55394c3de994d046fa7d54001dc232ac7ba5e28d1bd616642cb141f78ef75ae1

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 06:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-06_d2ad6448d65cf3b427ed45fc73e284db_ryuk.exe
Size

2.2MB
MD5

d2ad6448d65cf3b427ed45fc73e284db
SHA1

4d0924986f828c45b55b66359a94a9c929e78f7e
SHA256

55394c3de994d046fa7d54001dc232ac7ba5e28d1bd616642cb141f78ef75ae1
SHA512

72153140910440fab68364da7a8ce96fd6f703d13b8ac0517ce3e343ea3fb965547e6a91cbde7d8027e314a95954b86f4b7d63297e61f8ed1bdcc2ffc9c1c7e6
SSDEEP

49152:bWWu1zKeINNj2bchBluP3GiyJKDeDmg27RnWGj:bWBcNj3ZoSD527BWG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4680	alg.exe
2692	elevation_service.exe
1000	elevation_service.exe
4768	maintenanceservice.exe
4100	OSE.EXE
3028	DiagnosticsHub.StandardCollector.Service.exe
3536	fxssvc.exe
3124	msdtc.exe
956	PerceptionSimulationService.exe
2820	perfhost.exe
2708	locator.exe
4668	SensorDataService.exe
3400	snmptrap.exe
3876	spectrum.exe
2548	ssh-agent.exe
3448	TieringEngineService.exe
3376	AgentService.exe
4172	vds.exe
1608	vssvc.exe
2292	wbengine.exe
2988	WmiApSrv.exe
2300	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-03-06_d2ad6448d65cf3b427ed45fc73e284db_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fac9404cc4fd1e7a.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b8cb8031916fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b077c31916fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000099453931916fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003e7f5331916fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c246c032916fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ee07431916fda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000035e4bd32916fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000df72a31916fda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000151b8f31916fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ee07431916fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000079322631916fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2692	elevation_service.exe
2692	elevation_service.exe
2692	elevation_service.exe
2692	elevation_service.exe
2692	elevation_service.exe
2692	elevation_service.exe
2692	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	644	2024-03-06_d2ad6448d65cf3b427ed45fc73e284db_ryuk.exe
Token: SeDebugPrivilege	4680	alg.exe
Token: SeDebugPrivilege	4680	alg.exe
Token: SeDebugPrivilege	4680	alg.exe
Token: SeTakeOwnershipPrivilege	2692	elevation_service.exe
Token: SeAuditPrivilege	3536	fxssvc.exe
Token: SeRestorePrivilege	3448	TieringEngineService.exe
Token: SeManageVolumePrivilege	3448	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3376	AgentService.exe
Token: SeBackupPrivilege	1608	vssvc.exe
Token: SeRestorePrivilege	1608	vssvc.exe
Token: SeAuditPrivilege	1608	vssvc.exe
Token: SeBackupPrivilege	2292	wbengine.exe
Token: SeRestorePrivilege	2292	wbengine.exe
Token: SeSecurityPrivilege	2292	wbengine.exe
Token: 33	2300	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2300	SearchIndexer.exe
Token: SeDebugPrivilege	2692	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2172	2300	SearchIndexer.exe	129
PID 2300 wrote to memory of 2172	2300	SearchIndexer.exe	129
PID 2300 wrote to memory of 1520	2300	SearchIndexer.exe	130
PID 2300 wrote to memory of 1520	2300	SearchIndexer.exe	130

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-03-06_d2ad6448d65cf3b427ed45fc73e284db_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-06_d2ad6448d65cf3b427ed45fc73e284db_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:644

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1000

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4768

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4100

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1688

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3124

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:956

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2820

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2708

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4668

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3400

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3876

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4424

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3376

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4172

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2988

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2172
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7b8a01b66daa0938cd05e8a67981f096

SHA1
887b1037e4af43d2d9a52e4cf73dc1b8d3f46dce

SHA256
587109427d653af39decc7cbe6aa011ba4c3201da8223f91fc81a159c48baa63

SHA512
fbeb308691d1f3ca4d7eb2ff64d7420d786c2300605396114969e343ae4079e7df4fe27f66b80da54d5b593f1709b4dc90eda9efba0b18203882dfa31e0bf157

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
eb0a6367706f6c99723308561a6a2994

