0aec1faf1416e654dd0402090fbc55765622db9fc84b666c1a6638580aea0dc3

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2024, 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_3006ccfb8d31ecce12eba32f8c389fff_ryuk.exe
Size

1.7MB
MD5

3006ccfb8d31ecce12eba32f8c389fff
SHA1

ada1ccb6c5f94b3d22c4acf79f3891a52f5a77de
SHA256

0aec1faf1416e654dd0402090fbc55765622db9fc84b666c1a6638580aea0dc3
SHA512

1eed955b5084ecad14564c13c67455f383703ce02a667526f4ded0f74783c0ceb5cda3d5625ba0e3156450a461e836f2f24126dcff0ecf4cd2290c39f7b6b84e
SSDEEP

49152:4gtHUujpj7AewZkZhRdhEl9dOq18F5/oN6M50R:rFhxZhG9y55M50

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3252	alg.exe
4812	elevation_service.exe
2072	elevation_service.exe
3048	maintenanceservice.exe
2556	OSE.EXE
3300	DiagnosticsHub.StandardCollector.Service.exe
3524	fxssvc.exe
3332	msdtc.exe
3340	PerceptionSimulationService.exe
1016	perfhost.exe
4492	locator.exe
1444	SensorDataService.exe
4516	snmptrap.exe
800	spectrum.exe
3504	ssh-agent.exe
4468	TieringEngineService.exe
4748	AgentService.exe
3940	vds.exe
8	vssvc.exe
1352	wbengine.exe
2988	WmiApSrv.exe
2100	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-05_3006ccfb8d31ecce12eba32f8c389fff_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\794c764d205991d4.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002e231f3f4d87da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cd49263f4d87da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a95a773f4d87da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b8f7743f4d87da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b95d393f4d87da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000092fa363f4d87da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007099153f4d87da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c6b9b73f4d87da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f2b6f53f4d87da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4812	elevation_service.exe
4812	elevation_service.exe
4812	elevation_service.exe
4812	elevation_service.exe
4812	elevation_service.exe
4812	elevation_service.exe
4812	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3868	2024-04-05_3006ccfb8d31ecce12eba32f8c389fff_ryuk.exe
Token: SeDebugPrivilege	3252	alg.exe
Token: SeDebugPrivilege	3252	alg.exe
Token: SeDebugPrivilege	3252	alg.exe
Token: SeTakeOwnershipPrivilege	4812	elevation_service.exe
Token: SeAuditPrivilege	3524	fxssvc.exe
Token: SeRestorePrivilege	4468	TieringEngineService.exe
Token: SeManageVolumePrivilege	4468	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4748	AgentService.exe
Token: SeBackupPrivilege	8	vssvc.exe
Token: SeRestorePrivilege	8	vssvc.exe
Token: SeAuditPrivilege	8	vssvc.exe
Token: SeBackupPrivilege	1352	wbengine.exe
Token: SeRestorePrivilege	1352	wbengine.exe
Token: SeSecurityPrivilege	1352	wbengine.exe
Token: 33	2100	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeDebugPrivilege	4812	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 1584	2100	SearchIndexer.exe	121
PID 2100 wrote to memory of 1584	2100	SearchIndexer.exe	121
PID 2100 wrote to memory of 3320	2100	SearchIndexer.exe	122
PID 2100 wrote to memory of 3320	2100	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-05_3006ccfb8d31ecce12eba32f8c389fff_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_3006ccfb8d31ecce12eba32f8c389fff_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3868

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3252

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2072

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3048

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2556

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3300

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1140

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3332

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3340

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1016

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4492

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1444

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4516

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:800

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1880

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4748

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3940

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2988

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1584
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7a7c544d7428675b9e9f60fd66415d8a

SHA1
c0fd103e61dbc7afc4b68027bb9dbf1bd45ef6db

SHA256
3ffa0b80a9ac176e5f0ba5b37ab0092c3a22475b2da1715554ad61436809a8cc

SHA512
2f96df03e967238889327f89e234d1543697c6b5eb8fcd558d608fb7fccbac68751984adfc16d86dc3247803a52f99c81ed27e81457e26f5a0ba4e6b3f742ffa

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
984a2f608c9eef84c83cd0ca62c2983a

