4f1e79f50ea7bfbb6431286f7c14eb4d32d3f03eefc73cfbf53ad4a41c3eaa4d

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2024 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-27_49cf95c4f36110c349d149f97971dcb0_ryuk.exe
Size

2.2MB
MD5

49cf95c4f36110c349d149f97971dcb0
SHA1

3e15e776defa189127a3fe717a2f9a6008d3bd96
SHA256

4f1e79f50ea7bfbb6431286f7c14eb4d32d3f03eefc73cfbf53ad4a41c3eaa4d
SHA512

488ffe2fa229a093310fc8d7cd4e0d365abc5a312e8eaff68626de0789623fda6d183c119064389aa7c774d694bd3618cc1111390a91dff037a15cd3d10504b7
SSDEEP

49152:U1KA268/Bu0uIexvjiA+OaMPB+njgWxwj1bXklVbOH3eQPC:U+9uBbaOaMDdiVqHOQq

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3588	alg.exe
4440	elevation_service.exe
4760	elevation_service.exe
2028	maintenanceservice.exe
4876	OSE.EXE
1016	DiagnosticsHub.StandardCollector.Service.exe
1964	fxssvc.exe
4960	msdtc.exe
2904	PerceptionSimulationService.exe
1728	perfhost.exe
4812	locator.exe
704	SensorDataService.exe
4520	snmptrap.exe
2344	spectrum.exe
5076	ssh-agent.exe
4156	TieringEngineService.exe
220	AgentService.exe
2632	vds.exe
3260	vssvc.exe
2368	wbengine.exe
4764	WmiApSrv.exe
2164	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-03-27_49cf95c4f36110c349d149f97971dcb0_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\368938a546f975ab.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef1e4d0bee7fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000859670bee7fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed55a50bee7fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000540ffc0aee7fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e946540bee7fda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008e1d6c0bee7fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000041be2b0bee7fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000438ede0bee7fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4440	elevation_service.exe
4440	elevation_service.exe
4440	elevation_service.exe
4440	elevation_service.exe
4440	elevation_service.exe
4440	elevation_service.exe
4440	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2536	2024-03-27_49cf95c4f36110c349d149f97971dcb0_ryuk.exe
Token: SeDebugPrivilege	3588	alg.exe
Token: SeDebugPrivilege	3588	alg.exe
Token: SeDebugPrivilege	3588	alg.exe
Token: SeTakeOwnershipPrivilege	4440	elevation_service.exe
Token: SeAuditPrivilege	1964	fxssvc.exe
Token: SeRestorePrivilege	4156	TieringEngineService.exe
Token: SeManageVolumePrivilege	4156	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	220	AgentService.exe
Token: SeBackupPrivilege	3260	vssvc.exe
Token: SeRestorePrivilege	3260	vssvc.exe
Token: SeAuditPrivilege	3260	vssvc.exe
Token: SeBackupPrivilege	2368	wbengine.exe
Token: SeRestorePrivilege	2368	wbengine.exe
Token: SeSecurityPrivilege	2368	wbengine.exe
Token: 33	2164	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeDebugPrivilege	4440	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 4580	2164	SearchIndexer.exe	126
PID 2164 wrote to memory of 4580	2164	SearchIndexer.exe	126
PID 2164 wrote to memory of 4196	2164	SearchIndexer.exe	127
PID 2164 wrote to memory of 4196	2164	SearchIndexer.exe	127

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-03-27_49cf95c4f36110c349d149f97971dcb0_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-27_49cf95c4f36110c349d149f97971dcb0_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3588

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4760

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2028

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4876

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4512

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4960

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2904

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1728

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4812

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:704

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4520

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2344

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4464

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4156

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2632

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4764

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4580
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a3cbe5c286e2f9744d62a4242bdd2bbe

SHA1
3aad115fb849ee3d84cf3a6e14e4cbadd236eb20

SHA256
96229615028336ab4e5d087ca45694fe7bf877c09dab31e04a03a93c23defdff

SHA512
583ee7a36afe9889429918bb44028b1e1ca18648c480bf905f140ee98d51bd6c6b6b4a70902f9435436603ddabbcf748de74442f3bb7c6ac12dc513a2f7c1438

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
92c950cfdd9ef08af06494a3baadd50c

