ddf4b95cd16de10ac6b48d65c42d290323f1febc85f2eec8250feedacfa320fa

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 12:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_dea2e79dabd9d6654ca7b41fe5a1fa7d_ryuk.exe
Size

1.0MB
MD5

dea2e79dabd9d6654ca7b41fe5a1fa7d
SHA1

27399422854483bc341298b276839841481fa1bb
SHA256

ddf4b95cd16de10ac6b48d65c42d290323f1febc85f2eec8250feedacfa320fa
SHA512

52468a6002d2d547e49af98b46a7f90059d038d209ae020816341244c05791a653769ec225616c9ecd4450ccf7cf92c46c6c74249dcc5718f2c78b5a2694eedf
SSDEEP

24576:Y6V6VC/AyqGizWCaFby1/i328ab4F+rM/aXq6bJfBUam6:Y6cbGizWCaFbe/i3da1YS6ozB

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2964	alg.exe
4056	elevation_service.exe
2272	elevation_service.exe
1748	maintenanceservice.exe
3916	OSE.EXE
4552	DiagnosticsHub.StandardCollector.Service.exe
2404	fxssvc.exe
936	msdtc.exe
5072	PerceptionSimulationService.exe
4252	perfhost.exe
3912	locator.exe
4692	SensorDataService.exe
1104	snmptrap.exe
4948	spectrum.exe
1084	ssh-agent.exe
3260	TieringEngineService.exe
2100	AgentService.exe
1168	vds.exe
2356	vssvc.exe
4444	wbengine.exe
1728	WmiApSrv.exe
1876	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f7e0e282990ca9c2.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-09_dea2e79dabd9d6654ca7b41fe5a1fa7d_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_118578\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_118578\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000258e1a9e7b8ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4acfa9e7b8ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003256a69f7b8ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005b65519e7b8ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080c9539e7b8ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3ed3ea07b8ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c3c889e7b8ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000073398ba07b8ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4056	elevation_service.exe
4056	elevation_service.exe
4056	elevation_service.exe
4056	elevation_service.exe
4056	elevation_service.exe
4056	elevation_service.exe
4056	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4252	2024-04-09_dea2e79dabd9d6654ca7b41fe5a1fa7d_ryuk.exe
Token: SeDebugPrivilege	2964	alg.exe
Token: SeDebugPrivilege	2964	alg.exe
Token: SeDebugPrivilege	2964	alg.exe
Token: SeTakeOwnershipPrivilege	4056	elevation_service.exe
Token: SeAuditPrivilege	2404	fxssvc.exe
Token: SeRestorePrivilege	3260	TieringEngineService.exe
Token: SeManageVolumePrivilege	3260	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2100	AgentService.exe
Token: SeBackupPrivilege	2356	vssvc.exe
Token: SeRestorePrivilege	2356	vssvc.exe
Token: SeAuditPrivilege	2356	vssvc.exe
Token: SeBackupPrivilege	4444	wbengine.exe
Token: SeRestorePrivilege	4444	wbengine.exe
Token: SeSecurityPrivilege	4444	wbengine.exe
Token: 33	1876	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1876	SearchIndexer.exe
Token: SeDebugPrivilege	4056	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 4140	1876	SearchIndexer.exe	121
PID 1876 wrote to memory of 4140	1876	SearchIndexer.exe	121
PID 1876 wrote to memory of 3028	1876	SearchIndexer.exe	122
PID 1876 wrote to memory of 3028	1876	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-09_dea2e79dabd9d6654ca7b41fe5a1fa7d_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_dea2e79dabd9d6654ca7b41fe5a1fa7d_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4252

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2272

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1748

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3916

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:748

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:936

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5072

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4252

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3912

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4692

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1104

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4948

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4376

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1168

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1728

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4140
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
03d7068ec90b8580b4f44ee2b706715f

SHA1
906b32a00a95fa80e6614fa6b315091096458a6a

SHA256
f63cff58fcad9b510c92da30649da314cdbda382cf969a7a4e50d8831e6c0bd1

SHA512
0704e7a134d29366ffbb8a921df39cea7832f6728000bbe08f12989eab8ac7da32b8738f2d2538abdcb2a2bd1addcfcce48944907bacc4402dd625d27eed06c0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
c51a12eeeee865fbf3e8556f45d6bf12