SHA1
d2e496cd571cbf52988ee7d3614da80aaa7c2d4d

SHA256
1a6b2f7078927e00f6bd36a547040099c6d9c083ed44e0d7b695b0dea9be7d17

SHA512
7d0f2b2f854cd71744f4e81511c32155c5a828162163a01f543320f6d1073aab7756719b6def0ccd2e64f1fb3fdae747b2c5270a822f4dd14b516e50df5ee3cf

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
33647a3520a9b4e1f65993afd76cadc9

SHA1
81ad39a5c5461c38c38a2dd1461629fa08990c9f

SHA256
4544bc07fb792d450a13eb8062f91e14641add75e784c9895bfb81c301ca82ed

SHA512
ad152183cd81881ba7fbcdb4f331a41c6d0b1d650e20a4920f9a447b238c680246ed18a38c420950a8870469bff0b2561f68cfa014ced1b8747637e198824534

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8ea66579844f4aa7e71e83682ca8f74b

SHA1
b4f5bb41aec33c5833f0bd3dc611de51350296ac

SHA256
1dba329d5fdd6c384b80acd3424ba1b2e0c73cbfadf96b55635027c66767f607

SHA512
3f507d0517a0fd34d5d5f3009a5f0334ad6deee5ed8dbdcc6d9aa5514203dbae3515e83daa02e2f29af9351332e021bdc85d42e64be2e19b6f07f83bb13b2ba1

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b9d74ab441e1941d907d6b6b28900d1f

SHA1
89fbd5dd7aa39fca6b9ddcc5a6e19b7559ad278d

SHA256
f342fe737c670ad64ff27b3b2997fea098b8b07fe17b980961722937bdbe979c

SHA512
9c811fa7e71653c6a431e44c471ffc2123f7e18306b0fb632e4df4227ecd16f57eab357a2d93e7d05bf70ad7684009f454cf8018737748ef3f8029f18a583fbb

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
6a49156e7e9b2cc1d98f49c18e40584f

SHA1
13aa21a3c22e32e42536ed738392e7073f08e4d9

SHA256
ca9b79ce994985bcebfbe25eb88bbea4f514f3d916d444d186d4d0e8ebc2afb4

SHA512
dd98be88b781a72ed3e50899b152e3745b76831719e25e53012d8ffec54ac1f840a4c99186115dea1254097079f836e7ce68d2cb67b6e554153369d73fa723d3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
946a4533420010e79cd7df31f3a44e12

SHA1
5bbad14f6bd81b4ce57742b150180a6cd81babc2

SHA256
237e3bead97e2e852dfd34d67245ee4a431f52f67a5036f80616e31ea6a823b5

SHA512
3c4f8fd7fcaa40b64841334c226bc50aaf43c6cce42a37b11a86450949df964a551765d0f841eeec549593879454095549b3b75ef893c74dfc9bcc8c93e7ee6b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
82e58113cd734f84ab3ddbdd43d2ef75

SHA1
9a57c737be8eebc3d5599a5945923eb2b8e77621

SHA256
b3a1b1b178f74d160de56cfcff4a2c3b34a0ca490520af077f9e097cd2bdff4c

SHA512
4aa1e0315dad0289ca40c5db5bf649441f3bed21f46ccebec95d5a7db80b01221478dfb5daaa591e9766722ed859419dc88b344d5bdbe53ffe703befd019caa0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
950f5fca1abc5e4197c6af0c24e92d24

SHA1
073083bb650bf0a1a3349522998072bf9fb54f6d

SHA256
c9d1095f38f733dcf3468358bedd492f3c78c3a84dd4f23b5ab5bd0ebecca53e

SHA512
002fe9e5ed1c6aca52c2726373f959127953ca1f4ea033812d5781c4b242706fd9c8f969ca5e6cee18aa4cf5f2da90d556469bfa46afd9805aab973e23f642d4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
9173ea17f20aba0faf76255463f90eb5

SHA1
5a61fc6a463b370b5fa186e05bad1b0feda87348

SHA256
88e4048b787213b994de538ef94637deb0b6fb3288092b219f2a52f0a5443d19

SHA512
3a225b88b93a2ec00a7123e69bf0f19df919aebb519d2833280c4e77d450b6e3f1027a1e2180518fcb705793c8a7f17695f2cf11c5ce174ffd2677ab1906bc04

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
97b2f0982dd1b6617136c353fa30c242

