3cab31e6da44b7a855d1e9aa6141139310c7da3af60a3d49384cf1179e64ec73

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2024, 15:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-20_638a3f126566b70307cce5796f497437_ryuk.exe
Size

1.8MB
MD5

638a3f126566b70307cce5796f497437
SHA1

d8add610f80923959cb39ab947e8b1dfe13612b0
SHA256

3cab31e6da44b7a855d1e9aa6141139310c7da3af60a3d49384cf1179e64ec73
SHA512

d6498ede5a3cf74a28f8f118449a36aa41c70ad86c3ae80fb829ce698f3102fbd96ed0d95995840ae9ab512313f317a5a3e3d682540745a4f253598aec9e1c9d
SSDEEP

49152:IKX0DzOswXpfymHQlIuQo/snji6attJM:qXNOpfjqIUEnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1308	alg.exe
2120	elevation_service.exe
4972	elevation_service.exe
3188	maintenanceservice.exe
112	OSE.EXE
5116	DiagnosticsHub.StandardCollector.Service.exe
3604	fxssvc.exe
3524	msdtc.exe
3624	PerceptionSimulationService.exe
3132	perfhost.exe
1768	locator.exe
632	SensorDataService.exe
3976	snmptrap.exe
5036	spectrum.exe
5080	ssh-agent.exe
756	TieringEngineService.exe
532	AgentService.exe
4752	vds.exe
4120	vssvc.exe
2740	wbengine.exe
4208	WmiApSrv.exe
4956	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1247b26d7c1fafa7.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-02-20_638a3f126566b70307cce5796f497437_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{14476686-4332-4254-AEFA-4A0555D6C96A}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fbaa50201264da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000be2dd6201264da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b66c93201264da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007d955c201264da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f48ef7201264da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a69f0201264da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091fa5e201264da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007d955c201264da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000420ef9211264da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000893d65211264da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2120	elevation_service.exe
2120	elevation_service.exe
2120	elevation_service.exe
2120	elevation_service.exe
2120	elevation_service.exe
2120	elevation_service.exe
2120	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2784	2024-02-20_638a3f126566b70307cce5796f497437_ryuk.exe
Token: SeDebugPrivilege	1308	alg.exe
Token: SeDebugPrivilege	1308	alg.exe
Token: SeDebugPrivilege	1308	alg.exe
Token: SeTakeOwnershipPrivilege	2120	elevation_service.exe
Token: SeAuditPrivilege	3604	fxssvc.exe
Token: SeRestorePrivilege	756	TieringEngineService.exe
Token: SeManageVolumePrivilege	756	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	532	AgentService.exe
Token: SeBackupPrivilege	4120	vssvc.exe
Token: SeRestorePrivilege	4120	vssvc.exe
Token: SeAuditPrivilege	4120	vssvc.exe
Token: SeBackupPrivilege	2740	wbengine.exe
Token: SeRestorePrivilege	2740	wbengine.exe
Token: SeSecurityPrivilege	2740	wbengine.exe
Token: 33	4956	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeDebugPrivilege	2120	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 5092	4956	SearchIndexer.exe	116
PID 4956 wrote to memory of 5092	4956	SearchIndexer.exe	116
PID 4956 wrote to memory of 1936	4956	SearchIndexer.exe	117
PID 4956 wrote to memory of 1936	4956	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-20_638a3f126566b70307cce5796f497437_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-20_638a3f126566b70307cce5796f497437_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4972

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3188

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:112

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4256

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3604

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3524

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3624

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3132

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1768

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:632

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3976

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5036

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1640

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4752

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4120

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4208

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5092
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4b19ca94f6efc7ea790428b335922196

SHA1
f94aaa521867419e82c1c0c891860f5958b17154

SHA256
02e8a7a8716797e62e7e6e5b7fe0e9e3de030eec63061edcc5a66b717af86a7b

SHA512
fc0973ec58f3e0d6f5b98f5aae9deaea40addc4e82297b82fecb3a0b4bb0b374664eb3ef4cb0be1fd5b42ee288d2d00679190bc41817e0272c28eae43490c52f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
e49c00807815193d660f2cefb74d7459

SHA1
b8bdd98cc07f2d92b183c19300ddeaeb45100b6f

SHA256
c2af9be9b03ebb45ba0bb154fcce4f23921aff7c6ea94d964431002cf49ffa42

SHA512
ce7a7f2155d54cf8410882c8b86bd252c06904cbfa2c006f24cf06ca1ff62a0609971fa874632e2ab028ee60a2ec4cdfbd487f025603bb2fc6c6fc1fc6c77a4b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
512KB