SHA1
719489df3ebde7584a1215218bf9871f46840cfd

SHA256
83666d116fe7c4aee1d64eb7f1f7f4dda543f43ce0718b86e6b29067d953fd56

SHA512
1e6e8698f77e8a9305644b8d1325f2092ce1113ea5ae8f4c509a9eeb574ce4db60b2892c64676fc42658dd5926ffbf55484a1c0097fb20cf825b7cff3888555e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
8dda9268a8a0a4f158fb3ab65ae39ce8

SHA1
a17d8b57e7d7e3cb388f2ee71be292645dfca384

SHA256
74679860d8e0009ba845152f8dc75cd7a6c7dc9f314837651678096ec6feb39a

SHA512
60b76be7c8c7290c456c2669f242a6c47c8ee0a3d77dcf649c101b0f0ecbff5ea8d27db7d636e40d15d899a286323b0226ce5e21abeeab53afae49a4540fa25e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
37420f639ec4e291ac10aa77ece0c43d

SHA1
554f5b80aad69c5aaedcdaae79fb5f5e846c5ab7

SHA256
d252f1bf587d50f78f714ef06f05e092149f132ff2475a0f76195984ccbf6aeb

SHA512
7bd55ae2d8e07965b04341007e77b57596f623a90bd88e02533e3a647166bbba2f92eafc90700747bd1f1cdf34621703346b5d4d410ccc99a536b536abb0269e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
548f70b0c52d6b04077ea39f8771296b

SHA1
95db37461aea55ca8906e37493a6cc8489e26545

SHA256
75138e7fc791810d0394bb8a277ef1e2ff9e0f6434bdc54c952adfdb428191ff

SHA512
23bac00567665dd64ed65d8b8dc5de20352d2685fd1e1f00e750c8b96d52c78c8ee2a26a5837019403c5f5dd9f7ab11801d342c658944ec95ad7dd1926ddaac4

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
1157585e9f2468b35b6e75a3aa3cef0b

SHA1
ee0c92208cb0e409928d39276278d97b9bd8b860

SHA256
bb1845c0480aa5b3dce55f0c294bd056d11aee0eb06c86b3c00847927dbb8a4d

SHA512
b59e6b674bd8877cab189845157ccb34a759e632ff76e2772ff59964b91b0e2f724737b72f47f2ffa6f4847cd12acae814770454031e634c1e43fc9cd2d4abf1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
eaa266c0d8848dac8e0f43bda485876c

SHA1
343545792233ed8b42d66f6ff3aa57237d05ca36

SHA256
a95212b05ebbc19c25630844f381129e28860074cefb033c2436b69e48fb3b03

SHA512
f60713a1e37bf52772ded706aee527b97f686ef1b3e638df55cec31c540f5e71d7365bb0238e53dbd90c06e5c0c6056539d0e930911a03039167aa6550e31135

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
209738e8b821f75f5148c4293d4a31ac

SHA1
6080b4de23b4d54002c2c32732d16cacad6f53aa

SHA256
50a25d72be3d615c24067dba326b9dedda7179ae34eb46992d8de26770538df4

SHA512
caf3b616a992f9e00ebaf389390b4628fd7544dc381ff69325b1dbf775c3e098325fdb624266740fb147a1cd6f8621de3ad9b72c140a9b1f4f0cdd26ccb5e365

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
39cd39059bd06deaf29437769dd2999d

SHA1
e73c3eb7bf31fcb61d9765bb81c0bcec7ccfba44

SHA256
24a4e810ae0709c351de6262c466873f01fd7378c1977ab6c23beeaecb0ba5c5

SHA512
b5b63f154c1b98b4bba1f7b94d8558f62146062d4a898b6e8110989ab3c3798a662d2fe3ee8e73f61725a9cba5ac56b5d80ec9f3093751a885470d7fcbf78339

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
21e50b0a80979303085b33a04cf2b045

SHA1
93ee5bb88e8e306cdeb439719753101ef23d78e4

SHA256
6ab3c017348116b92fd8238861b8fec13b5faee23a8cab35f80f8e3ea0e4dbb4

SHA512
29005a327188ba7d6a0d594c2008560e01f10a034d8cb3d6aae9c9f17fbb1508a8cc2796b6b0987d1b24cc6ce4b8437f34166aa394033227f4f9a4e897e4d133

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
52ef905991fd79b63caf266f395997b3

