f2443023f117626ab499b7451da15e21deac6f6a88112387f9764186687e056b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2024, 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-29_e652df60ac2fc31adabcda5fdf4f19c1_ryuk.exe
Size

940KB
MD5

e652df60ac2fc31adabcda5fdf4f19c1
SHA1

6db3a53692951cbe1d7286beb1eeee66cfd6b8cb
SHA256

f2443023f117626ab499b7451da15e21deac6f6a88112387f9764186687e056b
SHA512

39632d650e0052a190bd7bc39b8ec89a30a2d23d48a208174c531d678e11664249eac5fc834195ec673a279054de982612bcd6f634d7ebf647011d580b3da834
SSDEEP

12288:6ObfA4LWOsvAYFTaXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9L:rbL3UTasqjnhMgeiCl7G0nehbGZpbD

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3996	alg.exe
3492	elevation_service.exe
748	elevation_service.exe
3332	maintenanceservice.exe
1040	OSE.EXE
4964	DiagnosticsHub.StandardCollector.Service.exe
4636	fxssvc.exe
2740	msdtc.exe
3640	PerceptionSimulationService.exe
2504	perfhost.exe
4280	locator.exe
4800	SensorDataService.exe
3644	snmptrap.exe
4552	spectrum.exe
3512	ssh-agent.exe
4476	TieringEngineService.exe
720	AgentService.exe
3368	vds.exe
1816	vssvc.exe
2964	wbengine.exe
4468	WmiApSrv.exe
4656	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d206ba36205991d4.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-03-29_e652df60ac2fc31adabcda5fdf4f19c1_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000049d46713fe81da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d19fd112fe81da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fdb00313fe81da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b502d412fe81da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000673a0d13fe81da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3492	elevation_service.exe
3492	elevation_service.exe
3492	elevation_service.exe
3492	elevation_service.exe
3492	elevation_service.exe
3492	elevation_service.exe
3492	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	912	2024-03-29_e652df60ac2fc31adabcda5fdf4f19c1_ryuk.exe
Token: SeDebugPrivilege	3996	alg.exe
Token: SeDebugPrivilege	3996	alg.exe
Token: SeDebugPrivilege	3996	alg.exe
Token: SeTakeOwnershipPrivilege	3492	elevation_service.exe
Token: SeAuditPrivilege	4636	fxssvc.exe
Token: SeRestorePrivilege	4476	TieringEngineService.exe
Token: SeManageVolumePrivilege	4476	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	720	AgentService.exe
Token: SeBackupPrivilege	1816	vssvc.exe
Token: SeRestorePrivilege	1816	vssvc.exe
Token: SeAuditPrivilege	1816	vssvc.exe
Token: SeBackupPrivilege	2964	wbengine.exe
Token: SeRestorePrivilege	2964	wbengine.exe
Token: SeSecurityPrivilege	2964	wbengine.exe
Token: 33	4656	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeDebugPrivilege	3492	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 3836	4656	SearchIndexer.exe	124
PID 4656 wrote to memory of 3836	4656	SearchIndexer.exe	124
PID 4656 wrote to memory of 4996	4656	SearchIndexer.exe	125
PID 4656 wrote to memory of 4996	4656	SearchIndexer.exe	125

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-03-29_e652df60ac2fc31adabcda5fdf4f19c1_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-29_e652df60ac2fc31adabcda5fdf4f19c1_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3996

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3492

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:748

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3332

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1040

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3972

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2740

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3640

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2504

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4280

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4800

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3644

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4552

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1772

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:720

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3368

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4468

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3836
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3c1078c1aeca132051a6589de8f1f429

SHA1
e3ea44bd865edab9e675c9b987100c474db4f42f

SHA256
ce00e952971cdc560e2318cda3a7dd639f7f6fcb9fabbde0e1ad72c307559812

SHA512
d7b7ddb0b956cf26e77c23fcf7f1ec25467f3952961fe3c608ec75055cc33285365c663128974d596b84f7de337ccde7362b0c43574f40fb1a3515c85d7a269d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
90a0752a937bbb004905026262c7f86a

SHA1
d8f42ac3fd647f690600d7add21643af43bcd069

SHA256
9217f608c07a1a465d6ea017a4215148173d9d73808eeacfb96aa73c9ac718f4

SHA512
82bea7babc6bec188d7e3d7ad07c7642ca14075b796f25ab10623e9366aef327114bf1e7c8b1dcdf63fc37bc99b6ea103a9a1bb81d3f19376a46250af80273e2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
524e940d2c424fd3e33c9ce6d2803328