MD5
628adf6b6278884b1722ac284380dbcc

SHA1
469e84bf9d7728a09a1337cd7a9984c3fad09056

SHA256
8021cf6a3c52d8330b58a16fa8a6a1b0c8ff9b6380baf8a67c1120b3b382fc80

SHA512
ae5167a86ea8f1aad12afe5acf668764b73aa787ff5b40ebe81284d521676ece091cf8871cbff0762c46b1ff5528b9e413e7f9b65b1b3e446c9eb3cd09b86b29

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
256KB

MD5
7445a1e2a3e17296ffe49b50c64f1563

SHA1
62d18fa47e1e092a1bf23ebf3fea2aa7353c2faa

SHA256
4e30137a6fb147e23c3634128cfe31958b7f57a964bd0f115710ea90d466d0ee

SHA512
3d40c8a7f8613e224d7fd0daf079173005b676dc344fc8fb6f26198b152072a764ee9a0472a8a8c792cd71de1508eef555787590894bba2518eb6850426190a4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
192KB

MD5
bfe35e0028f0194bf3de09650904e746

SHA1
2cbfe4833e38a0605f6af0fc512c29be12acdc52

SHA256
323c05252ad034a3dfdb290a245ea50cc09febcd5a3d1d7db6e63cfa7cbb77d9

SHA512
7a63291c96939532ed2764436a26e37b19e08fafac5a2f347f0b1d6ba7d55f26e227208dc4e746b2cc42b5bb34208e4e6d7fab92187d67dd247e88142e762f61

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
192KB

MD5
ca7373c3f47e14989e3a08f3134a702e

SHA1
578412027973fbdcc3d0532db0c66a37280ee6cd

SHA256
e6bca2b026a3985af395078e85c8cfe98e2e7fc5798108b2e864066719f183b4

SHA512
26f92766eac8624fc809a3e4ad6433b4fb0689889d7da06ba03d2d771e491d1853b862ac11d3f2077ca08dad054a43b727d1c7d882b74a7400070bbfa6b90a3a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
192KB

MD5
1bfa490c4ac9d949b36fc3add4453e89

SHA1
356892360fafe97c5e20257362884c2fd47cefa2

SHA256
6953a61e6a63fb4d3bb3efd5f7b72162cead9b3cb6030d2098281c864d0ea907

SHA512
937654cd0715ee49aff59ace35c48e6f7db3abb9d63b491ac564670f0e66f7a3193c53c39f33008d0d33dbf04e29e47652ab6a84f630bb46b30d1919629c2337

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
192KB

MD5
55345dacce38a38ce856229c93bf2cd4

SHA1
7c4f340758d267ff976e08038bb9525937e0fbd1

SHA256
aa83b47e42c6afc1867e7f2ea9eb32233bc2206df1add5e8bc21ff9666936502

SHA512
197ca2e3e7a122557fff56ab5c79512d98c32361494830a9cb91d0b977ae3e19cd0941703959edb8222261c89342687d381195b5bfcbf95e950c1b70ed104ff5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
192KB

MD5
f0dc745f7329c3e2e688bb8f1832679d

SHA1
b7497eef3d0231c1217e36fcf86b8227157c0f28

SHA256
b767d125d46e193fc2cc748f0e18a968363369dbcf7ff4e9fa9acd98c6d3d698

SHA512
17f1ba08c71bf4e38e00758a859216ede05ddc06cd8a9ca94bece8939b5c9b1e6d9aaacb612bd2a2dac421db7666f0c37a1522b4c82e59b4631bf2db3f198fdc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
192KB

MD5
0ccf00be4021a345e977ef76e777deda

SHA1
34300166e9a8155cbb9356bf2e5c3f6fa038e1ed

SHA256
c87e716b9962fd8ff36a3eb793faa4af2eb86ebf1a81f2a290e20a057634ccba

SHA512
0bd7ea4d54bfc31c9a64be2f51ae238db1e3c6d3322157a3253dbc9cd392acc97b9160562403cc1d7f4055bc38d4f7a4f45f0240053bdad09d1aeae4596b5a7d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
192KB

MD5
419b103e2f906fb14840431166431955

SHA1
a887a80efc4bb659f7d0e535a7987954e4f46843

SHA256
3836deb4efc9f1c57fba20948365f2f0fe3d03527f3bf4d3d20302a0c9f91046

SHA512
e414138276a535d2e49883cbdb9bff5b90b471aa7e6802e9fe177460de6ca039bfdb0f2480acb5a59eceea585dd19e27de888701004d6f4e7a85ecb71fbb050f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e0dfd83fc5ba4db04032ec617f85d9f9