SHA1
41174bf97a3e41bad40436c03a35f9cf2cd2c718

SHA256
dcd4690dbe0921a6cd9c1d7bf204e37a6522be7f82e42245a6f01261f31d63d8

SHA512
4e1ba9c50438763e24398577ad6bb948af41779fcb77979337bbe06c6bf25767640ed1968ae230758ca8a27a78118af32866f57253a7e0187bd85ce61e023fea

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ed86530928812a4595893bca563ecd0f

SHA1
c7a35a3a28784b6fece60587a6bc46eda65818d7

SHA256
4d78e27171247ca9ee87e0f92bce17862d30f96462d3799c66c15b32d7cd64b7

SHA512
c7253aa0287bf9d7f74626d6b2b3a6e1e03544ba6cf538766a1dec9d9e85921e46e07369750deda777850419237f46cf43390a309fdf607921413cc1c38554d2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
d93905af75e0ee773010e0e06a13e2be

SHA1
f04d81a1de058a0edbf37af27062e89d2eda41af

SHA256
0c306fc0518704147c4c555fad7dae5a41fbb167c214d3d9f060d844705ad902

SHA512
95c7343c9db488a03380b58167225ab1e3521f893faf4a8da407c255f6a110a2c01af7be8f753af1d32f38c688c747c5e8732f4b731f8fdd782a468a81edcd48

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
a3f04ea02f65695e81713ac07b5a8d4c

SHA1
2f8ba4f18be127420493969ef05d4ecab07cf606

SHA256
ce3b3a1a3aab21101623d5734dc14da1d22df9b8997761093e6d8e1014ca60f6

SHA512
7cb7fbb3f2a7cffc1fc8c956fea98dd759ab03d3e061ec60a3bb50487b98b7bd808588792c8c8445ba06072e0de1f928b30b7ad38dbda0c187cf0115e64ffd6e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
6b093d4a5cde4fb048f3d972e524b335

SHA1
39c494785da922f1007e939e3ae3ebb412acbd93

SHA256
cac2b4221ae956a279c447b2968fb04555dfd21a280d4ddd632e1e975acce397

SHA512
1109cc5bdaf61b1b4bf93d0639f1a0b6c7a9ed988d6d8d9eb800662ecf5d0a98a38bec0da8e6d9bbf19c502c5e813c242f9bbbeaa2898570fb9aec6a95ad507a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
7116d79d30c06e5d5c8403463c454597

SHA1
186f64666c9b14241d1b8fb8a98a378d2493b692

SHA256
28a18e7254e07a1bd8d88b81bb33110370457da432a22f47c0fd57fc04ede593

SHA512
088c658c4a8030eadea183eecfd90b3f23fceb78b4b15e4e1f2852ebdc50f1077e2cc6e3cc8429e5206b743b3626ea54de94d9013d2a5e4f080ea286d24906a5

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
69d501f50af694bf825006b83a9ae57e

SHA1
68b1e72071874871363ddf851f0bfe5f436ab592

SHA256
b454f7a187297a51c9429285d88bb1194894177362e55f1dc0bff2290e890ddc

SHA512
4d3a8be50e278c43b8021b164d845fd29dff0c60a8c3d0174ebd76247c44e9f256150c82c3a881d19e023ed71d8cdc0e5e0881f772a0a205b2295ca46da0e3ef

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
31e84bc58f47b4dd0f8cf6d57c6bee83

SHA1
1058c62c76d9dfdbc881a42d5efd4a79b52bdb6f

SHA256
b91d13eed24c4165ec6a4143ab9c115f47dc4fa4cafca4456a8e1e75ec2b419c

SHA512
25f5e77645752ffed1600ae330e137af6b4ee9dce5f77e462949d9d9de2dc758ccd02c8bf461392e570578c2d5a66ffb18dc483e94e0a0e6857c2b9a1d0ecfad

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
cb2690160b0fc2a5dd6098a75a2dfbd7

SHA1
e9a83427d9354c4bdb355b7fa4db06ace687f487

SHA256
836fcf4b9a201d020df36606bca32c6109870316cefd0133f036b19c88abcf3c

SHA512
0c2fae66a5c45d59a62d2bafd1ceae9dd72ddbdd012bd944fd1c6bf9e9526ec039f1e12e7c2f516472ab8608d67546b276e4c5525066610d1970314e3ba85175

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
7fb239e271dbcf978ad6d6d4577c8f31

