0a70d03d727475bc1ca065b20f8ad7cf69130fbd2624019d84931265448cc82b

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2024, 12:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-29_93aa0a5b7aa9be247be2c3ad90e4f3a3_ryuk.exe
Size

2.2MB
MD5

93aa0a5b7aa9be247be2c3ad90e4f3a3
SHA1

731730040de67861cce37fe2fb02ad141a9de5b1
SHA256

0a70d03d727475bc1ca065b20f8ad7cf69130fbd2624019d84931265448cc82b
SHA512

fd4fa3ac1bb628f17c796f40d2cbf0f91168f99b597590c8a7c89b530dcabf9bf608a682774acb23cd034b9e6bb9c14a2f43aaaf2dd4ac40026416c76a32de33
SSDEEP

49152:INl7soq7sQCr1kyG2xHywRfHIO2Ts4bvDRCks7R9L58UqFJjskU:8D23S1kaxp9qRC17DVqFJU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1932	alg.exe
4696	elevation_service.exe
2684	elevation_service.exe
3372	maintenanceservice.exe
2252	OSE.EXE
1924	DiagnosticsHub.StandardCollector.Service.exe
4256	fxssvc.exe
5088	msdtc.exe
3260	PerceptionSimulationService.exe
4232	perfhost.exe
1836	locator.exe
2976	SensorDataService.exe
4920	snmptrap.exe
4708	spectrum.exe
1208	ssh-agent.exe
4848	TieringEngineService.exe
3872	AgentService.exe
4588	vds.exe
4624	vssvc.exe
4376	wbengine.exe
2604	WmiApSrv.exe
4276	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\13e72998822cf6b9.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-03-29_93aa0a5b7aa9be247be2c3ad90e4f3a3_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75875\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75875\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000090028741d781da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000762c5041d781da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eabb8342d781da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a1df2241d781da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000066466e42d781da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4696	elevation_service.exe
4696	elevation_service.exe
4696	elevation_service.exe
4696	elevation_service.exe
4696	elevation_service.exe
4696	elevation_service.exe
4696	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2628	2024-03-29_93aa0a5b7aa9be247be2c3ad90e4f3a3_ryuk.exe
Token: SeDebugPrivilege	1932	alg.exe
Token: SeDebugPrivilege	1932	alg.exe
Token: SeDebugPrivilege	1932	alg.exe
Token: SeTakeOwnershipPrivilege	4696	elevation_service.exe
Token: SeAuditPrivilege	4256	fxssvc.exe
Token: SeRestorePrivilege	4848	TieringEngineService.exe
Token: SeManageVolumePrivilege	4848	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3872	AgentService.exe
Token: SeBackupPrivilege	4624	vssvc.exe
Token: SeRestorePrivilege	4624	vssvc.exe
Token: SeAuditPrivilege	4624	vssvc.exe
Token: SeBackupPrivilege	4376	wbengine.exe
Token: SeRestorePrivilege	4376	wbengine.exe
Token: SeSecurityPrivilege	4376	wbengine.exe
Token: 33	4276	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4276	SearchIndexer.exe
Token: SeDebugPrivilege	4696	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4276 wrote to memory of 3124	4276	SearchIndexer.exe	121
PID 4276 wrote to memory of 3124	4276	SearchIndexer.exe	121
PID 4276 wrote to memory of 752	4276	SearchIndexer.exe	122
PID 4276 wrote to memory of 752	4276	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-03-29_93aa0a5b7aa9be247be2c3ad90e4f3a3_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-29_93aa0a5b7aa9be247be2c3ad90e4f3a3_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2684

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3372

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2252

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3184

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5088

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3260

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4232

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1836

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2976

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4920

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4708

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3888

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4588

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2604

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3124
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c46cf7d8f74c118955b4cf5a5162ffb1

SHA1
492e757d619608c7c363559daa489ae93c709170

SHA256
d522ad714f7b16da59edd88eeb63216a78646366ce601794084aabcb376b1545

SHA512
a7a039cf07ef69b46cf2ac4cb5ec2624b51ac43749cea0894dd7d82c6a2fcd34065ff170257e7e923a674cd5d4c0a3ec71ce059900437e820fd864b8764bd691

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
062ba2bb92944ac6454796bd2b1b5a0d

SHA1
7497dbee090adb0e6d37d785f5e3ffc6290e945c

SHA256
5bac3dceac1628076fbbda96dc575dc9cc287b9bea2c9955a0dda4d14482fb33

SHA512
71f38c2bbfff4c253e3dbcc2dad9fde668aca964002df448b53aa7c9e47540aa133b5468457ec1f26325844956a88af8af970bd19c219d82558e0b769321ef59