SHA1
c48d0443b4e721c3122b42100285a2aa11436211

SHA256
063495fe82959ef6139f1ee6159a9ce1633546d6327d387caaa36a4064a90f40

SHA512
5f9f98f25347d7760e6d49ad3b36240cbdf8218a19393ab7f1b84400fa74dae41e026d0f3fd328e712febe4da4d9a77976a9f471b504019d1694731a0be4422c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
5d49553ffee0ec522c95204b2598ddbf

SHA1
ebc743fdf18b7056b33c9c9dc08cd1ee5720f764

SHA256
e2e9831944bee3a13a0e8c2320455c1be4501d7bb16404a4473fbfe960c14552

SHA512
5a42986f1652c7c2b43ddff181a4b8d8b19424b0ffa71147c3fd3e66749c34c52e66be9b9b57d9810886e1efe6db46dbc3fb533f2c7e0f4adccec3d8e2517398

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
890e6533be8bc17c1a2e27e900bf4cdc

SHA1
7f4ca65c95f3958a494d6d546a879b86acb0ac82

SHA256
b879cb52b8772ce38d73f9f3b5313c74ad8fe30a326fcd6733a45a0a948a084e

SHA512
2c505a6513bee5a94e35bf017f66d9914a82f0aadfb6517452692f77df53359e78101bff00bdb1ae122c5dea1a6bdcf91bb2fe45a417a72e37ce85ebf250bd07

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
41d8fb9167b72070d57a6f6381c0245e

SHA1
f9ae33d676bbab7fa32c6e878289d97909967d9d

SHA256
bf8df8f00c4875dd2feddcc729f1067122056cef739d797b02b0f690bcb61936

SHA512
0f2f6404d90543a61009410d4be4fcab7cc7151078900ed8087f1e616b1a8c47ba68ebf5c664afa911310c2ba39bbb0e55e14e9cb9ffc43d9e932a80af193343

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
7964f9a03bae9fb319810b2602491d99

SHA1
8ece601224948c7a435b5e19db1388af407a8a1c

SHA256
1d44597a78fabfd16be922932abd8a60d57ede8fae32730c3fa3ed18c1409d51

SHA512
b44b14c610e95f783eecf13c8066a1282547ac0e2fcf01c307dcf351880c5df02e7c1680ecbbf2fbd67388b68b8d502c24b0bd99b7791160738d815e13780097

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
526b831c7690290833b8b7c73e28e1ad

SHA1
b5119a1c43e4252bd58a13a6e6329d2a87a0116f

SHA256
a8bf5b907d987b148759466cebe655e00ab69e1b0343124f08c8872de8eb8486

SHA512
af62dcdd899ea9b73ee8599fd7f09aa2f3a498467cf495d6337f8fb081b09eb7510b5265dfcb798c1b339265899f9d626b53ff59889c42733cdaf325743b6d34

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
bda36880b8bbc30481c75d96f6d440ad

SHA1
df3f464bd634a379d2741b590ac3ac7356875a6a

SHA256
8dccbc55643a5c92eb7f8e3a67a0781142f3297a858983b3b91bc293c368eea8

SHA512
434f84cdb246147e3ae6f1727dca6a4b5123f8a8c68ee6b6eda482a7451f64c0a97f9428fffb602c7d8714c5107f79ea658f6647a56789d454857317a4a9c50c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
26038878b1dca4f644fd6ce913d3243e

SHA1
47d90664ba73264fcf8eaa88db192de67433b2fc

SHA256
ee9ba195fdfe34285193d9a4ab12bc8b42fea22b4e4ee866a222ed1a87280e91

SHA512
f8b8f168b6cead49c4e675b74865ebb34d76f54e762db1d49e131ce88d5bf833f99ce062e8a386c033f947093e0e8d7c5cefebf6682ca85761965ae6c5768a5e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
8aa80d06df90d6610acda144255c3d85

SHA1
6e41452b977e76f2769cdf282420ad5ddd61443d

SHA256
86942e362413136a3cf1281e1a9800aa61a0c53bcf0f8b42b2387016911535e3

SHA512
55f220c9c5ab20d3e1930d754b91557f60fd347b0d8a35bd0209747490e9e4e1aaf2db718e513e7ae037e662290c230dee37a40699b3d4435eb50acaa334b672

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
459d7268ba9960fbb09568dfcdf6a3e4