SHA1
11ddd20cad03192d5cd2523ddd058dd687ece648

SHA256
c0d89563db23e0a4ed755af2bcd87b3a7a9abb75c075738268b6b8667c5c9e5a

SHA512
ccb8198e8fd3546c82af373c4914b0d830c01810604799ba1de13fc8f6c0dd1cea15609fe7a6bf8d40d19cefc8a983bf5c13a0c65e41605d8fb205be8389fcad

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
33167e968d67e11df385a3bf0c8bb05d

SHA1
f58e004641e571ff019d32b0837f5671791ad282

SHA256
72de0871f9be27f4dc0b3d6119bc5f7eb0c8be644a806a52ca72f87b1269c0b1

SHA512
47225ebe5780aafc388ea5eaf992f422dcac1907517ac6f3c82ff4292d550dd8a674e8085cc651af1c96a31cd0e418b6b392393f974ddb3aa51d1a0cf825817a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
ef319a49b0cfcaaf3657b4642756f8a6

SHA1
9a1f479ee5a730961e22faa164aeac840230e7cf

SHA256
9db6d74863e9a106eda0382c6a85a2e883b505b4abd6f81e288070ca68afda7c

SHA512
b411538a6f8473bfd6ffb577437fd085c07e241cecfa86c26cc2b1bf32863a903f1300a8cbce86f9bd810f62125e4d2aef9d3382313a4eb08357916892f78964

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
ecbbe398b3a2de17a0ffd9a212348892

SHA1
6f76d7ade3083bc5c0b5df0c6f8ce9a6c581d615

SHA256
994f75094845e91c2785d183f7d432ef02e105d2c23aa64c69092de5144ef485

SHA512
38ee4cc2bc4923b549fface2fbcafb6489e5078794a1719a9604b421cc2dd34a8338325902804fd08f8075be9e04a7412a6e82f34a63c2088f04fc1f93519448

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
c96ca7b011290239596248c28a242be4

SHA1
add9d8baeae0c3a9314829472547f6fd6e325312

SHA256
956377c48140a905faf48b75a8c8794ff94864b492a78fed68a1d0773b5e5cbb

SHA512
2d4c898f5f12542305d44ebe80b6ac44209c08ce5002f7a81402f1222c48f70c18ce3007bf2f0c652a7b4c8374e2474ee63bd5897463c70ac6abbd4e8425032e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
6e862da485aefe54b672600b6cb4375f

SHA1
74e5b20ec7ed9a565ba1b6892c934aef5cd0b727

SHA256
82434d6c77da15083464c757968db7b252df875e4b5afc3e8e63dafb23b4b463

SHA512
76dd5da973b9e54fd09c6b3c4ee66846ad77b354f848361c51a4fca5980bcb48a0be35996173bba80ecaf79f035f8992942a06b0a3a058304dc2bba9130b194d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
df19850c94f8a6e68087abf9aae0bdfb

SHA1
a663a729fba01724e1d5350fc8d6985b57b3d01e

SHA256
8b2293daf89740308013a495ed4ecd9c8b0cc8cc3c9506a49aa167d11fbc6750

SHA512
2ef6c6c2515584978c862dc8d795dcdf1fe99a568feaf5e4d8c88be5992ce618aeadde3f398cda14918a3634d8bfb3853b7619ce07b1fa677436dc4737313f4d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
0fb4194c2c6ce5e047076b7d59abcff0

SHA1
f2d142d76782e278f57d7da0d7bfafba04fdeb60

SHA256
dcaea378bf51cd7ff3860dcfdc706450540b1f0e70c77799ea905d265214ea90

SHA512
1f9ab0aa245323f587a58c1e559935be30e2dae1af60c8aebb0528211d73ccc1f080b095bb9d5c822872b5187b392f701f14bb4d5b1cb3b91279825ed40941bf

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
a56429534299c80c0b5347f9bbd99fc7

SHA1
2df90c0e747e09e31e700b74f0d0f7d3c8e66c5c

SHA256
edc288d590447b8d38a347c8493fd64414d9d618b4b982df104bcfd073860c90

SHA512
399f1217dcee84679e0ed90149d4ed8c8a322d5eb1082672defcc2b026accae325362657fcfd19c2c95dc7b4c1cf97ab0d9e4c25c5d8486db40ee2c7e4503825

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
92342d4430ca05b0f763c52ef86b3e93