SHA1
44c07bac2c39976ae1df86c55967d747f676d5a5

SHA256
acc54c78d8e81dbabdc322ead902b8ee9993344b7d9711ea0ed6ed0b78f75dc9

SHA512
854199d66115b3283a2fa11f307cbc0fcc8ddf584537ac84cbc1843eded1a543bfab1067481bdf43a487b14daf253740f229da223f05b160bc0e2a4a0aa30f08

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e6a4f8d5da3e65f109ce92fa95815247

SHA1
8720a2b7f130d7466d9ce21740a4997359966025

SHA256
13713d367214215c73a22ef02288955f6d92d7c0b9a5a6bdeae4e28f528951f3

SHA512
e86de883bc31dd86ec1b4ec5e5fe4ed8ccaf8dea40fb50c66c3d888dd45f5ceb94b2329c38db0f74b652b21e63dc09a1f0ce5e9ec434ac4db362f60f096610ff

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b6706b431953d63aa1cc19d7ede4e633

SHA1
9cb6fe34af8cb3f61863d4df1fe9758c661145ec

SHA256
fc47a617ed790352a238a4b9ce44942d7618d4bd1e173420b4df69ff7efcd64b

SHA512
9afe9f1e4bfc062d340d7c182a410c997f71751683d0bd20c6c333c9e5bf10b2ed595d5542b802a9b4729bd6906ea13147b99b303209ca4685b496b32246f106

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
13c7b81e9541d48e00f390d65ff5c647

SHA1
98e986341b61c286c838d88c349f138ab8019afb

SHA256
0e527455fd852754a38a831fc6ce1518e135b78461a4067724aa878e77547606

SHA512
bc6244ecf3a698480a94fd1013b6bef26d721849ecb787c59efe35b7d09af6ade056aea330aa869c06138d0aa9027c5010798ca45c8df29229e4bbfa54a56913

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
70c9265a9772512ed43dea902b42385f

SHA1
f30c2b569fd3a04c7a22d19e11b0d66458bfffa5

SHA256
0f4344d94bfba927720a9cfaae9d5cde5deb810d5b631ab3390d4176fe4e759c

SHA512
de96cbe1b3cdc04ba5b17b141d123b1661ea7ef4a8fac446443cc0561330ae3ab095c37161c728f2808da8868dcbb7a5eff4ee62dc1b6a6f081ae6897a828469

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
41b03e1127583c991337e542faf6f1f3

SHA1
c5c0f9c94ad67c2fce2477dc8f65866248b00ff0

SHA256
8ee774a6684cc5f1adf7b1b7ec6ee31b334f9a7e9229c0b4dcdb5f5aedb0def4

SHA512
12bac40fa5e7f6b3c2d89ddaa57e20816cc0875a93bc8c054fedbf0be91f776fccaf714ee22728b1c74453c20185be03cd40185e2caf96a11ce3f1695287b81c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
1f77bde5c807e89f707636ae518d53e5

SHA1
b20289696b0bbacda7fd4521ca0f9dc9c0db7500

SHA256
1d356f34c013dcdf965a7f00213650baf2a2df705929c93816e55215fd7ed804

SHA512
c1ee71e9faa76b19335b445463202f5ae58e11a8530673ce5ca4389c46e2e3f931ada286e151cf59c4f85f2065902c76c85fe20378080d8dd5bde6d04ecf605d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
f294d2570cbd05af4127aebbc0fcc63a

SHA1
46976686dc1475812e6e43592a88e1035ab23574

SHA256
8a7ac859f8da19854b1235c29640c3f0fc476c81bb58b8619760966772db1b15

SHA512
7d0b6419820ca452e06a9eec0ed24b4fd7b5b6e440860f77f16494243f819d6f29fd3db3e568b669fe669952b550a3796ba152e8d16dc8f94b6d7d7fd0e6e88d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7f4b2f845f3beaea9ce6ecc510b8f5a6

SHA1
7c739475b92017e03e31f9be9eb32c9a911e4fa9

SHA256
9eac4e8e479c09084a35a71670322f8fdb8b48a22006dff27775688b37527730

SHA512
e57a489a9ae8a82d069b1a7c696a57e656dfc0ea7ed54503ce8e109fbe934be0f485ec526e84bcaa23440dd6c686dd147aaee45cf36278f94e38eba9e8d57812