SHA1
b267f22e0591126c1c0cdb0f27443c2fe4ad9e6a

SHA256
420b4bd0f4b97a7a35eeeded8f0995dcf5d127d844b0919679e0a8f053f55dbe

SHA512
b91993379e3e81f7a43f5a3c127f0cb234eb4570c49ccf4abd4904a913c1f321505dc7d002f4f14c6e877d5df4d5d34fdcba35a9fd44dbabce6e2308e820eb3d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
6103b660e6f7dc6a057f75ab50b356e1

SHA1
d46d17dc182191cfc53f522c02d59201cde4616f

SHA256
10f37705defb5c9dfe50b1fecf480997bb6cd292fbbdb2d04508db3e1b317976

SHA512
90faf5d4f74ed9209a9f2abdc8e4d7a42c3f9acb1da2b2139b1138d730ecb257ed12b5f6935fa526d30bf3f2f28839795de18590082be3d484d07c1239c13c69

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.1MB

MD5
6f04eec84ee03a6cbb8e1991d9b3240e

SHA1
c6dc1b3904a829e2e78aeea130b152d27df986e0

SHA256
afb4e1d756fcad6ff1d93f9d607dcf3d86068d10e56cffda9cd93f56219154f9

SHA512
24e590160e9b9fe13c951d2d7cf6f60cbecd0bc9af2384222b429608650aa440b9b3853c402e5cd5e9272440bbf8aac77b84ce21219894b93e207112a508ecee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.0MB

MD5
699ddfc4861279909c10cf52fa7adece

SHA1
f719f61c0356618f9ea1253b387d2534b220c377

SHA256
9788bfc24f1ab9de484cbc6de10fb6b9d82d668cc5b1d2abac628c5c47d7d1dd

SHA512
a56acb634946b3922f8e9c797fdb752e6da0e31e47cc91f57e5477c9aba5cfae0b843873f2bdb367cac3ca589f21deae2dc196dca8a7f12d50df8f01941edbdb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1024KB

MD5
6f2a93dde30757b50aa712256ad866a8

SHA1
03162c3e85d465e1819255791ba8e272c96637a7

SHA256
6aa9b845faf9b40f163f8db8b0accba7b115995971b29301ebd4462df8e04bdf

SHA512
701420c9fd84e9e163aa5f77f2e46bf5732b9e57489eb06f387dc8cbc6cbf9f063aa1b342f245d1f84a01514f6fb999a7b73319b056a539dd9bae2c9558a9dce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1024KB

MD5
2e3fd79bea6fea4529c0065bb4c4ce23

SHA1
10300ad13a1c94cfda9d53221bc65fb1bf022fa6

SHA256
8dccff4ee1728c8269f183560412d207274aeca835f3039255e9874244198dd5

SHA512
ae99dec60c068a1aa446a8e285e1854959db29b0f087f2155901b7261db81a1a1ea255bb10069a77d3a3e9ede1695f8add5ae3164ace5cd094a5ab00d9933643

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1024KB

MD5
634653ed062be17355dafd086599c8cd

SHA1
8cc9f789bc5449e035e317d1d62f73738944f685

SHA256
b5116faacda91257466d6acf4ade49eabec05117fb998e96c9775233ff0b8fdc

SHA512
7277df4a5201ea781005042bcd26e229798da50625d79f3f9222bd77bbd28fe05636ca7ededb764e4e450bbfbd97fee326f4e47fd78b00e7902bee8c7da3e219

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1024KB

MD5
784767f9092bf086b9bf0d0a10c17fd6

SHA1
5d48aefffc3dee9a91c4223528f2c04f7e68347e

SHA256
2038fc09afdf638c6463bab2ad76b9cdf1e97e7e1d58ccdfc52c61242464b9e5

SHA512
ced615b6e5244f1698f83b33b49f4ba3acfb89dbe83272c1408123176c5a16645f4b02fb61a61bab03c4d4daf97db1f74164d54357b6700b029305df61cd3fde

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
960KB

MD5
f0a65111a55f74cb4e744bde1da77e2c

SHA1
ea8178fdb9e519451774b8557c9adcd611590d2c

SHA256
8767fb70edf3c33d317a0f28e555dc3151e4f93123247dce5554f3e7aa2121f7

SHA512
bf273fa1103f2540e787ffc1279413f17e307ceff343d2130e05d0a6f0baeca78d7c7507a61c46f39d8acbfe0b56ea02712c14bfc73c33598d5081ef8a310776