SHA1
aae9135b8dc9a9a61dfc29f98ca6b2784af68bb2

SHA256
03b904ef8ef02a9733e638f7c767eeabef3c9a23722abb8c323672434690ae7e

SHA512
831ee8609f4802c478f597cda476bae6131df3646d5712d4213b13d32280aee95c1ed2d241c567bf436914e619a7f5c93b23cbc17cea8fd4d12b718064430ccb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
8fbfdc28c261256562f04a37ff0b934d

SHA1
2b230eacea0ecdd77a5f113f5bf4e9d56009bf24

SHA256
b23129145820e5b83aa437c06d24b18dc8746a292db8e985d31d1fd183b01d4f

SHA512
ab709d08a2fa757ea90bc2666fad53f268e11baa311eba83dc1c437843de79c2e7174b507e32bd77e61b3aab640607d92f93811aa8a7a305e03291339d8b65f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
4a883c05c5e24f2b21767be454df2432

SHA1
d2b9c6491f89ab48db12ca69afbda9afc57ab96f

SHA256
9bddb21ab9f78e2de6efb4efe03bdcdd1529cc64abb6a8a6b90c07386c2c7e50

SHA512
1b9c85102fefc82f617fa01dedf42fa0712bf01c51d884404b3f6df1b95306a903e075ddb90ff56df774e6b113dbc3853c78437c73bcf1ae9a9ba41bbcf621cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
cf92647bcc5d987d6284af8bc5e50e3f

SHA1
17e478bb8bd3ef12b1d3377e2efddc6b41cf457a

SHA256
813662b43745e0d836b06de2fed15becac514fa417fd371618b48b18adda15b0

SHA512
ba24e90f5780b32154eeff27c3245ba402af3e703e0b4c7a8c9619cc853d589be8ff1700553150bd93820cc878a7d054f0deb0961917959aaf9462b7151fc8ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
f910dd58f8ebd0705da2ba6a08f41c86

SHA1
4aee15bc2aaf2dd911b0e01c5be5c4ad91748ec5

SHA256
fc28d3ed20632a063a4aa5026fc0e4d082007a3bd656dc88724e920f12a11a62

SHA512
1748c7db64f62ba58aa04cd697c74ee7fef119a4f4535797833e5d4f21ee4c8ef40bf30590ff81cb20c72dcebdf8a401df4ebc828fb8c14f37c7aa5afaac7148

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
3474cfb7b21beac2b81c88cbe8ea58a2

SHA1
d705484fea3bacdd8d2eb869f614ef365b279e75

SHA256
612dd32585e7c93555aa8e09894d4f795df83bf61c080c3f5e391f336e5784d0

SHA512
ec32b991b69c1063cf28ddcf28596f6819a29b0a7c8deb0637e865485410259b394bee7290f5a1e3c52e2acc03ce40c238b1002701a09800884b9ce09fe26292

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
b27dbea2600f56091c0855f83901d125

SHA1
eab0d94413030a2e2d3ccb41d16ec22720a77366

SHA256
3cf556cfc5d6fe3c138297110bf34ad82ba7428018e876192b0acdc84838146e

SHA512
659415bec214494ff46a291f019fb830eac7eab31cc629d27054a99557107601a92051bfc2542b049046acabe33333b9720f9bd3bc1bf3ee73834560aa6397b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
2751ce74b7c99fd120ac50568da40428

SHA1
60093ac73b8429d78a873e25a58636bddbbf75ef

SHA256
d09711862de0637aa067f1fa1e194f98dd4c110a52275961bd5323cb6b526abc

SHA512
4acb5f6f7d424f67c55e0e6310fca568b772efdb64a4503dea7d2b04a4f577ff6b05205c305003dad4fec9e93e0a3c4e397f40ae328060e1a4d9b73456c6712a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
1d9d1a6a470449b1afe65517564125ae

SHA1
0b3936a8ee97884c8ea56561ef6a8c1091e4b8ac

SHA256
c374ef2a1fa4692f443ff44e391e29466afb11d11ceea12bbce46e223ae15e2b

SHA512
fd0c0ad34a0d2b819d84474d136cfeb33b69a256069a189d56eb2922497b49f82ef2bb5248d2ca0091a0a8713267885b9a163b08f37fa32aa41c9364dc6c48c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
c2ec2c1f8444e285a30ff012812c6b22

SHA1
c782ed750ba9c816898041ab4b1658e789ac9755

SHA256
58d580c43fc0cb2a90e4671104d0d6e7db3b544855fe7fc36a4ec01ed0555b5e

SHA512
f40f838f9263222c9656df0ba7e03868022a859b708e3ce861183ed9d2800512a1baa6b564f76f4ffe69b793a5ac480e5b3dce4ef9e0c45e9d7c8f23bf00c7bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
35aacbcb2eeadcd5d1cf5abf16cfd30f

