d23a721cf8f9c381afe18b364fa8c3f86d097e74f0a5de76ae19a3f44221c3e9

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2024, 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-21_432534a97dce902e629bcf675bd79763_ryuk.exe
Size

1.3MB
MD5

432534a97dce902e629bcf675bd79763
SHA1

b4b35048d8599899198443049bf32466319fbcc8
SHA256

d23a721cf8f9c381afe18b364fa8c3f86d097e74f0a5de76ae19a3f44221c3e9
SHA512

2d059c298ed39e4d4c44cb6392e8a7bfd88ebfd12a86ca704d83336b2447cf1e0e7a7832b3ef33e0fd3c57ab7ebf36930c8073413cccc886b45a936fac5ff46f
SSDEEP

12288:PsixPwnLuXdP7In9w5/lmFN0YNG4JEhBRK2tNLbrMKU5vBXd:PZFwLutP69KlPY9EhBRxtNLM5vBXd

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1468	alg.exe
2812	elevation_service.exe
2876	elevation_service.exe
4812	maintenanceservice.exe
1880	OSE.EXE
4908	DiagnosticsHub.StandardCollector.Service.exe
3280	fxssvc.exe
2084	msdtc.exe
1896	PerceptionSimulationService.exe
2168	perfhost.exe
1164	locator.exe
4956	SensorDataService.exe
3540	snmptrap.exe
3956	spectrum.exe
1968	ssh-agent.exe
1752	TieringEngineService.exe
4996	AgentService.exe
2692	vds.exe
3932	vssvc.exe
1100	wbengine.exe
3176	WmiApSrv.exe
536	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-02-21_432534a97dce902e629bcf675bd79763_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\875c224213a2cfe2.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F8B77882-1947-4FEE-9AB1-B3670914BF7B}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d55b85f81565da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004490ddf81565da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002098e8f91565da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c72edbf81565da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2812	elevation_service.exe
2812	elevation_service.exe
2812	elevation_service.exe
2812	elevation_service.exe
2812	elevation_service.exe
2812	elevation_service.exe
2812	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
636	Process not Found
636	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1280	2024-02-21_432534a97dce902e629bcf675bd79763_ryuk.exe
Token: SeDebugPrivilege	1468	alg.exe
Token: SeDebugPrivilege	1468	alg.exe
Token: SeDebugPrivilege	1468	alg.exe
Token: SeTakeOwnershipPrivilege	2812	elevation_service.exe
Token: SeAuditPrivilege	3280	fxssvc.exe
Token: SeRestorePrivilege	1752	TieringEngineService.exe
Token: SeManageVolumePrivilege	1752	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4996	AgentService.exe
Token: SeBackupPrivilege	3932	vssvc.exe
Token: SeRestorePrivilege	3932	vssvc.exe
Token: SeAuditPrivilege	3932	vssvc.exe
Token: SeBackupPrivilege	1100	wbengine.exe
Token: SeRestorePrivilege	1100	wbengine.exe
Token: SeSecurityPrivilege	1100	wbengine.exe
Token: 33	536	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeDebugPrivilege	2812	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 2980	536	SearchIndexer.exe	116
PID 536 wrote to memory of 2980	536	SearchIndexer.exe	116
PID 536 wrote to memory of 4536	536	SearchIndexer.exe	117
PID 536 wrote to memory of 4536	536	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-21_432534a97dce902e629bcf675bd79763_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-21_432534a97dce902e629bcf675bd79763_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2876

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4812

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1880

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4840

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3280

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2084

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1896

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2168

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1164

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4956

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3540

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3956

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4280

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2692

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3176

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:536
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2980
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8ac4fef9e1c853067f6e79946e361c4d

SHA1
f7d02b0d68a46ba88aa6ffb33feb7dc542297d0e

SHA256
8bb7483867cd00b644a16276e03a204a853a0c8d869631d5877abc7b148d1352

SHA512
a8dbd13794a2b96d08ce924c320c62846b859c40278dce77ab4d653b7c8bc97a893b1a6e6ac44830f2782e3de4cfb1642fab0aa9abdf514d27dd4e19baf8178b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
4d95830e7cf60c2ad7b4a94b7d3d4037

SHA1
078dd292d15a7ec5f7ba29c6e693aad42b2243a4

SHA256
8c443d0f31e1399ba339ae98a0c5b7b8706eb5ae2f6e5dede1e56e0ae2316ec6

SHA512
f4c11160f3b6889b2f7a88eec53ec1de70135d3a0fbdfa7fc24458ee6a416c4ac6acca1971e876c08b1823346b8d2431e53142a3067c17a8728d4faa6d247f4f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
f8159ef7bb5260506200d80fc05a5bad

