29aec4b0fdc268b2fb5697ec78021df9366e16adb890e40589a0ff3c283b45be

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2024, 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-15_f7acc510e7662bc0b5a946e389eee0da_ryuk.exe
Size

1.9MB
MD5

f7acc510e7662bc0b5a946e389eee0da
SHA1

0401439cca7d12e5c59f5e8ea103b7fe5974c54d
SHA256

29aec4b0fdc268b2fb5697ec78021df9366e16adb890e40589a0ff3c283b45be
SHA512

ef99a67153f09c61ab6e665cebd750078ca5647fe356a9c6cd69811e49374ffe93c24e31deb82da32bc3d8b56698e7f7c341bb8ecc0c1a78a85b6712299858a7
SSDEEP

24576:S6V6VC/AyqGizWCaFbya5i1vaYxhaOKVh1DiIz33PTgIF:S6cbGizWCaFbZ5GhaOIh1Dp33PM

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3492	alg.exe
2208	elevation_service.exe
1268	elevation_service.exe
2440	maintenanceservice.exe
2416	OSE.EXE
3244	DiagnosticsHub.StandardCollector.Service.exe
664	fxssvc.exe
2708	msdtc.exe
1272	PerceptionSimulationService.exe
4940	perfhost.exe
4728	locator.exe
4444	SensorDataService.exe
1112	snmptrap.exe
3212	spectrum.exe
4752	ssh-agent.exe
1248	TieringEngineService.exe
3900	AgentService.exe
4832	vds.exe
4208	vssvc.exe
636	wbengine.exe
332	WmiApSrv.exe
4528	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\91cd8e982b574d51.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-15_f7acc510e7662bc0b5a946e389eee0da_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{6AA169C9-EC13-4792-9A6F-B1B56AF54223}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77343\javaw.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002eeda2ca8e8fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000023d40bcb8e8fda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000bfb12cb8e8fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000950c45cb8e8fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000052a075ca8e8fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd76acca8e8fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a55086ca8e8fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2208	elevation_service.exe
2208	elevation_service.exe
2208	elevation_service.exe
2208	elevation_service.exe
2208	elevation_service.exe
2208	elevation_service.exe
2208	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1420	2024-04-15_f7acc510e7662bc0b5a946e389eee0da_ryuk.exe
Token: SeDebugPrivilege	3492	alg.exe
Token: SeDebugPrivilege	3492	alg.exe
Token: SeDebugPrivilege	3492	alg.exe
Token: SeTakeOwnershipPrivilege	2208	elevation_service.exe
Token: SeAuditPrivilege	664	fxssvc.exe
Token: SeRestorePrivilege	1248	TieringEngineService.exe
Token: SeManageVolumePrivilege	1248	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3900	AgentService.exe
Token: SeBackupPrivilege	4208	vssvc.exe
Token: SeRestorePrivilege	4208	vssvc.exe
Token: SeAuditPrivilege	4208	vssvc.exe
Token: SeBackupPrivilege	636	wbengine.exe
Token: SeRestorePrivilege	636	wbengine.exe
Token: SeSecurityPrivilege	636	wbengine.exe
Token: 33	4528	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeDebugPrivilege	2208	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 3896	4528	SearchIndexer.exe	120
PID 4528 wrote to memory of 3896	4528	SearchIndexer.exe	120
PID 4528 wrote to memory of 5016	4528	SearchIndexer.exe	121
PID 4528 wrote to memory of 5016	4528	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-15_f7acc510e7662bc0b5a946e389eee0da_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-15_f7acc510e7662bc0b5a946e389eee0da_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3492

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1268

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2440

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2416

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3244

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2476

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:664

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2708

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1272

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4940

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4728

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4444

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1112

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3212

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1636

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4832

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:332

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3896
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
bf8370a9d27906afb5339bd9ceacf951

SHA1
7f32007c528f9ef19e2e5a4efa86c0f4ad5855da

SHA256
894344af197f6f418b280a9dc266b0edf782cc21128c47ac1d3384bf9908fead

SHA512
7f387716dac4e46958d38471b22148be8bf812f6b57f942b171fc048d2e8e5062b1f765872578a59d6095de0b20a0e85b272ecb5f562c223ad2371e01cab65f8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
c4eb855771fe9bfbe91f6834baf9a9f9

SHA1
84ad00b248891535b42d1418707f05a4d7b6c80d

SHA256
82463ebe1e6374929615257dadbfa3484ff192e4cf2100597d103d5b1468c631

SHA512
75a262e7ed867cb369c6ff36e6b8e8f780576db9e93f18c28c2f8f7fc1211efe20aa5d1793afc697ee018b5d0d18c431ead86d94b6dff69f0dc19d8720c86f66

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
254627f9c56f73549b842bea78440721

