SeAuditPrivilege	856	fxssvc.exe
Token: SeRestorePrivilege	1948	TieringEngineService.exe
Token: SeManageVolumePrivilege	1948	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3060	AgentService.exe
Token: SeBackupPrivilege	2360	vssvc.exe
Token: SeRestorePrivilege	2360	vssvc.exe
Token: SeAuditPrivilege	2360	vssvc.exe
Token: SeBackupPrivilege	4832	wbengine.exe
Token: SeRestorePrivilege	4832	wbengine.exe
Token: SeSecurityPrivilege	4832	wbengine.exe
Token: 33	3672	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeDebugPrivilege	536	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 1120	3672	SearchIndexer.exe	121
PID 3672 wrote to memory of 1120	3672	SearchIndexer.exe	121
PID 3672 wrote to memory of 4148	3672	SearchIndexer.exe	120
PID 3672 wrote to memory of 4148	3672	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-27_7579d66848179bb9140dff31d18b090d_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-27_7579d66848179bb9140dff31d18b090d_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:536

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4824

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2664

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2216

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:464

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4320

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1408

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5016

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2172

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:824

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2028

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4016

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:448

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4852

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3040

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4872

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4148
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
1.1MB

MD5
6fab03f25190a176ee608d7fda17b41e

SHA1
24326cc9faf5e8a2880d821ad775a6adb8ea438d

SHA256
72b24898729e6d95aace5bc805eee421cae0bbce16634e9b372191f7e7e60b18

SHA512
0f1815196379e1c41930b317ce509cf9a967ddac3099e31bc7391cd091934f3c7718275b321d051fb564b979beedc75c4f17cb25f0d5eee56f7e01d292872df0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
23ac5973e9c1af2d9bd03ccef41d421b

SHA1
b3682d7ddcf06398565985349a473e3b0379443f

SHA256
2cebce5a677c6b9f419171511d198311fdfe44509124bbd179114f7e19d34201

SHA512
ae0acbe1ed80408c6bb510f670113f3e28ad66487ed7af95e0afd5fa26c43e370809621a3abb38d82c93ac97ad25e1b4ddab710df93cf21df55152da8f38dae3

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
412KB

MD5
0ebcf67cc7a359a481096f0e116a121c

SHA1
0e4b8828d667093818849ca681ae7a07f6c164d8

SHA256
a54f3b852db691bfece4d35c5429757dff6709f95bfedcc8a4b0a7945dc692d6

SHA512
c1c884108e9133f9ee57a7f2cbdf2be380b8f88c6216c822508ab9f698c0938897adc7e8ec5b8dc3c97a270bb2b8e477029019e5587c12ba2e8b70df459828fb

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
297KB

MD5
0232d3942b975b812657e637c812ddc3

SHA1
2438c8c48630b432448b77eff126f61868620d60

SHA256
e8d0e05207b694b4d0d55e2fa832f126dab4004a823d318cb1145e17b503be88

SHA512
36ee6fd476ba6022a9db3cb3698f80922c24b815e89128e9380d32832255c558cabd615474151b05d8c8a0ac1eb361a05772e167d00945c8e2c7248842ca4a9f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
446KB

MD5
eca01d2cf42fe0e609c0c1906f30fc6d

SHA1
400878c884363f6c615e3f26394c40f36daefaa6

SHA256
2242330250341ea56e9ab3814906d4c8752a434c4f114bacc832cddb8e9fe6ce

SHA512
ffcf0eda85dd30c677e0a81fbfd55b781e866a8f4d202b470d589b1ebc12551e14fb1ab3a4f2ae40ba90e0e2fda979445bbc5e38c97ec8ff0c846752d1edf2a9

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
299KB

MD5
f32a005be0a8626d31fcece6abc05517

SHA1
c320f332685004daa53652a3ca1af26cbb1e5242

SHA256
249d3e64d19de1a4af46cf2de5625e31845f24d181fdc3e238715da13376b6db

SHA512
776baec91e1d13155c519b2edcec7c8134bf801030b6ead4ba7ca8b01263b1ba59b13e2117a33a4c9f2b09433c74be6ae12e6e14b365a53d30e2abc7725bccfa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
279KB