SHA1
d937818bf593f02cba2da540cc303a88630fc98c

SHA256
599b45b0df8b0ac1496c45baef589605a76f52a298ed0c556099dd79983cbc2f

SHA512
72e42a69bde65ab44bd390f835b43b559e2bef83c033c5a244d7ed9702d1b66fd7da42b30efb9bc1a896673f0675617cf6bb28fa00184535e8aa8573b3bad3d8

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8b7ce09548079cf6aa51a4844600800e

SHA1
6766ea78ffb6ad5554e706f02f37a2cbf0c173d7

SHA256
4649ac7f419daa953b92ace86fddb26a17cef468ddd59a48ddf2756e6cef572a

SHA512
d8ddf72892e3e2a4f1bca4f84e384bc75f94852325f7af8f5a713fb5762e1949346e8df254855fcbdc92cf4d9ad5d5c76d3a44e2d5d5161913021558e9d7f5a8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
034f452710c7bcf356b71943881a9044

SHA1
7e5e844534db8c8b04092c177df3ddc1f6dbeb9e

SHA256
745dd8c8f4318cd9681af06bff6d2aefd6c48f6ad1e599f4e6f850642fb4ca01

SHA512
522b7450c056459a25d88867d50f2404b73e98369d73cfd3391347bc4819312cd5b96dfcb7d38e6455bf210fe754a7e5c9feebe0ce5073c2c97a26442a507392

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
576KB

MD5
5d97fbf8418f169f5645a3d38ac1624a

SHA1
f075f101b86e0bdad9586f98af296b2e0ee290c9

SHA256
b330d4e9f98ce744a444549854a31f419476021716725a181ec68fa01bf70065

SHA512
3726ee4e5b540ec16e33b09ce4803fd91fd4a8645e9d57f1d1b86a75035dd63dcacc561abfbfcf96a6f9476068c3d93f09545504b4ef7b8864f57694f02abe10

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
ab5413b7b718196ef7234c069cb1e1c5

SHA1
d2f948e92b25151996794bb2d1b0f959fec5f455

SHA256
de6212d4d9e9c30eb8582496d6fea8119fc44f1ef78541ccb2a1bac87934a921

SHA512
0e9bf5c606effd707de815da97d16c433954f6683b7171d1c59b1658051f2c19841ca10ad11850920fdf92a515566890c757aad8409d0c04326c4b1a458d3d86

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
2.2MB

MD5
10e1bfb4deb350d671355611726c09ad

SHA1
4541167b14f6375be8fc7f3ab9c1f9631c4cbda7

SHA256
2dc43940cac1bb54eb81d063b4e856d1134ae01a34cd029545cfe76f7ba65cd8

SHA512
0b0ffb6e5697187a0bfd1f00f8cbeb1b17309ae8d9bd3defa830cd2850171b51a8ddd931ab7f8b2859b10a70e95aeb7818f5b1d27f37a41805d3d6c2bcaedcda

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
f110a8158c5157a2628b01771ca40805

SHA1
9be2ac987ba37bcccd12592d80591d8592fa1fe7

SHA256
b24e772e69da48fe603593ce1e4a1c206a9a6b9593b479c6060d53fb70bd4cfd

SHA512
516c7cacf4edf29d1825c603db2f95888f2b1a25df786dc7240ce0b2d15020ccc71d7204f4fb3ba17ba89229aeb529bfebf24a2a663d1026fa20471963c55372

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
512KB

MD5
02581a6e88a82fefd9799bcf4a3de9e0

SHA1
0507e995868ae05a29e9f778e22807250bcc71d4

SHA256
9f6e6a5dc81408cf1a5c6f6600849202189346d38fb650fa5c1752e9308902a2

SHA512
8c1f40de4b1bfe51ab9d068c6b0550c6969a6665129b22cfbe2ad479138d3163c0e39b022d45db07f134a870230231d1708f7c09cef4d1b3bda30a2e53c715a7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
576KB

MD5
f8f9bd53f41b9d7f9cc2d14397d95a98

SHA1
7946b1f29727c3253d1beade71f60c36bb29bc72

SHA256
6001de07254cff5cd380f1141f0dd691939c906ef4222512ab653418897cdecd

SHA512
d303bc677dc84c70f9be93d9dd858b439664d26bb0a4dab50e25ece9aa1946bf33c9bc538e08abbf70c4f81e28c2aeef2d8884c6e0ad687d40a42930b46d380d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
576KB