SHA1
2895827395489004d1820935c0d5258659f761b3

SHA256
afdfedbfade4572e30818608e03b3002f05ad9a6fe43f9714321ef1303866f99

SHA512
244a643e8898bcc68ad7f003bd983c42bd5ef5bce51dc8bf190bde2cda4d0c5815c2023a76a0a436e94652e646bffee7059b2b91f927db9145b9f7198273608d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
084c61035b9507a6602dfa125817ee5a

SHA1
ab760811f3dce522203cc214be3f1b828a6de23c

SHA256
9055e1e1b735fc3ffbd7adb0d58099dfadcea2f6f9fefee82ac09ea0ecaaf2d3

SHA512
5eaff84bea3f8e5e673dfda5e32f5fc192fcb7b230a4313962de8febca1b854aa4d7c45681e2181cd11f9068c4ede83de7d4d36f55498b9fabb648979f365354

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
3b235dc2ef96d742688085097f5047bb

SHA1
eb8df47d8baf94f90ef4e35cb3b10ff12994e33c

SHA256
698eb5988393f4e8659052d00647320e76acbb9a222a0485219d0199ac01d03f

SHA512
01e1426a4232659d34d2eb9a9e40aa64051568c8bf1aea8aa21baf4d8d5432c6bc55f24e5716f2cfcc7c0f3eee1f19ef70f1b11a4a6f6df59e95e51b6d71e91a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c11c6c691d70bff7d4d7b762633beba0

SHA1
81254d39141e0be8dbf1f143af7bf65ec90459ff

SHA256
08e10c0cd2711a53ce2072b207a8f104c9f9fa18614139c37d6715a63a7e7f70

SHA512
b24a35d69f44a6053ec30443e0c8299a0ca44e81d3ef52b4a9290a50b8449237e6259c9e3fa3bad10df2925315434a778ed96135a077377e8ce0ecfb9fa1b9dc

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
328438a31d963ddeb1ee77cea7d77b5b

SHA1
02179102d5031e1c66206201277ebe9d9d55f33a

SHA256
f4d620499fdd841a2fc671b57cbadd9777dd96564e380c35a19fc9b1357b241b

SHA512
be1f154debe50de3ac157188094542671481d54b5fcb0977c3c478c746e3870ab4dbd8486a5476bab2ab4b8712ab522212cfd51b58fa972fb547fde9a3b2adfb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1024KB

MD5
e28e2e05ba7ee5c0f2a0ba6ba3746af8

SHA1
34c93c9b26f9bacd7cf7c2d8591ba65ec595af34

SHA256
557c37ca7410eefab79ac04f8c2d08a7bd644f3554fce90888a6c02959acbe10

SHA512
dd4233838ad5d46c085b0483d2b400940a58222103fca168b52df580f1f8e69240335a2a2a069af9049cf6664092be05f76c22e23af35aa2dfc6ab709b09287b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
1fcc20dd12cd16ff3ae16d6c00350633

SHA1
ae5ff82d9f62de70202c0d97ef53cb686b4535b3

SHA256
8df67c53b7342727c6515b4a2f0eecb21e951ca90bd2bd173c625d1c09426e94

SHA512
9421583a03df9697e5d2aaf99e5f944b9faae58be7c401eac39d604ecf8af276ebc2d68323362c2d1867c607ed757dc8f3334a95b0210ddf8d80da88270a4081

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
5d9c441bf73a83aabb9113a72752b432

SHA1
8a2e414640b98ddcc54b8a45c42843de9ad844e1

SHA256
6237480c13bf5ace8be1ae0df131c49641ea5c60b2db21134d355353feb8a530

SHA512
f5275e03830b6d0efe578b6f8d44b77d9255e3206c350e59d3e152fa3aeeb283fe6c92c75dcb0d9877fd214122f511fd50a6f1c1481b512cd5f9f97711e2fb57

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a6e5cde6f48c89e1bf5ae6f10fe3f7ab

SHA1
51fca4565999c7f3723705de3751574746a1de01

SHA256
234abb89a0f31a8920eb0a54d1cd6223f098f8e627f99dd52fb93763d8760d57

SHA512
909f892d886e247c827417b8e6cee9fd14b0016a81c5d9f5e9496f3fce5f4406c500a3a2b74a932ad21be3f6904447e66444a17d7c5edf901659ff8f86cd0ec1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
320KB

MD5
804b72e62e78db45424cc212dc604046

SHA1
c786e2bde95f8a7e3ccd3acb96655303649f24db

SHA256
2caed2a28bec1dc9f4be9e3e9c0e81b6f668ab5e7b3b20dc3153c4e552529f94

SHA512
5be881f7edaa66e0b634b32c5520d10b48fb59d0c8ec8d4bc14d9e97b5e9218e0c7a6fb324bcd4f731a4d750a980ad7a0dacf09114d8a5d140b0788a48ff4b00