MD5
4e13b0715255b29d4983157daa3e2276

SHA1
57ee3b03cf21fb853a5f26cebbbc2380a4187168

SHA256
0791e927157f0abe19d223635b8bb1b51232fb1686f0fe98c7b9c87df3a0ce31

SHA512
b4752171ddf739793a4a4d61d3be1f357ed8f50d8a8fd6a008853341cfa4f48eddf1da9e6dfb7e534832af7da2b0656c33bebac445b62928da53b5dc16a1992c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
363KB

MD5
0ddbb172e0065f910ca3cc4a2c91393e

SHA1
50bf5f5600241d50b946ca4021061c2592bf50a8

SHA256
9fa7cfabb0205bdbbca327498a218d2ca2fd3a3c816a67d7083fe8e203623c05

SHA512
70ca462dd70a7a8947f66e72ec0ac999673ba84dc170305a67e68aac27ed3e08b4008bef2cc86b7d4915135d78dfe2e1fc348adf0fe42ea5772c9d1312f55832

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
371KB

MD5
63699d604a51b0353aaad85f581cabfc

SHA1
22bbfb8a695f2b7a35b02d508ac0b4b4f63d000e

SHA256
f8e80e60c4d1181aa198e39d1f9808afbd1d36ea5e28cd4a397b294fdbe4a95c

SHA512
25b26dab00b132dd51a5275345f2f4a85ef1cbf7b193b2eb393b9bed0dcfc630763fb9f078826ecec0a559e97a758c3441a7acfdb77e2e2ce97846c5d8427c8e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
41KB

MD5
c3d836ca6a18a256e37e8a87004fc731

SHA1
2b72167f9069733c115c947245a42cb14289db2d

SHA256
27ce34e3af6370cf08b5950a427526021d4c2b1c0e8d6e0305bc4826f7277011

SHA512
6dcd9e2069beed79c18069c9fcbd6ba09e4630bd69e9ffc1756caee19f1ebe3e43f217d9ad8dcac4fd2749572cfee48cf20fc9a58e45e31d8005311c75c3a315

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
237KB

MD5
828dd815cfe96991c7524990a4a13a91

SHA1
020d37f9e00f9b86fc99f72d3d3026ae82e34fdf

SHA256
4504cb13c9bbb38bf06e1e78d98df212793a635c282faf8034f5eb36128e64f5

SHA512
28b71473d1edf861fabdd6bd70c3ad68847192e250b4185644853a9680f6a2abfb00b37a2f42b388ee976bbd0867080f1df8149aad55c33b67308ca53dbcd875

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
292KB

MD5
51ba5cc91e2258cca0b4f6beaf4f6a8d

SHA1
cf55c90fee569baab8aafa5f0d341f9bd8dcc76d

SHA256
e49b0ba6a9acada6fb7f0155a151bc6df87bf8cc38ef1937b2461cdfb8bc8ee8

SHA512
04d5e3c3cc6b35edbcbcee3b46a11f80e5bce7ae698d4c691eee8532d28562fb2d0846de1721294e93943d1aa71471ff7eff6863b3a1ffce367a40dd7b97a4ef

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
775KB

MD5
b6c8a2fcab53bc4097567626bef9cd8b

SHA1
80b829eafff3a0e9df70b66bd453e3344bfe8d7f

SHA256
3fc339795945adb1fbeda824beb2bfb2b905a8586ea33bae9f0ae62d5a8660d9

SHA512
f009e668785afa0bfdd33a3784d835c6e998dc585a27dca826323ddd6e7b915f65443bd4644e9ff02777ace950417a964f3132eba98086db3c2013ee9fac91f0

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
324KB

MD5
732b842bf78f64bf96a620219cf21816

SHA1
0155cafbe05db754e7408f945a187cf8a6d8d232

SHA256
b37db8024af1d3f29e4c8a3cc284dd7376b179369c8e372f0c633da7f9dab2f2

SHA512
0f11ce8b2f14abfbc8793e4a21ce2ca27852bdeb55596627ca561121cf8fe0638a4003878cf5d4cf4554d598efb13763af18cc296a5fb79c40a9e7a120a928dc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
273KB

MD5
591e57d7fbb2cef70f776243ef95f962

SHA1
6af422ab0342bd35d902ef9e58830c8742388614

SHA256
ccb544f95263c12e27dd2eba61193af94fd1dc44b665dc78a692a4ec562aa3b5

SHA512
3306bca9bbbc8f8768d594dd4c354ac5ec56e305846a9d86d0c7dad572450797a8399e88f5243a6b5671a4def682d74b368609dea034bffbed9a98b1aa7df079