MD5
749f664825a0a94d144ab58d3f9d71ef

SHA1
44999600dc7d491b3faa00e6ffcf3ac2c9399f90

SHA256
19be625ca4e97b3d5d81db02b287211e7910161fd440b4b8fe26494471fe7387

SHA512
fff7fe8d4d0a014e22a501a5e5d6274a58583647edc25f5af4809a3dbe0fc9f4f9d2867f376689477af3396884a6a1b334f78cfb26b3bf705a4ecca2d14529af

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
df847df50904952f21b72cb5f1adddcc

SHA1
65b9ad41f1c4bd254e812a15c96663cb1d016adb

SHA256
2c8e37a3ae512fe37e9219b2154ee489050f9af60d82a2a25c755b9ca1b381a8

SHA512
38b3258eddb243c5dc1988f00fa546275cb0c3eee9eccee25cc5138571c92f824bfb81cafbec0d510c7da5f497294f02a369b79e74c928861f22f656164321d5

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
e71e55aecd0effe84d708a635989f277

SHA1
43f392abe1c8671d88d7377889641a09c4e35220

SHA256
5437f6528f527d9cfe503e0b672dd393ae8776b7dd43fb5cd15f79a276c566db

SHA512
caac0d3741e8ca42d6ad1b55f23d9ada895dda47af823afe17508ef8b6c2959f3b91257040ab365784e16f4abb391e87d6254cf951cd28d68f58d1467f6cdf35

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
320KB

MD5
4e235cfde5c60d8e9e44114eaad5443a

SHA1
c892aa91c87c240735c324d274dcf4daffa96d5f

SHA256
018accd4ac62eea255430e7ba26d7e020e7a98bf52d1d23430fff74b59c609fd

SHA512
5ba618d14e367dd559c7d9f5d1ccbbed451966dd42d7ae114c1505255c7e0783b815c7a29d826688bd66666f3150754c2d79c646d60b5705be6a8f28902cec6c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
1.6MB

MD5
c6b3fcfccd8f8f1836f68e122eb328a8

SHA1
2b2e7b2c884da3ae6cef3aa1322a1b6bc989a857

SHA256
15484176872fbb96f831a9157c03abdcbaba73eb09e00100b63803ca2ec3f7d8

SHA512
a5af1549ba989a2bff26ac56dfab92549822e9bd184d22b775fe5e79ecb4fe65bff84002019882e1570b99fe6457e5006ebd62f2ee39ae7ae4a04e7451fa13dc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
1.8MB

MD5
b652092e506fb90efc4b4617c483c755

SHA1
4d101c7c2042a7273a90d2fc681f1377a438fa6a

SHA256
36f06f19908341de94b9277fd353703611b6714ac5b05008e764fdc4def95e97

SHA512
a187ee3cc823e92a28fc6071510805a723cccbcc474d6cd09e4ffbcef6fed205ff1a09165dec51270fdc3ac50d878d09499720bdb7d00023dd664f0dc9ae2e0f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
960KB

MD5
c7fc05785d44265243669b1c6010b647

SHA1
ff524476487d70f26529cb91f7a257d6ba8a54e4

SHA256
02ed0109c2ede2f1b94b0ba046cebd9564ec7f3d088eec9976005cddf7d8ffc2

SHA512
b8f109429093c4be0d331bb2d7008b7dd6503b2cb392eb06302d49f7e14a18b377c3e454ecf03b20fd1b285fa9b92852e59301c897fccb3df275bbcd8bb116ac

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
5a47e52d1b304decd0b5bc0bbb780832

SHA1
488648f4d79df274e7e46516d28f28dc7d41e715

SHA256
49ad1f8efeeaf8f4163253f72f7f6b067815d957d85d62bcfdfa9af9122f3ec3

SHA512
119390a66970ce6e5cd79684119628176c8b98660364a172d6df3a779d16bc0e0357319dab8f1c983b70aefddaf1fbe9bc67948f95b8cb9130239a82c3632175

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
cc7a957bdc55201803d4f6338d90f857

SHA1
408b552bcc1844263e6c8401b889fea2134dd93a

SHA256
286fd2ed850f5a53893c78effe32c858a857c5162c574eed7fed2a63ee936e48

SHA512
e5a78cf85adeec4e0e64fc457eaf4250104291e2078eef7cca4ba9b296bbf7001d4e357117414df6579b2c9d0f4d1be7d650459eb5ff5866e36c911b1755b1da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.1MB

MD5
b98fd4a8e359fd79fae3e09875356a2c

SHA1
7d08be47835888c8c9dd6c3557c98a27c23c2f57

SHA256
607cee89b9a3c610b692752ff211225bde4ec93d2eb3ef120746164997fe41eb

SHA512
1eb1f9ebe02513bc180338ca2e94c73c0f1bcaba75171a6bebba3e8abd95336a6c477da61577a873d80b3eb5d7d5f95fc4d382a4aed775d04d56cd878ba46681

