0508ecdb0aedb018483511de1442c26ca825ef1046622c1736199b8a5ea6b268

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-10_90ec6e1a35aa8f43b7858c80c367a16a_ryuk.exe
Size

1.4MB
MD5

90ec6e1a35aa8f43b7858c80c367a16a
SHA1

f54ccb475d3fe1ac9e96a0c1da2a72089d1a834d
SHA256

0508ecdb0aedb018483511de1442c26ca825ef1046622c1736199b8a5ea6b268
SHA512

ef3a8f7ee6d69c1aed3f7f2728e6260b725e35fb726c60b9f74e0ca7c538950f7998aaeec147b7eea97c07d3be61a2ec9fbec228015d87340c01a9be2bfb2d1f
SSDEEP

12288:4XD4AZzP/w24lhdMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:ZANw243+SkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4772	alg.exe
4968	elevation_service.exe
1520	elevation_service.exe
3976	maintenanceservice.exe
4716	OSE.EXE
1312	DiagnosticsHub.StandardCollector.Service.exe
4724	fxssvc.exe
864	msdtc.exe
1408	PerceptionSimulationService.exe
2368	perfhost.exe
3592	locator.exe
4492	SensorDataService.exe
3152	snmptrap.exe
2296	spectrum.exe
380	ssh-agent.exe
4276	TieringEngineService.exe
3200	AgentService.exe
4980	vds.exe
2108	vssvc.exe
744	wbengine.exe
748	WmiApSrv.exe
4796	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-03-10_90ec6e1a35aa8f43b7858c80c367a16a_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c20bc7b646f975ab.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79656\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{6A1BB60F-884E-44C2-837C-FAE44753B873}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006eedfa52e072da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bfd0c053e072da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fdae3d53e072da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f2558152e072da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008454a052e072da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b2dda952e072da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000071a57052e072da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007aa0ec52e072da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4968	elevation_service.exe
4968	elevation_service.exe
4968	elevation_service.exe
4968	elevation_service.exe
4968	elevation_service.exe
4968	elevation_service.exe
4968	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	964	2024-03-10_90ec6e1a35aa8f43b7858c80c367a16a_ryuk.exe
Token: SeDebugPrivilege	4772	alg.exe
Token: SeDebugPrivilege	4772	alg.exe
Token: SeDebugPrivilege	4772	alg.exe
Token: SeTakeOwnershipPrivilege	4968	elevation_service.exe
Token: SeAuditPrivilege	4724	fxssvc.exe
Token: SeRestorePrivilege	4276	TieringEngineService.exe
Token: SeManageVolumePrivilege	4276	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3200	AgentService.exe
Token: SeBackupPrivilege	2108	vssvc.exe
Token: SeRestorePrivilege	2108	vssvc.exe
Token: SeAuditPrivilege	2108	vssvc.exe
Token: SeBackupPrivilege	744	wbengine.exe
Token: SeRestorePrivilege	744	wbengine.exe
Token: SeSecurityPrivilege	744	wbengine.exe
Token: 33	4796	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeDebugPrivilege	4968	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 5388	4796	SearchIndexer.exe	128
PID 4796 wrote to memory of 5388	4796	SearchIndexer.exe	128
PID 4796 wrote to memory of 5412	4796	SearchIndexer.exe	129
PID 4796 wrote to memory of 5412	4796	SearchIndexer.exe	129

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-03-10_90ec6e1a35aa8f43b7858c80c367a16a_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-10_90ec6e1a35aa8f43b7858c80c367a16a_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4772

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1520

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3976

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4716

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1312

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4960

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:864

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1408

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2368

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3592

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4492

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3152

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2296

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2320

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4980

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:748

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5388
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:5412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7ae644fe55c39b253dedd06e96e92dec

SHA1
8bedb34e2c08663cbb636a8b9b111036e88c297d

SHA256
e0ee55a285cca096895c91f65d983b63580d2f821adc1f3048cb893291e15281

SHA512
e6821f94560aec9390173334e9f80575e4f1bb4c885ba80d06adbc57c0c4411c5198c2a32cfdaa57aa0f75a8489a61a4bd9ce7352811fc96f842c7041751a7c1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
92b896a9970263c914b1475599da9271

SHA1
226c25dd0e7840d5e22b76e9d8589703aa1e60ad

SHA256
2ff093ca69be0c04e0c5fb3a2f38e6a58b20ec7d3524a6250aa6bf27568ce4b4

SHA512
9ee1c91521a1c8bc9e1dd9ee784dbc5a9c45b946b42b2aad2e243866411076b2e2c3a3617f75977f81a0d3118197fabb16ff9b9b754fe52767869a72cfdc7962

