c4a6af9831f96673cf4b533399ab7a0634e0c7507eca112565206bc13e1c4ad3

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-02-2024 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-20_c8563dd3adb82281868916d9e3a152d2_ryuk.exe
Size

2.2MB
MD5

c8563dd3adb82281868916d9e3a152d2
SHA1

c84886ce91d1a35d45c70087ba0c078e9534c256
SHA256

c4a6af9831f96673cf4b533399ab7a0634e0c7507eca112565206bc13e1c4ad3
SHA512

a566e6533a3337f47ad1cbb7aa559c6dce251cf4af8c538010244d264115456c9fd1b65f34ab138d4ae68f358f2940e839f58688de284a7c39e1b5477cc1c41f
SSDEEP

49152:uNl7soq7sQCr1kyG2xHywRfHIO2Ts4bvD+xlMPdlR8v4UC0Eg6ET7M/I:KD23S1kaxp9q6l2/V0cETQ/I

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1596	alg.exe
2036	elevation_service.exe
4488	elevation_service.exe
3432	maintenanceservice.exe
4248	OSE.EXE
3716	DiagnosticsHub.StandardCollector.Service.exe
4320	fxssvc.exe
4556	msdtc.exe
2352	PerceptionSimulationService.exe
768	perfhost.exe
1056	locator.exe
1692	SensorDataService.exe
4440	snmptrap.exe
2596	spectrum.exe
4700	ssh-agent.exe
8	TieringEngineService.exe
2772	AgentService.exe
4564	vds.exe
2340	vssvc.exe
2324	wbengine.exe
3656	WmiApSrv.exe
4316	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\77c639697c1fafa7.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-02-20_c8563dd3adb82281868916d9e3a152d2_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_76828\javaws.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008699934a2d64da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eae3fe4a2d64da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000120ea94a2d64da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ca68654b2d64da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000061c19a4a2d64da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001aba164b2d64da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2036	elevation_service.exe
2036	elevation_service.exe
2036	elevation_service.exe
2036	elevation_service.exe
2036	elevation_service.exe
2036	elevation_service.exe
2036	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4748	2024-02-20_c8563dd3adb82281868916d9e3a152d2_ryuk.exe
Token: SeDebugPrivilege	1596	alg.exe
Token: SeDebugPrivilege	1596	alg.exe
Token: SeDebugPrivilege	1596	alg.exe
Token: SeTakeOwnershipPrivilege	2036	elevation_service.exe
Token: SeAuditPrivilege	4320	fxssvc.exe
Token: SeRestorePrivilege	8	TieringEngineService.exe
Token: SeManageVolumePrivilege	8	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2772	AgentService.exe
Token: SeBackupPrivilege	2340	vssvc.exe
Token: SeRestorePrivilege	2340	vssvc.exe
Token: SeAuditPrivilege	2340	vssvc.exe
Token: SeBackupPrivilege	2324	wbengine.exe
Token: SeRestorePrivilege	2324	wbengine.exe
Token: SeSecurityPrivilege	2324	wbengine.exe
Token: 33	4316	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeDebugPrivilege	2036	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 3004	4316	SearchIndexer.exe	118
PID 4316 wrote to memory of 3004	4316	SearchIndexer.exe	118
PID 4316 wrote to memory of 4708	4316	SearchIndexer.exe	119
PID 4316 wrote to memory of 4708	4316	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-20_c8563dd3adb82281868916d9e3a152d2_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-20_c8563dd3adb82281868916d9e3a152d2_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4748

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4488

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3432

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4248

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3344

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4556

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2352

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:768

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1056

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1692

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4440

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2596

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2992

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4564

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3656

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3004
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1ec80c5c76639b184595394f20f4840e

SHA1
d20f8c52a3805ac17d716a634c55cedaf944a622

SHA256
112f95f9842b03bcbadf88e280102e33e48be54dd49c0c2939ed8c3ddfcde769

SHA512
6a50cfb711526e6c7b97f6bace0bb4e885c24c5f550fde198c86285c25c00e06b82d82783f54b3c5b30dca93cbe34a56f491f90c46894d7af8d433d751b91bc0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
f243c70318a39e3f35c65df1770e2b3d

SHA1
5d2d2454f212b1a03fa6daaeeffcb0dbf36c9c61

SHA256
723c31e4a243753a99705c790168ac29cdf005fb266bc6e30ebbb185d7be5d30

SHA512
c6a04c55e96c8ac8cde4ac32595cb82f03086c48f98ff6af79e6cfc10f20add58f840acb12a081d87d61e7ff29fdaeda24d42dc7625ee8bd2ab7f549c98d6b2e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
0de04f58a0d623ae9ad78ac3bdce1c0a