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
960KB

MD5
0c0a5d7edf9707c352429d7e3535b13f

SHA1
c284363a173020e9dbef09f4623fe8bbce3ebfac

SHA256
5b54f64e57ecd139c2bd39ac2aa664a76c28c21bee77e4c15ab8f58a3b005901

SHA512
8b12e87a5af65446647667f030b6af333e869a89560b128df67723cd111fb7278932cde5c684e353a98ec2f84427e9649cc112bfe62b7163b9878895a9becaea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
960KB

MD5
7ca04a851f3073daa4a02dd093499fdb

SHA1
d6aeb84e08477b79d7d8c451604d0532d611f124

SHA256
3a9c9e8d9d47578fc2bedab6b830dfe2b76a48b7323bba03bc3ac7ab6f8e737d

SHA512
3c8d6b01559ea502288fc66abc03809c3a9200f89050f10634ca716a3a276c9d86be348208e54f1225f782ea5e241471635f13ff5207c03ff1a530bc2a381ac0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
960KB

MD5
bcad8565b15962a3dadb5dfb3ac102ff

SHA1
9e8527afee6f84fb917254ea3e195cd1beb513a0

SHA256
d3829da6f5a0e46abd2b53be8ca24a7ace366c7051d08906abee05095f7b7a56

SHA512
872aff239ace0f715789f7903d77dfb90314355271b7fa2807b8e2cd3e3ad9e97f93bf0c821e9e3c6048da7117e4356e188c4dfd680d78fe63a51b1901fe8a64

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
954KB

MD5
94e5b57e1e11565286472502f48198e5

SHA1
ebd28d2f3d11be717567e1070d75ea9c100c6d31

SHA256
b1cf767a9176716191b9e656276656feba1643a3c5e9e88524b36b080787e956

SHA512
9611e7e3edb46a65fe1ff15350b2855b2722da2af46b7e9186c5d040aa3d8f5197bb1d0972dbe04cb3ab00a9ff33eff7445ffecd270f319777c2f00ac6b238ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
896KB

MD5
3f1c6863392cd1eda52a3a12925aa2a9

SHA1
5d3afdf12fd28fbbcd6866fdca2baee5583359d8

SHA256
7bc15fd4215dc259a6b01f7348cc9a491cbb11deb025a233e35f3ac9d2504082

SHA512
4065373050728eb6ce59cc449ca2e5c832e8adb46cce0f7a02e64174caee8f0c6fda601dccabc082d5bea68aa9b0c5aa7675599dd7b011178227317011865fa7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
896KB

MD5
c4e9b1cfc5d4ce1e69c9d4a60332c018

SHA1
0e114c0d9d10c54242fb34ccd63acadf8a958d9e

SHA256
15c9bc6c3fb2fba0107fb5392c67be1c2075154f46518c4c5963313552e9a377

SHA512
082a3d005f0d0900f630878e0a220ae376cfbebd3ffd9ddb31fa82502500890cd9714e0ccfb1dd2f59d006c1199dca31f8e8ed5b06b594888330912a01901994

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
896KB

MD5
036241cf3d6c148683d4a20f892c200f

SHA1
76a400225e1a81c8a06c659add2cde6387aa372a

SHA256
a1f4d0a63bb0e19b3448d50867c185c9dbbf193bfd8634cbea53c8fb4bfdc33a

SHA512
1e0a11df06c1090176c9442110fc78746b9ea84e96b307ddb3ca0c2dfa3b54707283a2c0115d904b0d89adb8576180d870b21cec26e808e42690beb9b48ff1e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
896KB

MD5
8cfdb3d8793dbfc9083e6a5759ea6a70

SHA1
339784daf2e6768fde1f6e83fb14561af36aaf5b

SHA256
2e8c6e31dcada0b794ed90e5ea2def0014200874c7e80d57327a1ee43f3bce79

SHA512
8d06be7879a5813d3b1e04301a1c9c8e06498632e4f013025381c50ba7fdfc6542c5bf443a3b98890d711d00d8e907dff26c97e75314a0e22879471adb239e84

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
832KB

MD5
b8e1356a342d885c90f6c45536903ee9

SHA1
c69bf1fb054c0298a23724b375597288d6bcbd4f

SHA256
deb4cad472f9608f9e7c3d69658080bcff5dc193cf144a8056c894e6b7ae575f

SHA512
9ad3c36c6c1dfd3961896591aeda1127b23d1aad78422dea9a4760a97d09afc96751794a7a41b4542e62d39bc0c9023e02c860d6d723e0bbb47dfb13d12fcf1d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
64KB