SHA1
a43c2ca48a3222328883c78512dde67689f7a532

SHA256
4b753532fb7a1e1f3071d6edef3fbf00f6338379b469f9bfe8dc3c004f5e77ab

SHA512
f8822731435216c5c1d71bae8f95370d59bac8b930eaa3b6fd3e2314c9bbd9b19dc8a47e6420734ce522345a1b57b49471d7d904c2dc51480febb85890dc4843

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
148afad38776e00296356a6cfd41250b

SHA1
2a5ec3479194cf955060534eb64d605aefca9011

SHA256
ed4f69c1c3bdfa2d6b900df7b0ff59abc26865456d74972ca75ed4b6f6210898

SHA512
93e726529f85d55f24b7705e690ffa9ea2cafaade5d49ba598a12ca690ec3520ac241c0bf3ff7d17b9359284d9265688aedf6a6296087881bd31e0a472c8288b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
0690393fdfe2dea0f7f4bfd90a31aeff

SHA1
833928f0075c3db26093db63cd6b5022a2e8d3f4

SHA256
eb802617647789851bd9a47ddd3440dee617d1f5c4de13bf8a8b242635929aa6

SHA512
f53c6c326526016f85cb39eb9866991298fa52fd14f044f7cd5fe7d1c8c8af3004cce6e2ce6e64d1c020a39fd6cbd88f132e59d60525f4680061d8c511f66f4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
3b04c4bd31c753964614f58e07fb003b

SHA1
f7a1924f2a92c8e25506bbc2a812643fd014bb06

SHA256
7c2d4696b6089a44afb1abf432f7dd1b6db4734c6bc7b95fe1b70de2d734937f

SHA512
6b7d0f237cd64713542e34daf1c1590c8e186df2f4ea73d83bbf276ddfa5477d39729996665149fb8dc07c2a9286de8493387f7160ab106bc4cc2fae379e4c67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
18d162dfd1a92567c64d1308f9c7683b

SHA1
bafc0458afa9a2c896bea9c1b316cdbd0959c968

SHA256
5077de63387e223e4ae39c0895a97ee0bdb1306edcf9556c1744752ebd1ef171

SHA512
fbcce8eb33e1684d261f9e98f0e248a06933bacac9466beb3212c32ad29315ab44193c52cd6001e42749bcd6d2f452285e8c25ded2d1487572c06e48b454dd7e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
2967d2a7084a9c538166f68760f9a4ab

SHA1
8df13e50daaa56d71f2d68d7892cdf8aac80ba97

SHA256
412b110575118260e67bac0754993db2625492927a0c2cc38acef064a3b9092c

SHA512
dbe318219b712359335df7c1f5e6bc6164f463e146072aa37fca1a064fce9fb6e3337ff9d61a3e8f6c7c1c52b91bc0c7b0fee21816c727f7cf35b63ee4bdeb05

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
c4cfc3fcde531e0b9a8df0e72f0d66e1

SHA1
8f5f6689cbc81b8a587c1c9f4cbe69a4067ba565

SHA256
90854d5f9cdd36b1542358de3ab94eb9c1a6517c7995751a6d008b32835a5b7f

SHA512
7bb0d235f21e23997c6c4ed0547ebbdbb1fa3021192f049b3dd5a506371d3e748ca7cf3042a5dbf7d86ab79f87e5abdb8d52ba96c7d8557a9156a9c29aefd68a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
86ba77425d39bcc81eac9a6ee5cae1cc

SHA1
4b13631f55ffcdde51f00a0a8baac3342930b0db

SHA256
02c34fd2baf3442fe7f9fb9507a249d11b404f2afcb145d55f1bb9f9af56e98d

SHA512
8d0d2da6d91d35a5ea6ac4155af5ac75012743c6c5a83b749ece5b0c986ec12c2392382b54b55a2bdbf9bccc94f2486c8915a264d5d10f6ad4ef549914380ca6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
db4bb78dbaa28bfc123ede565e6503c5

SHA1
56cd8b55d8abec4d03c22ffb24ce2e587cdff3de

SHA256
51535f52537b219ec17f31ba313fbc911c3bb6c31f13beb2d6278baf8435ae5e

SHA512
138b87efae2c390f48fcdce7f2a2dd15964dfcd62d058f8333312b6c72a1858721d9d561e65081371fbea39a27f2f7719de3e1d63ef13cb29dffd9fcc60be583

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
5c58b6eb2d8835544c9e7b23095cce84