SHA1
073a4b6d59be66cd3494153bba6184c66e193455

SHA256
7488ba6595494e5ddc4d65fe30999c9eafc21167fc9ec03aadca6baf812d2500

SHA512
48ff98fc0ff7e55f68af839f5775c08b9427930af4f4648ae66bc6808b389d35193ad1349248d89241abd0ea6d649a2b9cc1483cd2c84dbe4281ac9850127c0b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
782cb064f4dbcde6cbdd194a5740f027

SHA1
0b9f0bfa7d8c34aafec920668a8b749a4357354d

SHA256
84165921d746668fa43a4af4fc250f5b89401c803331f8edf76a86621a177168

SHA512
459876532ff22ce41320852fbd9a5a2a65e4c7c5620ed8bcacc8dfab5d69716d2db53c24b52f97a1ca5ace0e7f27eb3fe888b0545bca509b586abd99b7b22659

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
acc68eea9a95e85e7183b007319cb35f

SHA1
b379f2f1fb7915c7c3df0c25923b4a6009b46cdf

SHA256
5d344fee5506a338a79830ebf77e0b73208b08a2fe91019dba1b972a09f41bab

SHA512
56df7f6b79f8be5cafbfccbce1f9860e279a823eb7fe25e6c0af215f257ea13eb2c92360c308f6806679cca3bf461b585f0ac27fb1c6f28649cfe92835648427

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
960KB

MD5
7babdc8d0674215dc4bf55b379c69d7b

SHA1
fd2879ab5c6f3661e734a8a3d29b243127961bad

SHA256
479002dc6444ca09469a3a58d06cc70fd94b6bbbda9919d803c6745beee9538f

SHA512
14edd486cb8fd75f23da46f20e731adb88bd2e39036da5a8cb0ab7f368a215b2320a3049233297f4dfd874efeeb165e3185eba0bc11372a533c354103d86cc33

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
640KB

MD5
5eec86a13377249ea6136777b78f6dc6

SHA1
6098bed757d693dca2c27e49700d25ccaa799951

SHA256
1e5a3b72143a5b7ddd87b02af1d5071a15fb1e874f70fb9a65abd4353a4669f0

SHA512
320e09819e5e46a439323a6c7fb42a89d5ee744dc54c0a84bcc8a02ad5c1bd1fa1cafaee8ed5d1000455b995d6cb54496053918d1e0de698e658e1358cd1f1e5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
576KB

MD5
8044bef156123cf0f5e34a165322d8bb

SHA1
19d18607f2308e609eedae9f1eed965ffd71c0e3

SHA256
528f807eb08427dd35c08c44bd75a43ea07459dc27389d3d33611bd3ee2467c3

SHA512
1709442be47ed232c7afa7e5003b6913769432266403837292cde044270941946d6bc8edfd0c9b824215e11ca661d3e0e04323637cae3223a854feed7d99aeef

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
576KB

MD5
9678449ad4465ad46561c4ac632fcc97

SHA1
1a1f954948e3f0c7a4f8e0fcbf17b982e3b2536b

SHA256
f71c726f23e3f5039dee6a1afcc9352a7b1f95d8ee5d55a5ac5496297d61cc04

SHA512
a5bb108cc2ad9fb1e7cf127570da5b7c56097b8232d06b14943f51c69d96af35f760db7b40d6f87fada0a3da31fe1f686ed640bbf458950652380575a070c7d4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
576KB

MD5
8953c501db306b3f04ed6c57497aa4ce

SHA1
612e1298fd6ce027603be7cccc62acaf019d5abe

SHA256
d4fba858edcb1b3c907c11c349bd4bc681b7e1268a7653d96e8bd5428891ebe4

SHA512
ce802dca394589b5f2f5fdb53a28ebf132c77163c93c5566da2b5676c05289fb3c8b81ad38bef2da49f69eae501baaf5880e08568e114449bd348a5dbc854a1e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
576KB

MD5
b2c7100cefe89cd4cb3a42b855fbfcd8

SHA1
065a629afb676c4504dabd525b1ba40371474ae5

SHA256
fcdc809654a4ea2fd4ecbadba5bf025e2308db2e48238c3595bee85528e2cfcb

SHA512
d4031980f9e38cb42e75a3e8b9438a8bac58867cc70f736d48bed78fad7c967851247a74ee7eef0c7c549aef265667d07aa06b3dedbd9aaba4fbdc1cafd17f8a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1da2fcccdf58665d6643c641db48fd57

SHA1
b72fae06bbe81bf08a64840455eae3500bf7cd3f

SHA256
a825aaef6b8a781e9aec08aec4983ae4e1065efe71f4377f5cd3bd5d84ce05df

SHA512
2ef0aedcd6fcc74dc720b17ae6cccea4e9d702b16460c9770a86151c2c6186bb7e6775c10ef4d7cc62475dfad4e6af2935a4346bcd673be8c3ce3c31ba4e9f00