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
7659ac75919331606ccb877ebe515bb9

SHA1
e7b9a68777079ebe953968375349a3c33245daec

SHA256
ffdf2e72d9c3c5b7259bae625978aa23b6322e6f64d9d83e2e7f8031f056f606

SHA512
b1082542a6fc13b5ca7fb801e6f7efcb24eaf5942f19d4527b3c67122ef68ab021e7dd5006656cf24271d56c2d6ac07a8166e339989fa065974be08104201db4

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
25203149627abe213843eeedcd68f97e

SHA1
d6103551f2f1c7c3064c060e5c359f544ca335d9

SHA256
7e817b5a20343fa5b6c0118ea03bf7660dd1a09770406562459791ef7e70a6d0

SHA512
59df8c4c560aee65d95a90da19d69bf4a68897ea2749a75d4993b3ad5283a2dce307a9612071d97c69ebc2b10b2042749605d650a5cd1effda6f71145e529e09

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6ac381437a4dc25fdae72b2fb11a95eb

SHA1
c72c73477ddf5ed124a9a63ca8dd52f8d0f85bbb

SHA256
1d8e1ed65ccf05774018ad56c1b0605a109e947c412388783bcd8e166d3b3484

SHA512
252b6fbf4c7db5ac43c998c98c46e306589b36683a5064f62c12e85adcf4cda1fae59024c822d243c72adc41476e9f37f59945438c18ee0b5321d139e8659c42

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
3bd6eeb79383a3014f34541587593c7a

SHA1
56fb9c036fb7078701fd27d79a62039749f69229

SHA256
0946a2117e0e03a60152013aa5df1b32464a2d5d16661e2e38085fff9aaa328a

SHA512
11c79be0b5a68be0ba48c88ada83c028205e65fa6a6b9475ef86d19144904c2cd7132caf0ea447d59586046a7e8892d6523ac48d16efb88cd8432f42d9d6a680

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
ad1ac74453a50e15e8dbd8fb0dc00134

SHA1
c7d1f0c52b9aef97cbd5c75dee83e881ad60fd99

SHA256
c5f8d3b8b6f0c329556b1acb19ecbf6e3d53f584826abfb1a5e5ea19fd9973e0

SHA512
726aee80bde779d7bcdcea207189904b0d149091bb6dc2cc496eefb7175d4943d2f835b82b45f34cbfe209a5c5a4bd63300b8268fba710bda2baae7731f88116

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a813a9c0be750412709b4ee30f6212d1

SHA1
51a700eb495af54cd50269a406cd362971474192

SHA256
8d141df7ad5153c4d7217f30a10a823bd349b7e796f7272ff3d91f2eb0e43500

SHA512
80b7cc762d09f2e1a02abc9596e6a6b9150172c4e9cd91029b8885bfb7a87dc69698a84dcc226cbdb7e51a97994705adf6e3f96ea3da39f45f7eddcfc9263ab0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
a69cc2819e9a481ee48c869895ec7c86

SHA1
9cc4d69ef1292d0cf93d4efdeff318bf9ebeda5e

SHA256
a30e703341f4a29acfb54eb31dd6d368b044466d8ea4f662b41fc73be6e44ae4

SHA512
3458b46245befa12669a613ad9073076b31519e3c0fe9f33990fec82aaa35bda0b6a58737b421823b29b7d793d33b46b9803d1d96f99329b408e76b1cafd2c4a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
795fd058cdda9d5e7a811aba499247ff

SHA1
ee02ac9acaadfc17ae015d4da8fead0e7115bca4

SHA256
3a24319f150f143274e27e7005eb02f6e1a7e7841384987cd533a7fa267f2341

SHA512
c80421857eca6dc9a940a4e5a02233fc7eb24074f1cc3035cdc86cf7b1a4cac308982dab1dce96a347f9c733b88cc112e70e5b0866bdcfe0b8ef9f9e0d88255c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
08ddcbc379872d859feeb9767ccfe9f9

SHA1
fd80c285eddd8f10135b62bfee8b5e7b4786adf8

SHA256
ec34bbebeeaec965e61f86cbc1c0595b76f0383b9a9aba8e86db69f850ffc82b

SHA512
738fbf3b4dc32e82c4184d83ef0dd958953834f36c362e584ae4eaff630636e7dd7df4ea98c3dd4abb3d6f849b26f3d925530b956de184741bbcfc5d31c64e07