SHA1
5a33cf8aa302a59a12869028a222665427df1fb2

SHA256
b58e50ebb1c0622782ec3205cca828cc7ea91d2654f4a6cdca064c8f280bcf3c

SHA512
6eefd4251e1615b9c11979d2c5c60de3fd97d1c3a23cef5963deb1f8bcb8ada0ac61eb4e5001758304b1e7b5ccfc267c2950d87c18afc5695e9b5fc92c45b95a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
a11a68c070a892c0c273144f2a8f7fad

SHA1
21b590634dae62d700acb858317f0a3375a3583b

SHA256
c274f5b8c1a8d9912ce703e8094285958cb65dfdec1ba1bb0e22f5be509286fc

SHA512
0982bb4f93c509cbf82dc73115f7f6c13b4e8c062a75b52dbb81ac15440188a1c55a2aeb14209af6703568f3803b567c1dfc954f2d188fafeb667738d1bfcd9f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
e9b09a92d932fef26e89cbf5581ad421

SHA1
06fc813cf7e64da7ef5640e08a3f24d3c2c4ea5e

SHA256
92391f1f4e1cf6dfc865d6c1c9c286b274d5636035607b2a3e159f2aa4596011

SHA512
dd1b6a869c711c9155f8f32a2595c94e7fb2bc17c042762729e27b4eb6945c973f1b13692e41bcb2aabfdab0b2ed7885d6d2fe52431d47aca1f9f42bb0236f60

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
0fcaec290c62d3efa68d5e818937ef43

SHA1
6eeb01b1186ba366aa962594c35bd08bdf630b85

SHA256
8021c4d321fb9185605f4cbc44efce561847428755bc4c0c434b76bff37bdf2f

SHA512
c454ebbc3a93859fb969f7efb1ab5d0694ab22feb9dff8bd308263027f9a135dd02d57679dae2d86918686dcf6e32a07a00eb0321eb6ad6383485e3bf63f4f83

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
54da873db0559538013f6dff468d7f59

SHA1
275a14f9a13b59456c96bc6190a18ac2807007f3

SHA256
e575026ce71a16c9d92fa022b9b0187e0e817a100e45d76c8825007f11d784d5

SHA512
32796f78d8eb229d9a349adb7889eab7c2789fc6b82980c8c00637dc7286aec3b05fe590494410c0a40cd27dc9f9a4ab274df98e38d5f67101bce39ffa3aa197

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
dd119fe2c82e772bbbe18c356308145b

SHA1
1f6a48d283a158b13453bd45d1d1f00127ba8530

SHA256
4696a68ac90ecac672e06444199afc21ce7870ff776a0727dd8cb33b945d9015

SHA512
83617754709f361e30e2bdccfbbd19976efabe6f93dca71a24ce2a8bc30656a397abb4f9a0c6041879d5b9dde57f396f2f7f66def4f81d199be596cac3fa9390

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
119a8c70c6bfc228b0e88255b04ab9ba

SHA1
2cf52930d48dedc1d4226181f66ec74e5c322754

SHA256
f9276fea592a6325b66cdc359b3f7f71f2d0be0100ebf01e1d1101eb369e55ba

SHA512
01f7451147dea8710d8d7783b242e246d6801f100c64738e51dca3ba5395f723b648b34dd35a819c9c1a42cceafc36dd69175b18c6bc0167aa6d06e598196158

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
d046c9c7b604e3a718cd33eb0bec281b

SHA1
115e514de937e3698e840cc76db40cdf5a318b3f

SHA256
6e29729c0c25a8b02a6245f50b0060dbc941f9f2b49fe885801e11c70631083d

SHA512
001ea2424d60b4997504ec9f1dbba4775d23519dd9c7da45dcfb92dd71bcca64967f1f69c8e21a408378c7136c7cdeea4a2cf1e4eb58eec1b142a3416968e26b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
94f382396881bc9d009bf5cd856966d6

SHA1
c229902e0e1fc119ac1a229d98a3db2301ca560a

SHA256
776a08969817035214f030dfb841103c9fa8230c973c6bd146231f7121ae6515

SHA512
dc5e6f9ee70bf8c3b46358c4d882e4953dcbef5af70039482b887d0c062c883bec916b494feb948274d078322476cc8e401819338a21ff1213a80916fc6f7353

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
11adecd83c9d8629f4da61f3abc66c98