MD5
9619d6aa9ce5d2336cfb30b8c814e65a

SHA1
df91efbda80b415ac1273f10eba0c733002cbf92

SHA256
5faa4b5ed4f956776b9d0ae1d69bc77de403c0be15ff2e3471d21405b5571a03

SHA512
e028cae85bd33c4c01f15b1997059cf63cfc37a0b80985b69fe74fe57c7c32bfbff1a9d1c9ab4325d030474909153af8cd1046eef375faa20c304dda96ef5b2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
64KB

MD5
7dda6d6a2744cbe9a5ce0e474ac8887b

SHA1
c8edb5582fd6b599f0dba76ad5c0080130238558

SHA256
a43c1e383cc159c9345872c83c3c0cb5f6d33523ff3b8d212985d6a6fcacc4ae

SHA512
8743736214641de874730da4b4f98d90f8244f036b0dcbf3f62a6adbfe111904b60adf7e2fac6b80214bc4bf220afe52d9daee9b0f544e2bd99d900611d2de5a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
64KB

MD5
120935a7ec4371f7390f5bdbdd824b02

SHA1
2fc82fea1792488ab172374a329f30b3431ed146

SHA256
4c2e83525da68a9d653e9dc7d2d351c8e5d6526d034b21f681cd0122953332bb

SHA512
476b5c9283c52718a1cee4e1ae979c701394ccc48e3afd29b9ee3fa1a9cfd97b0c31fd5043ed068ca33bfe31ef6cad6d1d3265fdd8c871f084f25b6238639a1d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
64KB

MD5
692009d38bfd3dfd7ec7fb07bf3f61ae

SHA1
37a391f0f545d57b6d03e885ddea777f2f062b3e

SHA256
ec5f581e9714ae830be252e4f41a1a23a20cbfb6ccbb6256cb784dcb2e66cfe8

SHA512
c793f692fa4b9002ed94386b2e3d6049491ae2d214e9d1469449da29270117597d537e9d0500b4d3a7565261ecf15fc3b7b9e81116f9be76e6b79f1fdfa54974

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
54dc6dfd6b124db0454d759b869a06ba

SHA1
fd0521f78a2ec1018c0a591643c30f384493f643

SHA256
e0a398c7075b07153c7972b5cdd86a23d92ffd40428847583c7eb7c82fd56853

SHA512
80cd732303f6bf81340b433c3e33490d20c3c6895d52546dfd27f94f0ac265d8e4919a64e02e5a3a41f261429761c0178c2ab2a9d1bbc3115a1e0a6a25d6413e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
f9e7297a890f6a8381fce3ef0e0b042c

SHA1
c3afadb5faafc3647fca0a509037e797ff12c5c0

SHA256
a80fe4183af921eb4332149357d2c25e20e94ff1eb4e88e0eb157e7fc70d6595

SHA512
dd08a6bdf91a265078016d92578753a4a18cac2256dd982224b7ec0b5fcefce16b1cdca29cbbde4d40960eaf369e12dc4b1cc9740b6b39eed4d3f84980e352b6

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
59333b9680ea24efb623c22c4701daa7

SHA1
5082a3aadb109e325a3f32fc7a74b7027792ea87

SHA256
6d4fc15548d6a709471feafd7fa0f4099ad0c5bd627d090b4f2f2354e36cb016

SHA512
972137bca794f04241b71d631d2bf5e6a5113b76bb1d541f51b9b74fd9bbed46fb481fa91014065be44266155d3cedea00a4907f4957679a38c7b9c652e6fda7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
9f763cec7d0648aa0c15842372764f64

SHA1
4e4eda2a8fd0b6e4899a4d8020070eb27d6dbb7e

SHA256
a24152c6411aa9bb10da665cc861b519c89ec6879e34c5a17246bbacd9138c3b

SHA512
cccacde13e090ae21ae30dafc262f296d7787041973a8844d293d0905925521981de1afa24741c4f6cd270ed8f0a13cc1ad6900b6bc55114c6b13aaa04b62f9d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c00fad3ea0ec6fdb8a355d8ec9936e59

SHA1
2373e7d7f196e9971b9e55d22016db4460e6301e

SHA256
23498ce9f0cc635840a2b66d4e84a675b2c20cc7b22f276eb703afce732813ba

SHA512
ad25cb41dab90380bc6fb78805b965df2043fbfcab4b65d3400de26f0d43a56ea62de2c67d9975bc3e6ef171d3064cf6fa110fddb7fe6fdefae95181c73e6ec5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
0cb506f8f7c7b0d1d4b82551f8cbc253