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.1MB

MD5
997ece82f59c249be84cd283b695e86c

SHA1
8d7eb0d18b6bd20f11aaf91f4eb974dd92f0b7b9

SHA256
cce44b39760865eb85ff43134b9d2887a04a1c2c51fa54473723c36b27343965

SHA512
1c568822292d2292869f8d2449d35c0b749f03bdfea709ee69cd7700adc907da8b4c6c8391099604d0a6ce663ca4acf17a8ab56d76d2fc6ae1c78d969544e59f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.1MB

MD5
0a3ad97794d5b59dab84003263547979

SHA1
c8f16908b6fd9268bfe2bfdbc9452163f2e04603

SHA256
1deecfff1140f325b0cfc9afc1c83ac208633e320c6d18a89ed9ffebfee1db17

SHA512
9a5579c40558ef8e1fe0aeba87c53e8e6ca11db8eaafc67a9bd1328a9469fbe44acea8721d1bb2c717f64bd2a58cf6aa520f55dc165cfc660f43378287a2a035

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
2a71624fc3fb7072f587d41234965d28

SHA1
a1ad1b5634c58fa626aa9ccdcd1e64f504bed165

SHA256
01fd4b210277ca84d5c4038eeeeac11e0bf5df5d876ba8a5c92aeb11ceeaefcc

SHA512
bd1fce4fd09c666d5bd6a6edc54eae7ca9f82cfefc9972e177499fe5b8449a95be6a62fcec44bb0d274afa2c1ed130ba5d1b6b9c90383bf3be33f06e3f22f584

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
128KB

MD5
ab51bb834f315f70d56cfbc3bade90de

SHA1
56d1c78a86f9ef27fdf0c2107a791c59f89927c4

SHA256
5bd229e13560743303fe7156fe1688ecc5e7b60c6b1905706123525c9d6497a4

SHA512
abe77d79421dd63a60446286630ea53d364ee8fcedd8988248c9cb05d54fb1cbd65a39d96d7bb116dd1e4b194cb688bac93eb157c433a709bffa51d042845b1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.1MB

MD5
29cd0346790a3fdab039a67c6579d321

SHA1
19214b8cb41040ffd6de70d3a4fdc8a94d12ad9e

SHA256
93390b2311dbec678123e82bed2e958fe08604994a4f81ebe3ece8de43dc4368

SHA512
0fa272c5020756d3b5af73ee021049cc5438ec21d7cd8f427f87011254ef6e9f81a7483ea853d9eeab51905934c071c04ba3f51a287dd72fd87ac39f9468d2fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.1MB

MD5
046d9cceb8a7955c59c0ec3f888c5786

SHA1
25b702b1a78c3cf5c64395a629deea670f3c5a23

SHA256
c4698a6c3987cc6754237007e993946ec42dec16f18929ac0b1d70bc9b68d77e

SHA512
0fad1f619ca0febf72f36704a9068883933a06fc749fefaeea0d56906f79f314cc4cd3f19c92518db1f83d55ed2dab934a5b4e7d3bc8a22d78755527a1ea03e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.2MB

MD5
f25e4415216a585458bdcaa21523a25d

SHA1
91403f8979d74780aff25abf9dc844d6e45a6bc2

SHA256
611e8a67b527a604440d50e5b6f34070a303f26851ab0c3dc07b5c8c0f8a9744

SHA512
b94c34c812bf95173feab6685ae1601d6b7af6a6d52dcd329a3a6a425a0bbfb5f63b67ee4fdaf856290de72eacaf56bb0fe8fcb90b3835b4c16272bb3af5f880

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.1MB

MD5
042ea7468aff652c250bcd96f1cd6a7b

SHA1
72fc71cb8bb1729e7532901926f416b06cc2b29c

SHA256
eb53c75eb92a8bea50dd8ed3b35f29bf96f6212b3dfdc7755842a20a12a5fbf0

SHA512
f3eca7d16980efa4ede7fb7c7b3b49baa6a80e69231861358d38397cc5814de2dddab4cbb2eca1eb9ce362e51940cebf001bf0f7e727c205f7731da4f92cc4a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.1MB

MD5
69645aee656f9a1c196788396d258674

SHA1
4943ef4248c72aa9cfebafa180fb14d85c233a51

SHA256
4247fc5d6d49141afceca4faaaa4a4265f0d8886ddcd1e6b79528fb4faeb9ba7

SHA512
1c0ea160a722d877d76d9b67908faf4c1285659ae13dd1130c99c45a68fb57a74e63bd4d046957b9726f39231a7a0cf10bdf68d5a36a1d54b20a25b6d5e70b5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.1MB