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f7aedf9f50e1c28ce6b6a1cfc7812754

SHA1
8216bcba55187a8569595e786b8a43a3c0bcc962

SHA256
8375e61a8793afb7c55250f2eeca918eb8bc3a5b0fbd15fec9208585942411de

SHA512
b54e576b991148dc7c75ad7c94026f58289c0371e0ac699f7dc19176042ca8b0592fb3a31f0f8480526474c514c5b460e4767e070b705bbadaa7cfddaa1d298e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
d3c14bd92fa65d643e9ae3df2dbb3864

SHA1
fb08d5d0a594f5631b9aaa3604a4a9d7ae584f60

SHA256
c03f2038dedf027e96645178bf3478c7e4692b57c21d953a5f590bfc6461fc42

SHA512
f15530931061250906cca426b4fcaf8bd92d0e726d59ca8933d60ebb62d106669bf0996d8f50b2dfd3594d62d42a260d46af37b8c0cd9cc1a9d2dd7c3c108a88

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
529e035650964fb272e00bdc96546a64

SHA1
b5a40e9e3c0e3f53af61ef346bb3cd121189cf08

SHA256
ab6d089a02e4d136269cf0c3dd5ec5059e829be4a85067f6f0966da484bb9e3f

SHA512
924ef3c40abc6d513e3e86fdf15b16a13acc92bda733c84240a18f17e17343c03867cecfe55d9b3b953a6d660c71daf83b7ed03d4ebf72598de99cbfb096cf8d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
acc5044ceb25d091b3894f621d82eb57

SHA1
c295c0440621c6e3acb2fc55e5586b1be53b6d53

SHA256
4a057504d0fc02b49c382aa6b96c96afc2c6a4997e7621668604ab27d2727a10

SHA512
a876af7a9c24d5110b34a8f456081d5551b5b642ac1ea01419d0de8e758689044adb915f9c7928593d9609cf842c9f2a056ebfa83d912e6637f96a9bbb283102

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
f461b80cc2dff0caa27ba355f9b4c236

SHA1
282d02b9e59d7b823fca590fa8b22dfcf491bb41

SHA256
c2fbef96a123705ae5315f0ea6767e7b363d56124d2d64388c4b79ed77b3482d

SHA512
b2193f92bdf52580d73ccf2abb66b894a3d599690839f12c0831dc79c263ca09324a1c0b33edc0586b84d41279d042628b92fe2593fff296db7ddc73bded4849

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
21278886c8d74f6abe687011ffc0d9f9

SHA1
dce110dc4a19db908bcbb8042fbc4a27a8c5d4f4

SHA256
7a4402dfca17dc8890050e3c94a7f0afd2da26bfb33d02c2c06dd9af422165f7

SHA512
b360976311c139970b17923c31b0c128365daa848936b017bf5f3240541c307a20757e0ce0b8c26f91d632cddc0bdb3c33a41296a06981796c0b44405137c12a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
1a90237faeccf0e4a49695acf31f82ce

SHA1
c74cfd471e8d25cb84998ef6edfda69a73c25a8d

SHA256
735e9fe3586d71e86db7d31df956d365ffdfc18de68335a8f973b36539cee892

SHA512
39c9bcc70728f05f5403f4b0b3927ca941b4b63dc2473e1a668db2aa294a3056cb61cc2efb94ef69d1c70409f6c9de0f1893d74507c91bb67b682a1bc45db887

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
08fa11538f268ecff63048fefc914daa

SHA1
68ec345add7dc419565a6cfd93cf988ce1470e77

SHA256
37f308ed5460c119403760b9a8ce5d22bd24c4a0c040a5d9206271063e7c4ea8

SHA512
649bfd324a557231d7ae366f7fb1b91e093d66e72528c684deceb40ebd8152372beb0011e957992ca9bd1aa7f754c6b68015df8b716d142da15cf335b510936f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
9c3480f94d739cbc38fd380457823a5f

SHA1
5a9828beb89e8e05b7a3a8c3867d325a09d374e4

SHA256
96322ee1d9cca8f6c0cca80fa7651bbdbce933ec1a8dc06838c47692274fa77b

SHA512
b134a133c687f8e7cde4a190fc1b1586fe2f74082d9e544fa39e8df4b41f55cad2f8b8088658ea23f1f18d8a90f0d61a59c36bebd718aa67d13979ead64ea0f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
461bf4d6539647c8c6e13865d518c78e