SHA1
df66753e6969948a90460db534e22afc643f825d

SHA256
e4086a4a82d1dca67a3ef1753ca560717c568797496dc0775c72637335af7165

SHA512
08753925646a85cf177b19e4fa535952d2f9125ba2c9911d3ea2300f428995a4105c282b7fcf48a9e07e14993153b20d858ac8fb6a69c384f3ec60925feb6386

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
59592777d5108d4cbf9eaf2379deda6e

SHA1
0642b16d01e6cd9d610bec5cb829d76cc05e3d99

SHA256
658cb620cebfbc38731398b059c6277173af7c58688cc79ccd4b596433b0a949

SHA512
f9fb8bbf49bcfa5cc307ae6e4dba4f299f27442fea41eb0868fd88294e3deeacaa5a09e02e35086a5ecad8734d77d17ef2592b44001367ffd0bfbcd66566ca6d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e0fece875630e1dea604cf17b784499e

SHA1
39a2a1082de81fdf6ea1beef6a90bcb639ba0bb1

SHA256
f3d52ce62bcc88a1520c5b3ae363c58ff205221dc090a69bb8f4a666ea343012

SHA512
cd1098e0da85bbe279d3fdb8385a43ba356bf78b8a25a8861410c2dfdbf4448e399585c38c6c5441ad00c6ab03ecbf053b0662f01dde4344ae4ed38423edf544

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
27fec8957610fd000a3ad88f642bccb2

SHA1
46e75dcd05c421d1b32a322016472da31de7edb5

SHA256
ee54f0dbccb6bffba3158796e971ea5d5ef2d3eb5b1b51e6383f6c925bf846d1

SHA512
0d2e4c72ae5542424534eb016877ae8fa411321eb59a1e57562b1c99d10015e8278fd92712deee8be23562956ff343000f608ce3bd2e66b1a9422eea033e26b3

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
6a4c3d4a0242d0af3778cfdd9439863f

SHA1
be14b0cc1452770c3109f8b3c35e3df19012c199

SHA256
9f9b7481f8ab7ee5e9ce6f8ccedf9913eb90c8c29aea52d0ee35713829cbfccb

SHA512
c0bfe3bc826b9975d15d06c0a8538c91841483772bca95b2f9099ca167e4ef406af91e3fae2a3311a0cd65c73a339bdefecae492aa4ffc007e932f4b302c53ab

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
59ea1010399e8174f13a785509c6af2a

SHA1
0e742f4c4766ea2fa77a693e517d3730d16bb2c9

SHA256
085c492df53ca16cfbcff0c7e5d0383996e926ea811f4cc88212584cb6a4d75a

SHA512
8e900264aa9684694225706f11fd0f66b997dfa6653fdd6b5b99b28f120b68222286fb50a16f1acf94be4cbeeb1c9c9660a734f61fcfbb307e1561bd6801b75d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
89510d4b63c3c5de38224bf1d0400296

SHA1
208c3fe612cf2e0b841f5c1b1505b0f02e696307

SHA256
74603d7215253ae4b9ebe3ada966405f9e0038ebf7e50cb07c682531f6facdd7

SHA512
8bec6cd81f68236b7dc83a0128e75a76f0be69f5f6448afeffccb7e246c302711df5ee193038e1ffbd0ea00800daff88c930a24967cdc098d935c2d154b00b69

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
df6f74750f351b6f352549e64a8d9f46

SHA1
5b0615dca005b7521c9c5cc8684af5011587feb2

SHA256
fa36c351349aab3d24f9612b9b617a31c668546349e792d50ef3b453d1c2aaa4

SHA512
7ec9aff3e6f2f8bf5afc5202d41533d20b1b0be6332041c4ba31c5e743e7c57bbf3850946d6ecb89d166c12fbc2908c649b43926dc7ba411cda36fd2c7ed0b1e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
6cfd9bcbed4f4b9fc5133e8f7ded81dd

SHA1
8c82f25529558e192d75da1b45b6a2169b48e383

SHA256
449b711fd504156ccf870726012a4adab25a4ad7129779006053a9aaa7c79de6

SHA512
539456769ef9323570339780a540f81dab5267281261e69b2cf52d1f2d2e8e79ac8ef70ec7766ba697c652b85a86ae3ccf4b2a298a163712c179c6b1b90b6f54

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
db628972b97459aba60ce5d2310768b2

SHA1
e5c4b8ee5e0b76cba670eab88361a24fda42c1fe

SHA256
bb95da6173fe65563a88a20a1eb0868528dd92f82f4b2cdea601f2efcc81e96d

SHA512
d494dcb5967faeecad31b6c33b97fd0aa6f74e8a0b053c97d031c595e4ebe596b7b3866b73938f6f5bf1093f49d0523fa892f1d9d94bbf2401a2d8fa770f93ee