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.2MB

MD5
cc012c04b431f9bf53c6e257a5dfe082

SHA1
205d992ce4c5ffb6d222ad68ff565296afb975e6

SHA256
0a283b7681309d5b9dcbfc1ddab00b6a1e6716e88e9b3acace66247f3e844cb1

SHA512
a29b959e53be11e0919efdd98935d86853a0387dc44edc21a111c2a7ddfb4bb3e38bad079043367b1b77262e6db9d06d37f819c8300ecb1ba8bb17663b62136c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
384KB

MD5
b481c5a6055725f1516a42f8ed82143d

SHA1
32f2ae34267c92b3b98a55e92c89378583b9fabd

SHA256
18a438c119dd67f8bbce08278509cf1c12d68941fc957c3800a0b487e210924b

SHA512
874d0ee9f4b822c96a879bf5d5330dfa9ffd3022e4f91d924064a1fd3a7983ea31447faa54d658e7bd8e20c07280b96e10f9007603581b2699fca1c461d3f7b1

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
256KB

MD5
85fe7aa76bb13f9c95e4ec3bc5b5d8a5

SHA1
bc82a390f4a9c619d16a58d61a3217fffff611f6

SHA256
be3ff1fc6f8148d49c158fa8c756b749501c5fee1840879e43e172dc46a0d7ab

SHA512
767211b263ae6f4a04bb5e43d359734641dad09c8fc75a5813e186c094c014ffbdec2b41fd1953c376144a068df410dd2bad379f75c3c0f85efb07af4f4f88af

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
384KB

MD5
5768562b6dbafcdce5e9840163ffcacd

SHA1
3a9d2b1e4dad743ff29c6c260efb29ce2d67b554

SHA256
07579fa36e4dda885da2538482c20a385de03976fa16ed62ab1575706747d606

SHA512
800215ea9a40314f4a859da635271d8865313de78c767a2541066ae36d9d184889ee02a81345460780784a6ede129a4d45fac46536dff11fd490cb4f52c0df75

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
320KB

MD5
3e17c663933755ad7da0528c8d9b16da

SHA1
709e920d701563a5cd17b501a8e204d61a1cb735

SHA256
bab9dcfe61de1d7bf84bf179373d44cd55849dbda9a20e3af0ff539e517da66f

SHA512
63e7cdc96c96722d775c23e8d1d408e51630432b90d6379a70983114159a6dadad87cbfd4283ab535d4741f7bb5d33c1a974b72e6fb3549440c3ded68d8d9f35

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
320KB

MD5
9ebcd11a6071a54b47d3c39395a52aa7

SHA1
cb95b2680c77893ce2f941be68c7c611e5a3867b

SHA256
805d088858cc50b7d28168741d55ca3e4de5e6f958680e1b7f0bfc1cac4a4c4d

SHA512
4961b6ecb6e04a472beaa02e20d804bc118b1675760b32703a00955d55613207bb7a4138c44517a437b2f86787ae27dffc22672dc17be68ae8d9f1432c8477a7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
320KB

MD5
15a8039a049cefae218fdc1e7dc01a6c

SHA1
0d69a3b1828c099e77e5439a397b1daf4d48b5f0

SHA256
9483ca160a6397efe0e75b51278e6603783b283b68bd6bd1787ca430904533e0

SHA512
82188f0dc05a39abfc3de6334724ae6ee1516e4edb81d7cc90ebdc9575243b7cc268d22bc623d94a63c92b34cc50c6bb7de4fb15b3a36701505562981f2d2a80

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
320KB

MD5
79b002bcc5e189711c3ecd5ab45ccf3c

SHA1
0b0747d3f74ba06fd5ff0634cf510ee3c9111616

SHA256
037d3c795724922382caf169af7d28de958c0bace9d31a92b506712b220922a2

SHA512
03d8bce08b374b1b5295fc57240fa31fa9920b3fad839c2820edbb7c7f32e70d76f9f8bcf92c9a2bc1b423550079a8759dd67f6f010156f6e29942a443eb63b4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
384KB

MD5
77dea3a231b6b80c2e8f0b7871d92ca9

SHA1
831dc4b07744c34c3ba8977021863c29c1cea1ac

SHA256
f6134a7ea7e208a50adb0c2785ccbf13072e373b0bb0a756ec099a338dd99791

SHA512
7ab511e448903113108d417a4b9b30ec79e69c20a098e9e9520f1092b043b38b16960f49ded6b18268b074842e93d625cf89f19fba4f852084b97160a325cf67