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
21d591453a055f7bf858a7f3d931c549

SHA1
ebd10770c68f591d2e55d0c683fe03ec5518f40c

SHA256
c3a50ad48370a730ac9fb1281f965cd7627a391613315f10ef943e3afcb83d51

SHA512
dfdc82bd1b87c6eabb8d45413ceb4d9e803e41657ed858714d03ae6d528f38f0a4f48a3d7043b7b9aa4078f7b7f7106cf839605bda7f3274e5537305b2021722

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
de250a6ad31db708aa591ee85012088b

SHA1
10c5be292e564d2a685b875730ac408a50cdccb7

SHA256
0ccbcee2ffcbe295e8217bc04785a86ce6a0f01eff633326690c9a88890178a9

SHA512
9f6dbe5f99e958844eac3bb0787fbf47a908dfc6a65287130e8e692796a16419e97b41cc48e50157f9a43b5d5db8a8250f9af7cd887de1cd99755dc8a874777c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
8c9e2d2a4d75acf1f7beb67dc97cace0

SHA1
39939a5f2a61acf1a3dd08e301bf51f5cf820ac3

SHA256
cee8b377d41b1396e42e658f89dfbe6db024fe841367c945651066f2e417d2cd

SHA512
6032f5110dd27f7a3b94ef1a6a24cd032f97b5f05d57251a272c528a3ad8b6b8336f7109636b3e70ea480180713b0e6086841e03271a9f4b3dcfddff7109ba7d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
048e2c9d033d97296d6d3d76c04cfde1

SHA1
402899c8180c7216c2850b087696b661b4207c4c

SHA256
adb10f6dd75e4af61d970c4679099baf22a2bbe26fc039623820295593f9eb62

SHA512
c6ed2617cf385f145fc0683c0761637d05974de8def61fc7a9fdc9df2855b1603107d7c72043e998ca20307bb14a703aad5b65382eda29e64da107d16911a06d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
df055f347e165222f33658a9bf065180

SHA1
7d5461c7fe891e718d4420296fbedec8d64859b4

SHA256
fadb667c55682e4a85772a29ee4712e0df0ee31d1a19fb00c588fb1fcaffe0b1

SHA512
a306d0726107001e9b226f5ca45876482b58323e9b82bcb9e61b4701158d87bd345751279567a937b564ad145f2eeb14f987b7beb0f3945250b0ab2d9750d698

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
f2ed5551a7a1752f84f91d4bf7cf7f66

SHA1
98081aad1742ba75f2f376e006be87507a853163

SHA256
369ad1b9c095187c4d9150a7f3840c8d6592fc4b14193c7bbafdba3e7ef4f9e0

SHA512
4d4265a6f8914c615f4b7ba7a3c8a5f4ff0a32d3a54346ce89041a4f39a61be9802d7e89db48e2c5655426075575502d3b371bd92c4a9b3571f521e68c1bb38b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
073495de939673fe1570e2b362ddf54d

SHA1
77cefae0476c5b6205389152ce1139f21c249f55

SHA256
f0ece5350b6106307336bc625c0107fdaedb5392d8461a7bb9b90c1f83b2014d

SHA512
edc99803a4c17f0d3192c8e70b4df72327936ed444cde4690faca24350d8d7efc89ccdba6f99e1f953240caaf4c592b54175d3567ccd3dedb0da5a1aff35b9fa

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
dfceaaf0214792552d05c0faa7403ad3

SHA1
434d641ed885e73b261fbab21720f275b2b9a8e3

SHA256
f61354754e43313e13969e5e60cb9f213ee4ca6cee140071c4476d5d19db42bd

SHA512
07b1de587e1cd88321504402efc9974835e5d71a29bee88c5ad9abf79818de6daf32d5b9fd67af784f2a40158a46e172ece996933e383d5e8e5e980e8eab132f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
5f0c9b348788b84ed4fae2c7b412aa31

SHA1
cff5f9bd0cb9953c535c5506d7eeba5391961d4e

SHA256
149dd03719ca995f11211aac63f0299a2963faec699756b3d13bd8ee96a9e876

SHA512
a95de27df46aacd58a38b60da324bf800027c3fdfda31be6cd814a3914480e5ed6643754782a5a78ae62893ffb735506c05bb4ab3a63bb99203d20a8a9e1dd93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
2a5f98043792626a4a2c2f2d6d3781fd