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e75d5baf9207983971d4637574887469

SHA1
cc050da980adb63c81b3c663585d3cf6237f9596

SHA256
7796e5fc61e701f4713463d95129870435a2246e9fbe2eee1c27571c104b1e9d

SHA512
ec8ead758c663eae36a220d7475168812ea931efb95e3970909584e66246c55d09bb8bb4a64000d418899b93c51456fed5ae5a66bf3978d467b1f0b86a741074

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
b6dad828e72b12a4e12c55c0ba7342f6

SHA1
9f9992028c732806085e19a197118359dc49e16a

SHA256
5ac7e8c51f068ff2f0505fff3975a2ca6cbc8ba6356028eecf22281567e0c2f3

SHA512
58c9f041504dfcb9521be5c16609288022e86bf41ab0c11e5fe8dc36350538e8293f056855497eb45c209249af9ac7da2fb359a5366ed5d562296eb2060958a7

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
bb6d7ae0eccf17998673e8a2dd0a5f0d

SHA1
aa13bd1f4fad1b89368e9450315fc749432aa692

SHA256
df74698e09777ad06fac8f017a065dad960cf9e15305325da246f3750d538bbe

SHA512
2c1405f15f2f60106f0888e6c5eea7340a60ce0a97bf19983d25f93516e080012f0b1d7b106f336478a2fec90c44f326b8f7a02cc5a4733527cdd65e0f55ec9c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
ce4bd46a84b6a7433246ab2eac77e6f3

SHA1
6769fa38c5bf994cf34711244c9db1aa540a12cc

SHA256
f675697552551934941dcf436d78cd6a63e7b2ebbf56f56972eab1173d44d597

SHA512
bb941b5d08f9e8e8dc33baa381742d11898a65568cfc6f4731e14b162208f0db175782dd579a242ad14f55f00f1e453acd7cf93297073e20470ab309513da3b0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
ca7b7e550b90ec4592f94e4cd61eb148

SHA1
43f3de2df321bd45a5509f4407b704bf65ed6e64

SHA256
073982c9c4a5b371089aef1f36c2c54c544e0b27d05d6b3486cdf6dae5276999

SHA512
3bff623067c163fd66bfe4c0f2727160bd290c4d8053669328331d5207b624bf77987df696250d149e644f6a25d15602f548b6e09af5fb8d66192247fc00c73c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
2c68d468d5199a1d5b947e385732e870

SHA1
878a8360c0eaaa4e8dd1e9ce95b9154294cff12e

SHA256
1dd4c4eff8a3214fccb5fcdc28ac8485469ff354b199c0901a27eee231a57e63

SHA512
078439420f8f840a6790e2af4358fe434ab20a8b368541f7be66f4f427033ea4665f3570b1ebaa9bd2cf7f63c444c17551356078a4d1c2f0909a5a2c7ede45c5

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
45e870992c4cc3f3221fbcf70cc6578a

SHA1
83f52c5c587e8f62c09e1fedf74a4978e8c5d4d3

SHA256
adf68cc7c22d668aea4a681d2890fed1fbfa464c1cc93b3bd30659f78addde7d

SHA512
7082ec681e6979f8fd809b54faf1b3bf64f76d19398a653bec72055356e192d3d0bc3afc42c525bc4e7b4836b7b1397392ee9434bc58ae790f3d9cc9f217f181

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
222b5a6fefd408ec9f8ca2647c7abbe9

SHA1
360ee3f320becff0d9407939f0098d9c7554be90

SHA256
79145aa52e80a3ce883eb358a7669b4b8ef1d75ebc187172d7508cbc3ec40c88

SHA512
d16f373408037d470cd5d01ed942e548a2b78d074a544732186207cc42ff4e8a52a3a145eacb4b73f6a5e3cc6a7ae60ee10dc9924b79837a5030d5f7f8db7b43

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
0a2483c6a89ae52c6f4498b4e58e36e8

SHA1
0d15bb259c8b356b7991adb97f134c21db7f1261

SHA256
8353b5b112878490b255f38d53b8f71002dc7981fad03574746cc20536679dad

SHA512
70e8d92edac1239749b9743a20353a31e651a1941b24f752453346e3552d6cd8cc2428b6e0700df44788b013b864ea5bd6bdc277a86c4f0d35059a6f54e68fd3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
e808cd54b648bfc42835de824788da57