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
b4625e24a9ccc4df9dc3b88f305eb9e7

SHA1
0233bca55755ff7bf4fcda46505f1720897acb81

SHA256
1ec73c1c659ef0b4d09b92545697a75d8ad6b908308ca78bb110e677d3fde305

SHA512
21fb2b0bb93879565ae5ab47cc097ae4f6f4f56259be1cbd955fe1211021df43fe479147f1534a1b76168234814584432e2b4e51d92ab41dc940c236d5827ebd

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.4MB

MD5
06aebbaf13429974fb7939090bfca9e9

SHA1
3f2afd79cc38f2c94d939085b21851bcda11dff0

SHA256
48a8e715078a09de30f9ba7c38684889588588e2cd873dbb8d6db46eead8eefd

SHA512
8bab6ab5ea22f77b035577eea62c0b080fa80b9f9850245b6ac130753d1907d8dccbe0e6b93bd1c86f44b4e6d6f1756ba72efa920eeedbb77c2950fe981479ab

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
3ddb8d3ba9cc2374e12da42d440829e3

SHA1
fa444b659d455ba9d034155153f1a134dac40d72

SHA256
bcf271873d5469b52686f241def21d68eb3bcfb5cdbaa93d68c3120f64a62f9f

SHA512
c99e767d2c61a6411162323f7b2ae312b194ab6bab330202e9c141b0ab448dd958fc0240d9c51e02de5182c6bd7cf88e03c1651c7342fac6f1d22d41767ca6f1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
76a681dddd3bde8d69d4043cc7d5d64e

SHA1
13d5618ce0dca96b4a6eb719de8d41b59a140fb1

SHA256
7e83af5780a08e297ac32b57b44a9a26d6c1bd6e7497e7f89df843c4f0ded501

SHA512
482ca6973d1dc5be9ab80f5e10416b7a1c33f9292fe75024ed2ce1edbef8238b17dc80c7fa48bfb1e801b7a2f8bdb84950b6b814b8382db5e2814e154a328fbf

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
7fef8b18848c66a15562e03999bd560d

SHA1
52d2eb4fcc1d9d8b593482cfc4464ee950f0d78f

SHA256
729658b3d3f380adb62cf637cdd425151170541db33d890cf1026465f3ef017b

SHA512
25406e5899112e017d27dc4fed5fc4d16c05909ee86d1e1c78879639dfcfe8439083de112191c2a31e11b489339b7212bc66c7216b3116efc177466903949b4e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
78a4ad0e1ef2e1c36b644125a8ee45d0

SHA1
ea9c82ee806c2ef3cb6a934bf66acebe4fbefb18

SHA256
eb1ec77784592cd3eba07beb22e00c291bacc1345c7b46dd8581952c6a99703f

SHA512
45cb9fea5fa6f37811cc328bbe4f6c501aa3c6559769718114941dcd4e1cdadf062dee3256b34bb2cfbc83261cb71e5e21e4d40849566a59da1c3875b431501a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
90cbcf5b95339accfe20daa82285b9af

SHA1
0de4dabb71463cf57862cc978a8b5c074b704796

SHA256
cec766afe2042337404715406682da54c5fa127ece8d3aa8679e23dfa4e68f7b

SHA512
62d4d4f525abb3144ff1ed92f70dcaf69c7e7a0cd053d8e7dd10913cab06120ca700a1d4b365629b600f12d8cf6a06fb32e3353e23f8b9057b651acf43c22c38

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
3b1cbf29e2abd6d1310c2b989ac26c2b

SHA1
b541334807979630a0363ccf03354aaf0e7687d6

SHA256
c3d3b68714ece134d5a8bc598b4a537def47a944222c6cd82d10dfbf4d90dd7a

SHA512
d5900854a72956a7e2bb5b9d1b9be4fe2126296b51a9ee1d96ae939efff27b44e071c3d4c24aac087737078a2b0e33d452b8b6c1b3b65d0505a9498606575716

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.3MB

MD5
b2a01fb324b54d92816d824b38ceb769

SHA1
359592f198a99f8c47c6036baeeb30460474270c

SHA256
d81ebbb6cbbde5ee935c47b9c8b92649ee69488a29059016f7e89ffca7820289

SHA512
e2a8b3a6935028b96d89640a5f53799a8d3cc6fff83a98b1f71b687edf5aeba24ed90f09525ed876a37a09e7649d21000177dafedf7c814ad90ffbb8bd38ba84