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
52KB

MD5
88b93dd9f22a6034fbba4808bc11c3a6

SHA1
55107d643dd50ac68cfbb40c12cb61ce42db8b92

SHA256
b6eda785c8ce3048add21ae959f0fdafff71aac0ef97115f18acdee513cf32f9

SHA512
0e8a3b23b57c5ad7e3051e82f1ced3e8cada36a50286b7be3f33d5ad566f7a784d408d1bf40bcddd2e9f5823efe90cc241e5169e136accf077fd7388bb8e4b96

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
224KB

MD5
33ec35520aff52d60948a1fb5fd9ca10

SHA1
aae0600204cfd95e26cca4cacabfd1a7adac8406

SHA256
b47fa28c28f2bc08144b9feac08d6096ae4daee71a480ac7cf3f341fb7f110eb

SHA512
43392ca1b8e9b9e7c0d2b8cff6927842fd249c832652288a1588197e76e07517c2be6824df584fa07ba006cf775700ced3c4a727065afee13ff0fe8b17627c1b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.1MB

MD5
66e990bf9ec1cf466e1411d116b2d4f4

SHA1
1070852c945a3f1cf9e9d07258f1ba9f4f0c276e

SHA256
6f218beec476ded2bdf9027354cf641a3ac88929b3126413e343c33e95afe6bb

SHA512
95eb4e2cea54b2fdaf33612765b08bd49e2b1642fa6e356368e7e124261028dd6d766c77cd8bc3f295e763cf44ab8909d14b988f0b33a8c3d31d62381c8149c2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
231KB

MD5
5ff5ba2a92761eb0b9aa1c88ebfd99e6

SHA1
07839ddf28c2199b2ab8a6ad299e3575618c6f57

SHA256
70bda57a831f6d9b3197d89e43120787d0541771ccefef6ab38537bccebefd4e

SHA512
be5292a3502e926a6ce2a52482db190b1aa32bd59d33a575ce94f6dd05da6040d42a098bb6292d33af1a7ef1c41754823e0a76f757adf0bc472e73219879800c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
394KB

MD5
d64da02df3baa1ed663b28a01ee71a45

SHA1
abbf635b6d0dbe99a73b10d495dfc1d74d832a18

SHA256
1425b54faa7098624a8feaa16e93fbcf532befb06ca923a539273b7a8b77d686

SHA512
e465868524e9a202bf9eeab2bc796dc84a79073ac5ca86c01676a7bb4cdf889d3478cce9a2b92a2c97f344303f187c31fd094ef938250bd6f6907af36354f5e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
210KB

MD5
be6aaf2c58743987653fa3ec771da450

SHA1
c3bb71c8522d680c7a997e488d2756d271e282ea

SHA256
f6b962a943ad9ded52504a3ae3173ddc91a6f69c96921691e4d918d70fda6964

SHA512
26fcafacbd05c876ceddbcfbaf37372aaa8e64c73fe82aee8c13a055b5acd847e96e4917971c7e6fbbca136d0e86631308f8cb6018d9d7fef96373407c65456b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
239KB

MD5
d42a1742aacfcbae3664d5f2164cbc76

SHA1
fb55f822c9b5f8ea06632b4d2537e7a2ce00f105

SHA256
e22a2903a5af502c8a13e9be5f8c28c34f7bf2d92d6382bc39e3c50b4a7fe761

SHA512
d6ab329cc1b707c7a6a610efd3e375f8579d7ecf79a4e2fd01d287e75dc942523b822ba433490b55cfff634e2d01fdc6aefd31458f86e6c4373131099f705ef5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
253KB

MD5
93e0659f64ed6a4053e4ffe80df4199e

SHA1
200611783423608ae806e6ace1462af3413850b1

SHA256
b9f52b87b4ecfe921b63366dce722b70120046ad8167f1eceb3b7bcc067e545b

SHA512
bc860e62bb273c74c7b4b770330bdc799b73faf52ad14591ea1921e67342bf3cd2a7b4c7e3c4a07389eb37bfbc6981fea00071355927c54a1e05b7fb404a6460