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
320KB

MD5
af1cf232b637e55a96bc5ed4485a6967

SHA1
2a76c905b088aac7be03bbedb73cb3517b57b551

SHA256
77b5cd7f093ad4d1dd493959ab3f7eadcf4266529764a537ee69bcd0d18ad06e

SHA512
fe5766ec5ede6938f76a23dc75b0f70ca8d556528d93b06557135a771651117af085bff58095ac70ef07b45fa40032bed19158c176564e3907bd4e6823890c72

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
2ff506df2f28e4b1aa9d38f44da186cb

SHA1
da28cd951d6b25c9cf36ef90ffc1ccc75dd67354

SHA256
829725fe5502e6330c0b3348d92a07dc5d11b742a727a69432a4278edbe309d1

SHA512
fa339c2872e359b041da64126a7901eef8d3b7c4efda2f982ca9da6b19e39dafad2a818e3b6b005ac19c70406b5a0e23c83fddce1752fe9e88628b5133d3d1bb

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
320KB

MD5
cd882ba7ad52e04b2b1235783df11ba1

SHA1
a29226c3773715a3dacb735ba24568106ee17c6a

SHA256
cadb602145ab7c3c3057f6a9125bd5d59c6b2cd911cdf101fb0e027a23821b75

SHA512
25c4111cae453b130c914f6086d60ba63d36ee89c32b848293aec191350d788731885d44060a2072b48e168364a83a3901c4c0e05548984284a972fdd9772e11

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
320KB

MD5
0b9d6910199ca278cdb8144aba7dfa91

SHA1
c47548a1dd80024b254c55e52ab2411a15a07262

SHA256
32bca0f8ad7afafe84ef8e0086200d2118130575a9f87b2721be1015028c9ac1

SHA512
9db87086488b65ffb1ea63a3b6daaf0f531992ff5d07cd8ec80b83c58f34c499b29d153b76e936d65e15f1e9c27906ee950ef5db98a20d698665069595319728

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
320KB

MD5
391aa56df18f4b030c3c91de4771ab27

SHA1
7a04561cff43f23af3ac9a6dd479772321cd4e3a

SHA256
f1227415f7e297c7cc618440ba0fce9b81178534ee6451e0c708caca527d77f0

SHA512
cff9d58ee19bf8fcbe8274770a8f448d9c9ab79865033f0db3c6e23d0a08880e1975a569a2280927cc0af7a3900be5599a6fd8b850fb2a6092f1efa84f59fa45

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
320KB

MD5
afca77f23fafa172ac3e9b7ab29d6740

SHA1
361fa251a17e5cc67b353cfeb38932615aaa9fd8

SHA256
3fd8f662189fe703e0e726ceb93dbb5fb6bae3e66e18afccfd503eb3208d5152

SHA512
61ffe81bb2d33b890c768d408b6d044c64f92d6e6cfd7d9511c09e90bca6141785439b87cb00fd1889143fc7520eacde41fe3be48209832f2c8f4427cf46f135

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
9f965bc55bd9738f981b3034b03a52a1

SHA1
3c4abf845cd53e6c233ecd3e19d7fca306ab447c

SHA256
f282ff9be9e4a5ab15612d6583e6474819b6843d612c860662d72a35e7e90d6c

SHA512
190f5bf383c7718d236c069eb1e79213ec777c1243f5a59ea85f5355bbf686a0f8369f36cd7f0d39a4743fc2e2db5d2556f6720cb135305b4bf89ea4f009e0e5

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
256KB

MD5
d4b455b6e0f02174f0b0fec5ada419dc

SHA1
5db499b59c0d50315eea7ca7e0432c562fc07e91

SHA256
96d75095b9467e650a2e65e137b99529426154932ec82f2415bb1115fd9abbf3

SHA512
a0c69fe7fdb4bb5e4f0729ae05f597ead3e002b0acb2cfb2a0f97c0d6810286f57232fb5c76cd1d5c06852897fbee3ef46b9c8ada7f4f7f6c89ec10ab79aa969

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
192KB

MD5
a6007db81be756d04f2b35a61a67cbba

SHA1
2bc96de2778406c8807a46012c0f0165dfa72972

SHA256
941d52036c21a11a48153e378e25fec8a00e83b6354af1e47a704d73236fad11

SHA512
7aa1bdc8503371dd87c2904c83542b21290b50253c84d2daf963dd3abf792a49540d0f596effa1402fa7a46ad8da1ea36fd032e61aceb8b15d90a60f7fce6a99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
192KB