MD5
886dec7073256afb2ec9bb2e5f7e10bd

SHA1
d6a4e4d5d69604b3e2c9d409cb3796aaf1ebf807

SHA256
a6a30a1260e206331cd54f1b2ed23f54079eb58bb823a4968b4a2b2e8eb2e508

SHA512
248b2c0000a0f2e4855f9eab0cb9c7fece157fd2131b8fc358a91f99e074c1baa53e51669502be197a0ad537297397926f8b6e08f80a72fc4258043e61400ec3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.1MB

MD5
b1560912682d160ee459aa9942edea87

SHA1
b49bf8b9397f53dc2320980cd79354916228c6ec

SHA256
b0290ec7628c83311872ff16fa0f2a134b220a6f47bb1ccd34f428ba55672996

SHA512
6fe46d54fa7db40c98b60a233e8e1454ad7304882b56f6968c27e9e83cda4300229175f81ead4b9eaa4a9e90aab878f600239f28f5fd6b7b2da553dbad2c6aba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.1MB

MD5
525286b75166cd2797792bc494bbcddc

SHA1
b0f559dcdd3c7fd1fcd899ffad89416feed04190

SHA256
8839287274ee77e70c8fb6791c47d7d54940a44f68124794d4a4de6c0d3f3331

SHA512
5e1c3c52a93e2b270931f01ff6eefe92b43600195a0dec6a8e29ba8cd1f20049c5fac3f306046bc4c2390a8fdb2828fa42ff301677b4234691ee7d3d585930b7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.1MB

MD5
3330b0e438ecb436661942311792e25f

SHA1
da7eeb5481f50b6d727f05de50642d99bdcc9a3d

SHA256
cb89cd17ab73c091393a84b5ae28c0956a280293501a3b36245c48b78d362deb

SHA512
f66e4d609eac4905eddbbfc678150b926b99ba5cba5449f4f0fdfa7bc61887085730b5831d79dd09bf1f17073f314fa844b090ad4d408f916e7172ff3d0c71b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.1MB

MD5
711e06c0fd36bee7ac73229fb4a1e678

SHA1
48f007bb5193732c0524932c91993ca545016a59

SHA256
47ebb0e7b2aed74f783ce15cb7f5499e9bd6106da870751ec695560aea595e08

SHA512
c55ae6178bbf0f15e919ec888adc67180751662e27d3c9cdcd330fa8fb04cd68123b9fa584d2164784366edcac5e9a9aae56457d25d4d40ed8d3689b46d74080

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
256KB

MD5
2c16c3c6220d54060f03f8137db3288c

SHA1
46f1c32e08b4b983106efbe39c25a89b84d97cd4

SHA256
95b971974c7b8e58b4cdcf617dfb56fdd2136d98d7a6713182e68c83c6e23dc5

SHA512
8a4ef81d0bc06afea2969bdc7f3535dac78b51043a181403ab60a0c275e35438774483fd9bd62aa3b55a605a22074bdad6e4985b4cfd580ac2370c994862747c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
256KB

MD5
5d78b98f87b9aec36e68bd8b85993bf1

SHA1
5071eaa4fcaff17d1b71e414caf41a636f32c15f

SHA256
23f4afa68cc32f45b74535feb5ecf6bb0ddfb49e9faa74538a27910b1b3fb072

SHA512
f01c633dbe371e6d9aebbee0b3b66b9e1897039b067d24d21f8f7d43188fbbdc495192ec3b4d1c6ace93fc642bee55914f302e6f9120fed9dc55d50ec4b3e7b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
256KB

MD5
00dfa2fc82b94e9f2331d82d54c87282

SHA1
7ffba0dcd6fb5cb7086ee06e97aade12bc3f8f09

SHA256
ed320b71b1bf2bd6868b702416f441249abcc95628817576e81db9a8c5ded712

SHA512
5ea37a7dab327c417768d6722f82bd589f82b63b61f3925f71e8988602b19a4a3e6e57f18069fb76db7b81a8215932b98be33beb1d5cd6ab093a387deb83bc7a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
256KB

MD5
f8d9b9ba1a8d927d0024f0a945c3f0f0

SHA1
5ae3c7fe8b3e4a573ddd2bebeb46707167a1b93f

SHA256
6643832c15f6c77aa091e458611c95dda21179dd8212945c5fdb8dd3e9fead43

SHA512
11a3d410547cc3438b173fc7e3db994400543e5e01482847fbda4585e542d72063b9945c64c119a1bd721d1a469f6c3de645f6332b9079e96f6a978597fb4a4e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
256KB