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.3MB

MD5
de7e1418b2dc143219096b846de6914f

SHA1
3d0e8e8dc340848e0b5622ccd09b280b7e977000

SHA256
a1a80cfcdd02935ee2ef735177fa3c05acdaca6c32062e41b926d01a1906e569

SHA512
e024cf40a32eb996f4c40fea33b915e7eba49e8a49a0a3b18a4e91debd9f90212526aab85f7f8749b00233a09fd45fb843907ee915479b83009d2b9465a5c488

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.3MB

MD5
5345d94c99b8520b43c4953bb3012ddb

SHA1
aafa7973280932056fdb1978ca8be0a2350ed21c

SHA256
ae65a54068abf2e05ef040841505cb5b008ceb75cc3ca483f395ef61d0851648

SHA512
0a1d398e731cfd60115941b481dfdcf26c9b82cf1730c492df5a31ce087bea044d0b8b972264f52363695550a71ec3eeb3e721f18f22a999b641bddfc4e40a31

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
1f78f5d3588a97362972ff22fa6280a1

SHA1
bd1bdd5579c5efe5e91bece28feeb7a13fdd06e0

SHA256
22b25cc75f895d67c503d89a972e41ab89eb4f012a0f75aa146ec6bb7d2db9f8

SHA512
acd4d41a50b104f6c005aadd1ed96b2536abd716d71b1b655684a9a7a521ecf77cd1bf5febb93bf2ae53aaab3aa6777d372cea6b50bab9b9798433813c9e5e9f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.3MB

MD5
0b92edbed9cea17e29c2b954efe606bb

SHA1
d8a14779cf1152425bffb63d89bd82d28e05ba74

SHA256
957bd7daa4a1e82fa97049b39aaa419536da3d4663a1bb0a4414009f9bccc0c4

SHA512
ef585d054aa15c59e18912ccaf37117c8ad9807a13007ad22513f3098e5e10a30aad39d356bf77c3738516d644b9e00eb3d95536cddeb99d54eb155a132826d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.3MB

MD5
0b9249db696ad0326fef5e35ebba2fc5

SHA1
4f8e3d6fb5c81480be7bb43055fc44cd204c44bd

SHA256
0940672e55fe764fc40b44780c532ae43b113d072e324b574ded4295c6cacad3

SHA512
fbabedfb00575f6aa71fcadb4aea856bfa130e010df510255ce072b98d626df93192d52412e4fd1656798dd8182d145e0a6789c85ee15222c6d4984d3cbea6c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.3MB

MD5
4fd56f0203a5d2a3555cd727a0ddff83

SHA1
f8a0da2690ae2d6ebd6dd6376f199d5d1a9ed2a3

SHA256
d6397b03c49c259766167e863504b13860f3d452135800b5258fa98e4c2e2c8a

SHA512
bf6103b43af941b8e429922f89e6054b21b221a8dd341372b39a71eff3da132828c2e1d8c81e1a88bc47c854b6cc72a5673a53a12a549d62f2a4e3205470ebfe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.6MB

MD5
c37d253e02bf915b5e698d60c1951eb5

SHA1
649bb16e9ca0548e3de315962689aee33cef6020

SHA256
0c0471c7d4229ee56ca5fc03bab3d5f7d7c70f351d03fde0f4c3caee82badc3b

SHA512
093aa08555e852449d15b2aac8b00e7f04b64f3371e4dc7a4c170f565a3cbb8d9c23e05e07399c434803212c57ff6d34b9d22d369002c983964555f0474f3f69

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.3MB

MD5
4c729bb8797096b97f7008ff2d4971bf

SHA1
84524ffee262f9ac56742c5464fe48ffa181150f

SHA256
95378eaf50945afbfd43ca1ced8dc1ed302af1b8ed943a8686a0a8fc5ef1a85a

SHA512
70bd96bd8e3bf37751bbaab8db5636d279d8a6dcab7f9a3042d4a4010d71846fd05bf57c182ff3d8efcc5161871c33188b356b843dd981ba9b55e5e56449a1dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.3MB

MD5
81a9167de8639f2b9d6eb7348a64d3d9

SHA1
2235c443be5933562fe2afa05036d410b1e41d49

SHA256
425fc7062d5bda8ed3ece225effe4f0c8a095869ecb4ac238558bf0f0260ba3f

SHA512
baca579bef2b7728ab489a24c4d1cc82e61ee02e335fde35de736b45c8d1cf2413e9d50e932f3565e84dd896594c9b3d7e8c45f43846d055dc2d4fcd05e78a18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
576KB