MD5
37c2da372c4c32f220aa37e140a16df7

SHA1
6f09dbbe8228e289c74882add1f2b1d8fa1ce21c

SHA256
1454c71b5e16fba307418e53583bb6b8c09f52a407569340b4e6a0efb89123ab

SHA512
a858672ea0f01eb927ece26ee5ff8a30a94bf27c436817e408ac901cfbe880e67b6909545c8bf2b0639fd2fd974e2970ca69dc2ed40d46d0996995413045fd52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
192KB

MD5
6229c3f16e43fa5e87b0c65857d8e74e

SHA1
c4885ceb78755425ecb75cc3f5e828898a8f7670

SHA256
c9172aa81539f28cffb45ce77b04c52ac6940198f72e5c9b63b479a23516bed4

SHA512
5d5b855a3718565cb3af6c359701130860aa8a3c2087533544ee3b50810b4fa10cde321bf9a84dafb75b5592f7b8e177a1758bb1314cefaf68d4e5ef30dd202c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
192KB

MD5
f3e672dde2eceb73e93c58d9169e6839

SHA1
a18f3d23670d33f289c8c68023a48b47eac4fa47

SHA256
32ebad9ad2c191085b41aa0cfa50947339aebb145742a219ff6198f4e87944ea

SHA512
f7ff1d39446d1dc19e0a456207c57b17154f369e965c48dd9252071f201157b9eff9e4e84ed3d3708bed4da44fd7341c96fdea6a982ed1294912b0d3f12fe7ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
192KB

MD5
a9c264efb2b28290bdfc4427060d9c75

SHA1
87f7c81b20863a43afb6104a93c91255ebd8a916

SHA256
c6e73823644ee242dcb57340c5ec800e10540c0ed4bf5761c85fad218f1abf65

SHA512
09adef28bf02450274f94c87df1b78611d694f7172ccb32e19786639f7fef0d7723de3184c298bd10f941ebcb41b3993e17e151186e7a2799ae016ebf210d7de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
128KB

MD5
01c3167e372c1d00b6bb672a8bf461d2

SHA1
bb40eb26164d0467b213cac88462c2478ed887d1

SHA256
6eec9eb612f2c42d574d2e3da1779908238e19b2d89dba2ce3fd95299fe2516b

SHA512
2728534f5bf93f6870e183e1cf8510e47a39be9a74a7fe5770c5fd178eb60503919618a796eebfcf6875c0c88eefbb479363685238674754f64247dadac588c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
128KB

MD5
67485d92fb0d99dc228b948847a5124d

SHA1
55393fbbd4313b7efa1b7511646ed547ffa4e397

SHA256
3a99bb663bccac5436e6f32ef7feb1500b5ce45afeb559aaa9997dff4d4931ed

SHA512
71bcf253050649347bad9ec71945f4d87d5558b00150fae5f3a39e777baac0a860d55f0420112d92bab0f9e84d58340cc22ded59112afa8322a3bef28187b7d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
128KB

MD5
98149c37533c882ba3067532200be621

SHA1
e0214eafb59d885271fa84ac4d6f32c64e12375c

SHA256
4c10c9a410bb3161da83987b5ce0b815b5703910069d7321c87bcfb5cae52411

SHA512
cad7f7d48d525c18fb4c3002e116090c1757591bbe8f5067f45dd7eebfb97c7f36ba45444b6fd29dc06efddbfa037e717b8e1af67111ed8c7bfdac4fef96ab5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
128KB

MD5
668ed089bac9c4bb0b06552c3757e99d

SHA1
574cc7bbd0af0a8c374b3869c7a576098c9eb6a6

SHA256
1bc8dc6f65d90a6af3eea2b1d07a6629ae703fd4f00cbb332df7443468af0643

SHA512
2f631f4de6f0b42e4133c97446d81e082db1837a246a41addc52b8eff3abd131ec2a05f07035f3c5ac4d97357fec1adfd14a14f9c1f2f91c8c41898888a4f884

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
128KB

MD5
61c975b8696356301897aaef086f04fe

SHA1
d409aa0d42c494e9c61897e5947728db7b21258c

SHA256
02d928f0d2b460fe3f76dc5e3bfdf21a0e9c744111de5e616fe29645a2dd20bc

SHA512
bc0cbc392587fbdb4329669acf470dc9c56366f170968428d6c9c1c47799c7de5dfcd58d7e2f9a257d0d368af79407fdb7539a3db2bac4402a09e666aa64702c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
128KB