SHA1
7ccb3063b8446df9a334de44e58913244757f6a6

SHA256
f433e602b5008a512a178f070a526b452dab9939bba97d76960a70e43104d10b

SHA512
5ceb895c2121ee0778332c3f2f512e8bf2c3ad504955196ba224323fcfa9a6edff256598c6c353e9994ba62957cfd343ead83a497411b63ddbbea84280e88bf8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
515e4cfa630c1b4fa73009faec50673c

SHA1
0c6c957f90f548abf810fda1b9770f67701bd49d

SHA256
afe7e41e4bfe2028c8e5bc4bc84bbc5a727861a7d9dc3d591f4993fe095c5275

SHA512
f76e77dcffaf25d41492b1957ae5b7d9c827ca944c1b9164cee0f5705133517cf5e388eb702da138d5396fc2057243228f14f344996d7c08f3000de364a58f28

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
0493d66a5b8a930758339eb970514009

SHA1
2a00791d63f7f0e3c5931d1a50d8655b423bcc2f

SHA256
9396d02743a9153ab39eecefd6c0e0e04802087a68244a29ac8d9ed38f479c57

SHA512
c6b124f12b93a705c5b48a7199cfc84fd22d25e30d41144eeea754234972f18d7acf255d892b63d9de21b299d3d5746ddef8b9f599c0d423211fea7d0602ed10

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
7093402dfa154e4569025262fe582d01

SHA1
2f64c89b34a43d325c727f6edce0f173b11ae0f2

SHA256
fc3ea9ed783b063e4b0c230e736865e7b66856af8b52f2680079dd3d8c4147cf

SHA512
a9ec0ec75c363ba3dbf4d107f0cee033e2f9d804e2e3527d745c9b3b5bbd9abbc99ffecdbe1c1a3a8171b4994f3615ea0d54dccb4fdccf46d813f58950ca7eb7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
1c29f95e390b0bbb25407f09657f6796

SHA1
4fd79abf1d5102c44be65042b389a57694b4ad24

SHA256
45e367d1b651e1028f68dd6964c45b326bab48eeeed4d3b888e6f7b53c12a2af

SHA512
d1ae30b11ece440c3af3220c1c1a1a5ab83688898fde66e15f3381e76b4fe1e08c4be39296b7b896e63f8a2bbf6116c074b2aeadaa07662555448c44191cebce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
e30252d0bdaf73f7300e2fc14db37dc6

SHA1
b08df93151c3875c8f95bff800d27bc0073508c5

SHA256
b975c7fdbc88a10c89a4b1883b857468fa12dac2d277dbfc6deeda22a59cc5eb

SHA512
216ed77425476e9257ea72fa55390cb9047e1513a7c45a0db8a4777d5cc4998ea86b0336699406eb4bf7addfd1d25a2492dadea3cd361807233c798aa855c733

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
1b756b601c8c787782e72b3eece9abb6

SHA1
f1ce2cd23ca0d984fd08e24cb2f9622656ff41b9

SHA256
262052d7adbaaed3e58203c20933b59058c518d25afbd831ca13c527c33b184a

SHA512
7329a7c0328382ccbd215508b7b85572c2be17a253df9878535cd8ad303587949953734be384779fe6617df4e130107fde6e4580de412ef58ef3d1c8d6c71bbc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
7e69bce46f26ae9909805e083a718d76

SHA1
b07f80eee11b7d8c105235523010e0aeff0ad78d

SHA256
b7aa242d3f8cb0de00aeb6348ff0c3dd51aca380d52a24b8fd167b9e16c6b18e

SHA512
df98ae84f5bc7c2b9fc3e9b86206b3eedb9b58ff88a4a0a070c127e25618511b0075fe360e0454694e4842ba4966e6a45c39a34255cfdf0893fc1d56684ac5ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
3444d3ba6e820159880f0a136c79a8e6

SHA1
d599c78537a19b824d77d95ec941f1913693bfa3

SHA256
085271013db751916932dfedeedb027f6ed99ed9698b514fbe4ecb40d470f43c

SHA512
799f75900c8017362b9a4a963c517167ab754c4c7bdd68ca2c6ee507265406c789858ecd9617f2b67f5c9ec331369a5162c9f7067cae3495f70955441d32ceb7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
e345ab6965b2deef14d02acdc022f180