SHA1
0dbf279634487cd5ba6172213d96c5b2a6cd53aa

SHA256
242b2298f74a1f4ac52675ccefde7b6b7685fdbd13415311f5cbb301074502c4

SHA512
517398a4b3c2dcc30726d796372774a58020a7e0328307033ec2e7e861bee86c00c2e0596d1004a188a509563db95ba2fee89f0aedebe485b0742f9afa90cfbb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
c1c567b528c67b84b5d526e27ca221ee

SHA1
10d44dc2d54b4bb6fb1eb028437dd1efc43674ff

SHA256
817a0fac4378f7729b4ce21dd48cd2bc4a1a8162578a32b1b6fa5c93dce9c4e0

SHA512
8d8f51c8b137e245f058a3bfc87859a4dd67695950dbd0d31dbb1c009d3c40bc58056585f79c95dc50d80471ef0287e972934746491e976a86dcef4915d04590

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
a6e7cdbf0c58b2d19c78fa83544d11e8

SHA1
706a1a3f54dfa8af7378e563b4807abed353bbbd

SHA256
4d1792f96cf0caceb58edbd21a51d2d12b617a2d2c1de1bdd9af40ab8c54a1e2

SHA512
e0f60b15069bfadfc4b000eef3b98b87f4aab968369bb504a28405c2754d0ccb5887c244c0172e574baa0a53d1b3f3afd11504710af75297d3dc5f0a9a2d26f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
376326d83e6a40e68a308c275e87970b

SHA1
303fb6464b820eb05000dbda5d693b5d7b181d2e

SHA256
54c130b2004ad9e7cc92497b91f90b8ccdb19e93721f6d94123350fc0c19d92f

SHA512
af822091d92d438fd872ff231fbf86590a65a2c7ebe1630a325a8e3d6469a73350b5bf402a4e2d08c789750c91b35c0a4e5de79c652737e899f001a812225057

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
07f583d841d2b4f098cfccd9137c7aed

SHA1
3e5610258f16fb720c5111b01265cb10752417dc

SHA256
0605de4cc9a4d53e4a18fa2255a97db18abe8d3eea937c615322763fe09517f6

SHA512
78004018d625c4780e992739b2d86c9194c8a310394e8a23140b18308a6a0c441943cf5db08ecfd9dde969d1883ea33666c112881033f9c6c2ef3180aafe66b4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
2894c1eed47ec55894faa3fce936b701

SHA1
8f15a351c0c69794ae3f964cb0b0c78768460ed9

SHA256
49b9b4918bdb1b30cd90c58666366ac9a31d3254f296c4ab1b93897d1b3abb1e

SHA512
f8b7d9fe8f2c6bf3096923453b9289fce73368704b51f41889b9d5c9231094dd7191ba772699793fe144f2c1e8e47a9f7bd2b1c2c3daca42158a4e5bda327403

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
995a853696864c9c44b9bc0f604507db

SHA1
580f928a74b190fccc760f60d2a476f67a30e4c3

SHA256
4eb2ef11a0ee8802bc6ba9fa0ccb71061dfb6282ac39c127721e2f7970ea7bab

SHA512
d7ffc020306a372d32e7dc9f012d1fd6a9391917b8f1ca5df220672d7a5887e003f306f1576434a0be6b359da0e5efd31d0211b9c9c140fd36210e0abfecb660

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
e71a0e2dd665af18ce94cabd463ff2ea

SHA1
8c9255fe4c6d97d693f44b464d57e055be097da1

SHA256
1375e34d23067d89b9796f99cea0726cc5f8bcfe64bcb815da112c0517cf1d44

SHA512
86aaf5051b5d5cbce3cbba77c7c4d184b3f68285aef1833c44b186bf8a4875acdb4d275dc5bd379351602398d45a454559c9d1c429ebefa29dc5c97000a8bc55

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c99f553f6753f30a0bf1874fbf4706ac

SHA1
9ffbdf3a57887beb84abdf82c917e49a5721288c

SHA256
d4945e14b3685b5c644881bca907129b253ce2a56d72da61256d71edb88c99dd

SHA512
83575d6f84da375a352f92aa359f418f8b8c9d333c1e225ac1ae3bf936f1e22aa25e763ecce69bd6614476868c8a572f42c7bfd8e0383c32e724b42e7851a4cb

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
5da25edb511ed7626b66733523e50681

SHA1
d3f2bc302b6d54f84f8558fca518e52f5c8f346d

SHA256
14d74c518b6a60a3ff3fe0710dc37ebd5150700fbbc82a776bfb066fa7ed4a82

SHA512
fb4cfd41e8c1a0cdff5338cef580b4daf3f82ac2eb1e36c6640871de04b4acb27ec9924a6735b876224d5dd8a43afc4be905f57aa38d4fc238844a38ac370507