SHA1
e0563eb0d1d6db04442446249755437e94039788

SHA256
e7f114af07d067c64fa6e18e9055fd0ac453a59d232100c5c473b4573ef68943

SHA512
a4c7595e9859322ac5c36d724a5ed16086838ec1991a6f4afc321ebf0454a4270f277fab459e15132c432c4c27b093e9832df29bf2f8a77c5852138714a5b1de

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
670aed79c6bdb95f150236ccfbe33348

SHA1
a48fb6f03136e0b7396b149667c0720f1a2c8886

SHA256
f1460801b0f3c585293fe93174ed20b62afcabd09e13d9253c756e33a22f1564

SHA512
68b0f70bf3f083a5cc223be78d9c8a5ccba7fb5b888b29fb22d99351529395999fd3afb6933ec2d1078c9e0e391a6aa44127cfc16de743e7b48d1f54fa00f124

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
e0efff589a3e1b3032872932e2a9fa99

SHA1
c35ec148979e417e33899c5d3a2dc840d0494ff2

SHA256
6d81b6a6e0778d3a645bdec2bde95802a2de87f6c11623ad5306316f59b738d7

SHA512
b953792ec443369bd11bc94499d14eb214455df42d49e53a0d53072f6fe27bb55282d1df82c7720b9a7d02257aa5367a0628e918d168197083f7d06294944ef5

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
fa06d2f01cd0dce693f7d9b93ac06c46

SHA1
8d42aaaae96a1f51b2e522a799b5cde16caa6d9a

SHA256
823e9a8ffbf28c7470da72557a50b0bf77e934905525c04b0bea8bd1ad610461

SHA512
7a989e0bb0dbd2a2a14c147230eab1341bf38a0c9887240a9ec3378b2ea2c3128566592ee512da4f5a8603c627c8a090e897257efcf7bd3b93844dd17d8dd27d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ed4f73e07c66f93fdafac58e6abf64d4

SHA1
89c10516663521016d8190c904c0324cafd4c2ec

SHA256
06b900bffce557d82f474e171f3037d9bbc0140883d26a228c249eb84fa6a665

SHA512
23925cdbd73b88f22691fe9eb01b2ce111f8edc22627a7d96339990684be711763febba6b8f2fdda1139ce18ecc8a12a658aea5e91f7299e8cb6a6c9efb17bf4

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a67b9e2875d552cd4c66b8d28071acaf

SHA1
9d215e1d59846fe7862da21e1f950a35a9745868

SHA256
d7bd46a8e7d67e428ad51cdf972512c437a5f462ce0df19584cbc86a155d2095

SHA512
cd40c194421390df96f999b2f6da46837fc512c96288a6e50c605a432e6bc8765f4367b16ef166ea60b9bfe2e0b885a635d9cfe40762a254104d52d497ead51e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
daa117e42024c111e1dd7fb5fccc2f2e

SHA1
2fefbd6c20776b6eec267889ed76748bd0e5a0ed

SHA256
3952ffd33af1a30570b2fc44c9adafc73c95eec189279a8dad7335eda594ec6d

SHA512
a3880846c259ced2fb282e9a927da28ce25fc635a9bfe592e631cb52b72571d10ee0a6310cff17ed8d865256563b08ff861072a4c7b80a702197d7002d75a9de

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f8e0e8e209e348114ef6c9d5ddfcdc4a

SHA1
24923cfa48b4f5901facb09887cf369b92a2e30d

SHA256
e140ec5e254f7815d7d72e88dd21d8c6e974052ac692387558b112ef99d9fcba

SHA512
023028224d241bfedfce7f3d12b5ae951f927669a53b86fd9ce0b6eaeb20862e1a02c5437c0902ff44e3d6179b822fdd6743c4de052ec7cdff7de750818cb49a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
88ee99288e3a79b8b85f74e2f4bd2798

SHA1
692efe0cf7b9ac5e4ae52bf67268d2a3d7bfeffd

SHA256
dd2a78ab78bdeef54ca5c993308531e0ec74907df77d9682be10ab4831d22fc3

SHA512
a01c8974337b36b56a7f466d07e5bc1ec1e35e54f24b7189ca05bf7d523fee7a091f3bf38e5f4866f3dd244a8b78496478928d6e6682d0bdc583e0b135912745

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
b8324e6d0592d40f69d6fc60cedcdce4

SHA1
4d919de9d96227b158cd447685c25a213a17b168

SHA256
955bd11a4e89c69d4f5e12aaf0c5e8972aa5038238f2e62bd7f36e4d28c2b6b9

SHA512
bf97937f0b0991e1bf5b1b610334875460490efce2850a768303a809a53e9c44e533802db9f33fd96c29f22930e7d939ac8f3c67add6d8ee0c540841e728414e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
339a35b4ad96b23a7f8f61902f77df01