MD5
ad9692fbd364051bba4935061d71653d

SHA1
1b3cd9fd4556939f6a45a8d3191d2698135a7718

SHA256
d5f7c717231702f193c84872e109f53bfa7893190cb47730ecd2c33ee9514350

SHA512
b605288e82bcd5685eb4c8cb9398696191f5bbaec348d867a25c2f14b5c2b0b15653d3efdfc32c926473888abd0e681985d1d83335820d1b8500baf43827600b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
128KB

MD5
3f1be95d166234cfb2e9a74160edaa22

SHA1
a6e3ef105c7b53c051a6341edfdd1bf3f8ed569c

SHA256
25b6ce6f9d2a31e03ffc9c45f338da966bd7f1fd0134e8b3e2c0c42b457185a0

SHA512
f8623aefd601d9e371abd64c4a5feca06c4c9ad26e5d9040e0bd5758323d8850cc70372c12f01568f377b772658f771efb34b4c638f13e78ded3dc5191587a6b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
128KB

MD5
7619c081e9c9e4fb4fbcbdf5550237ca

SHA1
8e5a1bd86b2b406f289ea1bfa0dc000e2e6efb73

SHA256
292381ec979a0419e597d7ad2131c5a6bb3fb71900473e8bb959cece94f5c820

SHA512
232b1c87243e384581f5c62338633192f7f9b79e11038668463fdf24e954c0a0ec42b1d60880b28e3a1b2b72ac6da3006689b0e5ad7971ea729c61a161ac4cfc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
128KB

MD5
4622947ea5114bb1b66e24061e1c2ae9

SHA1
12b7d2eb4698624766caa43b2c755f9d61798185

SHA256
e68593f56aebae715ce0a569c83256a82994eeb302c760ffdcea6e6cc1e66cbf

SHA512
f900d19c7b77a8557587dd7fd0e4ee588dd62d0555e0b329c163a7650b726ec110978efaebbe85c8e69cb344240e0893031eb1b3105b238af53b5563f6962a9c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
128KB

MD5
bd73334e77c7223b4ab410bc9b83b621

SHA1
20e4cbcd9aa8816c064c39ba1fed5bb465e79cee

SHA256
67d6efeb67c845e0af81ffe8eb1ae9314ee6ed1c019b0799e4ae13c4517cd845

SHA512
e3b3cdae51dd7278b0bcc7a812d19cc0325ec33cf4eb4754815bbe272d3bb0217e750e3f6c9d7b810d07d9c2b9f76d1f673b494cfc61438490fb8f1d7f34481b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
128KB

MD5
4086fddabd0eb2ff80dde92198512ba4

SHA1
010f4533034f17f50813594dc97dd0bee6107d39

SHA256
d66c671fcbadccf1a9dcd09742e9bcd0400ba3828aaf67d8de0a3c65846ae2b1

SHA512
2775e82d6eb4ab905a66487ec6ce9e6dfdd7e5df4a1d6e776cce9e371b77982bb519d04bc37ce515e951367cb809ce3d456f2e37ad2d8fef762cd0ffb88d8025

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
128KB

MD5
3d108be45c8bf383db8730e83b3c3449

SHA1
05d48e313bb8a08339716f6c64902627e2e709ce

SHA256
8fae44d469ad404289d0adec652bc282761057625bbdc1a85ef5524510a91e2b

SHA512
b3811331f05b2019cb34f08d464fccabdfe65235f2bccacef396a36602d88f07c0b87ff7b73d791bd6c0e00802949f1c33466f0b69f28c769520ac24f8e11c82

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
128KB

MD5
1b6a9127897753075cf94a2edd65822f

SHA1
65f4f37045c0027990dc1cb66153462613ebb2ac

SHA256
e7ea2e98971eeb5e33e5e5b04b09a60fcba81d0096c2560e6b29dad5cbf20c22

SHA512
1371297ab785e940d4852c976b3299dd5292a827be76647a3e02d867793aa252d13d79413a3ed8f12c7014a45b0cb3cdf18b5e0dc3c2588e3acc23541685d348

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
128KB

MD5
a28f59030e300eedf6b3ae5e92f261e9

SHA1
df818ed12f4802dc7cc74339b7339ca20b1fe716

SHA256
2072d7f9ab9fd27bd32eb6f4e0b5314c4216b7cf42f1471541b7d9d9c7fd562e

SHA512
8877b7ca30af144202a3edc21f80816b5ff7c6bc80b0aecbda88fcbedb8f20718c2944a924e4adf330f9f25ccce7691acb8befd641c2d7f13a68396192a7ae89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
128KB