SHA1
7b71623e6a419ab400ab1257f96ec66ca21431e2

SHA256
7c88f4f182fcdc27dae35f31c7a4175e519542cea228c06f69c6c1b75cdc048d

SHA512
74abea69526eedba5d32af4a990ebfd4de07782d2e243acccce604034981a37af4fb306b5b77b25b4bd35b74076c6ebe0b421267ea108ab94e3521db148334c8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
dc4960c92e57e631c8d64db6994d3af1

SHA1
f7727e7de390c981ef3c0553bba7be4f42432771

SHA256
9593af8f04153dbbf818da9874418633d320d957899d20c1a55846518d95080e

SHA512
b7586ab5329ee7da27694a4c2c5bc03026de347245970a8f3786ad7311b1a973de1f19f3f01fb22abcd5205ad6ea3968188722cf37687f13dffbd940fd2f72d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
a3473b8ce5ecede9e291b0101218fb0f

SHA1
f61c57f8d46a28d9e3ac31613bc9b96d21b0e2dc

SHA256
7660d11d86bfdb1457ca8ae18a7395aba7328cbbe8fe07653aa268a59f5d04b3

SHA512
1d7a6b952f220bbd0edccef65e5ee14a9a726270de5dffa0de5d0605f0db3b44a9bd86072b550d6a18d75271cb299e964285801a33e817a4f9db08bf38b9da8e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
d91cdcd8af94d627adb0b99f756487c9

SHA1
c983264ad601d0f2702ac3664dc576757d702c2a

SHA256
68c9d04ef7e02687ab87b5edb71f917a0fac85e45582a8312a580e72988216dd

SHA512
99205c6ec22dd821bc86b3b9e2fb6f99900d10112e28697ff11ea8c27c445124fe578397293d0e9a3d8e82d27dd19356a9634061eca0dbc1e2ee55b77bc29be6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
0e68a786f84c8566e7adc50a80a9f75f

SHA1
b9ae29efcf9a797e187d568ff98b2d0887eedc59

SHA256
48fac5586cee67154862e75b419a3d12db546fc564ba917c8625c074f3fc4267

SHA512
b4af532495ae33aebf3144de5549d064598d821057b7dca2db87e65cf202bca6f862d1015b34f173ca792a211b6edf3ff14a6e5eaea761589b929353f9ed3608

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
fe8c1bf2b0f064f10ec35d27c0267a8b

SHA1
d18ca9ea0cfa6b542c7d5a38defadd9434a8987b

SHA256
cf2648a5cb36f529d9bbc4e89f84ef24a687825de4c2d5c308b8de683b60f747

SHA512
1e4fe55415d5ed87ae5f79da84bc8eee645e16a1020135d1bf0f7ebe3471b2b0ed6945867ebaea8a4c55bdb57c1fee3c7caaf47b81b63b783e727f7f38e3975d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
41bad24a2ba4eed8f487f2f663809963

SHA1
221b50039fb634058c7e4960d77d5d7d153718c5

SHA256
104ccb6156c5625cb2b30275efc194a8022f0d14791855c7a816ea7263583624

SHA512
64cc286aadc9be78c7823d73235fe3fd017d697e95b12e99b1e4a2b54a8701c2b87ea3d57660b617387126a7bb66ad9680dcc8e97f2d9b3307c224271358dc75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
625a736f2839342fcb02839f1139d55d

SHA1
267a7fe2f02c78df0908d45d26fdbf000eac6c57

SHA256
5e3a77136f199df57e07053d3cd136e417a3933b79c69e5524dd2cee1ead7f40

SHA512
e3d20e5d4adbff567ac029ff863c7c49692b20485aaed27c162f5ef48bd02ed8e2e7a84a30998e232b16181dfd85fdf73b86d945b8a3648df336f16ac596ffce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
0081e6b8eb275078b46b2b8f9f0b2b08

SHA1
e1e235051577d5a609b0081a73d9a4309839ec5f

SHA256
be7e42ca42f89b1991a0b73d975482381f2bda30e4fc53b24681a1db24df5a56

SHA512
be2c67682c5af0f0d7008e341ec1f98071fd15e680bb62b96c88b3cdebda9fdb569ccf99e10c7032b23ab22cc1060d6a61c36265f1e8e22816d1e7eb0e3fce63