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9ad9c99513a1f38cab2d992b183b685a

SHA1
84099300665fc6bf4c3886c7f840e5801aaa4c51

SHA256
fd0b3ea826766a19d9f4ca211ab77cde79f1660d0e2c9dac0c2141b7169ddd12

SHA512
4209d8c3a0a13727bba0c8ef8a668531f4af7b6c5b893d3092c6063d60b1de618210b49f7904fd03cf12f84b1baf732f114128176df7a33aad5d1972a45bec47

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
561d7d08a90f3034e5818bc51d8fa507

SHA1
4397a3d2121e2a5c64f2d754c6386917e840e239

SHA256
92af1e3279d7f7b9d042c90edf0729f6f84ae3373911ce35f6b56d759e1533e4

SHA512
683a38cf3a7cbd34a614469f6c01b69f1eaeb06662dc8b23ae661ab16c5d69cdc8588de5fe010f5ca4c1cce44e720ad1fdd7cc0da0f8e1dfb78d9a5732f90b7e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
820d431b5374659e9716fa65c3f999b1

SHA1
6607ccbecd219efe2dc96b33a48369ca4c39dacf

SHA256
7b4a76487f09486f048dd1c4fb8275b0f06c510f76f29ce59f014de33ea3dbc3

SHA512
e0659fe0bc46f2b7cb0c54e536302fdd173c380fad892220b0dcedaa818a37d3668d1f486dbd3dbfa008b696e5fa1da4d9cf8c70c333fc01a2814af555058d1e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
23412d6dd659c2d7fd0d41d6ebc6e561

SHA1
0f144c9ed0a0e76462d6689a5b35a825e31c2365

SHA256
cb722b818818ad3435ff63720639047de9e188ddcb49119886544bb82549b491

SHA512
0773b3e0e61ef45140757a78fa5ca3be257f52ddc6fb390137fb0c55394528e830208caeef95cf76694a3b6bad5c05aa9aadcbc357393acf3419b1e065612b5e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
6e79ba961976823ea4f6049684cebfd8

SHA1
970890ff91ca42240fb6d211acd9517422db6989

SHA256
c00bbd3b612826f7f533a35085d5a5b1f563bddc7b7b72438dcd34b6e2c266f2

SHA512
a82e4757c8df77c1b487c584703a9fabe2bd26d490d1462eb0679bc1d14fb758a5c13ac10709a35f3b9f5186d12e5005048c71b25e79dce677d672dacd448956

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
2e7cc041a1bca0e162038a394506cd63

SHA1
a30e97f50db8923ffd3ff6707968ddf5c81b74a5

SHA256
8b55af83d03ccf18f219450fa4d91a48d300bc684e2da84531db6c03f36c4fcf

SHA512
7abd94ac8a9d7754680f7edd2e5a241d9abed9c03a1a111dc42034ae0ee4ea1b8f3032c1acdcb0195d33008d8db105d3c2546f2d41000bd4f46c79d31995d993

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
ca9fa7876d5543f7dd6f5858f15fc9cb

SHA1
c343ed4b3e9bc891c215eb9714c9fca797c6d426

SHA256
8d5e5b2062db8383bb19c6bf39bb4933fdecd38e8706494e1ce12fca3a97bef1

SHA512
f7e336fba8505d69c56c42b227c1873a38bc7867919d2964640eef8a9f6587ba47b83d5645ab514fe8fd19f38932c32a89564ee7aa0fb3e5ada25809a6ce9d64

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
3682509df41977e4eafb10a036844bff

SHA1
bdf7030e6712c434fe035f67900d531d066b70b9

SHA256
51a4492056a5656329bc200c8ba6664a0b62a8bde88775a0f47acb326aa3bb77

SHA512
59e450351a8782b4bbbc464a518db72eebc9766eeb6c949eb99c1b91f1882cc670ff1d56b055134257a639900f65110a467b433fb31ebff57cdd7fe3b2c1313c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
51bb530449bad6e2826f7e11c0cb26e3