MD5
222789d247a252a82af7b55d229e051a

SHA1
9fa8641365a33cbfaaafc4e9f1e128529881bdd2

SHA256
87b93cd14dc677d883bb31a6fe790803d2f01817ddc752f3de37a3a2be237657

SHA512
15c49f8cdf7753fc3849b885f54e146d169a5dc790955da37de5139ee6a718abd2bb293d0a4c4d4ffa8fd58b103314d9ad638f0d05e6db910809cf8fe92e48b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
256KB

MD5
b363287c9d9dde37b8b46b84ace9166a

SHA1
3e2e96583a047defe4850080168f0fd8353f982c

SHA256
868b7367f4154a3480f03df4e4b0032c2112c0bed94339b88834fa4154b0badc

SHA512
93eb3ff08fcb574de38037519924cb6e9984642be35a1bd0f8d467c230f4c0dd15e28f7d5c8b1557796cce9cb7cb265785fc9cfef3946d09fd3975f46dcd9ab8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
256KB

MD5
6a0b815ae2098bbb37bcb5b773a12b23

SHA1
44eebb0da4c60efaca6f2290bb8d0de1c8cdadb7

SHA256
49a757d177a56d2073770d1652cf39cdf3107107230c901ffb27d4c1f9992548

SHA512
8d1a69b943dce8b33ec03137e6e1fbbeffd6a87e7bc21a4c9379f31ff9c893057c16d7e27d926581abc22f750d263be10acb7730978b1fd52e69cf0c9fbdf5eb

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.2MB

MD5
b202a4d52ec0c7640fcb9cf3f3df19ac

SHA1
2e308ee83d6e73e9efc6ee1b67b1137b641864f9

SHA256
3a5a4180abb2cd659e46e114a990ac32e6d7a679327a0b15ce2f258f920e9a00

SHA512
4f753a107e2ebc674dedd646f4c2a549a9e8536b49b17b30173ade4b5791fbbbeb0d184189be3cdae186fb600661b7fd07cd0d89e012c1a4baa7d518fa0c2930

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
4ec6965cacf7215a2c1b89a1228d6d2e

SHA1
740846dbf49b842c7eadd8e9e2dbba0561ec5575

SHA256
762cfa93fd9000c112abcbedc83f9b10eb3843910ab5d748d0c874acc18a30eb

SHA512
2fd5ed5f2bc589bed124220896d2a2aebddb37454fe4a1e9a659c7654d346d6beae513e3fbb85b2d26277eef9c6b91f4590fdcb0bc25bc3baf995e58d5c6ffda

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
55457e3c949d7bcf3d582a7b78988ea6

SHA1
591a9837b16f45e3e2bc1368af1fa0deeb0feaef

SHA256
ef16b1591cc38c1a728a8b6b8d17b94583c5cd37cc1d7dd414791b822f450260

SHA512
b352247fcb28c79e71d5d703a8c40671fde16553a9d8927ce20c2e2a2589f18f0f18355a3f60490ff51281600a82550588e6699782c0a7ceb63d7b4b1edd57a9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
20ff049768d0d2f87846b7d4ea2045d1

SHA1
0576fe7c0033f2a42aeffefe10a19a5b92d93093

SHA256
c482b7ecb8991e14f5e218a26f8ee6aa0269bcbb04aedf81edef4fb7d911db20

SHA512
5ba9e7ad5ba7bf3166d8d24ba0de73c26701a0a843613f63d60780fdef99118c7337d202db77840315cdedd8a878872ada8bacb380d3a4dfd14d6b84a856a01c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
af7b498e1c548f936eae68e1ceeb4a4b

SHA1
54aadb07e9a5b66b83684eb413b23af0e07c1c27

SHA256
40bd7e5cae666b3cffdca053682b4f70628d78ef8737d5ead37357c1047289a2

SHA512
1f52bf0d0f7909263dca9e41244b24fe30037d070ff75bd3f3cc5074eeea9ffb1fb18fea5effef9c46fb029240b211ac927785eb5985ea3fb2ead498f698db58

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
ec9484d2618281f82cba14efeb8535e0

SHA1
3f6bf6ba9fe80b5f04922ea52e21910a602f9c5f

SHA256
0bf51e96e9581b5334c4a9defcb543c12d6a5ed5816f92b46682ff522c078ad6

SHA512
a50c7404d4563603ab3bd5e3d888eac814c435e49867ba76f0866742c9621b53b59e96fb62dfacbcfa82002ff2cb974caffe66b82949df0327394e1b1a3e9862

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
112KB

MD5
4d2354ef549843cb8147e0c089c56037

SHA1
f2597e5f62257534d3fb5bad026317072234940c

SHA256
43b28e8024146891cce07e60f32c09d34ca4a89c71e3e38b224144a49bb7a7ea

SHA512
05f3a45c4c762ba8035835346fea8ba2d614b70dcbd47393935d2c64e2fbcc87b1c826b4a3e6407f3a5a92690cd00b07273306881ab5816bf4bf9f2c9ad44ffb