SHA1
7652834b9c2c95b7dfedf0f6f567dfda18c97387

SHA256
38bb050135f53870038dd9cc03d101ac424f845cb69e18d761d18fbae446c156

SHA512
0ae9399e4be6c51c10942aa2ac846a80aa6a782d1cc18bcd11d87a11fc0f71365718baa58cad1397aae24e39e55648c21ae1aeb93b9f5184d1218e8eca5cfbc3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
10bb26b33a581db88a0f20a20e31147b

SHA1
f299e37ac8d9e57be2b267a5495ecf112e2968a0

SHA256
2ec752eea15c9e994f1d957b94489dcc173019050344a6bbf6583afb96a37a01

SHA512
8487873e49bf8daa807db7e9f642ae437795682a97acb4117d6a3aea1bdc9dda12aa6a22e47e0e74fe4b7a8a19422cf564035d0920b97bc8545ff7f45019113a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
52f03c3c695a11c2cc27cc65563cdf11

SHA1
fe1a4eb1c298ee2282bc361940d9d6b856cb7f17

SHA256
b5089a4b08a3b28e37ce39c70dd43f6f47fcb47b80b59ec5417a06087bca0c3c

SHA512
bccc2b27860722d1b90df0256a513f96283c43714da6a0a451f9c635afea521a1457c7ad94e912ad86aa8d5e116df1ba2264b12efc5c79340f5e947d0f5f4109

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
fbf9621c05b827ce84c922771c9b1b3b

SHA1
2d839236adbf6a649131f6a536a14b35b9bde875

SHA256
67c03557790d0850ae753f156eff5eb07f9dcf749ac5a8e6ecb2a4954cf60dea

SHA512
fe170cd892620702eb3047448155e73be8dbd3b60dd3da1d7b77fc59ab46d1abee770f03f8ae35a050d09c8253245cbbd1196523bf79d883444dc21eabffd82f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
019394d8cfa538a34ffc5f70e8cee4bc

SHA1
bb3de21bafa8eee69e0cdf0637b6afa3840d0fca

SHA256
d6589535c3431b4008e017a47589f4cdf7f4261f5f7898bb328cae2bd333e0a9

SHA512
3c07b2db7ce4739dbb89607a84c78ffa3137141e481efa566da20777c62d8201b64ac1b8bdba2cf0fd3b37509a95f379f722632ed9be64c464979f78496157a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
4585965726c53dbfde686865974d78d2

SHA1
3d4d4352da557508eac13812a5b0035383a30280

SHA256
5fd89d61f78ce1f4f5778d3fab6bdd101a75b04ef8eb3c68590ee507fbb0a2e1

SHA512
663eea94b6d22541df50b0e5842f31201fca4559ea92a7ed9709385b77763f4ab755c371e3010d75a17356c471ae4f892b14597b7bffd5f3aff7095d1e793ae6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
a923e518f6065b0e5f6227c604d125f1

SHA1
1eabea3217c49503d9fb073e2e1065502b1c4344

SHA256
adfb765b985f081a10f9f65904ede3bb72b1eb226c0d8465467744f01b4a0f0b

SHA512
a2cb81c9e3852a56f6e5684e360fa31d40944c5e9074261953f5a53d0a043f777b361214ae91fb0209e468a09eafb94d44e0d26eaef693e0815fda1b999fe867

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
84e067bedd93eaf5ceaa6d11ef562ace

SHA1
64ec4f3c3ef844aa81ecf832af9bbe549f5555ba

SHA256
051651e94240fca192c4dcf472a2f7e33cf541e705b9e396a65d9644a34732ba

SHA512
5dd33fe60099a9888ab60043b11c2e3848e01b58d12706649c70910a0d414e44accd7239e51d93d12f05b441f17a54d672038ce2223229590fc91556add81888

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
876261ca18d7e8c6b718ea2b0d6a1ca1

SHA1
92c9355aa106e1df4471da059ad08ae02326ba73

SHA256
f169f9e0fd87671ff83cfdcb14dd0ec600174f73a4617d2111ea134ac359dd99

SHA512
1eead65d410d74170536184a3fff882f66150cf0d5aa31007f87e7f93d8c965ed314af17ca6e1b301e777abfcdc170373d7c9f49f74cd02a6b475b5f84d45c18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
7a52ad0934ee2a74878300c31a1151bb