SHA1
ed8d6d164690cfaa5fee842c681a07252354cd95

SHA256
54b4ae223b7d1804f96018cfa059b7dd7a50e8c0f96150e4483b4eb3c3ddab47

SHA512
a895b0f5c980196eef3ab3b96f2a82b5a2f1310c15b4de14ccef6cadc658ee0f225863c5dc7c4ae4aa28c196c6a5690c6ffe9a56234139aa1865b9c4370d6c9c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
e080a3d74c6035f015411e1ed39ea6bb

SHA1
d7a8abc71c1f21762bc3567517f26e5ed0bb441e

SHA256
132e667068b343065f8b60f2570631a532831193da44b88446326a7e79f39f1e

SHA512
bad268fd633b10601dfcc1e65e737f1152e8833365036adaa2355ad0aad77d5c024823b8a0ecdf7eb855f2c04b8948c108aeb25277ac00a8e040d1692b66ebf3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
d23de644d0c6a52af14d221a11c16190

SHA1
29183b82ab41500285cc9a3778f3da3c0a368977

SHA256
f340226c830c5d9d152e8c00b6c4c5ce72f99b953666c1c2e69086f5f1c3317b

SHA512
f646246832c57ce6a10998a2130ba33fb162b69f8bf5095825639f53a6621f347a16cca609f9b4df1711a6129d37aa897e4de49a3c966647c9668a18f76b1872

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
9040a108cb4fc34203c696db30320892

SHA1
bb1512a63ba7dc844b82d4b5642d09f05d7a41e0

SHA256
ca7f9596a102ba188671ff58f243a466075b9d733eef3ca17c12afec324439b9

SHA512
8729510a71da5b695cf7c96aacab6b715f47a955662edcbbedf6da9f742089cf5829c5414ed59d5cb18701dd6c3babee026f0b055ddeb7ec9b228969759f0079

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
a01979a0155787684c75a5d30d6db277

SHA1
89f2fe6cbfe06e49e5dc03edd6f382d04d367806

SHA256
b2b842adf7c26c9b08f0d19e89e3a8c915e864f50bb072a7a92301f4d59dd370

SHA512
2a533206ba980ab13d12a6acac107935beb98d458ee6dcab3e0e96f20a316f2df96ef6132158212a7024fbdacc1138f7864c3e3db7ec84655ea7233c66333f5d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
5a2e300c0563a35dc81781287fe382d0

SHA1
0538d382d65dca7cde9cd56b646155de89b8f331

SHA256
31216d726b84e9ce6b483e0b2df28c64b1b240739be47f2ed81e534e4a25e81a

SHA512
be514e252d495bce786c56ebb7fb1cea1e98c7e8621c4433dfe00393b6035cb13721c75969366a062aea83bfd81bbdb53dda0bbd93a9ccde2385743fce271bb6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
029679b62941231bcf61ff88cc6ff5ba

SHA1
6a4e83b2360de363def551935504806eb962c183

SHA256
be97d9c555c7b2c4b99c367205cae8b4f2f119834066ad5caa1aacff797eef8d

SHA512
6a8e6c75cecc963e444c40b26290d262cb9342b2e13abd422b0818d543b0575545f7d1b93e8ad267a364730ce78aa151a43501796540dab89b34554aad89cffe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
c39607a3b17b41fdb8eadf08401d8d22

SHA1
4702ec812df02a059932dbc37a1b04617461bde1

SHA256
59a825bb29b9028883b83729a72e90b660d74475db2729ab0ee33091c4b76ce0

SHA512
261f46e8e65b49bba88fdf658469d302630a53072e494f347ba8077a145db83428f8295f0eb5f93dc87c0df93e95b3f81c9d4d6aef6a08f65a0f894c47769e49

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
cf8e31660a5e744a14ae8d836ef4d45b

SHA1
7042959360a481326fef67784e47092e9bde49f6

SHA256
542e9928d915be9ebea4ee9963266d4b518cfe96a26f9282e167a9a7b65e3b2a

SHA512
5f73ede2559690efc221415e8ca184f56cc6f4dbbf08c2bddc12499f847a7d60d997f9ae31456ea748c40ee1629b46a46457d1356f17d6bcbf11c11c929e5303

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
62a85e69a8a151c647f5b91fdbd69978

SHA1
937964d54cb260fa1e0b010b7d00bf764e25fb72

SHA256
42e7e2a3f2f2b5d220d0faf12173568a65fea403b3cc7f6c8bf2317081e92928

SHA512
09f48d64ce73dc1f5612d0fcf2ba9525f46ed0228b07bbc07544f96fce1ca3762c372642da76559b94d03ac7f7ff72855872a9de94708965cc47e0c6b9bf43dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
f675e86c6d913a44148a89dcdcdafb3a