SHA1
9393a17309f1ba2e317fc02a66e73f4d48c5de0d

SHA256
93f14011344c812d89435a13fb7ce2f0e0a21e8f626cfcfdf90831d321d2dd2e

SHA512
9514a556575d132b1da382da51d3dd6c31cb3b430e865179d442aac11fcbd0f11ae8e2f35b851e9bf005e79efd8c8b29c8d9b2cd3f9c4942537be19b978b118e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
58cb5af95a9cae8032a29ae1688442a4

SHA1
bb27dce03f23012d2acea2ca54401dca1d72f82e

SHA256
d6d7bc803f205a6189d91b00eab3a5b8e2dec05a5c324df8ea9b27bba7b3d053

SHA512
876a5aa4f1e5f1f5a1033b95a3f8e6412c70709dda91b0c1422f54c2dc67df5f7656f65d5e617018b9bac2057cbca5012e3aaa36ab2db981dd233b18b27422c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
6aaef6231844b6dc0694f5e4fbf5b560

SHA1
055233f6a467713aee84af7873eb02924f83502e

SHA256
39c4d5cc9225b01c6ae56e7a000b6df9dcc63b685c0160c8633ddb7ba9830ae9

SHA512
0b7e1c10725f54e6a143b55c8237dca6db087567bbd8bbc174e5e9fdc54c8df4a640dba9ffb76880d0d0d3518cdf5fdc3086303a4757268cd49d3da910b5f90b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
15435a9a400652711dbbeb39fbe08732

SHA1
70b00856f27d3fe2fca59fabdd6ca932033046c4

SHA256
1e533e2e56b14ec43dd7dc46bd9b1c04b5764aef9e9fa2ee5d958197b49e3453

SHA512
f44cbd6d29de28cf4a61602d6d67df63c3f946e783cd5a60fda5ccfe6bee2260a34f62ebe27e811227ec2ce361f08f9090b23f55662709a9e6ea5f3b676315a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
bd08785b90bc420f4ae48503bf956362

SHA1
7fcd2e582a9e2a8fc74101d5d5ab4650d3cf82ac

SHA256
e6b773bd6d87c50401f992c287cf73f77ef2cd24a9d7a84f829a39a856a9c026

SHA512
dce4d7a9ca068ab0354d9a2828d06c0727dbfab9f33ecec7e61022788bd6bb1e8fab2a67e1ac6fa584f27a6c07e8e654916002e5ebdcb0bf186980d74195b094

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
364db129f6248015e42d97f82872fd09

SHA1
f273484ad7b86412bf1325651e119b8cbde968ae

SHA256
90723da4a27c39b08e67c23de15fd1bb2daedda14c8a58344e1ea197f1e29d9b

SHA512
dd37e653e1e2102ebe7ff781570b749035414863ed07a86e952f2f2c364d354734b456a20d7e80075eae0974314486be7b896c171b13b6449eeba33ab827deaf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
56ec36509b50d314017b7b33c6a74b62

SHA1
a446b3bd10643819c1a6630b77a64a8b621b60a4

SHA256
fb26fe137624b7cd2df51baa6a58bfd2c1d51bb194a13157670cf67c3e612435

SHA512
0b164e52ced1dccdd4432caf9b47be07480e9018de1facf01ff24057d755d0d96e30c4dd213f123d52af2d28fe97b1ff0b8c10d58626205ad4b9763bf9b4c368

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
b9355048e4443065aa8cbb70f76c160a

SHA1
59db660963df4e8f084c8ffdb3f4d089eb868db0

SHA256
6c096460673ceb52722e2780863777697e4c090fc79b93be483ea51a709687ef

SHA512
274573d10b7397b182921da72b1b430443c5fa8b1143a2d80261f85fea1872387d6350435e93a15c86306563564dcd96a3d7bb288fe4220f4b445489e62d15c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
93a54717ae0d6be5e3a3d8c7b3c90d9f

SHA1
75ae36dc90bb18958cab7951488f4f9b71f78aa6

SHA256
f8f6cafa1ceae5e6ed1538312f0dfd01c018a5be24311c31997cc164c4d035f8

SHA512
7d815a06433ce56e14972b344bee0b18044f3ac4ece33fa998d7337e2a6dc56de316b439e3c3dedac4544db0dd910b3389c61678d282a0f700a0dc0ab424e76f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
01be3c7696d236ed8717c861d0943b12