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
0daf7c6acf0e1958205c462fd3d02b7e

SHA1
96c7bd6ab35a02d608a5928ef5d2f2547f77d242

SHA256
992935ddca25d055b9ea4b587c759e6f11148fa1e14245d5d79a141f51b3d4af

SHA512
20bdba65bb82ee971b0ab5acc45f6ea24375d927c34509e51dbc24c3e1b638a9f60c27944273b97ebd7247ae3a0cd1c9fc63d6e04821e8638baeb0f8d4275f0f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
1bc39ca33d07136e0222fc002e94114d

SHA1
70342486fdc42048102ddf3d31a3c23f3a068539

SHA256
344db08c256f0c2c73588f3dab644e040e1989623181cc5e1a2cf02bc9e6e416

SHA512
fa190841a9ae275e68014263bea130455dac3c497cd9dead55438e05941ca756f9a61dbfd8351650e15f40691584423a6bf9ba2108836687538fdd3806ff1925

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
83306638b035267d27fcee7fb81cc4f7

SHA1
a30e854069a343a24bdd753666680fc3a9b98bca

SHA256
c0888b1c8437c2b2f7d34a4d74ebba62a572cb359ac01e0080290de75f4f828d

SHA512
d886abebf21b380c0afdb3ebda73fe0ec64266fa8a73485d432f880bda5449f1133480e5b8d9749c7e39f1096c0bba309992ec67649e328f34c830f8bafeb8cf

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f07d4201cc26688646579c22e6723a36

SHA1
4391349112e0a3fd17abf991a31b41a0b2f25929

SHA256
001b8a26827a0d75e4c08a8963244e6a4580252504903b2fe9c0f17159b1736f

SHA512
05f0803c7196a32f1c09d53493c0da7459a7af2fea5d8fb955516ab83971ddf2d3a9f0e9ad98c0a31fa8b611f1a515a9a2575e5a2cbc2161e8320320864e3d03

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
cf2857dc0edb8df3c8945f162ee206f3

SHA1
04159b4c839a90640c594475abe420317d5692cf

SHA256
f0602bb2ec4bb77c5cdc571132834586367c272b4d46997ab5bac98039742748

SHA512
17b214b9f1273ddd1c42d6fbb8920736667b1682f5e6212afad135d3fddde348f3744779ff270a4e75a6f6314f4cebac22cdb50d8f1b9593df9b345386b47086

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
d10ddc9107b183b35483bbccbaaa121b

SHA1
752c353cdc21981ac91a31b1b76517973528be24

SHA256
1798889857e91a8a92067cd4a76a8557f54cf2a467a88fc89fd79c5b51797d15

SHA512
4f80aa157861e002d35831859839efa3a4fd14e04ab136119e74743234b8a232a22fcd44508e3b03c036e4c812c6f55a3ef118c278c12f36455fe5a862153f3c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a351a161de83292a286136072b855904

SHA1
65a5aae4780499ea23a5ed4f76832926bde1b0c4

SHA256
79c2fde0768be0f21d2841ec6ce4051b52bf0e9ccd6fa62f129740370a9e23b3

SHA512
4660b88dcc3a2abc8a993acb7ccc9d4469be68c24352b27d03134366a0f44e489fd245ed9d758275ea6e950c276a88694efdede62a3a569993a2021c2eaaff6a

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
7a1e8180a19ef9d811401662ae9c4b7f

SHA1
72544fb973fb83f26fb5c8c27233b6d9330c038d

SHA256
8e57d3e8c648686b7507477ef0a993f341a1f973cdba88b89d6058f3beaad781

SHA512
ff6950a7b3d60e7b49136ad21df111f1c7c5ef4f6c6b7960d32229618cd04d8f6ee50ec5e653c49da91bd6e246dbef770fbfe101f77dfabc42ee69073b950b7d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
2899ee0ed3392eecda01652d30ce4ea7

SHA1
8a533294c87edacbd7a7930338a1c7fa0901de30

SHA256
0142cfb73616d5c38936365c9587575b0f2eeb6528c87d084e5793fdd2fa07cd

SHA512
71ab3c82ceed90ff5f5d59ca9084bb31eda155af35d9e625804040d086e7bc3d9d6904c5ee4776cefe049b7ceef9cbe22c6b7d7c9ee013f454156bee62f9e851