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
248KB

MD5
05bc55c8a446cf24751cc9e806df0776

SHA1
9151c2c3af3300ab5cd02d3b6b9cba9c7283ad00

SHA256
33b11afa6995e6774041065e8ed10b30ef582848532acc1180c3ac162877b9bf

SHA512
8142db6381cbbd98b34944a84c9f6ef362608369a59a9fe74f00eaf1bb2876ac14b77dfbb1746be664434ce4c612ff182f3688f03a72df23422e19bd9b2ef7ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
278KB

MD5
d9739c477d914b52e8906607cb0c0687

SHA1
b7b0a775a99755799f0fd5ed024e09021081e116

SHA256
0b7bcd30d93ae08a4fe6aef5901fc653abadf022b7a49ade0bdbdf136f2716bd

SHA512
e06eccf5081735f18eb239a3110265b80afa2a406e25e522607fc937825e9d3ca5e31dc09c52c5d6eeb4f11d194f57ad6d8fcf64e04ebec251ab0b6c4a56bb29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
436KB

MD5
6d1e818105ed0f00d43711585344ac8c

SHA1
33cab580140c43f9b8964cea296243db38b5d818

SHA256
06c59f256cb83b47bfc0bf237612877fd0f20d966d3dade5ad3ef62c38f2735e

SHA512
a010767864c44b807ce71e8af8f4cb262202f74a78197a758f1f42f50f90215f201cfd91df00f388071d682b904256cb3001981fcfc2ae9784d7a1efe1808f1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
281KB

MD5
18bed0333cde843dc5aff3748a3f252e

SHA1
ae6afcb189093f0bb1ecda953246c568c87d3c81

SHA256
76fbde3e5ca3b94ee079417966ceec9ed3fba85b517289e1c686e57fd01bff15

SHA512
c718c3a06db5e1f49ac4885c78ffb19371d6d9df74b497c729995691b5656b8ae2a569d9766aa3208875ca1e215c06c274ebc803d3b173a53b1a055960e4f536

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
186KB

MD5
0ae38b2fbd0358a457bd3ca3fcc87417

SHA1
175358d92ed82cea497ee3c471c213620a636203

SHA256
443e7888f46006ab1ca2e637a8a5cbe13e748371902de6d6004201ea12649457

SHA512
bf70ca11b40d2ff98aace967ffca59c6dd237535f31930001ac38a79601b88d09a63232e24b5602db77fca8b0e50510010e562dea259d955c9cde19e377c9222

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
248KB

MD5
eeed0f5d30286bc191e2cc365d4cef95

SHA1
351e7aaae4a1d34b57bf074d680151731b22bbe0

SHA256
36f4663aada7449959aa46b4d435c1ffd68c890baad927f15e960d72fe189c55

SHA512
7403c02afd22d959aca17d8c7d4b507c7fbb72a3485ff35040dac986a27f3c1b51ac881142adc43770634d5c39b7bd2e985445037b9b01af8eec238edaa81436

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
200KB

MD5
91f4efd2cb2fc6b5d718fd157395f2b1

SHA1
e18fa722463dd1c5eb7189549c59c3108aaf460a

SHA256
7526ccd1f9538c0378990b6a0287e39a6af4b21b57bf165746922721144bb930

SHA512
b4a6c55410405634f87fc22b8c27d238b95d21b43669ed81e4f71c689767a06d3f4f792ede59039f60f226dc373c7e9bcf8318040632a0235762d5ae07726bdf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
285KB

MD5
7f02b0d5a925371c76ce4e73ac222b62

SHA1
af0460b683a3bebade78bac5d6912b3b64f74060

SHA256
6bcdd2e172ac0225e9d73827879408ed7322664e67bc88176723cce32f20e843

SHA512
1ef8395c3f0104d113b39ecb864a7cd475ed66fdf19accc2c415a02f008a2900ae1878fe78ea7e134bbd73153d44ecc763c40a1b614357c1f29d1f898f5ffe43

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
196KB

MD5
0efa816a9070c912d575e8ea358594ac

SHA1
f952507e6c420a397fe423ba9ba97578755500b3

SHA256
d47bf1ce6709df315c85b7365657b70b0fa327cec2ca6861d4310395b41bcda3

SHA512
00fbe057fa92a7eb5a4a74a7fdbf8b0691e7be944692afc3d3a96a677c05bf510a0be44a09b9761f7cf8122615325aa99cc84b4b5525c33e106c8aa6e7774be6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
200KB