SHA1
bfcced93fb01106dafb4d8c80e18640099178ace

SHA256
6f672b6fa7db194cca913adb9c891e5023600f82f8475f86f20a85c8a516911a

SHA512
e8aa8a4e27278878bf1b454165882111ac247084d0a89d13c2334d7f6f272912d4bc72765869acde32f43ef7c5fac57d9d4dfe6cd6adf833e1a72d70d6d462d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
f7549b02a3616f7478dc7684e7dc2d7c

SHA1
267ff881f87dc391aced7d2e22a05e6f3b14196f

SHA256
52705cee4308080147380b54445a0ab02f56397fa19ecc6940770e02d86301fd

SHA512
795219bd2f02c3849680c49ed09e40af3c394971ebdfde4f6e216322f3476402f6e66b9e4511f6ee99ce1f3996cc7c87b8a3fbe5f3fa6fdb29ca7371ede65b94

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
900a83f0c11ad73038b9405649b40f49

SHA1
dc7a4e7af80a560a428553e39b3d2ac4f5ecccea

SHA256
c042690e6bd7e5df7f3c3376a4bfdb7037531e1d272a0aa9d1e9e1047b19672c

SHA512
c2ad23dc18d99baeb7d324357138a303146aef58ef94b708510e704f8272288bb3aa5e41f8e26910e5d8a778acbef9c5c08049a71daebfb7465ac3ed572ff91e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
8edf675ebd81fc4945f41f74a9f3d5ae

SHA1
d2a9d545191d984232db89b1a12b30d188874dfc

SHA256
c67678cfc6f3cd728bbf00c1f2569b9b8070bf90eae9bd1144dafdcd1b5f0195

SHA512
8857f503c907c0a32c610348dc166cf8da556f0582612be3f4b81527da16e8eba1d3485f8cf6dd1f6e93d70a2e696abd2e0d7e178d4117e6bc992702fc7fc8f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
17b72fa6e0b839bcaa5ceb8633fae14d

SHA1
e1d2124940c6faed298844c507101ed8fb24342f

SHA256
c3769336ec2a371b80f06bcd3246ef716e0d39991190a0b49950692f4b93c3bd

SHA512
90d863489f53afa67aff59c0eb0e3d048bfe899ae9f88990c00ca25f083893f1a970bf28153e8b0c02561ce1075697afa2a1d9e8a440df4677a07f04471e5e42

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
b9c96bb44f91b2c1f7d78c76b247e33a

SHA1
bbc0a50fa082d17413af838c1cb1f2faca599dcd

SHA256
20183a00a5015fc3b89e726b7b9547f4ec826a13b53cb9832f910f66009f328a

SHA512
5f6756aca333cb5a808db7a217243b8763eccac56cfbc6c841dc158d8916da4cc95245938452c35a134d4bb609095ce1ee5f84e80712a220b5e06807183cd94d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
aec39fedfb3a8214f49a930f9f6ba51b

SHA1
9270e0d4e39a89cd915e8d48c113e51f8e77826f

SHA256
aa42f0de1da8db19c137261071c22d4310d5d24c65d0027f4423a8c9bc5ecf7b

SHA512
1550e0bf8dcd3ab18f2f9087cb60138d55b769965bd8958311a7ec45e4073ea51ae03325b2e55294c658b251caf38d2dc2d224e05e9189f4eca42a9e966b8d6d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
5cc70ff1d5d45a6113b70b486e2e8177

SHA1
e070f0ef240ae27e11cdfe4774dd68099380bb67

SHA256
796253ab92648134e40980346e0469404ae39a9723639f2f28d46fe1bbb39642

SHA512
04ac5c9d7c5ee3f43ac556d4a8c2028cb1fba0f45c0d631a4bb2779e847ffdcd10b160c8683945ce1a472395f4f0217ff3034d4660ef11b98d1b092119415f1c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
0c3d957e222cca01d71c46b4be20b7bb

SHA1
b3c30c7d13eb1c5e53a3c56233c3df66662701f1

SHA256
2cea51631d489c47a666441f11fd42f4ec95858b31fad93020e496bbc67f58c1

SHA512
bbee6de873428e0c073799e357cda0d7c0808856484fdf366b7693f6ed8e7c273ee7ac7339ed2bef1ad9790b620988aa192f1e8053f581478c5020886e4d1f1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
8cec69b2fca7d2a68d2abb59db13591a

SHA1
44807e304d1a3995d7cde83345cd5bf31467e6e7

SHA256
058afeea7d3eb6df4024606cac55b38a276ab3f9bcbbc5627fbd0c8aad1519ca

SHA512
4ca799d75ac4e1270abe544be1bb26679599047a2de5f512aaa2c628bf31816c280b840ea1e738f5348fae98b64e992e788b752e89ae64591911b76304796a42