MD5
d06847d92e86964d4aa6dbe67be7d182

SHA1
78c5a9bf9de34372a711156d1c75ff19a3860bd7

SHA256
14d377169f963693eaa32b933a6aba886e8046b1147375fea4317b5a79c58018

SHA512
be6f76b8fae3d30d2148d39b094fd2d932af5d7f39c3937fc525fb5d4f615453295c322331569878a44a66e9faa0fcb0e87b735929bda40389331acb7ec3eda0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
576KB

MD5
81b441d9d6df5789825717a34d7805f8

SHA1
1a7d93b89df4be54170a97d4fc7c9a7492cead39

SHA256
def9051c1852b216d3e30ff4e4d9870e5a3fe0b7884ecf717aa16ec884ddf74d

SHA512
745637ab3d99612045a6febaaef66bc3ab1a3f5296ec2745fa58fce580d4b8655d1ddad9d9d699fbbce8c7ab51c7ad794c2c9fc70f74fdf3c897b3be7b8b15d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
576KB

MD5
e2eb5b0a3a6cb432766edbf46b212a40

SHA1
1eb7a16c98707a90af28769d9f21302b391ae327

SHA256
374fd6a6921d449432b5b2cace213f0a7cc0307f6675c4204a56b455e9fb8add

SHA512
bbf1687bdfd80269984e34db888278524f1167bf1ff03bd72780676b75408b9e5b36629f6df59e7f4d512982ef353e7d8e5a0bcd18195457becf872eb2bc2104

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
576KB

MD5
808e25496e72b9440a27c5591d7f1f68

SHA1
f9bcda427e7ca1cfbe729c5049cba4563cbad26e

SHA256
03f509acd9fcdd3c00e3d78030420bea5e22c24afe14ce012ff279f2ca45cf74

SHA512
b4290dbe9bd9bf2bea7afe5a893a4e29849992bad3c1b0e836ffa96a26f01b56839fc7d61ec4825e485b53f956d7a199f82f1ed51254ed6bfcff046aca00a6c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
576KB

MD5
5ce9b10a528101b58f5f84059d580738

SHA1
8e2446118de0a9cf7c16296a318c1742b61b019c

SHA256
c495c3bcd0b3c7a8b51cf8b86e44a586c48b468665c8986190e211b1b84ac0aa

SHA512
106afcd4486992018510f7a8337dc71cad2421fa70d925395a150bb1cf9c9e0fad6818bacf019669d616b71129dcaeea36c202a823cc089577f64607f841aeee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
576KB

MD5
7623cc41b1290f9d6189a78e9cd9e859

SHA1
956655f09a64ffc91bb0bf37bc5b3c5fbdbce945

SHA256
b372f05a131d8235b94bdcedace75b253c6e708a3803ccb9ae0fc097270cca09

SHA512
314df441ea3e2c8e8001f9a6f5c06af1b522511c6e1abfdfd1f47033c8d1ccf7e313bb67c2f0da8ce81f102bae97db7da425d855d8dba27b57911955809c93d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
576KB

MD5
d3cb7c1dfb081a922c7541206b1e3221

SHA1
edb706e8ba527cbf9822b0eb0a6edc48515a41c7

SHA256
1d9ee2430191c98cadc046f12c9680db465f768f6653a6d4800770b5c4396792

SHA512
cc67b38f83dd065377ff0583f7f3278b9a99db8e9dea594cc522dbf4b85e521cae4751a4b779de3cf2c8b2f1cd615515e38ee858219c99f069bea08c00de1563

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
576KB

MD5
7dc121fd9f8ff85d35e541f4b1f288c9

SHA1
9b4cc7e8883989107b533e0428764738d79521c6

SHA256
567ba5b1e91d0f9472bfbfc65485a7f5babd8437ead67969248e0b3eccaab2d8

SHA512
059682f59d15a87bbf265d023e6c36b9e1ee55b9fac6a1f0330de05eb806e98c624d28440e50359ec0dac264b4830e51889bda72669981a4fadc29b308e37859

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
576KB

MD5
ca3bbd26b20f79db6b3a5ed6432fe4a5

SHA1
3ae8827f2f240f2e9973cca437a5f5894ee522fb

SHA256
1ebedaf3a76bc20a7924e6103d6c326380a89e06da9777e37fd0ad976ad28b5c

SHA512
51d8716a889c0f7d62cab47c4de87694962a8e0260d784842652dff727ca5e1d2bd4dce0906a5fcbbc4806e5d0d0a32e4d0f01daec94a84b1d7718476f57ad15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
512KB

MD5
9497b0ceac8111d3f91c14ece6dc4141

SHA1
39624f6a3be1dddee97d9566d3e8733baee38065

SHA256
0b74a86a8848922c119a7133dc46949d56c5ea664410eb5762cdb83421538dd8

SHA512
9764557be46d65a700036fe6f6f8ba313d171d1770bfa748788eb6554618be840ff89e8c6e63acc0c355eed3a614d8b46e2742b310fd620026b17320b1671cd7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
512KB