MD5
c2ad0a2f2eb3f2583b20cafcf08eb500

SHA1
7f7c0578d630d3091e5eb6f919b33fa633ae4474

SHA256
89bcc8bc358fac7d3091987822185243b3eb45df9287be5bdd6b5129e44c883f

SHA512
4d1cec6f84cde08777eefc4a693db1b1162fdc3f2e0e1be3955f8cbadc598232a4e810273e4ed4bd4afd8ada56af3d904bdf0f3f714a0426f6d276988affb679

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
128KB

MD5
fc3dadb2a61887037d4a817b09804795

SHA1
77adba0b1eeefeb34932e222da740c73411d44b9

SHA256
a8e0bc4d59c31f513886a630d8f276561e70fd5c3d819e90867f89859ccb73a1

SHA512
4f09b4f9ce85824cb57ce7e1ea660bed7b4d15c49a8eda75dc4c0982d558ef602f5a087a6661b1ce8333be9fd2de008135063fd46bc815aba9cee27510208e26

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
128KB

MD5
f79b462d4221fccdb5d6353d7c2ae60d

SHA1
bdf0e6e8cd13b8d13d740b40e4643dcb569a6aae

SHA256
b7b62df75075a3db29f8c6691c795e1c3e6738303b18f0b8d45b8c1c4c4cfd80

SHA512
08ec4813bf5e3b59546c6efbb64de116396f98bd931718261071030d6b70add36ef9b4c2d2f254918bb5d6580a8efe834633b91a1a8954fcf5a30ab98415384a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
128KB

MD5
4870366aac1301ec475eb1bd26d417b2

SHA1
fe1b9c1e0ab89d8d969635b76b65735deded3c37

SHA256
33c37dc545c9e21356802819e92da47e37c6cd39b1a8c8fc9ee5ccd2a2a0b618

SHA512
71ed0d6fcfa0f452c4ca32e80b0841cdecca013e15240b6ab19785182fe4dd6db69ddddf2acd816a5330d5e37086e41d96e008a4d58dae6ddfb0c43c7601e82c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
320KB

MD5
93d354a0ac9cd404494e75916a281f60

SHA1
81ab59f6c8dac27a7b13e8640069d409c0ef809d

SHA256
d1bcfde21d6b6e575a13cb6dbf094a444115d6b7e8c368e4b9b3edb9205266ad

SHA512
d6b235efae3a2cf461701dc4d78034bf64f8e7988dd1e45eefcbeeec098753888abbc4f438f8c0a8164585c1e15a4415c0b55d6bc10a69fc4eabb3efe3c9c342

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
ed0ce99693e4f69c0c9c15ddc8243c25

SHA1
bc165c3e1f947d0fe6bbc9f1f0027bead25188d8

SHA256
694cdcc2a15a99c8a1b9898657cfc9daa66c9612a863253a1b3b38a3ea9d0fe7

SHA512
056350483a6c0952e551e2c493888bb422eea6d4ff612deb7bae2198d9efe4668418fe980c44f98c9646ca90113d117e989c642f9988460c8ea08b562b6d2634

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f0c24594347395fb421eec224388f1dc

SHA1
9db75e6f0fb82ad43e4623543c9bdac490e05663

SHA256
19f440d73ee6c3b5ce89cc938fe0eab9b84c8664ce315ad7c3562bbc6030fecc

SHA512
744968c414add74f9248a2c78398b2aeb4e8d3b559f2445ffe6b0d5b0ccdab4110dd10ba5f31b3388ce5bb1c50663dbb765a588c97cd442cae9094a37038fa03

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
0c7a1f9c6328af1df9e193687bf5c359

SHA1
f16f1ebb50687bbf11d92350d2bd55dbbf4887d9

SHA256
1e4730ff1fa67b83892f8c9f7b6e5bc476b5438b5dd9b74d5a291b425f1463f3

SHA512
74aa43d22f48c7c48c3d3bb7cc9e3a8c332b85d7784abef5c25833a4682a5ca7e5511959ea3684f7b20625d7d3a6563143821b81cbf648883991395252015b95

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
dd926997dbb574d97347bb5e4e0c1612

SHA1
f8b408f40fed30f904abb6793e57e8b295111472

SHA256
1cceb63cac759dd2470e1245f8341293749bf8530753e55d6c1a9d7a96a88795

SHA512
0454c2e24f345790f192aaf0435b9c6bb40fa3faefa82b3bf3d1c1d77d0de9c7830e288ed9ed6979d22be9150b9e30e19a94b5b4454300f38962a6d82b1c48b3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
e988e970630e80c021340883659f695a