MD5
fcc8f29952a66104e176300e8a34d577

SHA1
208d1b0f79868e3214296ff1329fa31ea64c1456

SHA256
cfb230f7d0323e1db49e1ed21b90c174420f8e853d6710bd93abb36d368d0884

SHA512
70cade1944ab928ce566abc22881846363cf051ce4ab2b7aa6caaae3c6ef7639db9d4767a701f5502688f6ff1adce2d8598319bb00cd784f5bf50295ae75ff0e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
280KB

MD5
8e09cb212ffb848b6331e5db3f720c0b

SHA1
5af3e8dffc9378b18734b3bcdee63571b65558cd

SHA256
f53102f8ad92403901dab3a268dd8a989f07df6f93f29eef5a76ddcce7a13fc7

SHA512
4351b5beafd5cfe7cd5641f64582475b94ddf903f2350e66466eb9f1be9668ef82451f58f31a03810726b168af7ce1832021a8becc724d991e7f454f591da580

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
285KB

MD5
604423f65bb116431388e5056a37738f

SHA1
a4f703e7774c5f482fa50ebef41933f90f0a3440

SHA256
96171fc57b7a952602b40975ec610980075e5053ff02873cb445b2ed1f8eeb6f

SHA512
1708321ec391b48f950aa412f45c926205cb0ed8bc2b7085b870e5b69094478720b70c58f04aa47e74f5c59c14a2cc074c1b89a0c75071400aeb206aed22bd84

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
259KB

MD5
40fa79917ade84e718ea85adda34fa3d

SHA1
06d78721a73b2d9fe903138c34d42db59c2083b6

SHA256
694101989287306dbf574020ff46779248aa1eaa17e468d43d33d0e8126125a7

SHA512
e17c73ad9b6d3e72c963fb63df5b6be49583a4dd7b539a4376f65215dd44bf32ef66f104f4486efdcf66125736eb3413b5387e87873223b6f498a0ae68349a02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
202KB

MD5
a6dcc02bc2fe3b7e710fffd819802b87

SHA1
479ff0f60860829cad9737b0c67e2112d4d946b3

SHA256
74cf0930eed74c96684eddf9b40d3c9bc0c79c64d7c88c235621f38755e572e7

SHA512
7b3b1af9f50d0f7fc640c64e0f69b0177064eaf718eb388f026ed0b4e5da6d9273d04d2be3ddac742a3f0a96d9ddb5a3a27d2b831179144664cbf66d52b07ec6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
62KB

MD5
6001dccba13dcc440ce95dc35ccd00af

SHA1
5108b2d3ca584e982883e819c6b6bbffa278460c

SHA256
f28c414d88a09cf0f333b2265bb994793482f1d2c01cce8eccf881ea79468283

SHA512
84788bee3ac50d218c4bd00d3c1c81d0a2f8509a4023da7151b1b6d2cff8afe1befd743b3f796aae3ed6167d181891dc6f4ec361e1d7935c8964f216731462e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
17KB

MD5
aed9be354bb20f2577c4c08b4a9e252a

SHA1
b4a575124ba645c0e00fabcbeb30b1a2b373db23

SHA256
365781cbe3a463d2dea2f54c2bd674576b35b35e8195e1acdcd5ead79667d98c

SHA512
8ee6b734440a88ceb01025a637f06274c69acd758ef2285fdfdd3e7bf747aa2db232bf1ba32aa67d2d52510d11d11ba9989766ad531023d042fe07bc505191b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
6KB

MD5
0dae3a255277f1c5beaa9130caa446d9

SHA1
4c3a768feb5bc3cfeec1cd35a92ec118053aa59e

SHA256
2fbe9e92d16118b3d190f6c15ba9ee7b88537947cb841fdf4fd53e4e9b55c05f

SHA512
84e5c8a964f65cd779fe5dac998b044af8d12c468f2658cb3ac14dc9c44058b40c03c793b454cac7ceff3b6452c3d89a6693f442c5020652acadde9e8274e1f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
30KB

MD5
bbeec2d2da10ab3092ad5d843e008235

SHA1
b77b8f42e81223dce25cc3d6e17f2d5f918e52a6

SHA256
2912e90bc4f65cd0da4fc81b4bf2f82a728b4e188d9d2a2e72483890f222ea13

SHA512
e945d2e81f28c4a9d5556827dc86899f8bd497e6dac905ae2e3b9e0414e11cd7a765b2fc47655f4d119180db52d406311dc4fcacf343fd5c37b5530e1e936b9a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
17KB