SHA1
6dc6944d3d5ddb6b44907233e318047a08eeaa52

SHA256
608912940b2f99fd888fcd8e196bf5ab9610bb5cf84c27e23c8a602452d46d29

SHA512
3fe5bb96d2baa2a2aaaffe18fa6cb3b2ce5b691afd34d89e58f441d2489ba57d5a030de380968e50df0b1fccb1d73426472a64c499dd3ee1381c962aa65a5075

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
f6a67e5837160b1eab6172b82f6f9186

SHA1
bf349d04a28287ebbe4b3f5cc7fa9ff7597bf589

SHA256
4c1157fa6741fa93a74c24266c124a2dfc1a729ebf583658b1efc4f631e780f7

SHA512
8f631ceb58172bea343e2731879c5ca6df3766c1a53265d3535935dd8ae63fc8a841f439eefb6a515bf45fecedef740b0161b7d003083f6ed7721312bbce6a4a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
e65ed9c6325be8a7ecf843ed0a8e823e

SHA1
f1a405d0f83166ff84d5852ba717c3aab83820ec

SHA256
0d15bae6702ed3ae22d48e6f4144278a53194b3a47a56b27e429ba0ddd7abcbe

SHA512
7b2ff699f3b5d6c85d42de91156e6f3bce8b977649250a74f7923adf93dcc18d33176611dd018f64b3442ea1fd97aab6bcf703ed740bc4a73daabadd89b85ea5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
5115aceb805d042b33e51d930b3c9832

SHA1
cee7bacb8de33f1a3d427d8a23e4135118fb328d

SHA256
182fecbe27c296814ab0d20207b0b46d29fdbca621efae7ccd2751751128a863

SHA512
7de536cfad4eff9f60e8ce967d8714e621501ac7fd97ff1753a2004a625307425b50a754768f975ce440561c477250df598a69571d278d7e64ba6ddca97a0ab7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
bb34514fa0e5834fa56bd090b3413c9d

SHA1
542505213d3ef0ef045b79b6aeded892bacf9977

SHA256
3a6f9b79ac7f30344c2eeaad5ca8537dff26609949c025911fc742a15359ad49

SHA512
5528e9e3426b7c76c9c46a7dc3ad7b7920524d33493d8568161c2a8dba58bf293bfea1c96598f2eae55e2d470bfa98c94b8ae6d45bba74e25c81dc047f51e011

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
dd704214d90262dc4646ca130c2b47ed

SHA1
1a6bb51b1aff12b4cfd37432a1027bbbeeec9ef4

SHA256
44146075a5417b5d2afbf50d09f89775fca3cd72748bb995d611223a2f3f61d3

SHA512
871b86798d82808f2a5159ee04d477520e6b99d25d70219cdcf52197775b09857f31fc076dedd37c77195f72edf4bbddbf8fa915bd6fcda77b2bb243907470f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
f88422e040b66a8d30fd2a17ecb6429d

SHA1
4fe1de8982344df61f4b8189f6c804919c857ac8

SHA256
18da6479d93cf86ccbf496079bc2a023a66e55658afa13301b15622abc94d397

SHA512
5ec015143b17f12611e60f8d0c86e5f799909d2cefbbd12655f9e286267199e48c28b5c62205ec8cfeb81d1853dd1c7ca3a271e08c52ca4d34119f17a16dd30a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
103b264763e2424a89490aad19ff9611

SHA1
2345d9e399bd5d814c6e5a2454ac5042841962ba

SHA256
1d3801961d74d7e6812d6abd1b4d0201af92303d587022ac708f7595513e2e06

SHA512
1269814af333dbf26a1ea27687e271274d8181b47a6fdcf760f3c3102220e91128d193f67a55f463976f7df24c841731e822e8bb26b48334e4d80ff0290353f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
65a5e5838db66e107aa9b9809b63ccc8

SHA1
54ffd7af246fd8fb703ef8a894716e9b8053b449

SHA256
ae9d5e8d05518351e2f87ef3c62e387e45e64a9f98ee562b65e15d7c3c893060

SHA512
c1a5896bc6546e2ba30f1e11ff6c41db023768175ef3d9e04dd7c8ab617a59630cca6cb5da2c3f00c309e4daf5c6819a7ac0c0dc6dd0e0d460a31f63aca87f4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
3ef1e24b0d4054656e438aa4451e3123