SHA1
aa7ea1b7bd6e84cfa19d152d9d34e3ce8f2a293e

SHA256
2df73d31fee0c9d68e27c8ef8864f852ca4ee6e444c0e830393a608c0f866685

SHA512
9b43a91467ba0204154de30651c9de7d1125a3514bac21543df2c622cad5ae66c90ce0dc7f2be996a35e6aa618659c16a44ed00579f80b0779b5ccd57e9b38a3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
c7267219192dd18acb2cef911a8d6967

SHA1
5169ea9aca3f25cd8df2fa25f04811f3b488f93d

SHA256
bd78d68a05542085c70459d49bd3ae213afdab755a543b1ada10899b7ea22e55

SHA512
abaa70665bd1946e6854a45f7865b90656f5f9ab32378d70de4cc63e65f596680509dd28ab813509cb5ee2e38035393911c242159b82092ed77229c056937ef1

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
60966b8942c05ef52c15bef25a5091dc

SHA1
ee7768661bccc50317a146a4bc7f4853abe088b2

SHA256
c495dbf43d3b9f0c97d14841c3f75df2fb4e7eaf19ce9cfa4ef63e7d5923f66b

SHA512
334677a8a289f12ce5b95ef5697e07368eb5a10fb5f9ef0e605b3726776044de19d18d52efc7ca777cca2774217a22bf10c4a7d5ed602e45737031e552f84595

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7db18d81dd298f053f8c4e4995ce3fd0

SHA1
f201597f14d1c29bc0e4e254b4a0ee08cb3bca41

SHA256
7a25291450dfaa5b6cbd0110a3b5030c1de47e16d91f323856c9e0a64893230e

SHA512
5af50f620bf641a88825c8c3a5a7e7f9d59caae0ebd20376a984e0fb88760705e5412041cd5366046182ffeb5273713c22bd652f30fa61234a0f05987d90cda4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5e36640c4e271d7d26e77dae776b72b1

SHA1
643fb7e388d616610e73c5059cf589b8f60831c9

SHA256
e58e6b2db4e5a0d816950ea0e034c9547eb5bd0a5ccc077fb1b67f8430319b10

SHA512
42375dc1578e92da09f5ed39ed0e9ede523b61d70d6a2f0a06866a81b7d1d226ee4010f8c3bd1b6a9d729985fef76419d6c39f802c6138eb346ceb97249edcb2

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ccd6129c16220b8ce246e5c04a6b56d4

SHA1
3d3fb10f698b0fde52d22504125b8b73a43504bf

SHA256
62af13480a7b3f49076565912737c8aa8afe08c4cdd9b55209c38ecb4ca3f22d

SHA512
d9216ef25220d4819d121c7eac93c152bf3de655233ba92980b771646b5e55d9d7f0ac0d38a8e0d78d48b3a5a50f6c901fd5cb3fd00b7c3e75d5c5facad02433

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
5cbd4049681e79cb15980c785cfcd8c9

SHA1
043ecdda12af8ee2f49f17ba5d21747ff4e2840d

SHA256
d5a001de98fe4fc5e5c589d0b75ad27fefed1ee7796498c059d16117bafd4903

SHA512
0aca7bd32081edd7629bf36d1434327bdec9e61450f0a4e2ce679ac60362c284ba43474f995b52831d2ae95ed90ccb133c0a4336776bbf8cd155ba1eb47c72a6

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
262a34534e499c33e9db35b1502815a4

SHA1
d4c39c0f7f5bbf92b1fa1d8253123d20a69456ab

SHA256
864ab96df24d54c966eeba17527ef8af0baf71f87aa7edd74c0800d5e2ea5215

SHA512
25f4428d42344a5ebd3a42364616e8001210306f7f9318feb224384640ac0da473938f7f69a29d875309062eaab9f4e5376897f450780e48eb260e885ba63825

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
c87be0622d854a6fc904524a83a097ca

SHA1
253f9ddf319fd42bbc192b3970eeac755756f59d

SHA256
8351f99aab5b36aa90269c6698e749ba392c1e8f7d775c9dbcaffb0be78c82e1

SHA512
1148469805fe96b0a0868c13f8fa962a20877e371c5f825b3a18aba9176d16ae03397bed74f4de7c9bc54e326e2352be639babce6ee14ebd07bd7d6a519fe57a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
c81f6f1e7291f01a4f744cc762f7db9e