SHA1
0cc7bc7bf028e3df6541af2a1c9cab2bae29ea3e

SHA256
c46ffb89a0aa799366e2384fb2bececc4cb4ce71f51152374c084cf517bfba20

SHA512
2090ddfea5167e67ea58c949cc42c7251b1da4b9b0bd1bfdb5402a5d15bbcc61ec1319d509893c2a93deee521f9c208847236f951e402769bcec09cd972d6644

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
dfbecbf95b7c96ac836cfc049e963dd0

SHA1
da0b9f4490a31511320a4b0d7ba3b742282e5c6b

SHA256
bd15f21801a1213a69aad849d951a49e8c4b6d6865571f43a58c46247b52c55a

SHA512
93ce094b8a1394a3357c12edccdee67cf1d196100ace1e67a9ce937dbbcd3d653c596562e937e24df6690e3fe68d399882354bf7f869e26e91894ec932195d30

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
b6bb747832daa3656ebe247874f6b9a7

SHA1
8bf9c1b4902ee8dcedca7013fa716dfb7807ccf9

SHA256
130848cbb6f7d39c1afd3af4f8a5a91f552fbcc88a7e382ab699b9fbc2e05e5b

SHA512
829986472262d3693d2e573532bf688205fdd3d553c0df3e56064c78670cfdad31a160361c3abb4f9669eb9e8b4febd6beda6983b1331e3484cfdad33310a57d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
1c1b648553cbd8bdfd133418b122783e

SHA1
74028cd5986a773c2efc65a7c3cdeb9139d0db19

SHA256
907bac2a171a7b1d4ec9b7efb5ce9a5bfc4beacee42825cd5251afc42321cbf5

SHA512
103415eaef90b3ea9c11add0c3a565b01dff3f0943446f8da05b97256a535099e2690585ea4f3446899ceaacb1f3ff33ea675ac1ab24433c49d423e48c818081

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
7924b64434bac8333120dd79f6df8d40

SHA1
7bb14c867af30533647ff2a47b35de6cc7eeb3c2

SHA256
412a97fbb7e8133eb9057ee23dfd6a7c12f4a81cb42558f5c05b134bbc34874b

SHA512
ca6014cfc3f49727e0f90da6cc8f5899417069a3bffd3b5f76fb3db1ef9a3c6e97ffbe551e3d0d2b56ce6bec60be70d778e884e39e9a156d2b5707d40f7dce08

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
0cefcfe198e86d9e7a1afe59902097bd

SHA1
e0ce95957bfa52b18be2dfb96c109761c8bd11e9

SHA256
4cc6a3d73f146838b8137a250be5fcfedfb5be894e8c78295b2cf2bbbebb6e2e

SHA512
249e3c87aaeee054758b40007741b068410e7252ebb099f2e5969a20b6984ac422075cb65984f314fcb2fa1453f24f66b2ec4c27a405eab870355fd929067538

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
52a5ed670fe893065ab41c2bb1177771

SHA1
001a252ab9fbd700da2ba7697df1e14016fb3148

SHA256
cd61791d2ccb8df6e61281308c678a52153a1080f4927c70aa467a08fb4e56e3

SHA512
ff4206c49249805e9721a4d2707c524450a7b537022a2b3a3c00a68e5eeee7d10121300da883dae261401d6a3e6c5f525c06371028d29b3b3f2c27c7760bae22

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
6c70a3dc0704079103475ceffcee40c2

SHA1
9e9da5f6e99874751270816c0c1e1e800667d92e

SHA256
1b3c2abc8046dc17db9eb285c2cf260328a030f724383aa75b4af2e7c7085572

SHA512
177fb4df94e974266a1cdbb9cc79cf69578bb58a154e00243efc656955e6e97db5c50a5251835b560badbb45a3f63dcb3614a457e4d653855c018e01cfd02caa

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6101bb4090dafc597491704361d21d93

SHA1
4a3d98cd5909f7776abb378ce62a00b4e762f417

SHA256
093929568af1d466564628c84e41f9f273af13178fcb2ceb908cfd00e8a22129

SHA512
5cda07452e696071b47d6bab407d1b5b002207555339c7b7f3f2838f19de6be0ecb347a37aa311a4597e676ea3edb2681b263b8d164e6de081ae9f29132f112a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
4d779e6a9c75e163282a1a613446b266