SHA1
f9a5ead137017d25992c81a79ccd7256c3660fb7

SHA256
08d17cc555e5d12c193576a396a4b5e569343bc4d6721de1aa610257d8d175ca

SHA512
77210da92c5aa1d0fee8efcfe1d8c7bd12f08f3c730430cebbed8633bf32eaec2f59ebfce561badcf8f883424f44a6474b4651383a8b74e9048a7ee381040f53

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
94b68cf09d2b460cf3eee2db27c23fa9

SHA1
3e48212c00e6ffcb4e2e648f453a0464827dbcc7

SHA256
d4a8711dfac35df9bb15eed1c4ff6106f679f11464affc23c26a553921895b1b

SHA512
44da5b53861f89512f6038a77deddd73c07945c7f9f7b153c09150715b31fa5d29d271d60777249e188b198b13a77e696773a8d164ff0d8962896ffc78c70b8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
01ab0fda0e6d3f65fefce25abac7f5f5

SHA1
c38e1cf28a82be1c6cba28e12c8c2cfb3de2aefd

SHA256
94ec201bbf2d005c864196ffc9602e24233f9c327a63872e5286b7928a31a804

SHA512
5a11580ec9d90b72be89d3fe5e0467470949199067544e4eb0f1ec3e7dd2b7e7cee2cac3b0a9b058c2d88d2c8991dddd1090e123aa6b388c425d7b839b9c0993

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
b3b8d0e849e6be2cf58029a7e41ce95f

SHA1
aeced95c600d8a82fd877ee1a08e065fe04eaec4

SHA256
1d199e4432de02a78689a4c0c430b3af09cc4bbc1c52c47c827986cc136f51fd

SHA512
bfeedfb72a52acae11a9959ac320071aeefd6fb790c2720bdb888e1b8fc78693bce357da7f45902da9d788fb8b5c90f3f2e244d4f8ac9fc995d140f3436c362e

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
78c62b7927f976758075ac171b4f7e55

SHA1
6319076940a9cc98d780927fe2996111fcdb8803

SHA256
4400a66e3d362d941cefb4d32cd58eba8287291db2360cac81e0b7181dce276f

SHA512
3b491192f2a7aa24afe356dab9a57f4579fa4fa27c56c389fb8f0a22454e8f2f0d1e72181262099f39111c5f23b78bededca72f5d24030c845df09ab065d3a52

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
ccd39011c94d7e58e9ca99978265daf7

SHA1
f5acb94f71768d4eb0c875ed42d6e36455b97d6d

SHA256
5f492d1a43f94ff40a08f752cc14d3c57e94431e287d3dfd4e290aba405c51e6

SHA512
4608ba5158f6b7b728ef65fd0674ce2c8629211f64ae592513053e8eb6b45ea88acccc7000c67ee0bcd9a4ab16e708d08f1582e0ef0aacd5b0d04a61bca87c04

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
2921759cbff2031c2c1d8da8f382a5b5

SHA1
5eb37fddf3ba327ba3c87a95d02f85cd2721d65f

SHA256
b5e23d40ba75c50be5a4d88df07c80abec5a7747250a334cf0663747eaa5cb8c

SHA512
5b8e2197b35501978c25faf59d8c677e0c4778308301d711b5715b748437db8b3724cb2b1df9170fa5357adb315f8a35618f426500bf7b7e3869ca5dca54da6b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
e014c9242cdf21e813919b295f029ab5

SHA1
0d75f8163e8a9d12348b8bcde2ab52ceb3599bed

SHA256
ac0c6447004f03f92c98412252518960a19f76346d54457303916d30c2bfed95

SHA512
e1e8d6fc6660a71d01cce54f2320d41dca1f3994b6a21f2259f561e8de5fe24b8ef1ad69e91daae20df9169e7b3b411a101330e1fa45d24f85367f31ba724f1d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
64666eefefbffc12ec6c5c468d80409c