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
0a9d335cbfcb68ea20d5aab2d8c95931

SHA1
b603395ad677b2cdbf6763b8d831e3aa59bc904a

SHA256
105b1cdc89534d195b2729f9a6b75f83bf0c99aa6a2dd3ee74de586337c22829

SHA512
246821989672c4d3b90c0c169e9901f6edbc6c3716f0611e57471315e41c700281096aa580fcf4a132f55c93b69a473ee70242ed286bf7c94839d34c4eea7af8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
69f17a5c1cefec92e3d93c00f5a8bb17

SHA1
ff864583b5dec178440d70c0661a648767b9b29a

SHA256
a866a3cb44136b52c3684ba8100732c77644501ee6a9015d58e71ddf4177b488

SHA512
38503bdb52859562ba18d63a34fe556891942097d6efaa271f94e278751c77de332342318dd61eb03c95fe8f1c197859a2a64a1ad2b487ac75bde13106194127

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
cdee6d1272e4bddd33a25d3f26ffc0a4

SHA1
eee0bf3fc57c4eea9b133ec18425e4d364e49940

SHA256
5b77ef4c08159742dee1b6813eec4a4620ebd785069a41f2e4ee73c8f3733155

SHA512
97f0ee0ee08946b468ff0502abe5dd22623bfcb74dfb94fce064a240ab47a18c2b1efde4e08e44d39f44d739136739588e027bbdca3d843a66a6d8349dcb4fcb

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
57e3a8b6bb458351f34d3108c549a140

SHA1
4c906f998ea902cfe23f7377dc37258d0c761608

SHA256
cb5b62985a5fefdc98bc0425878419a39923e1e907f3c7719e3cd8460d88c402

SHA512
0ea8a896761740b1617e202adb9d48c41b1c791e6f24d5bf51c0760ea055273ac22b03bc764c51d7a6cde67b54f2359ad13a2616f6bc0a6d908966a792ee0cb2

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d24d62cb42c94641227b8432f0e28965

SHA1
ffdc6109843fa425bee8d6459e0b1ceca48b365d

SHA256
48e5b14cae032132cf1808042d33057438dd42e5425fd3e4139dfb449629fbfb

SHA512
b82f77a89d52a9d05f98898e162188a11512226b71417f194c30b95e70b560f5509e19750dfdb561b2020efaf5a0b7d5b849656863378aadaeb2fa874302ad85

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
7fa0e43af24f44763c96e5e5a184379f

SHA1
b0bf81c3e0dc28bc21296b9760f1761d7e6079d8

SHA256
c24c776a6e54989f5e05808ea393023a4bbf0493febf3e22e3b70bcd3f80fd6a

SHA512
fe9511aed244376f00e97442842d08ece9ff490aad1be909a9e58e947314e84c4965e33ae0e42c4ed56f4450c1975603bc8997dc9c8539322eea6f86537b83d3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3f5df3f651c53f70aaa2ae8a1816e056

SHA1
ffe073dff25968ae6a550cdd122d6976ff3ce81f

SHA256
1d2c595979564fdfca1da7ed20f2e3eb2f693408a2170bb9a1d2cb5947ede631

SHA512
8a417cc415a764967db3bd223a796431dfdcee74840fd0430b38ece28331ee367ec2ece093a98dd3e56028abe718d95816a62888d50a8224193c07a6577e3e69

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
e4e2bdbeab5d92f876847c5361f60769

SHA1
8b520e9bf345415dc1731df2c7e4993b287bd2da

SHA256
19b6f10435fb8eccda6ed467babdea09b39b19c62df02f608f386deb4ba8257b

SHA512
83039dd3e853c980f2e0dbd5363e24f5a26a32822d87a6ddfaea1a8393a28c6ae916d1a6215171e9ab07c3258114ff79ac7efbb45ce1b475fbfc799aeef831a9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
d298b84e219d115feacd4a8434111d76

SHA1
1feeee394c3dd3946115a57e5cd32d49c7328cec

SHA256
075c0c8e1da706e24bd6ab214c506296d4b66cc711775c0d92fc40f95311caba

SHA512
502d37da707541c310620334cf2d1e8bdc3003a1208cbf402f9784a8b777566bba1e0d83a1d0eab3fcb00d024f4a02c3dee5fca50e8a97c365bc0ec193e273d4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
ca08a6ace9e8b7d09bdab10431bed034