SHA1
33f8f58121a38468516623bac9a724a90164cc58

SHA256
27552502e62d9e2cb3e7280b36560cbddaaad3e316091e78f38d064039f6748c

SHA512
c5956c3fdeb09038caa77ac80e2a24745f0f482140ba1820ec155f97806477ae2fb31f09242b4c12d7884ee749e4dd6b6d01e1c9e64a1f7418e6dd6fbe59e8ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
97d91580bc3992e1cd015ca9dbeb8807

SHA1
b392302869cc32a5fc50ac7fb8c853396b726ff1

SHA256
071f1e8760e1a5b807b5fce4731cf9283cab5a7231b66e774a4ef6616e862461

SHA512
0ecbc0321067dfa2ae847e0739b6693f8a8b7eee7e7c01b3cd48bdbabf778bc2123eba439cb3a4fa852167db4166335898bec91d6d118c4630f1052f3fc9f1ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
80b8ee5cbd8c6a77578c8c0e8ad899ab

SHA1
305d03f83052c24be4bbd07ef6421ec21b27cae2

SHA256
a249dba27b8d66d94be12d5a930893f64a774363bbd9b48ed1c00b97264b4abf

SHA512
a862458c3a296c346b8c2c43e745c3e5e2593d3576db67edcb121e8ca48d691d7f60c0198ebc96d732ae8e3de7eed49178cc21ab7d9ee5d01ffc9414763f17db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
98f623f4b74a0c729b413c09b54d9cf3

SHA1
b8d316ae0ef58da3770f371f39af8ee6e462e850

SHA256
f4026b95cf88a4c14b64e21056ba814ec11e4a2ea88b971fb5a9ca118c31d623

SHA512
18ac6599f8b84bf0f4698ee775c0c8f557f58dd0be80d4a3db973607980508d3e720b5681201ee5395b3433b7ab0f31fa80e492f69dd76a8226aa1f80610301e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
24be52664eb457eaa63d2852d1e062e9

SHA1
bafbf4a4d7780ef0c8f3b26e2233c000fdc41565

SHA256
69ec1b7ecf643b895beddd8c9ac50968363b636afb836d176ee7464b6d99daa5

SHA512
0a4a23c30437b3291a48655d085113b3dae8dcaa5d6d5cb9bb6e0ee30ea85e1b37c3effbcb241a561aac47fcc00329c1b1eeab2cefc0233a840d404c111c9eda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
a3ce5d67d8d55795645c937867ce7c21

SHA1
70ec51dfc9764e36d94a5b69146453725a93ed21

SHA256
3934aedae21d9c0dba84bfd24ead5b8eaeb658aea7da74e0f476e7f04ddbe907

SHA512
b672f377d8ef0e6619bb6efe7ea315cca6be9cb58445307919c9e774c79fd33a56de2fab06faf7444262d179d89534686dcfa3770ee55c2b3f0bf7ed826e82a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
7ddf0953b75ae0dd4a2842f7c16cb3b6

SHA1
b87d5bd13b15280b17051ee5b63f39671a99e853

SHA256
4999ff891aaca22eeb76cc92c560c0a856d26542ed913d088a25ddce753e5cc5

SHA512
5c7bc8c478f719f27edc7525870fcd1d1b24521ad919a877fc883bb02152e842da0d3eccd7a54870fddbe97ac03235b3e75b51f9c12f9f04b17a004d563c29dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
256KB

MD5
f45dbf1118d597815da36923120740e8

SHA1
d823c60ed677146dfd7bfad9575f71c4800a9304

SHA256
7fb69bca104cb4d4ec87c63b1ea86a421a96c96f178cea5ead9a4c731e9ae23a

SHA512
b93fa339dc689c98a3a827fb5217c9ed07a74937fbe427c26817fce8ed974d875f0dda39e6dc0aebddf2010f403ad57273847bcfcd2aad27c71874f822d3c0f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
256KB

MD5
fa5cf6bc02b8110149c28e26278a5694

SHA1
122e16dc5f4a2c3fd1ae39a0b7e6a267cddbd646

SHA256
a7a8cd0438e1e6ae0d53f6f739e47d93e4514ef202384fb1106d9d3b4cee678d

SHA512
a45a479ecea4fcdeb26ab3f36ff6da9cb201016529a4afb6962f84148a137e3e5e76c4367410c620dba4db7976a217a68a176f21f78f4867d51e78592392545b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
256KB