MD5
d1305b20608d6197e2deeabd6822ddb6

SHA1
aa1e11f7d134daf8a1fcea217f94823e0baa59d7

SHA256
3e4dc0bc56483e4fb35c5b18b94c3418e19580ebf1f718a2a3a3fca5d0fbc98e

SHA512
ea5e468835837767813e85a0b364ef2c203b364d210adfffdee9bb664f16f636540d492b7f21df9713e6ef2eb5363cc9d6e5a74508d6c1e4dc6eac2ff9f57f21

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
254KB

MD5
b5339e4708be0cccdb347824246b62a2

SHA1
db1e2ef4abb5e108bd3d71e96e67ff13576651ea

SHA256
ddbcb006f6036f4c130155e3077c871a63d75ba618fef607f890304808541b86

SHA512
21c714062faedea65807692471ebcb18dc7d3f8ede25ee7a1444e66f56d2b7e91eadaefd8f5f2e7902dfaa78703a1c662c0261281bb8e6268a581cf6062fbcb9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
c9ee7044c169a58196a25865c2ac4ffa

SHA1
ef00032ce51335da873d81b5a864bf9d2940397b

SHA256
205542f56c900ea4b2ab2c5b26db541b12862d881ca99c655741dbbd334d9b3e

SHA512
ca10cf725efeb6878689d814839f0a40924fea01b0aafd81cea0d88f7fe7bb5c623adcbbfb4eb0fd619143411978b637982b43606fa9ea937ca62b8c563ed9a2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
247KB

MD5
3c79173a61e67f212c845ba5cd3b4641

SHA1
a3d65195cd929cb2bab108a0f2fb79c90e2e7ba8

SHA256
0f4536425afee462d77e16281693edeb97f9521d3c092fb20054afb479029d6e

SHA512
68da52796f265822a7285bbc5649d9b92e20289a9b7498c14846d318d5672690258597320db27964ec8e19a92fc952b98b2e1d05ce262a7a687493aa342f67d4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
ed0db234e2617fe0f8d75c19d41161b7

SHA1
5eba6b287a5fd4fac773a8805ed6a144acae9bf6

SHA256
c68ecb54f23c79476b5e1c0708a872e5d0d78a0c60a97cac5c63b40abb37f926

SHA512
d4e1616e0bde1905da2795708ec67e292434cce8a8f605a4c9402bf2bbc1a1f53b1caed09bfba7652e5005f336b2ea4eb91974a22fd8a3c0a49421d806fb85d7

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
fd558c414fbdd4f727c63cf119c15bd0

SHA1
e65cc538ba2623688221bc587ada0235b2149837

SHA256
1e759c5e4fb790b89ab07f4858010901d62bdf2ab4f8d4c6e842b852f6435b08

SHA512
8f03bacd065e08fb61257ceb4bfec9142c1c2034cd7c5c11678458206a0cfa0ae74285ed1566efb6e484e09d9fa9ccb5332477eb51253e4a7c666b337d2c8e5e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
1c94bf1f8d0791ab10f0316beb6b3bbe

SHA1
ff14d846e9aa6bd30d42915e4fe337c6a2fe6c9a

SHA256
ee239c0c7744f3bda5e996d0ddfc1c82820858f382cf3f9d4ebdea251ed83262

SHA512
497815a7905888e88a69d34dbde57f640f1d2432095f04ef2548313b177a5f922e635b7e233750b2e0a3349bf3522edba5582cbe8bc0bd4d379598025ea6cc6e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
383KB

MD5
023d936f531af334b713fae5425992b2

SHA1
1f66f184492ccc740f5f7d5b80120f77648cbde1

SHA256
0390222d8ec6ae7a1a4e15700abbf8f04af837851eaf18d08eef3059510f4ab7

SHA512
73315cde31458362106be60499b67046576c759a40ce39368b45086edde1c1dca8ab1aa531e60fd0311d8a9ba22d1832978a7e72712f4f7c5448c4b8f85a1f95