SHA1
234c0d7133ea099e9b43b3314581e1b3f17e9447

SHA256
f11131f8e2fbafd2eaf17f41c8e1d2019b406a14b6cea17b3224cd9746c44d27

SHA512
d489aedb1a4731a26ba0eb3d24767c1f1edd18dbe04fa14f1e071b12f1a78d990008c4e0aeb5f69b6f49de1cc3cf3148a57b9ffe4085962e2b5a1f6365369902

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
ad17446ca2f3a734de6a004a4d5f5c22

SHA1
b1e736ea80cd7d644770ffa24dabb8165f107904

SHA256
a97a3c0b7d7f9216d314b41d2553f262b29613cba29ccd048468fe44fab1c703

SHA512
9d1d440daeadee838ff12454a4313e21afae9bb3a291f1ca7a1cca368b80039c0c8bb82eff7d03a57fcb587211c22073c387abc033f4c745bb3b1f9c4b6c1c6e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
8020358ddde8284f54cce15ac792d049

SHA1
65bfff798241f27d14c8ae0e4ec2a27da3c7eefa

SHA256
583786ad1e73af716093f8490b8020953899c826be4994695f36b474bf80c9e8

SHA512
45dbe2ce5ed52ace7837dd99183754497ed7af50de001985d00106f972f3f472d71898a2fe75cc97bf82e33029c491bca6b88e447b6bce5938085ecbeb51835a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
581499eae225f0c92f62ce3802d8a9ab

SHA1
e84ab2b97f559d379b5d6581ab318b072df3ce28

SHA256
be86c2da6e2c8729d298861ef1b1cdb86ae8b1b656bdbc8edf11f9f6dec51aea

SHA512
49350693ef8ee532dae1682379c1311458e6dbd374f313501b9d7d3f84927da95492976c529c135c3d16cf1581a90886b8edb691724109cab9626ebd8bb9fa5d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
72e6e7e24bccdefe8ec6672f4ae52bfd

SHA1
fc97d61819ee16a15b12f1a10d4098457d5b142f

SHA256
252fed9dbfef6cfd1bb367913947b5d3c010be9091967948f8c13856e9c6e393

SHA512
b7416ca74c11924a9e8c04f823e5c145f7cf595ac8be52b547b6f20cf0a21002394bb356866146811147539850e79be7cb251eeef15a73eb2b31a1d4244f24e7

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e832f94cf5be2ceba2ae2fca19674a79

SHA1
30fe870737f8bafcbe56729ec6c1b7ce76440b4a

SHA256
194f9682983dcde9efd1a2838b9fb4c0bd1434a9c8522c83bdf1cdbe1d0a2715

SHA512
e4398ae226a3e70ddda9dc950fa1e57e6127ac643b85dc6cf766c089ef7091c0175e204115884bd7384e62e48a9efbe0223d8e71ed7d16326960fe6411c2a6eb

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
f947e339c57fde8e46e412b690662544

SHA1
dda595c416fd20e36d8e1f0c29748cf24ae0a421

SHA256
69ccb6a9936694f2c75ca4a1b05d502ff5efaaa1cef4ed12a048c6945f3620ca

SHA512
bb3a3808e6ae51130ff309325de151988ca4ef503fa867874db8299073b82fa69552640fc061849a4da5c119a21b934b5df32c4aa26c4d030e92598711c842a5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
08290b0fbea07a708e233351134c618a

SHA1
5bc257de44fcaa419d54d2454067fc79edba19a5

SHA256
45d8161949e4684c3a0f76c40fd7d8b8a5f861d1ee316b308164211ea24cc2f1

SHA512
c5d705c85c6620ca2911aa85aab0ac9b82012553fe436a8423d307d420b9424fadba24b8ca4d17b919a31374f9a7c4492f32253f334c698ba3e4b647e34e36d0

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
0c8d4924beb0cb633b6d98a84abbe695

SHA1
f0dd3d760acf67f34d69167d8bf93520c367a851

SHA256
74e982a58dda894234f604a6487d5edaf2f02eb8a4e797a6d676d9fe0ef42a50

SHA512
d67fa059c3dc0b8e35e959b212c0be7bd74e955dbace1fdf2de563159fdc289273a30a82a6cfb098966aa919fbb54a60b0c0447ece9308d204ad0f0fd731ba1d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
e9095c14b57e7da48ea41f151ab47221