MD5
64455201477fb44d946f54a4ccdd6a04

SHA1
5070b81541e5307ce69e77089d1fde96699e406f

SHA256
8197b6c8bb9a96f0cf4c2fca304d8fc2413d2eb8aaad79cdb174abaee72478d2

SHA512
ca0ecda50a9f25ceb7e001865940ac8b956c5f5e8cb76b53f93b751e739779a40b4fb2d7fbe465b0e61ab56716dc2d2d67b09e20b1d09cda5abea29541fc3b0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
192KB

MD5
23302386ec79fe7f7279f44f43fbbb8f

SHA1
8b9cdd293360f335f5580318550b90cccb5eb82b

SHA256
ae55e9103c0bea1380308bcb0135d7d8c693ff158635f54b4a2b1b0e1e5b4f14

SHA512
26cb622a16031e266d011c1f34d161889e1b68b6fa5ffb40ee33f5d02bc6d5d83c2d82a4950e017bf94474f3f2e6de8152f0f6cef2f0d4840a7b4d6011f7e3e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
256KB

MD5
cf728d08b23c2180f2db020bc55344b8

SHA1
acd699869942324f5e3aaa7b95b3c0a4dd7b16ce

SHA256
aed507e449a69addb9095149670d4a47dbcfa68ec408178a84eb22b539973d83

SHA512
7dbd1b41d3914e059c05c9d72cdf53007b3789394527c419f7c23cd3e28a29f2e1562e73e719b788f96567bfde03423433d3b2e7ae5d882a39caa074e4d59948

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
256KB

MD5
46691ecb4210c1bc0875cbd11a31e2c6

SHA1
2a57323da2a8ff54be6b6150de1418a6cb9efbaa

SHA256
b4c8bd6c2d7fa8c16ab154e4aa10f0555074db20e093a2a3be8e35dc0de67a31

SHA512
720db3141a6cc4b839108aed8c662bc55f49bdac6877db980f16504f17f5a021e87de7dcdf38b8fc287259a516e3ca2a23650d468f94aac991df8927226c1f21

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
3aa2faa5a49ebca4e91f520e3f036f50

SHA1
90784e27a9b77b0e37990fe19331eb0c4408373f

SHA256
f772415ae9a06c3edcb84bc9b215b15afcedaec09b9df272b71a60e90a97ec3b

SHA512
cf78e1875037bad8714b273be9c67952704c30f0a424cc073dc670da6c01897f48a2b1f80c2efc6c867ed07692b84833ec9b414ebf3b25153c17f81b32e891e7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
5672dd8044ef5e56a5801240ee8935f0

SHA1
95eb3a072095c6b10ace6a24918497c071453bd6

SHA256
b9eb6007870f2db152810e84f9ef407e15eecd8c29b22e66b97169537b83f4e8

SHA512
76fc78760fe337b0bd55855f45fc6ded25b12b15201f1119872a805e5e21897323e567b0939280059cf2973d87fb4a769c05bcfe6c2adc184931476e69eaf2e0

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b94a2807298bb57516f28711fdb7a26d

SHA1
cf967d6d841308a67b9781fbedd73114f584faea

SHA256
bfb67167177c9a408a85d30948dc72b10fb29f252424a3e02cb07f2e9e31d7f3

SHA512
ea9c85b1e29658fec3cc78a7f597cb713171060c00f0e55a5a2c5f9753227d8a8e4b0fb5a22c9125cc697aaa68a6524b03d1357faf998eaa4e37e3ad7f1921b5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
26183a0c97943124d508521f92460e04

SHA1
076a1cfcb6f24b3ab0cfdd5d51b6867d82466b22

SHA256
3c2588edc0e8a1fc6423ddf5c5e82807201e7c20ef66357ddb66f0808ab67350

SHA512
ed5163e7c1dc81d6b67fe6035fcb708449219318916a0a8b0e8859af371ab3f6b8ab4a74dab6c7f4af9df06e22336d2786c006e010bf0bdb3ac72ce30118b8d7

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
69a4954b73b564bc6459d43b567ae6b3

SHA1
81ac6f0ab7d16e993f249613a092e36e5e7f3f61

SHA256
916b48d814196ee27e721611e7f4b8ed0a86ba546546427d4989eabc92038f4e

SHA512
bcdb2e401d65104cb2e270e50975817c4d995699a63e6699004738b7dd90a25df51ced4b40673844f9d4b3b467bd9e066b03ce21b84fab1f2788bed73656e97d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
807bfa96edfb3661760cfa12a6e9ce13