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
0ec012688d7212dbe5b68d6bae4b47e8

SHA1
fe15fc3823502e81d6e96503e36fbd0d2e755cfb

SHA256
ea6207201bfa0050177b6e911c7be9590c05912deb9d4f6b4d0c84ef2f295ab7

SHA512
302081a199c34f6208b8d8bf62708e6a53c7a86d616c966b6de0e4f455e7b61fe6aa804638e422d56adbd1d4f6efac83347b5023802d5de51800bdfd92fa2dc0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
7d95a4e3a29d8da72907c6da6fce148c

SHA1
18694b1dc533b71e1fe6659ddfc8c10b4737121b

SHA256
d15813e17c1d9b6962368041b8708137d5eabc25decd18e410846ac0e04e2fcd

SHA512
51495e40fc98322acce7daa652fd14851a828eabb1829381dc7d684f04800982e2f9b20a2a9d3f66740c3a4a4092e1f9f8cff090e8d502057d6bd1b519dd0d58

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
e086cc3458322a8bc939f1e2d891af00

SHA1
78a0c91174c7701e35ff607c3a8be7bda2d106c8

SHA256
ddf7d8eee63edf3ca765b98bb7f35fdcbcab593badea5f6c08b7d788c4cb3471

SHA512
09995f4198840db080bebaa68cc3979e7f2b6718d1a0b42dd14980aae0602ed71835a0e295abec61c4f5bad4e0016602090bc9b141c5b02c140fdae2f8c6bd20

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
180d85305c77caac4d29d0d1d199d526

SHA1
8763935379eecd5bda59ec9544d70fce002048fd

SHA256
e9eb7b25a74e888f0f7cd77ed5f1edb4703808c40fee9b7f7112481925b006e9

SHA512
b6c94a153004f8e9175ea088c787a3a8e33fa56aaa63e959f802dd7f9c0fec3d2ef2aacfdab7147f37c14181b610f58f5744d67c4e696d7ebb9b78bfa6b5b6dc

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
4618c937d1b9ad51a1b4992f6601720c

SHA1
f40198ec8ebcb246ad5473eed9cf08e75296705d

SHA256
1872537f6359a89b328bd56261569e54c0c77b0dcc606aad913370c6c9cb36db

SHA512
ce96365ce757b970ad3859457c9a5fd3651f9814b9850a3186b54f5f3d454ec8c26491284492952215184e212b3ff07ad9573ef91b6caadef26a5dfaf33e3058

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f74f668d20ca3c5fae39b3162e6006da

SHA1
bc97fa6f5c1bed87ef93203158372dcf6c9ad580

SHA256
4a2cdd8136bb4c7f9c379ad72f176de6f957b55652e8dcc0069a75a669c0371a

SHA512
ba04ab58c20cc2e5fe2c8dea52d1c5a338d2d7c0a8a91c94e8743c02ce4f5fe0529525aa1c5fe8ad624c7374be63aef59e7fb2e29befb9e4e89d2cf04dd477a1

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
20b61068ef19c1581916d3bdbb29f8a9

SHA1
911ce24ce73580463a52cc2b6ac5a4a726cafc18

SHA256
9d4d13cb1b29108d3139dc7ad9381df37f7110941d5633d5af05150129b6a794

SHA512
9aceef2d52873ab8fb5c18dfa0a0be17267169c857092c6cebc85a3a1bc58e90765f2e13bad4f8b37e10d77a765e83e077c7cffeafc8fee99059c4dee5fbb129

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2e95d36e00d1d62e6c72f9bcedce6756

SHA1
6cc9d6d718d3ac6c2103e7296637235daef41250

SHA256
a7af74ef82125698eeecada319474db415cf1f1a03e8063392d88d21c31d10fb

SHA512
bd91087e1db7dcd4b5b7064a35b50871a895660a7ea1e2f0da32a2a26443688c74677099bbbfb585b5284ad49fb4c345305c2a251b7e5672f661760943fafcc0

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
ceb53ffc1c427b335bab4e850eb40e91

SHA1
7d69bba326ba9e60b3bd2d13f2a62fd0c09b013e

SHA256
d6112c2e0460835d5d6e326cd95783e1ed6684831174855b67274f8ac2f0dd3d

SHA512
94f6e81b72f1e2dad040d02d6e2b78c1e109642d7cbdc0694036053b5f71d2c6804a0aaf507ab06d836d6ba7ab490423bd79771632cb979c7c96c047d200fe03