SHA1
b1da890dc647e32c0d49f64d746ff4ea16ab46c7

SHA256
d1833398f5595b28669d7da4ec18c87beb93f168dbb11c539fc53e40818c1aa7

SHA512
9083419d1097bbe96193748efb55fdcb47ea4234663c17813dc922df1a4313933a562e15530723658d070f70d6042e5504473fec271c48a1a92d5533546759b5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
bf8cab3be7568b4f0d77335a691f3807

SHA1
2b69b2c7186095823fccfad970ea74993a9734a1

SHA256
9295b05fca8cfd133e4cabc4111932e2cc0aca1c4d8f1d7304a098e262c2bbec

SHA512
d7f7514d033113803c92d2a71fa059212fbaf52497790dcf1cc73c5b92040c12b0a3dc9b4f74f35e687e44f2df43f0e71d183864c880d52b3d6aba3e7381c21e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c275a25bac2d275b3f5b2085467b987d

SHA1
7ec89f5034bb7528176bf4043c02ae7fb53a11de

SHA256
e224dbc5f43ddc5148096d109c3fec874c63a2f3d21f9b14ca491e6be63d9435

SHA512
40bbf6e28dd9c816669ab2a50788517fac2b7cd581911d3d353e1a6584340bcb7ad75ca02ea122175c88a3aecc955076baed362a8244339dadcb24c58d1432fb

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
c3b6c9b66d0907809cb6e2f5e3511744

SHA1
bb831656e3e033607656f1ccff1e20df47be6cac

SHA256
733d91af3cbbee017dd2f7ae38a1a6bd1df30be897cb9c5d224cfe43e5199a8d

SHA512
cb6ec6abeb3212dacf9220869a3df9066ed7cb4a910b29d576b6ad4ef2d016e50cc98b20df0af41d6714bd96bf52313c7fa9c2d4a203ba9ad30105134d308677

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c14bcab46a9fd003c8859f1f5a7885a4

SHA1
b17879396eed3de1493842f3742e1b558cea631c

SHA256
297c15419f4ffdfcc23d8a037b251ea6dd6a5d6bf1d9412dc87c8901eb853692

SHA512
73e0d59c972b1230b2fef2a92fed496b4a82ec99cb101747f14902f2bb67b70ecac03da72ad2d4980f92da6e5819335c3bc88061905405d620bf68658e58191f

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
f90f69602293d1d9dc92bdba76671ab4

SHA1
8d1e2ab1ee594c1bb960f15d11de6ba1a8c03799

SHA256
44b085ffb5a22dc2803ac69d8852aaaf9a48f739c186597a9b07fb8efdad291c

SHA512
ae171b9ba1144b618e6b6ba64bb1e99abc9576680bf8f146cc6d875c7dd29795095fb44e97d0a7b4e8d47294819d8532dbaca5af7134dc6eb5d9554b5faf2232

Download Submit
memory/936-338-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/936-343-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/936-281-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/936-272-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1084-367-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/1084-358-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1084-429-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1104-330-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1104-401-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1104-340-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1168-411-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1168-405-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1728-443-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1728-452-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1748-62-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/1748-58-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/1748-51-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/1748-64-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1748-52-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1876-464-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1876-456-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2100-395-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2100-400-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2100-385-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2100-403-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2272-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2272-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2272-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2272-41-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2356-416-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2356-426-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2404-273-0x0000000000B00000-0x0000000000B60000-memory.dmp

Filesize
384KB

Download
memory/2404-271-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2404-265-0x0000000000B00000-0x0000000000B60000-memory.dmp

Filesize
384KB

Download
memory/2404-257-0x0000000000B00000-0x0000000000B60000-memory.dmp

Filesize
384KB

Download
memory/2404-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2964-23-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2964-207-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2964-17-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2964-16-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3260-381-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/3260-442-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3260-375-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3912-304-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3912-314-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3912-372-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3916-67-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3916-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3916-73-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3916-239-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4056-29-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4056-28-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4056-235-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4056-36-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4252-8-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/4252-366-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4252-301-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4252-1-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/4252-15-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/4252-0-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/4252-12-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/4252-7-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/4444-438-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/4444-431-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4552-252-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4552-313-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4552-245-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4552-244-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4692-394-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4692-384-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4692-324-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4692-317-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4948-415-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4948-352-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4948-344-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4948-424-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/5072-351-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5072-286-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5072-298-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download