SHA1
03c456fdb7efe0232c80f00e03ad5da7a0e2ab50

SHA256
0d29f58a9336f86d9be1f1a3b12db01dad28050996906d7f7a7c2222febcc893

SHA512
eb9869af73903c4834db7d9ec898b121b80715f4348ec97916ca6c096bfc4ced833c67a0b60e2edf8c8c8797af853b153fea5057103d4a25d68f07858efdf7b7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
07f71f961ed016787275c4a256428c6e

SHA1
1952c446bed8c1ba4136c62d0a9151822dfb01ec

SHA256
34981ea23a146d1108c2fb5886829b7cb41200bfc9fca1276bfe9e0968909b4c

SHA512
54898e567dfe2c60c9fa262b341aafb8127618747d47f1400f88160d41cd15403a8c85653a3254b54dad46725e89e7471bf9c29faa1767acb71ad20505d707ae

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ca2b946e436bf3db0164d05a905a2040

SHA1
3f357dedbe6bcb49d4e6c5ab1caf44af4a470226

SHA256
68f3c8a09097d03f0901dc40217cc46f216210aea1519d5b707fd7e84cf50b6e

SHA512
d954c0f758ec99ce03d756085735d12bfa2037bb34355e5f5185f467b601511f9b3eca3e3d61d970813c0ea43edb1b81ada463b8d3ccf3cb7c5da9d8e610ce0d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
4a54499f44ba3118c997f4a613a6378c

SHA1
896b5456b2739946bcaf919520d534d4443c3f18

SHA256
ee765ccf7356e501aa6457a4439ad1d9ca92dcc09ee2ac4e0983ee7cfb45d0ea

SHA512
b25eba2de1c22b504401e491812d024e59fec1d52ce5b91a7c84c223e1f87a851e8c901fd57e2fd8df661cea55f0b29b865ea4df8efb6e04478c0cd2124aa595

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b8133092e3770681b63160dedd2122de

SHA1
268e6e0fec53506c98039391abada5f6d6d7e8e3

SHA256
1d3b734f1e21c37911155443746dff3639baaccdc78dc6515b21e13b7f3d04f4

SHA512
d4d49e5b6f8f8b57f9911afe81540e80fe4131a4678b176495562d7aa224be5442cfcda93491f81bbc0cc834c9c1e23a1b3d66a1a804a76bf0e042ea4d592700

Download Submit
C:\odt\office2016setup.exe

Filesize
1.2MB

MD5
379cde28a9233375243b41c69167e9f7

SHA1
6f89c5e6e20ed6e053838a4e2058eccb8c6ca7ae

SHA256
fac5007b5ec63f95eedf1794b347f7da9a60708995f4a416eb727ede7eb7ce1a

SHA512
88a16ed462d676872b27f8316eff3ecdc5624f3df81abd19ff15925810f1fbdf4f185f1902124aaf381a7250187fb5422c6ef061d17c95ba2067a32742f9cd3d

Download Submit
memory/380-373-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/380-377-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/380-437-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/744-438-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/744-446-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/748-453-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/748-459-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/864-340-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/864-274-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/864-282-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/864-348-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/964-10-0x00000000034B0000-0x0000000003510000-memory.dmp

Filesize
384KB

Download
memory/964-2-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/964-7-0x00000000034B0000-0x0000000003510000-memory.dmp

Filesize
384KB

Download
memory/964-12-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/964-0-0x00000000034B0000-0x0000000003510000-memory.dmp

Filesize
384KB

Download
memory/1312-253-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1312-313-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1312-247-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1312-246-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1408-363-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1408-353-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1408-298-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1408-287-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1520-238-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1520-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1520-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1520-42-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2108-433-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2108-427-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2296-424-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2296-364-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2296-356-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2368-369-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2368-309-0x00000000006E0000-0x0000000000746000-memory.dmp

Filesize
408KB

Download
memory/2368-302-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3152-407-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3152-350-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3152-342-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3200-411-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3200-412-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/3200-396-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3200-403-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/3592-381-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3592-322-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3592-315-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3976-51-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/3976-65-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/3976-63-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/3976-52-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/3976-59-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4276-450-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4276-382-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4276-391-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4492-334-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4492-326-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4492-394-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4716-68-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4716-74-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4716-75-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4716-67-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4716-241-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4724-258-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/4724-257-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4724-277-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/4724-275-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4724-267-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/4772-230-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4772-14-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4772-15-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4772-21-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4772-22-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4968-35-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4968-27-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4968-28-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4968-237-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4980-410-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4980-420-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download