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
dc887b5ecd5790a634f4517f91363cad

SHA1
9351a04831d7d8aac9e49c8710ef80f0365d3452

SHA256
bc71703564604d3e0507448e5de1935f4b517266de30731093d438928a20294c

SHA512
565f9ce2c65406cb25510103dd97a2d7cefd6fdaabc9a66afbe07989ceaef832ddc7b1c49a09aead87dab4a45261471e557931608d3234c8574306a06d2e3859

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
d2457e4f5101ee1262d62b67c4a8b955

SHA1
9e8abfb9c328f3bb70c207000760527759d5b3b0

SHA256
8130ffaab12c8eec8221b0dff28e6735d1c14878e4f7c53b30c3d38ea2e0bf9b

SHA512
21fdad75cea1c07c32268fd2a692727a437567fad94a9fba117ee8ce6519069105e8cadf5a9857be82dbc7d8f4a8970b6e4182251273c0c36a8f377a19c4132a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
55cd6efbfbe541d0f4903daea4a968ac

SHA1
23b0b39b84a1535ad71e0daec699ddf14a1c375c

SHA256
12731265d45760f18a51833eb56c462baf3ecf36f35746c64bb971dfd8111366

SHA512
4fb81c43ded8c772cf3d7e9fc1ebbd464f5e55b5b7db37a8726860e15679875d38dde37610ba8a43e51aaef3ebcb4a517f2f5817d739987bba2df99964cb904c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
4234d3265add7226342cbd7ee11da704

SHA1
7bf5b531e3e9e9db900275e009891ca22e959943

SHA256
99b92a5db7c52dd34de2ce1eeefe29eca4c485ef89097e3c41b3c37615a4384f

SHA512
555cc3043dcc3ed49a5054ab5b77c53299fcc35e3b95b73cdcb0b3baf446121214b419ffb8d7a5650b7c676fc8757305c13545605e94a0eeb16d6e66ff01b5b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
115d94b08a5dc78562d8abb6acdcf651

SHA1
1eeb6be864be5cc03ad840c17b7328a4e535a876

SHA256
cea0839c4f09780224c9ddb5aabb6586025e030d44636db9040e73b4b8c86ccd

SHA512
2b62a9f6b9d46a5c9d52162178841b9dbc2515385823af8cdb561f308f3ba028c73e336af759154beae0f1c129a3ad972d3cac4cca0cddc7b8009f212bc28471

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
dfeca813408a015f5e8db9db3acd3187

SHA1
a2f41fc9f94af6020e23f9f082f01ea74ea6ef11

SHA256
11a6eb188f95c8008df91715e28d8cae55744e9b60ba255598fa4e50884cc78c

SHA512
d8ce3575b2049870f547b8f99d545054fd8e092639fe7028988731ca7e9d2e8851c4744115cb25f51827d59baf09bc7602298d02f3a5080e1c155e713486c77a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
b4393e272112d11b11baaafd959722b1

SHA1
c055af00708e6b013922a7d804a30a0a73185b6a

SHA256
0cf7d99738208816c1c99d922e85baabf42cbc0b391308183f01d1a99931064f

SHA512
9d03baf24e841579a36afce82b92df1b8f6e46efac24d44fe1deee976462172796ae753a494a30e93343872917c724d322dbd829ee22ed05e8e6b0709336e7a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
8553866465a0ae1a9cdf44da45c74bf9

SHA1
bfb1fa3cf2b6d662b1cbe07af999025086c56cfc

SHA256
72738fb0d309bf2f1ecc13cc1c9c0aa706385c4d6f2786dfbcde158cab7afab5

SHA512
10547dcf9ba5879944a9a44820760a4ef761765b6e1e7d9821851f41f9488175b1a38014f815c681de8d1bf50c88d6088e0c26f9fd34d1f235faf65689ce3ba9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
fc812ce8e0ba1e2bab34f6bd5cc65842

SHA1
473f2e4e20ca56c0dc7954d6fbc6528c0fd36267

SHA256
36a440bff4bf2321ef669355ebdf490179cbb5571fadd14894cbe9bb7c0a7325

SHA512
1cbcc4a4d94bf89680ee763ff915c4d57b5439da77a1a65a06d3fac4049582a50249f43d8f8d10471dec399b2b408d8ccc93a093acd6ab0c4b777152ef5777d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
c39121f4029b6cc76acf4ac8c0ac4660