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
eaa3e3543ebae814702b7f91896bf74d

SHA1
74b0ce9d06c277803ff28f86ca412d1cc82e03c9

SHA256
ebc7d73ebce37bdcd8abb1953f3dcfe47081535ebcf5c438476e2fbed37691ea

SHA512
68085e9210cc6df28085e420c958550c559add21fca7c596b963bbcf1df995482da3b455e356482d2fcec750f14d8317746f90cf0d9e77e11ac008ea56e9ca41

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
8e6a24673ce9332ea6c845bef1cbb5ac

SHA1
79150e6065811762d80afbc6d6828122a6ca1526

SHA256
d71fb126d89686669e428ada4b5c595c6e36af30f6dbcb660157872c1b4b8ab3

SHA512
6d2d6768bcb1d07e191494b2cf962227fb9883b39fa4f5d030a84a063407a6c259c1944f0153e0eed4394e939cdfeb2ca2309ab33857cff1f1b22e3d702d270f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
17e2b445ea79da0fe43232f14351bab8

SHA1
4ae6cb03cff9dfa5fd550f1081577377eba65cd6

SHA256
2c6678612ba9e52b543e8d4260f19a74a9c7767f168536c82e3332a5233c11fd

SHA512
2fc333356ecab3a1fe7fae9e49bf8ebe9204e8888c77a2ccef51086593c444ecbe5c112cd46f53a6dd0b6b56d3711b054ea8779e41c79143a74dac87228cf284

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
dc3000086c802d6cbd799b183f59e7df

SHA1
fd25302524cc0f0227ae3cb57b13af0c491bdd81

SHA256
42151afcfc36d8589d9be4dba28cac8bee0a806234e255cdd3135c92064b31b9

SHA512
814518ea8f4e6a4c3c966349f67e0cf88456fadd95a05c43f13e08dee781cd754b2cdb1706cc709da1c4fb04dc5f3c1ac10e7f6f7100b2a22d28192d07f5a820

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
93248048da7e5650a0615fedd3c837fe

SHA1
824844264714d134b0b95bc209b64c5e73ef7f35

SHA256
cc2a14a23360d1b94901dfeb6b2c67b8f4bf3556e70eb760c1cb566d12a8c7f2

SHA512
251c839da9ec3b85c1675fc6712e06312f1597ebddfd270996ad2886284e9399bf9698e38a2ed917c803b9ffa4a54a5ad1d29d2dce60c851ce682042c2472fae

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
47c14b3d0d0fbfeaf6b9cd838f2d0d18

SHA1
e4107e139f4b49cb7b02ff86fa008a05ed0772ad

SHA256
6b961648699bc822470af3eb7be636b728232d149a589a12b439438f8bb4ca02

SHA512
88b5e8745412c396502d773014feac4046bfa1b5abaed1982d1d682424cbf3c4c085507916130cb9bc58347995f7d2e5268665b47a41c5f79bdb41decb31201a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7db24d76d463006e0eb1bb413bd0502c

SHA1
9c2a141c2f090a9ec9f85d770312b3f166aea72c

SHA256
ed83ef328a6eadf3b65abf7c144f204ec5ce63781cf4c2f289cbfa900922fef5

SHA512
47cc4f2ac28c51f624431a422d9737392495bafa8febd38981b685408a5a895565cdb17f5ac5f654cc62267a9322649d9f7ac77d2f91bcb079f90aa77383ac2d

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
6dd98ea42ca5992ef630908e21da06c4

SHA1
b37616263e976b75c7af5fef8fb3eb1f34378a46

SHA256
14fc221b63ccd47a6abc506f21a38eda26c9e8ac5c9ed1e6cd5c0c62f30e47fe

SHA512
17e5e69516a126e2c7ac39c09e2be21d7cee01fa715d786763daa5b3fa73bac7679698af748008590a3a3508ac186ddabee17f977940e3a428193d3a407af3c4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
7121157287a1ba26c0e5e9eda51f25f1

SHA1
2d6f7df7d4c6f17b398c82778e40604a52d29a7c

SHA256
850149b13dbb42caddf50cf11afe89391eca0df3e7f93ba98999b5fa26edff9c

SHA512
ee0d2d1b83e1e252307e53abac6465841d9e0fc122ecb2b7a444fdfaef255a0c95a80c3f4e0140c9c64b36b6e29c6bf5d97ad27946d96b761964f972dbce0ecb