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
280KB

MD5
5809f6c0cfbc00877b12ea44af35d4a8

SHA1
9e2008519c4f70df6a174349238f476c6096b64f

SHA256
0f1a3a764c05f330bec87c09aef63d70d8d993dc8815cc9e653169e274f53f4d

SHA512
61fd42920e0750f858c897c40f4c2628cebbfc686fc4e69fe14bd6bb34b3e1ec742ad46efd6ec5a7de5d2dc3aa79168955705bcd7971d815d17b3af77a30cb54

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
73901846602c52a9f212f2cc8e2d99c6

SHA1
8ec0d4cb495d2001f09f048ed78038fd01e088f3

SHA256
2c4594bd327559de01603452a7e943d520d9c8b7b52daf71527b2c48daaf9d8c

SHA512
31e05198b31fb17648fe73e2f35f7f55106b6dda589e6853e40f06145894b6e8881e9d87a2911fa42928ed5846f9e8f073d3b2ffa0bbfe2339b1c9c076a39740

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
83KB

MD5
71657fe433d273aa78333ab7e431047f

SHA1
9a439cce9624b46b58569657687f7069e90d9cca

SHA256
fa793a9eb49f6b4af5cd0255a472784992c972d8551b21ed5f21d3e41dec0910

SHA512
ce5ccfab289193c060927b3ab608c7edac4e40fb375bfcf7f347bf036e58d2bd2154a723c1279e4bd3dbf40f820e2b5b1c6d0aefceb7299db628508a1e5a7fea

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.4MB

MD5
005ab4cef2830dc152580fd607374e73

SHA1
1aad9141cf268306622cc741a5e0602e26429e62

SHA256
1e41808a6d24c4c92b1fb7edd4b798852e61ab2900163d1080cc7bf9fb6ca3c9

SHA512
acc4b9a51dd91031ab0bcfc50089c206ca60e100106bef3b856117740ba762d39e71054fa8b8a40ec67d648fbf004c76fab6edceefa26353011510bb7eac073b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
540KB

MD5
7eea2aa3aaae3cd802d94e7ab159fa0c

SHA1
25abb04ba18ed914735f45b7e69ff06516b8bb9b

SHA256
f8c94cd24c44e67eb3a126941bd21f12e073c26f84a6c4e703fdccd0dd9d098b

SHA512
0d5db9763cf65739ad22b8f7c95d522f5d6a523a43a68f720b3a9b1b3c2bac07aa98aa165613183a40fec853074f1ca8f481b6b79c68d210e6b36107c6370f55

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
232KB

MD5
292c68800849da920a1ac8f714835771

SHA1
c22f088266ca0d659f1994de66b65f0790186964

SHA256
22b7cb25c124358e1da9f55f29df94193342ee9a3ceae4e1b7b21b7ec9bc67f4

SHA512
aabf1ae8f525f03c6e329219fd98ae7b2a6fd58aa834135bfd64069dc5a495e1e57d4736e78b9264fa0653de320095fd4224e76aae9bb8e09eeffe7cf7c21199

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
343KB

MD5
434eb613f1a4ecd5006ec50c42f2e1a6

SHA1
16bf899cbe84273b439f8463ac4b1242b47cd2aa

SHA256
360e5cbf4b215cc57fc095a5af6f7f68c241415beb111be1c5fd44a9fc1179f6

SHA512
21e99173550759ee640b4e679d8b0a38cf48d4577d2f5881e4ad4f77bea8bffe5edcb2f7c39b34ecf5184f9b0b230338d49ccde0434ddc1ff3b63d557cd6aff3

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
282a1c02b97f858e146df4947d5d9f12

SHA1
9bb034658d4d04486ea5d64a6d10cc30c72af4cd

SHA256
015276878b4cfa48f8326d7f5f723674326106bf68110041e565d611778c1128

SHA512
627e9fcaa899d4dffd627122517cb75d4ac70940604173d4d959c9c52d3b2a2998c5da937c4d376ce2b32a30c695edac76579fa45b69f3dd44c799d5440a2ec9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
9731494aa8d3dacd3edb0903fdbc087b

SHA1
d1b33ce5f3da855bb8467832573b6135b393f4ec

SHA256
e3240b32ad75b381048ddff6c7aaeb229f23b06bb44b062802f10e1985eb72ca

SHA512
2431414c092edcb131fe69582b14c3229ad17213186cb6af2bb44b994e91451dbf626a7e365de6dd14dc6dc5e3c5ec8fce9d5c7a92f5e9bf514dc305c41d968c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
40d2f0a495b21e7b585c8726a187b732