SHA1
1b8891adf87695254f483c13120e33a873c9df94

SHA256
0226d6bce0f1f096556838eb1a26f22161d1f835e7fb8cec2302ec8107340b97

SHA512
8a9e6d3bc582ab2419a39e5736175e2f11612797339ae6cf12aeb09dab619c7fa8514815c15cebe022925fa626061831ae667e9eb3ad12b61e57ba0b722a964b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
b97ea9be5912beb263c811b2f202647a

SHA1
100d3e09cf40dd363e503383b6bc8de668f9f0fb

SHA256
4ff31ba9d9afbe6e409aa067f78e8cb5985e4c5435a25e222f86eda69591d290

SHA512
816cd2e63bc7e5de8a5712fb782b027c046b94deeaee3d47514b0e32ae3b79de1a9f8c19f6d552c1c98d5f09163c6d2c60e9051bdf336fc875140926c77e982f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
ba0f3d9cadb79a69b8c97569c45645ad

SHA1
9ebb860b6c728f0515fa1bde61bbb2b49ba7b3d0

SHA256
e291655424d72cd2340ebe8808f8cb42c40e12056c72fb037351c4dd8710a907

SHA512
2f6c2bdfe3f8b1a1eb867ef1d31d0c9afee9a6f5a1f23969d4a688a910a359c497b6e7d6635a9b24ec7dbd29eb14d6f426deaf4b1e523d74c6935411f868d00a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
cec9ad8922125572ba346d48a9fbca25

SHA1
1ef745f7d760feffcfd847e5a76222c8b8f44f93

SHA256
976a7a857a6c99f3558f454d26a0619e85e85322a0d40723116c9f9c81f2ba1b

SHA512
b0a65ac3e1d5d3f40099729ac9f469168e10afb8b975984ff270d9031a5d725ade52bd9707b34fc809007f01bddc06bbb80b072b32cec00536949325c62ddcb3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
65b79f98a04cd9e3105e809b6da6e4c2

SHA1
ec99d06b60cc136885d777c8300bf84bc19afd2a

SHA256
2b6a3b0c4c4be822396d85540a139d76df55bd65d157f3ad2ac8056374e7be84

SHA512
048805316f7d2882aefc5f6a1e3c4451d49333ae8d8d426099bb74f465dc70c7569fd6dbe7451d381e75c62494f4d8390ce6bb713d3acd296bf883caac14fd37

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
d587c1c72c3b5ca6bc87890b028a9bfb

SHA1
e0485267934164eded01b292f9f22d4193b2a2d5

SHA256
1ad7db9f15581a23c42165e8b2863f8947884c8ee01c471edc8c3d6116dfd679

SHA512
1207f75e1c8bbe2d3aa4be90b7d51887130b457dcd5fa8deccaa1a174896879cdd011f80c5104dbed95cb4ec6cfea1bcc1f7a05a71b1af47061aeec38cacc91f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f4357c6029650b957b5b142273ebc347

SHA1
6bc88f89ffa60e1164d6dbc65a60409404f06395

SHA256
c465f27d222b5cec4ffe69085bd12943f032dd66bf437f5ba1f6d508dd23d527

SHA512
452b6f322d94b384d141005207dbb1d8498641846ac3c625758cdc8431db7b1a6e23d89c1139d0aae8579b08bdc8e7e5f33890a8f64897e2d7dac303faabd256

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
e358cd0a6d1ec6852659add7addfbe00

SHA1
ec7bdbe56566ae2c93186bb23c88eb5c077fc4e1

SHA256
b75651080462796a44c62af7e4d8a6dac610bcfa7e4c23c5fb1375c07ebe1f20

SHA512
a1849d8504f075b9aab7d3e5b80b9658226b57cc807a9a1efbdf96c386441940dbdaecd47af9c3dff8c480236453394a13a408914e764dfa060cb93f6a691a8b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2309e0180d0810e4fc97d6ba0e61f804

SHA1
0e86973fed2d9877d624a1a90a58b80cffce7c9b

SHA256
bc00b849427c6b6512d37345683f0983c477f395db4feb0d3d526c569d425525

SHA512
2c608f930934226ec8ad8ad1357feef5b066287645e36c5730ac90d0ff71c6803d89c61f0a23b4a9fce2c03a91d2cf9dfa04f477e1ebc927bb7640f4d3c65811

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
89f5ea7719c5199fc3d7f3e739f911e8