MD5
1bab72fbdb395a4a3669fef9130c56c3

SHA1
ea92e94a745be2cec3d6308a01487be89cbaa9a4

SHA256
7a18d24effab56c53d7b3a086d50492d3308e21bc688306b9b3023a25ded5c4b

SHA512
7ad8a2b6ea3113db25034849172bfe3f460ad534c8d667e9eb7e58a9d9003db08d9a1d5053546eb011cb10df634b625c39f8a0e919855c62af7232cceccaf0ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
512KB

MD5
7d72d8b61853892c1e017101fe56a54a

SHA1
91ec188b6050b4cf5ab04829149c4720d00036c4

SHA256
51f76fcbe96999e68a7554719c9d5e12aa8d33b3d99296da757efe2db5bd6826

SHA512
05a88d4df2e7a3c67b454a33556d519de7842985f9e020d894ae6180ab012b6ea537e021be4a31183035c90aa6f3975488e084056565d1d8d7cacd4667fb95e5

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
6eb83435151d1a7a2209ea5726f98a18

SHA1
fbff16b54e38501f40c3d120fc2d960518ea7d5e

SHA256
55685e6bbb592ca50cb79d4c5899bc0ca286edec1c49802e0cc9e9f80b9590f9

SHA512
dcc9f4756644e47927134a757e0cf1195415d8d5f145ed4ae87cfe86a0670a4ff12a29c681ac9f62e6cb1b52be6b21d40f64f82d39c2e9a3d88d0801b6108d1b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.3MB

MD5
984704389bf54daae482a34dce9ba3f1

SHA1
8177be7ba77f39e4183b0dac0ecddfbd3aee5bde

SHA256
e05bfefc9345e042f5e2b4019d8eb26fe12963c6fac52a694d852963a42b0b4d

SHA512
9bfcdfc692e9fac3b18c4b11b9350f904b038002cf32ca6d2dc1a3a3998a51feeffcd0599402c74d6875418f0a883dd68fa020192ffaa2ea0ef4501959e18e61

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a16b2c03f80719a330c3c58b24732c8d

SHA1
6804528c438a71f30d71ed5f25b8ea989d08dc8b

SHA256
5bcecb1b52f821d6bee015940e01d4463c06368b91ccace79af9ea8825ec4b0a

SHA512
bf4a5ac8edeb726877bb2dd8872de13df8b500403234feff21f6c98be770ec88a68358b3d3388505cadec8a03c4cd2f8e07a0646e90600c9878b56046711c2f1

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.4MB

MD5
714c430a773aac960c8682ff0dc35afe

SHA1
629904814f2fd2ce9a38067d07b55ad0522914d5

SHA256
94217bbad8461f9a74666d13856badfaab95d56e18625e747ce27414ef2fa6c9

SHA512
d8e59808c2e2a9c92b52999898512a1df7c053f8648d9c8e9b09b125a0b3287b08ec6d3775829a975ed1a02192bf3c8b37229bd3631746801ad448734e71e1e6

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f730d09d7bf31c86e902af07e864b846

SHA1
f7d8ca2d340fd18153ef81ccfa730252d5b54a91

SHA256
28d5d5312f920f3d054436a7eacc89894deb2cc54f958113948c495514b75a80

SHA512
513a192d30c3fa50fae0bf848fde9cba6049722d2561ba1ad86aa41fae28f610104e19709bc1d49da80260d586ab35b6d2c46bf67d10e141f125ef2915c603e1

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.3MB

MD5
487f46c2296f6df0ef655499a75b6038

SHA1
211a2caadadf1d36554e24f4b3ca095910704a7d

SHA256
b93b9b62a306fee895e1def921de6128a38a0b60a7ee51494b308a415ed14627

SHA512
fc923688ff4c01a47068dc315a4fefb516ea4cfa2d7b2db08c4aca10c802df938d57043f92185efb702df6ff29a1ccc810cdca230c24b3cdbf0bed83077e174b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.7MB

MD5
562ec8bbafdc43e81ed2caf0e35d44b9

SHA1
5626e37d657ca28129b1a33e3d9dec1fa3cfbb06

SHA256
5779be88efa71de64b3a6533b02a4a0ffe1d3a78e648190b1e4695e6765104be

SHA512
f1cd7c63521faf201834184b6a1496c30935ff989adec2e67cdefc10268a87d2684fb40879c2bae6532b660bd282c64909153b11f8b27e3a0b5c64b7784884d8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.4MB