SHA1
11da3bc0597c582c7b4b7eaa808a4877bad5ce8b

SHA256
f5a099c1d4a0000951286107e0c5aceee117713e2892d13fd22dd7b9fca6ee04

SHA512
aedffabeab31de7beb2f7092cabd6b99f23c5b0bfd5eb3baa14ab0c3f221d24f891c5e5316b7a7c1d188039f3a8db84b79916fda4f0a72c0d39f244a6ac063eb

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
381c0db1f4896d039eceb8b8ebc3f99c

SHA1
4874d82cd6993535a51234b401b92a38e97fcd34

SHA256
ee4ca094ac7866974d3f609c324fc4698fbd386a0c24a5f2ce4257cf88c6d0a9

SHA512
a309e930bc6e47f7584af9abf6e3863307bf3d1f90dc9a65470fc8de167adf0523066bcf7c7d6178ed3215daa833762104cba53b8e47741f86823ce4ceaaea67

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
8c9b9d281a6fd8117cdf7649788c53bb

SHA1
3ebd81a49229f490baf80235747d164089334087

SHA256
d14959cc323009b41847555f676ac7f03cb5bf633048b1754781fc28f14ee04c

SHA512
01c1a522a93a18da811f0917c739734984fecff69a208b8b24aea76383b915d71a3746d0d0dcfc4385c3cd7988a434c8f71f28e163525cf0cd28f4f4a697d38c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
f9245ecdd7a846e282ab591002d19294

SHA1
cbb0b68ce43ac39669696d1bce4f19a9ce1c5553

SHA256
e10d00d9fc27399642ff8aaa6debae955f9b2f79e8c66670b86c989d7449054d

SHA512
f5aecf6094ebaa1c3c10900ce72db23af34d7d93f1b2156123e2b32d4cef84dce53abc306826ef46d5b0856d010b7f622365252b0a0ab8a03eb437e09a0a94dd

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8d61ff3909de55f96eb4a2d22482041b

SHA1
04b4628a03a52316faed3366ea40357152bd3459

SHA256
072014c7133cfeccb037c9e5194ffec17c401f63f38e5cfab73dde5ed7e96bca

SHA512
8ce90fd8e6b78312586af9638c0d6c41ed89f8c96acb60e15d826b8ce8d67914c87c3f4012f674cb85d271900ba2a6a74407b7934a5116168117baac46df3a52

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0879996d4a99deb7d5e43ccef964f778

SHA1
52d61d92b160a0d705ab86cdaf18efa2bd5efd60

SHA256
54e08556b48fb002fae35ce740bb0d6055b003ae1bb1e8e3fe16f5a759b72f70

SHA512
e497611e481459575caa5b1fe81e40b6b638a313c24e0c12468fce2a350e287790f303c03cdb03ff662d1d43266a0ba69f21d6fb9256b4d5793af20bf128e885

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
741cdfd243de18403789b4da637a1a40

SHA1
d1bb83059100118ea74578c97b78ba6f04a26b7b

SHA256
f8f0c104579a1e0e4d797465ba21f3fe62d3a6639c3358f32c767b40159e6b74

SHA512
5b6e3551042a25dc45b772932f30475f68520490f667ffc414a75d396d8baaa04c0f3785b21471a6032f601b7b6026028ee110c3a8d700719e60ccffde8114f4

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
cf75aca1e6799bb8330ba14dd2ce6ecd

SHA1
022c715f31b02b1c218d0bad7404ef2521a41f86

SHA256
8aa5ab3f07c1ddcd94d142bc4a0a8619383e627e577c8bf8fae91ac4d2bb81f9

SHA512
c8418330254459b95d1b687a323edbcee637b5e4c8d7dc64c45d398b159a7b1eea2b4e5c9674831825a46c584a520c1eff1d0cd2f1e3cb78ee8b33dc23e0bead

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3fd4b689787efb3c3f49dc3436f42a0e

SHA1
834ac94988cf52f041b23d5856472fdabd32821c

SHA256
2db69d3c09b98e205a4e482bdc32b634cf5e87e0056c08d68c48d155a9fe38af

SHA512
6dc4526b38044350e086b567906b202d828517382e9018c5a28711c1daca5b34a427a9f363c9de71a83127a0d35ecf7ad2b279ac5041652dfe2a98f63fda36d2

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
fcd22af0998ac972d684eadeb9a7b478