SHA1
592995d34a4e1e22e91fe9a9ac581f53b1fec279

SHA256
349d7b219beb24468f038f2a4c13474a270c14147a27a6bace5d84516abe330b

SHA512
48db6ad467396c86e5ec576dd59e2fa124a07a4f8a3c2f021be5688a816612170b1297447df24d6cc1e183ca6684a68fe6aaad714efdaf65dab8ee9f34c4f94e

Download Submit
C:\Windows\System32\vds.exe

Filesize
614KB

MD5
09bea02705e035dc81c4bea9bd451eeb

SHA1
521c5309257aa42a6ed83c0c3bf7a2e55ae5dda1

SHA256
c4d8181fe14fc3f7b0fce1e43e9bd252feecdf13bdf83c0ed1dcbb1ba1ade222

SHA512
c18ffe3a0b2010fc42060b3e8b8dcbc911fe4222fe61f060c39df09484690568dfd5473e8a14156d3600733e0623f32e89ec87e9e7505252d78298ca8f94c3e5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
418KB

MD5
9d4f2eac9074e61ffb88a0dc689348b2

SHA1
059fdf983aebcf7cc1455414120f7698ef0fd0fd

SHA256
9466257690cda2a6b53f2641c072185d1f17e1ecaa26330d94033c45c2696ea8

SHA512
68e1d3c825a477c8b1be9540a36e5fe9ef7caef64126aae692c88542a8156a16cb63342067552f22d27ea899565d8fea5762f19fbf01df452b0b60e9340e6ed8

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
300KB

MD5
de6f648a21f98d750d25908ba8328532

SHA1
51c5b6c093216e661d624a21147dcff0462076ec

SHA256
b559442675a2bbfe307be9c3ddb92a948d8eb9f255ebc963fc7e58c9a7ae2765

SHA512
05adcc493d06f78247a0aaf6dbdebddca6104e8522b81f680a016b0467f266e224e818f1d9fbe134fc2ac4fad49db72c2d3073c26c35d6d2588c7e36256c8ae2

Download Submit
C:\odt\office2016setup.exe

Filesize
393KB

MD5
969ce9dc653fadc1184d283f24aaeef2

SHA1
8b718e4b1c2bced37b509fe26d82967b547e562b

SHA256
72836711d99a839367106c73f19afd2a9061a5b7b100780ca1180b9e57b10ba0

SHA512
820a2a4849c59d4b56ac4f789ce61aecef4202593409634553e5ca6a36642b1e0bdf247178c5604b1d17050da4c13060fe953fd51409e33d5efc8cca8d5a0b6f

Download Submit
memory/448-418-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/448-350-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/448-358-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/464-249-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/464-310-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/464-242-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/464-243-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/536-233-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/536-26-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/536-27-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/536-33-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/824-319-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/824-311-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/824-376-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/856-261-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/856-268-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/856-267-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/856-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/856-254-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1376-0-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/1376-12-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1376-10-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/1376-7-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/1376-1-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1408-335-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1408-270-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1408-279-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1948-386-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1948-445-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1948-379-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2028-323-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2028-331-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2028-389-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2172-304-0x00000000007A0000-0x0000000000806000-memory.dmp

Filesize
408KB

Download
memory/2172-362-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2172-371-0x00000000007A0000-0x0000000000806000-memory.dmp

Filesize
408KB

Download
memory/2172-298-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2216-71-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2216-65-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2216-63-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2216-237-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2268-431-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2268-363-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2268-373-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2360-428-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2360-419-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2664-60-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2664-49-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2664-56-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2664-50-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2664-64-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3040-408-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3040-414-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/3040-552-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3060-403-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3060-391-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3060-401-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3672-467-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/3672-458-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4016-337-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4016-344-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4016-405-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4148-555-0x0000016FEAF60000-0x0000016FEAF70000-memory.dmp

Filesize
64KB

Download
memory/4148-554-0x0000016FEAF70000-0x0000016FEAF80000-memory.dmp

Filesize
64KB

Download
memory/4148-553-0x0000016FEAF60000-0x0000016FEAF70000-memory.dmp

Filesize
64KB

Download
memory/4824-37-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4824-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4824-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4824-234-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4832-440-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4832-433-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4860-15-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4860-14-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4860-21-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4860-228-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4872-454-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4872-448-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5016-348-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5016-296-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/5016-285-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download