SHA1
05ffc458f8ca67510bc7232ef4eade464042d606

SHA256
725ae8a546e99ba3b6ede6c065c1fafc7514a35b21f1dc93054a06617826b06f

SHA512
bbf38315cdb26feef5bb44ea51673627e888d9ab71f1153b03619d4eb973614ceff20dddf756252645415a41b656d244e5b84283c836af173f03245fc2a1a4de

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
bdfb83a005248d4fee18baab55e816d8

SHA1
302638ec2b2e0f6bca922d667b488ba55f791b00

SHA256
1be51c50ac2fd1e044ad02cd52cb28f5a8f08a5b3aeda5257b798ae62125225d

SHA512
7fee9ea8e5213e6c451904a7451e1642ee05db95a966f334a7b00bff9f7ca0c1e8231b89d6bbd209cbf85ecf67eb86bbbb1569ad090bdba3970b3b819da0ef9a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
576KB

MD5
3838a9f177912dc5e9143e0e73083531

SHA1
368fab9a3801e790cd405c6e65ef6ff8db59c3e2

SHA256
2f107f30c9e6c9466a54c705d1cac41843dbda2e05155c62b58298e00164c07f

SHA512
5b3358d354a54093e8b9a0c6d3281155a6ece1b102e3e75a49d249258c1d67d2c06b3d306a2ae2f6b6a94e5f3f8da42dd235e1ad1eb434bdbc224c0ac03c2acc

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
1ed7be37625746131527e903e0de534f

SHA1
51853f4f310047dd9928166baf2eab94e32d10e4

SHA256
3c7a7eb8d3623b54e84a97386039692ff07ae11161888918ac0437a5d143e743

SHA512
4168336e45eb66af62f2ac873036f7f171e5403b9e709eec922097304290e56b3510ff91b0c494f9bd6269591114dab6f58e634b5b55b6d6b3b0f082d709feaa

Download Submit
C:\odt\office2016setup.exe

Filesize
2.8MB

MD5
67397c26b258d88724d811acd28854bf

SHA1
8f6500383bf579198e47d38cb61e2c5370f684bd

SHA256
4b33b91a1e7bdf82074b634b6dce0215139dd8d00b752a71ebca774978b50ada

SHA512
38323309777851cee6c52c575a3e75cd95cb580027263fde3898c16d58a0a3c42b4f7041d53667a24b068effc16480837bc65876f53f1d88ece14fdc4a1a93c5

Download Submit
memory/536-455-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/536-463-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/1100-428-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1100-436-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/1164-372-0x0000000140000000-0x0000000140127000-memory.dmp

Filesize
1.2MB

Download
memory/1164-305-0x0000000140000000-0x0000000140127000-memory.dmp

Filesize
1.2MB

Download
memory/1164-315-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1280-0-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1280-1-0x0000000002DB0000-0x0000000002E10000-memory.dmp

Filesize
384KB

Download
memory/1280-10-0x0000000002DB0000-0x0000000002E10000-memory.dmp

Filesize
384KB

Download
memory/1280-7-0x0000000002DB0000-0x0000000002E10000-memory.dmp

Filesize
384KB

Download
memory/1280-12-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1468-15-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1468-14-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/1468-194-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1468-21-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/1468-22-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/1752-440-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/1752-374-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/1752-381-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/1880-66-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/1880-67-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1880-74-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1880-240-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/1896-287-0x0000000140000000-0x000000014013D000-memory.dmp

Filesize
1.2MB

Download
memory/1896-352-0x0000000140000000-0x000000014013D000-memory.dmp

Filesize
1.2MB

Download
memory/1896-299-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/1968-368-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/1968-427-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1968-358-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2084-283-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2084-274-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2084-339-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2168-367-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/2168-302-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/2692-410-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2692-402-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2812-35-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/2812-233-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2812-28-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/2812-27-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2876-237-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2876-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2876-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2876-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2876-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3176-441-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3176-449-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3280-257-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3280-258-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/3280-265-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/3280-272-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3280-273-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/3540-401-0x0000000140000000-0x0000000140128000-memory.dmp

Filesize
1.2MB

Download
memory/3540-332-0x0000000140000000-0x0000000140128000-memory.dmp

Filesize
1.2MB

Download
memory/3540-341-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3932-416-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3932-423-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3956-414-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3956-344-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3956-354-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4812-64-0x0000000140000000-0x000000014015C000-memory.dmp

Filesize
1.4MB

Download
memory/4812-51-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/4812-53-0x0000000140000000-0x000000014015C000-memory.dmp

Filesize
1.4MB

Download
memory/4812-58-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/4812-61-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/4908-313-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/4908-245-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4908-247-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/4908-253-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4908-252-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4956-384-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4956-318-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4956-327-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4956-540-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4996-399-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4996-398-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4996-393-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4996-386-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download