MD5
1f9edf74689bf7f1bf1dc0e29878adc6

SHA1
48ccf0de9fa5353c051b4a166c01843e6a1fd7c8

SHA256
9afd111601368ab5aff07800c21e032b1ac5391ca04e30155083ccfeff63342f

SHA512
21dc53ab212d78f25462199ff6a4647e6bd58ccfe5cb00cde78b90f2e5994d7b7749400116acd40ba960a750ad7d63c9b94c3b159fae58160ad4b5849fab5b79

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0ac556724abd87a6b1826affeeeb870c

SHA1
0b3f30a0430c70c7d4337efa38b59c6c4a2886b7

SHA256
c1c0be106113ed36b12282ee7667367f639b7459ca01ab7d3373340a52de0e28

SHA512
91cd552432cead47984789c7b41422a96d7a8b4125215a5f4c4e947c527fc9136c5ae04377cdf73173273a0b0386fc464d56d1acdaf24171eba9dba206d34fdd

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0965be9e99dbf226ccd45e22f7c78aea

SHA1
38cfd1387e07becab0e88ec6930ba2049a933d1e

SHA256
023a64c17ef1846564f1e65d55e0ea6723e20c058ae5077666c544de05b9b831

SHA512
32f06422f09aebd9d85aa4370344078486411a127d253abea346fc792775e71b897d1d425ad11d1b68cbe8f835179f34d040af53e52709687a58913098adec5b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c40cbbbaa326f2383ba278f98e06fe6a

SHA1
211ee3b31b82a12aebf23e3ce01fa6d0b9e0f801

SHA256
c91cd4cbb07615ef37a35db08840c4f190c44508811352d19491115ebdca690a

SHA512
a5a62fda54aed38f3a3af2ba2955ea0ffe6f1cf2d80f92931e39885502a997bb8e5cfc17240c70ba341fe40437e26474fcab033deb777fa9145090002342c32e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.6MB

MD5
14ef6d12ae4a8ccd2e53a82030b65365

SHA1
081efbfcd4789eb3c19d75e603c478458c86b775

SHA256
9462a6d1541ae2d957cfe91f2b0f117c783d39c34a736357109eaa802c4701f7

SHA512
fd9b3b39b96906ef5442f55ed28d827259d6d6498ab6761e70acb76b8d7831c9db16cca45ffd4aca37eb8eb1acce3a2a77cf1d2cb93df54e28b9cb1a320d216d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
48b71a09dcf8d5be682f6adb77ff7f27

SHA1
b41ee8deeb68ce364faca22672affc8cc1cf30d7

SHA256
2665ee3819d7d762e9832b52f90ca1e3e3ba34780cb459bab1f980e64df376f1

SHA512
1b1ec85c85a150e2a38abcb5845db45b2c4eac15c113f7b6c23690c62ff80539c3c3ee1a4ea42ab9881d98da59595c4529d2d1888c7b7828d8d4f927cda47103

Download Submit
C:\Windows\System32\alg.exe

Filesize
453KB

MD5
d524ac70539c19c6c547e96239694f87

SHA1
f58bbc9ae8465247797196a8592e64ad21ede73d

SHA256
ea2aad175dfb6d6e7bcd61d184f32792c44a7e37d534c1ffb0e41d6dbe7037e7

SHA512
bc3641988caba8fe7d52f9815a5cd387f08411bda218826d2df853826dfb64a48fd919a6171d92e8a96a6cf3fab9a2898b9f019d0bdec5dd5df80cad7e2040e4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
5dbd21991f49cdc1f21ca16763e4e3bb

SHA1
b8b0e7b712bbe4e99407b1099f4669224d56c0b5

SHA256
b9903536c7fb39df5ae4ab7b5762554cb625a6c36e4d29901f0a3210eb7ffb52

SHA512
e44fcfc4a8121c8647c38f8596ad48fa0d00be91f2a1fc1e7195c591b978f352806ef293a62038597ccd6a8623b79a29eb3dd47020809085739b31643355101c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
96578479033b9607d25e70697f6fc087

SHA1
e804f3ae4968ca8e3ec43a8326a70fe50e01f3c3

SHA256
dd35c6c34925556058d0d844ac86d44a6e4ac03a9b556e9703794f5b4382d55f

SHA512
076838186fa8cad7daf08384f05306999f6b2e8c1b016927fc179c3f402e63dfdfc325e5fa4dcd034752bc96e5a4818edf9595d2ba5456e432cc936076a84bd3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4e106f353bb0e4c3ea77c16d3941fc12

SHA1
32eb0f7d9fc0421d70463ff4e96e62ddf670955a

SHA256
dd22364d0eb537aeeeeb7091cf36ccec86ebf1d3a4a6ead67f080052b0cfe86c

SHA512
899f6bc3e94ac66b69faf44ff17f29f458ad37e892f465c445cee8be1922fcca515f25d85b8fa101b6e5033c295d1755612d537aef1e2f9bd347979be29de8e3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.5MB