SHA1
620bd2d9d8c054e4fef206fc89f0e0257e0c373f

SHA256
52333ed39a2c93155e4efb33e210f88b4c7bfee4c574b631da030c0f3700387d

SHA512
06c766e37c38b893da37f0f6a692cab7d62d6920caeefd430318922a8dbee9b719d37df2fa912bddd2522c5a3d8079ee6caf402089f0cc1fbd252fac457001d5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
ff1d19047b1d4ea38ace981af1d41809

SHA1
db330383fc934d368084c6ca8b870c7b6fc468af

SHA256
59ab7139ce2a196a4bc0b06641b8738b71e92825331e0e1a65d9814fc22497a1

SHA512
d70a43dcde004f61b79c68a4318541a2ac7011bf169199bfb4b125d9982a91cc287d73365d7d8a4d2ffd037e11c4a8f8d3e1a1bf9febdc1f96b19bf305ea3a20

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
e28d98a7f351a4bd05490d3af3e9e7f0

SHA1
8d5aeff248fd02dccffda23cb460f9f39c453be9

SHA256
8e82651efcff7072850980ca45102c4c4501367b2ce0e07d11db538519b9881d

SHA512
2b283f0b2e141384ed64b641dca6f78584218002764e9b3de7b1808bafab788d31ab4ce4683a598fb63d3d21455142eab8b89df039b7b2dde5c271c7b51a2f74

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
567c8d72786e8cd70e963b5996575d34

SHA1
ce7e0f46ccccc20b410b64acaac796c2b6f8c5e1

SHA256
e776ef5f5d01e3172498730841634f2062481dc3c6ef696f9cc3ba8944a7f6d1

SHA512
7717a71513afd7f8b2b91f4c38dee55b576b42cfc39530743dc372f312a494771230b2b21aebdebd7e32b983cc214a0b85105cdbf189fb84938e6f8dea0153e0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
842b2d176d4ce36c8a37e8e48d2a79ee

SHA1
15e6740d1331d550e9e454e5303ff65164ad0877

SHA256
ffa3befd9f4687bcc43fc89e39476230c66946b009db85b434962e34eb7614e1

SHA512
45d89dbfe89208270c84bb945957da758eeb3ac3af5c239b68c3da0b045524b5e7def7249ab1576c1db46f6f5e3d8c5d966d961addb47793e8bede33295dbf27

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d33ef9a3cb98dc72447e205355bfcd7a

SHA1
7ffb7b85b008f193587448fa838aa0cd0e7d4282

SHA256
69a4b113b74baa240e3a2f63caefe06382f48dce066896ca885233b139ce71f5

SHA512
5e2cc6c9edf1c03a3203c52af64ff6e3dfe029288ec7858149a6962ab777ea2de791037940f90f30e071e7e9e3f0c079a2e36238289e48614f5950a2afbf74a7

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
9078d9615d9c2b247373e9923a7820b2

SHA1
d0999876e866c1d081e84dc7448e41c962217493

SHA256
716019db5965ff4e07faf07aeaf0f61f0669db3c9826f22f208ac2feb673ee83

SHA512
fd1ac6fe9e49b903b24a4cbc251ec91bc83de17667a4ec8a289cd8c846e376114fe1cab08195aa66c4a6b41e4035c53e0dcd63d08fb54984af2f019247938144

Download Submit
memory/720-399-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/720-398-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/720-393-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/720-385-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/748-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/748-238-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/748-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/748-41-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/912-0-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/912-1-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/912-7-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/912-11-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/912-14-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1040-241-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1040-75-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1040-66-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1040-68-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1816-417-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1816-423-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2504-366-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2504-302-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2740-340-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2740-283-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2740-272-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2964-430-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2964-436-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3332-52-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3332-59-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3332-62-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3332-53-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3332-67-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3368-409-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/3368-542-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3368-545-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/3368-402-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3492-35-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3492-29-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3492-237-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3492-36-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3492-28-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3512-427-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3512-368-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3512-358-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3640-352-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3640-291-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3640-300-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3644-332-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3644-401-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3644-341-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3996-23-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3996-17-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3996-15-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3996-233-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4280-371-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4280-315-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/4280-305-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4468-449-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4468-442-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4476-373-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4476-381-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/4476-440-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4552-414-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4552-353-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4552-344-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4636-275-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4636-257-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4636-258-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4636-267-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4636-273-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4656-462-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4656-454-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4800-384-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4800-319-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4800-326-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/4964-314-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4964-253-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4964-246-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4964-247-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download