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
c6f2891af83fcccaa5334c6e2987f40e

SHA1
7fee5c4a0cd04bfcfff4c274c6e59f3fa630056c

SHA256
5549e737594810f702363d9d5bd8bc8fbf55c1c7b54f3dfd727d7874f9dc0d58

SHA512
b1a9bc4b55642779a8f0be88c64fe933dd3baa0ae18466156aeb415fdf4939f790230511a9243d319c06b3b0077312ed6dcedfefa51f271e3df65e1ad242880f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e97a32c6c11408a11ea1f243bd8e8598

SHA1
043f24da128d287645916394eeff0be5f0f86c43

SHA256
1c9e34663e8dd39f4a3f7b6941dbb0d9a2103c835dbf411968dc076d6fa60639

SHA512
0fe2b7ea24bb0d17190ac872691c465c81964ae1b47072f849598c4bd9c059b2000993f04800c6714f05eb32f7c3c09d208fc35e46a4534f7a8e3c16becea155

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
2a6ba446f656c2a6315aac0e808a9192

SHA1
671e09779dde843f0e827a8fc33fd912043b4e34

SHA256
23e8b6670615a52b97f3c48d3fa9a6673d77fd004a48bed0a71822fcb65ce0eb

SHA512
edd9b8c5f8bc7c3451387adc3f0a5ada8c99a2d4ca4f497b55a391775367c208eea72ee00b38aa43a9afbcb316a559032257ef3b9fa2a7e0d04cedc3181678f5

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
649ddb1d63d0de0e073412e9a3e8ba1e

SHA1
76c5c41797422a076b6ae506d321efe63db03622

SHA256
2adf5ad35d38fbcf6f885c287810cf54fc0af55936e3776d83bb6bf212a4f56b

SHA512
c698bd12510db62231a7c07e21b12de8201209e30a18fa5d9191ade279877fafdaa604d303a2acd7b7dcef85f146f9e055421d9284ad2981ea63da8cdf55ffad

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
000ffd51aa3f90ef77957ae6e9ebc121

SHA1
4b6bff4d3ec2435dfcbd8582111e70e847b400a8

SHA256
0aac5cc2ed313b861491f54de997d0cf387d49ff857c712e1a3062b90337f154

SHA512
22f6cff7fccf273663f9b4a9ee94162b3c1e958777611aa60c8421b38e84ef999b06e17c716eae9b8faa63769ffe197ebad8be4a2959d77de2abc29769464508

Download Submit
memory/752-542-0x000001F6BFE10000-0x000001F6BFE20000-memory.dmp

Filesize
64KB

Download
memory/1208-366-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/1208-356-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1208-426-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1836-303-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1836-312-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/1836-369-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1924-242-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1924-310-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1924-249-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1924-250-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1924-243-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1932-13-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1932-22-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1932-14-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1932-230-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2252-64-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2252-237-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2252-71-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2252-65-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2604-449-0x00000000005B0000-0x0000000000610000-memory.dmp

Filesize
384KB

Download
memory/2604-440-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2628-1-0x0000000140000000-0x0000000140247000-memory.dmp

Filesize
2.3MB

Download
memory/2628-15-0x0000000140000000-0x0000000140247000-memory.dmp

Filesize
2.3MB

Download
memory/2628-0-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/2628-10-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/2628-7-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/2684-38-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2684-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2684-234-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2684-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2976-392-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2976-315-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2976-323-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2976-382-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3260-295-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3260-350-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3260-284-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3372-56-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3372-59-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3372-62-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3372-49-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3372-50-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3872-393-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3872-384-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3872-397-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3872-398-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4232-299-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4232-365-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4256-255-0x0000000000F00000-0x0000000000F60000-memory.dmp

Filesize
384KB

Download
memory/4256-262-0x0000000000F00000-0x0000000000F60000-memory.dmp

Filesize
384KB

Download
memory/4256-271-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4256-272-0x0000000000F00000-0x0000000000F60000-memory.dmp

Filesize
384KB

Download
memory/4256-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4276-453-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4276-462-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/4376-427-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4376-435-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/4588-409-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4588-401-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4588-541-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4624-414-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4624-423-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4696-34-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4696-233-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4696-27-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4696-28-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4708-351-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4708-413-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4708-342-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4848-379-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4848-439-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4848-371-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4920-338-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4920-328-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4920-400-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5088-336-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5088-341-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/5088-279-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/5088-270-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download