MD5
7746753ae530fa0c9cde75ad9bfe08bf

SHA1
3cbd487a43809313bd9d64c03308089aa289c16d

SHA256
c1032ff535c4f08e277b549421fbe8d72505ce1281b673b4790bb5984914c359

SHA512
912573257d0676fbab863bfeb3eb364bb42b1cf4eb0cfc160f9f23791a4e337bc4e926518b4683ca49015ee44f0229603a9729addccf8d46efc9193314372610

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
330ad520f1a6deb5551fc8dfaf167025

SHA1
d7f275ebdafd77dc9dd4a723665eb842ddf65ddd

SHA256
3375747386e6618bbf4a3b9bc7e96c2367bcf5f769a1bea586ef2a860cae8508

SHA512
051bbfd81139cf1e04e15ec789b8a8adcafe465beb294a3bb8713ce232f000cfa0799091fd16d9a972207848f82d3930725695bab7655d05ebfa580fee0b6b12

Download Submit
C:\odt\office2016setup.exe

Filesize
1.8MB

MD5
fef43a614180856b7876031e2014fd74

SHA1
510fab15692fc41fd0876973e2f224225043ddc5

SHA256
57b7f283fa0dde3a11013c74b92ee4c04996f472121e14e515a799f51e4f8da5

SHA512
eaa1cfa5b2cd53c4341b3db796a88846eea17d7c12e5055c3ec57f5b45f77b6058e8d6bdf2a0c95291955d7312173f91c0ac07a47553cca1f402f3fa4b93a737

Download Submit
memory/8-372-0x0000000140000000-0x000000014025F000-memory.dmp

Filesize
2.4MB

Download
memory/8-439-0x0000000140000000-0x000000014025F000-memory.dmp

Filesize
2.4MB

Download
memory/8-380-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/768-300-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/768-365-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/1056-304-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/1056-313-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1056-369-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/1596-221-0x0000000140000000-0x0000000140227000-memory.dmp

Filesize
2.2MB

Download
memory/1596-14-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1596-16-0x0000000140000000-0x0000000140227000-memory.dmp

Filesize
2.2MB

Download
memory/1596-22-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1692-316-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1692-325-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1692-542-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1692-541-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1692-382-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2036-235-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2036-28-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2036-27-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2036-34-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2324-433-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2324-427-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2340-413-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2340-422-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/2352-286-0x0000000140000000-0x0000000140228000-memory.dmp

Filesize
2.2MB

Download
memory/2352-351-0x0000000140000000-0x0000000140228000-memory.dmp

Filesize
2.2MB

Download
memory/2352-296-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2596-352-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/2596-412-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2596-342-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2772-383-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2772-392-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/2772-396-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2772-398-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/3432-61-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/3432-57-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/3432-65-0x0000000140000000-0x0000000140247000-memory.dmp

Filesize
2.3MB

Download
memory/3432-49-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/3432-50-0x0000000140000000-0x0000000140247000-memory.dmp

Filesize
2.3MB

Download
memory/3656-443-0x0000000140000000-0x0000000140243000-memory.dmp

Filesize
2.3MB

Download
memory/3656-448-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/3716-244-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3716-312-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3716-251-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3716-245-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4248-64-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4248-67-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/4248-72-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4248-239-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/4248-73-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4316-459-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4316-452-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4320-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4320-280-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4320-256-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4320-264-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4320-281-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4440-329-0x0000000140000000-0x0000000140213000-memory.dmp

Filesize
2.1MB

Download
memory/4440-399-0x0000000140000000-0x0000000140213000-memory.dmp

Filesize
2.1MB

Download
memory/4440-339-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4488-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4488-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4488-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4488-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4556-278-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4556-268-0x0000000140000000-0x0000000140236000-memory.dmp

Filesize
2.2MB

Download
memory/4556-338-0x0000000140000000-0x0000000140236000-memory.dmp

Filesize
2.2MB

Download
memory/4564-400-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4564-408-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/4564-538-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4700-426-0x0000000140000000-0x000000014027F000-memory.dmp

Filesize
2.5MB

Download
memory/4700-366-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/4700-357-0x0000000140000000-0x000000014027F000-memory.dmp

Filesize
2.5MB

Download
memory/4748-0-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/4748-15-0x0000000140000000-0x0000000140247000-memory.dmp

Filesize
2.3MB

Download
memory/4748-10-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/4748-7-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/4748-1-0x0000000140000000-0x0000000140247000-memory.dmp

Filesize
2.3MB

Download