SHA1
ff4e855463a8c09a318ead16ca9af5a8f186010e

SHA256
6c1a52ad8b602c501c3c89364e4306bdb1585c13dc7ccc7043fbf9c59e405ec4

SHA512
0e6f74cb17f81eef8ee45bbff68abdf3a258b4c26fcc9583ec3f29fbf273aeff0b1a7fb0cc878f40d812550409ec969ffda846e78b5515a4f3e9d3fa4d7e7457

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
e364b4528363d5473fcc8a1b97e67cb5

SHA1
0846ae086df42c58b720f29b08c1f33162a8ac3f

SHA256
82976acde18c6e31e9fed4fe14828b682ced8b708aff646457fcd7934fd85bd4

SHA512
e4b6b2c27342f5875a214216c1913887b240116b85cd677202cc394c5bd1c401978b0e940d926b96e7b56afc26138eefde58737009f95ad6126641bed99b553a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
acbcec58e0842df7248bf4675af64212

SHA1
d7cd39ab9ed894715ab3934c3faf1678b1630731

SHA256
e52f5edbf1a5cc019c41cb5c2303b5b3d2e5b61b6238b5d229a2ed51dd0462d3

SHA512
a4e8f803fe9c6b44822ebb1650209da0ea38cb21c6ea2d87f43d2c029100e8e654d589945fed1b464d91d58d6dbdf9ebed65f1be20317ef118205a7c598c2fd0

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9eaf0e12d4601b71b881ce598e01d5f0

SHA1
c54ecaf2521464a91e51d104103cdbfb7ccc6e4f

SHA256
c7221383538ac07bdc0cf6f33285da05fe2ca03de2a2ea27deebf31970e54405

SHA512
b90376631bab4ee05ec100dfd7f36c02da02d8d9c2c90dc732bf3291b858c62ef8ee246a0571fb5c7a3c78d08520f32a601d9b9e5a17a41e5eb12129b097ef47

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f9a8e56c56afb40c7b33c56322f331a1

SHA1
c93033e00be29af07722821749e42b04a2cf5463

SHA256
8f82302f7b6010a14cf69346f7483363493c2da937451216ea88d331313432fa

SHA512
6dee54d2c9ec2f6b4907cc62ca5fc696dd4bf53a24d7ff8d20eff312713f4c8a2b7b25846e169d1d1a2189a4ae169e453cdcc3cbef994f06c3ddf67bee47c20c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7df55a69f5a3a601bbb691e327800c8e

SHA1
f926faed322265ab0de388ada2c36f7737d1a702

SHA256
415a9c8734984db659d37b57a9e7dc0156c80595936e9993e357371f96b736b7

SHA512
7e166a2265566387e1a76e4eab506c98cc6d4f12a455a89216b18c41df5240856ab3f35ae8c5986a2457b2acaa34a7667da9a8f98a7127e0a553db6ce8114e0f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
c4e0f314fb5bf84587f076d32bf7704f

SHA1
030160c74c9274ebbfce19d1d8e894ef4229298d

SHA256
b154a40ccc3ddab0e89bdaecc115592083dbf24083f71f673619fc8bbcbebc67

SHA512
aeb1df0f4ef77d93e3a2e2eb4efd26bd95c724f3fe8aead208b87cc0148d826d65d703c6beff4195a5802960267d680870e3a4355d5f7532a873bfbba557ae73

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e85f6eea3e4cb3989b3d5a065bece958

SHA1
cf47bc34d88ca09fec5aa7ee20593d281a21cca0

SHA256
90124d3d4e3575a28ea4eaaa94c97e04b0906f2dc06dd41d2eabf84532209fbf

SHA512
bc515b5e8e8d1a833199609a52bd02ad3dfacf521e407ef898a4e04f366a7da670afb4d5631a36bdf983461762bc894391944f42a4b2086315441447db97f7f7

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
7fa6f1bf9597ea689fb0a41f24598787

SHA1
b99e3dfe45c9fb025ae1e00c78e04a8a94b2a24a

SHA256
c1cce76eaeeabd208995a9529c5e0d8c52e61eae533961d229359027d23f8b37

SHA512
4ec0453c85c1b9408c5a4ca8ce62e53a33710ffe767ab267e80f2656cf54e16a73c7a278306feefd122a9ed4398b2d037a800fc555342f189b58cfafe199dd5b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
e48adf8fcd87b057145d5f7ec969b7d8