SHA1
0dc3fd201c5d1cbc639c547baf7cba5617763e95

SHA256
ca2531f6c44653fe0301168b2bb24008af9fa212c8933acd7e6c67aa3aae2247

SHA512
564984eee1a2f031b5a7d6d191e9b6cd61c649d03940c84f21bc6aae193e853b90511b0a4feccecb106f428f18332a6e9dd5813917ee8513c9a988090e588780

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b3040ea2b2a6e5dc383cfdb2538affbc

SHA1
372ec02176898e6eb91653b7a7867a8d99a626f5

SHA256
9997e1de91f93847008d349d722e69d5794d1f1c44e92f80781e20a018d6f03f

SHA512
2f1fd3cc9e47833674d7eb1a037f2fb292d5c582c888c2cd14b6725758c6366e95a432a1eced05d2d114f72b419c86ebef2653d38ef3aa27a4f442e024ffa731

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
d697287e3b6a1ed41ab2f8f9c896cb9f

SHA1
b38a45fba01e988a546f8e651c61abed72c67b6a

SHA256
ec81c51ffb83f7d377c9bfba8325efe93ed7a0216d1d1b08f2babb85d87f22ac

SHA512
6136d1e6f224c243018515095a2768014cc5b1415abef2bd04ade3b49e4c2b49a11b1b53e90a63f88257c64c2b29196aea727288b3d698e40b43b4b5acacf471

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
fd04a5526d3461759b659972f0e684ec

SHA1
69fe735a7673d9b72ecadbeab2f55be5cc030b61

SHA256
37f7bbaf76f814449a795fbcbb8c88a9c708d56b6ddf46ce300bafc34cb6d45e

SHA512
08fb3894b7a37be1fccdc1cf4b72a3126f35deede680a569b7e299708ca341eafa8bf706340f32c4e1bb22eb453195ccc2db5e2bb111a2b2b9d5b42932a3f361

Download Submit
C:\odt\office2016setup.exe

Filesize
1024KB

MD5
47b968de2d3530f6cb92df40686a115a

SHA1
16b68e7762b03a07f8474526218f8edc326ed985

SHA256
7776ceec941f59cb0e34e6423d2ff3b1aea7e40124d0cffc71538721283838b2

SHA512
41b26e7476aa66cd73229c75141da5409f190bb424c99fa22c245d22a84e8b0b471dea97d09cd3c2a96367e6b56036425aca5804357b3fba1b2385a6bbb3f7e5

Download Submit
memory/112-65-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/112-239-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/112-73-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/112-67-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/532-386-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/532-399-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/532-398-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/532-394-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/632-318-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/632-325-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/632-392-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/632-542-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/632-383-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/756-371-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/756-440-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/756-379-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1308-15-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1308-228-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1308-16-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1308-23-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1768-370-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1768-304-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1768-314-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2120-235-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2120-35-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2120-29-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2120-28-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2740-435-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/2740-429-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2784-13-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2784-11-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/2784-8-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/2784-3-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2784-0-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/3132-366-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3132-301-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3188-58-0x0000000001AB0000-0x0000000001B10000-memory.dmp

Filesize
384KB

Download
memory/3188-51-0x0000000001AB0000-0x0000000001B10000-memory.dmp

Filesize
384KB

Download
memory/3188-61-0x0000000001AB0000-0x0000000001B10000-memory.dmp

Filesize
384KB

Download
memory/3188-66-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3188-50-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3524-338-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3524-281-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/3524-272-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3604-271-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3604-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3604-257-0x0000000000A30000-0x0000000000A90000-memory.dmp

Filesize
384KB

Download
memory/3604-266-0x0000000000A30000-0x0000000000A90000-memory.dmp

Filesize
384KB

Download
memory/3604-273-0x0000000000A30000-0x0000000000A90000-memory.dmp

Filesize
384KB

Download
memory/3624-286-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3624-297-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3624-351-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3976-401-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3976-339-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3976-331-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4120-423-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4120-415-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4208-448-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4208-443-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4752-411-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/4752-404-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4956-454-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4956-462-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4972-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4972-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4972-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4972-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5036-414-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5036-343-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5036-352-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/5080-358-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/5080-427-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/5080-367-0x00000000009E0000-0x0000000000A40000-memory.dmp

Filesize
384KB

Download
memory/5116-251-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/5116-244-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/5116-245-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/5116-252-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/5116-313-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download