SHA1
7c4073f890f1dfc0eac0f56873f54d54784551f9

SHA256
28f54000c8b9cd283d5eae6a70220bdd5a8c35fe58ebab64a9b97c6ccfe17ea2

SHA512
258b81194047792b4d7a66770661c25489f9027bc06d33a7fcdf919f1b0e0068fd152b51e8102f6db2bd69432980caeb952a7e35ad29ab54166854e92b112247

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
fbe8eae8047e4b9cf31a24d338db49ac

SHA1
5783e66d5a5d7fc51bb5a7277a5f160093a5b321

SHA256
60e0c080145251985491025c4d869f0754071f17a344b5cef3e0ee6fe6fa2fc6

SHA512
9843692d9f188b4daf55ffed2efcbb94c3d14ca62d195b2e703b2cdd6df7ea1ee3fffa6dac12d47d3a5737fc97bba6084980eeec656269ae1f4a5c236fbc1c9d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
989c662870050fdf24f8be02e3571cd9

SHA1
64b64ddc8adae25492812f27217ba67502dbac75

SHA256
b83cca1397bceb2b7930017c74b9f49af66067a7a5276e3563442cc720bcd7d5

SHA512
d43a2578236c0d49525719197d6e6587060c7d0541ac0bcc75dbf79c7ad06da5dabc3c470164983979effa29ba37c72a1f361ce924c38262bcc7990cd35b19de

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d9e705eb8354b8a45be1901cbfc95397

SHA1
2392984f43ccb989d7481d44116a21a8154f73e3

SHA256
92143657be03479b6b3554ece37dba3e0a5f6d3385413041f58e96e7f7631c44

SHA512
4de9c33aad69f99bb35a61eb019a45aded6a8bf2024976c69c0a7bab1edad7791fbaaf287c64b117b2ff1295973b8da67b306179294b8b95327ef8e58bd90c73

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1d8b1d84cd3982fff95fdae9bf81c10b

SHA1
286b5db5dd4176e381f9741d2b9eda6f0f94a9e3

SHA256
21d0e977b0da55fdb16e04a6cff1952c0a611300a6444697a8f5f3638b305801

SHA512
c7ded35ad1628e13bb3c52df17c9032ce185dd15cdb9e0602c140abc5f6a92fa9847052d59d8442f03f3e07f597aabf7fd334a108cdfcdcefff77c7dcc622ac4

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7d8b564d2f6f2a9bc79bc06c5976aa24

SHA1
ffb50c9db7e0e26f23940309e19b741fd8ef9858

SHA256
fb8babea74f24ad6d887a4bf7ea66654e98fe5e9db4818219f16072e62cff683

SHA512
e3ad03cc72df17c30da9f8f346ed2a3ea16cb58bb00223002c6326b72d113ab18aae066e1170a483d8e34677cfcf47a8426cc24dc106fd0f230d0a981d6a4530

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
2fc40816d12e0bd41b82b11dfc49b524

SHA1
6b4afa6d0e9e951419c52b6c1f5cfe3756b8e128

SHA256
6819478b256b70e8f272fcbc1035479f298d3ddce9c1e1b1fe107d39665fdb33

SHA512
2b098ec1af77dba48d490747863efa38dc5deda1aeafaeaf9be8a64bb3c8b46f98c456df3be7901124ad177c56787645836b134a09ac0d1f38fbd789378b8fec

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
1.1MB

MD5
7884bcd2b80e6858a12a7021e7b36d51

SHA1
85529178ffbccf162c0eab003c8de7dcfdfc53e5

SHA256
baa7590fd12bbafd7c718ac1666886d7f1d75704b0831571bdb0e7d137d90399

SHA512
10fe0c274ac539b956dc020ae56a385c1027267f6c4f01c2ac95d57c0b490ccc75f7bd320f9ab5ca92fc409993a79fb821dac6277c463af8a9a49e3467c4fd0e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
2d0edbd5df7d2c22624b4a1367a56bc4

SHA1
02063fbe5352f403f81e6dbffaa4ddaa691d038b

SHA256
bb992ee5e70c1267b8f0a0175d2ed6b14f4cf9b34124e41f6edaf1b419373149

SHA512
01c38e1cc1195077f5a28e64aac9a00734674b855ed87a8e3f9ed0db4a1731f710b7f79ed736c740937031585dc8e0b657221c7824489148a8db46947640e8fa