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
2d60e1cc7f9964084f1be11304342fa9

SHA1
8a8d6bdb96b8c17295cb52874233a37f97a8aeb5

SHA256
a4aea08436c989a760653951ff533d6adde24d8335ac7b43683b0fa8f84c7de7

SHA512
9a9e46efb0ed423d2edec644ada67be66b1e108539f8fa4e9ad3447537627feabfc91031c0350c7d474dbedb1d15ab06f17ecd175358cc250e8552301003ce48

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a76d872dabb31a8cde16bd97ef122435

SHA1
0f00b5e77ace7364a05605606f7801de856fc4dd

SHA256
025c6fa8487889ec386a194489d9c2c4748b9f94f035d7126c9e0d0c463c586d

SHA512
1a5d6e3fee4bcd9a9e8a67e5e80cce2be007f2f4cced2b0b57d66997b2222edab5cd1aec7bec041f90edaff506e41470565d33f4962440f4f4b251fccfaec475

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
0a4522315e3ad19a2296e1cacbc81c8b

SHA1
3fbbd75106daaab275a0201c0e53afb848d28ba6

SHA256
b74511320a3e41bb8b74eb1df45e806e67bc7e3bce6680baeac2f0f61b5bafd4

SHA512
db1b613305e9b587c6312f99a014a4445f0f1e6ebeec5acce3922033c435c8df1176c6a044d4958fa67cc824138667c535eac211966c04eaa0fd918b7c61d5f3

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a804e74860c8bfbc28394821509bc244

SHA1
190ec989b76eb3b3bff576240fc051e5c12b135c

SHA256
4d4bffcc9ef65afaf755e79c31b686edc49f767719a0933174fd90f9573d9487

SHA512
3577d3d138b36d9ccab8cba291c43f0d7ed7e6b7c8e26adbcfc11f964110ec0068e3af2835cd204aa97ea9e85a523d6a95f9e9e2c3231587c474057a25f46f18

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
632c876baf1586295245d3a1afe5c286

SHA1
1076e0bb8d718fa2e1c789c43dd7cc2fc0c15a82

SHA256
19c8e49fbb144ca9cd798b40f2d7d92f65f0b36f8b16a6443f4b97b052e32fb4

SHA512
dfbb6bc154d27ac31f5a0042281ed5de394ead6806bf17f02030c05f337a5da8cf420646147dc3a51940876b66093b6b9377618a850cc9f15c3e12fe6c1f5cbe

Download Submit
memory/8-422-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/8-416-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/800-342-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/800-352-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/800-413-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1016-364-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1016-300-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1352-427-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1352-435-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/1444-391-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/1444-324-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/1444-316-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1444-383-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2072-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2072-41-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2072-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2072-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2100-453-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2100-462-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2556-73-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2556-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2556-239-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2556-66-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2988-448-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2988-440-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3048-62-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3048-65-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3048-52-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3048-58-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3048-51-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3252-16-0x00000000005F0000-0x0000000000650000-memory.dmp

Filesize
384KB

Download
memory/3252-15-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3252-23-0x00000000005F0000-0x0000000000650000-memory.dmp

Filesize
384KB

Download
memory/3252-231-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3300-245-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3300-251-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3300-311-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3300-244-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3320-549-0x0000022056DA0000-0x0000022056DA1000-memory.dmp

Filesize
4KB

Download
memory/3320-548-0x0000022056D80000-0x0000022056D90000-memory.dmp

Filesize
64KB

Download
memory/3332-338-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3332-273-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3332-281-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3340-297-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/3340-351-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3340-285-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3504-426-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3504-356-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3504-366-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/3524-270-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/3524-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3524-256-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/3524-262-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/3524-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3868-7-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/3868-11-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/3868-13-0x0000000140000000-0x00000001401B9000-memory.dmp

Filesize
1.7MB

Download
memory/3868-0-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/3868-2-0x0000000140000000-0x00000001401B9000-memory.dmp

Filesize
1.7MB

Download
memory/3940-403-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3940-409-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/3940-547-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4468-379-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/4468-372-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4468-439-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4492-369-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4492-313-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4492-303-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4516-330-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4516-399-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4516-340-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4748-392-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4748-384-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4748-400-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4748-397-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4812-29-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4812-28-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4812-35-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4812-235-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download