SHA1
124d3783eb49b4730b37326d69b1f8c34cc1237c

SHA256
e7dcc588deb0a4690fa13501390225e9f10229287cc8961d6779462fee0d36b7

SHA512
c4714fe2a54267fa87bfee8fe929c9b6cdc92efbf20542e81fa825ffe9de4c07fb9d19209a42076b8a25ccd57788675a77df1052376679eca65bd556873a8cd8

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
a50fef4677a1ae395905e0db607f02f5

SHA1
84f7bc74d236bd91dc8aa52eb068a38d988a47e6

SHA256
2df2799674ea2efb27eb955c6a558e51740daa3e97a645b89a6045081302fd90

SHA512
c152c3d2169fc6026c95bd91a39ceef973f3b4c2f6ff18b0b8b3724ca9ced69ed69bf763e618bd5e022afbc8a628a5b23aca8ed6f82c170ef72473d4e0b6b215

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
36886488899cdb27d522f713f3cee3d9

SHA1
10d5f575d3b372b46b532c5937790e23ad0116cb

SHA256
abe303444e0a579df1983d63ed5ad36c0599804d9b265c7ab01d7c941486023e

SHA512
73e966a2bafab97e3be410ca2473d7b1307ea10ec416771d63dbdd47198e7d014c96dbe6752f95dc811892755c46d128b5b63b9148320fa662bed041159a7b8b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
8ff8d0e058e6f3d00956c87410f8e055

SHA1
658efa31d4de5fcceb2aa56d7b327fc2964cebc1

SHA256
7e0961fd3f0565ce4fc13227a654719c89a9a126279f88d802d4f30b25196f19

SHA512
cf2ba1b79716d92024e91fbd1197536b46097f8e4cffc3b5ba41f9865daaa1e4a2dda046bc895f7f03a2a6d1ed1f7f178ef542c65596ec967582768d63dea2c4

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
40a2b3bc220923db700cfe9c59f402df

SHA1
c37ec60c165a6eff584329b016d30b8034ed895a

SHA256
86f342a327cf0d1a98d0bd28c1e9aac26b5f9d5db45e844e5d34826bad838624

SHA512
4031bf957040243e5bb7d3156e0637df30d371a51be11908bf8eb7822ce816de167f370276bbbcff51ef1cf4363144bc3aa6e6587c9a8546c2c56c9c9ddd8ece

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
03c23287c6d1d657ab897b0a4f8c66d4

SHA1
56bb6b0645b85181efc73e53ca20490e86f16cf4

SHA256
56aded54850c8cc43bc86b61faaa6b170e6fca21f997da3315527d7f7581716b

SHA512
9cccde9d6aa49245c3ba1f0975aa98653785b72fb97e63cc2e5074b8253f970613837fef2d69602aad127c788211ad087bd9def82e6fc6f3c8c63290714e7965

Download Submit
memory/220-407-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/220-406-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/220-401-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/220-395-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/704-332-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/704-325-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/704-392-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1016-245-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1016-244-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1016-251-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1016-311-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1728-375-0x0000000000520000-0x0000000000586000-memory.dmp

Filesize
408KB

Download
memory/1728-300-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1728-365-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1728-306-0x0000000000520000-0x0000000000586000-memory.dmp

Filesize
408KB

Download
memory/1964-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1964-275-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1964-273-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1964-265-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/2028-58-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/2028-50-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/2028-51-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2028-62-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/2028-65-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2164-463-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2164-470-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2344-360-0x0000000000650000-0x00000000006B0000-memory.dmp

Filesize
384KB

Download
memory/2344-422-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2344-354-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2368-438-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2368-443-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/2536-1-0x0000000140000000-0x0000000140251000-memory.dmp

Filesize
2.3MB

Download
memory/2536-13-0x0000000140000000-0x0000000140251000-memory.dmp

Filesize
2.3MB

Download
memory/2536-11-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2536-7-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2536-0-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2632-418-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2632-410-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2632-554-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2904-288-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2904-297-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/2904-351-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3260-431-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3260-423-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3588-22-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/3588-228-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3588-15-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/3588-16-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4156-382-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4156-389-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4156-448-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4440-235-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4440-34-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4440-35-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4440-28-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4440-27-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4520-340-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4520-349-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4520-409-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4760-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4760-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4760-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4760-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4764-458-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4764-451-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4812-380-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4812-313-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4812-320-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4876-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4876-66-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/4876-73-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/4876-239-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4960-347-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4960-337-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4960-271-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4960-280-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/5076-435-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5076-367-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5076-377-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download