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
438bc22ff000ed0cc0d2872753453a7b

SHA1
e6e8cafcb02360024e7cb008a7adcda0a6df0c08

SHA256
b9f3cd16d8fff7299030a4c927139d46e73ebe4d57c61ea23ef4badcccecfd99

SHA512
a4d550d22b65c3647467ca88c358f2df4eb1cb2fa3136c006dbd5f9f82ca7c9821bbdeca994b8a6ad794475b1ccc460ac3ffcb702ffe042d9e769e7c766d6354

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
10b4c76ec1cd91fbcbcaff70045b244a

SHA1
e93913784cf9ccb6581e7ea12b5ed9e58bc97793

SHA256
ca3eb814002cd1ac2ad6cc4007ef7e288a3716d34232a84a14f23a42bba6a058

SHA512
8beb38ce87c20fa5a3f0ba4114ec3315f7c9974ae40ca513abaf31b5f513b89a6650e78246cad2c367d9cc947c025426f05fde04ba0702acfa6913db856a5bf2

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a2729db42a003b3978e62554245d8968

SHA1
6383fbccdb96af09b8631e9ca3ea2a41e2256597

SHA256
e4e9360ff4fca6889136f4aee8bb4f64a6a846649f58013e3ecbb95ab6d9c4f4

SHA512
d7d3dc29b48f3eb2067ae28f40496951d3d33b724c1e9a4d71cbe6045059b7dab9eb53936e0e9133820783fadfeb2fe92a082efffd6645b4b398b5b025d38c91

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
25b8f7ab811eba44cb1b7a141bb107ae

SHA1
0fec5e3db00829348ea27d9ef74f1b7366425a21

SHA256
bd7d01521416d328a04a12ce209f8899293ba9bdd69b99c597d64f0fa2b812b9

SHA512
394a7ae6ca260b7cc799f6a1610d390b4d650c254a3a42ad49d361a92d95eacf5eb4dd3fb8954fdc6ea2ef36b085268e757bc65012e7b8803617220c74a47edc

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e412b8f4e1c4e31af906bb00d3ef2b09

SHA1
40a95e2425013a60f29baf70495a103547894992

SHA256
9a67dcaf0f68711c7592f00df044f4e7e7954322f001e69366ca7cec1f18d359

SHA512
49d2ca1a05adb1ed5c55fcb88bb137b4b940baa45fc2ac511863ba83d577936705f31dcc55c98d2e2a519b28a7a391576a78cce2354414a71d241b3a77b63522

Download Submit
C:\odt\office2016setup.exe

Filesize
448KB

MD5
287dc89baab0ba4b7934ba2452134b93

SHA1
4ba245cb276e36c630d07de8c00b98f57619f8b6

SHA256
779100c9c10434cf0a4c9b14c247ab987f32e3be81a276e06952d008914b3746

SHA512
f9441a24cc76d0b0cc12629db9016f252cb6017e2e40dbabf5e3e2d6bd55ea6eea11390c738d9f4e0fb6751e48165688939ca67d8857e32272eb3fffd2ebf101

Download Submit
memory/644-0-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/644-8-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/644-14-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/644-12-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/644-3-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/956-291-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/956-298-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/956-352-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1000-237-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1000-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1000-41-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1000-42-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1520-549-0x0000023E1BDE0000-0x0000023E1BDF0000-memory.dmp

Filesize
64KB

Download
memory/1608-423-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/1608-415-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2292-428-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2292-436-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/2300-462-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/2300-454-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2548-368-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2548-358-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2548-427-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2692-29-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/2692-30-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2692-37-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/2692-36-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/2692-236-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2708-371-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2708-306-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2708-315-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2820-302-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2820-367-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2988-443-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2988-450-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/3028-253-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3028-245-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3028-313-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3028-246-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3124-340-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3124-274-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3124-283-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3376-386-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3376-399-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3376-394-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3376-398-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3400-401-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3400-341-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3400-332-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3448-374-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3448-380-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3448-440-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3536-265-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3536-273-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3536-277-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3536-258-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3536-257-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3876-354-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3876-414-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3876-344-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4100-68-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4100-240-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4100-74-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4100-67-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4172-411-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4172-404-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4172-544-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4668-384-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4668-327-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4668-318-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4680-24-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4680-231-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4680-17-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4680-16-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4768-62-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4768-53-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/4768-52-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4768-59-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4768-66-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download