SHA1
3e9bdbe5fc1d0ec4b3a021c45f64881e5ddabf00

SHA256
ac82c6f88866748bdf995b799a1fc2f9238186e6490e16b868fc648c1a072daa

SHA512
e6548a908595d563404c38a504e7ff94f110703c1d11f124139a593970ec908dc2dd338beb971769eff9e80424582390ee85877c9d1873b296f0ea182d3fe89a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
614e726f76237b63028675e96cde5b16

SHA1
9debc377aff26ae61bf815bd3dad8d0584d86740

SHA256
fb404dd453667f1a8a088adf6ce590532030572a7b8ec999cbd1dd9695ee934f

SHA512
0914f0734dcaccd85bdcc2dae171c8b12a315a77df84c208cf8f003b1e539e8dec2b9e5384fa7c71b14355c490882e7b79bdac920d95c9f186899e6599419267

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
05d90ac3788561254f7afa16639ad0e9

SHA1
c9249990e4e6eb7f1d762960cdb8dd382d9d49e9

SHA256
ffdcdac522b0faf08f7d274eaf743869028fe062bb5cd837f9d13924e3886a69

SHA512
437b40eb86395ebd5703adbef205be21909c26442f817acd7cabc3cdd31b43b1f60dcaf458cc966ccda0392229bf3ac8f72f92204f6f4ef9dee90a0bee89e2db

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
95625cf3847ad8e676ef15036feae147

SHA1
ffdbc194b037fbdae5e38df606d9003b88483690

SHA256
6d4d389ef7591dd50bb00efbd041b9bb6989b45fb5e53daba19b1553e994da35

SHA512
e5c14772afbf07ae13a4808dc1184908997736cad0af4725b8b7f8bc48469b6c6f74b05fc635b2545bbf676bf430e09f125413bf07a75fae492a18a5d53baffc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
cced27a3df7ab6e10697ad8978e6dc3a

SHA1
31318f209c306d328f367eece40f1fb571e8d507

SHA256
5ca1dc3c1566c9948930f7ae3ca824aaf90ed8f1d59a356ced3c0cd6c5a48aec

SHA512
9997b4d9984cd9b3738689c33747f4aa3a88478850b15888a8bea25a5908541fd79e6a78a65f4db9d5ea6d73648d7e916a96d1899f64f67b291ccd445828ee36

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
362f763e37e85a55efd42f2e7f9fd900

SHA1
0b2336a0baa9dc7d84133e819b4ec7dc099d4e19

SHA256
57a0275af58fa7d76c0db801c891ca8090398236b7d58c9aa7c70f08d7b1f3b7

SHA512
3e2393cb06ad55a406d69b121aa72ff8d47cada27ee8235e14bff0869d8c7476065cab515ae07355949044eb8a7fc25ca71c52f7d9204d22b34da9f4cb584b8e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
4337a7e642a9614ca087113f5757f269

SHA1
e04f4790f1b6bc9a2ee26fb45f6478737383562c

SHA256
b06c343bffb6fa28908cc56b8c129afeb469b6e620b5d238003884d27d7e40d1

SHA512
d0560d8c961c0f308e0a54d0c79e3e1a452c41bf3741f22fcb8cf4ebc28eb5d3e17aa083ffbbd6ee1c06753593d0293c392c88084d48888fa527de4b563765a5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
29555e5f0ab7b260ff3bdb0da8bcbf18

SHA1
b9e55c16edb16d1060757a3b1103bd61a63143eb

SHA256
e99d38551ef73e3b18c143a791e956ffe9d6f00133ce010ae6a8a48d736cd8ec

SHA512
3e8fe91f7c3b17d7b69aa01ff58d16392e3d1d4fbc01e785b2d396af64bf171ff5930d06cc7f923750af2116ad6a735d490517e3eae455056fbb5441128ab155

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e61e11b66b6a9a3c826ab18612e5d081

SHA1
b6e7cf3d455d5c9d4b25673cad48418868333c3d

SHA256
dc7f01a699790a6d13c06dea1350f3efc18ace198d18290104a0d855c5c34bbd

SHA512
62ed40aeb2a5090e21f3abcda863a38fa538ecb6c4bfb6dec8495101c4aa6f4892ed09e4904f6642c68a72f7657209f4d111021b3cb380b3cabd890854e53547

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c899cf425cd8c5b7a6e0667a0c0b2ade

SHA1
6891ada43f2fa8c5e789e5ced747c3965f19330d

SHA256
a3014ce2be037305ecb4777eb17e6cbf551849aaf8a8dc7857371654ef33d3fb

SHA512
a077085f560b436c4e05be83038e50c37e93c22c5e28923b4cce62f21612e8be723975bce14f6ed63ed85e8beecc8c13a7abc50facb574e402cd46cd8de3b78d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
d10f90e1404b3c70c42479099f034ac9

SHA1
78f7f49339a70e4a5c95d2822949e228b2fe3f8b

SHA256
4d50e5bfa530a6648f3a14cb2696d8e3135872b687e0e960ea056ac010791186

SHA512
809b323ccc5ab4b490d4a64215bbdb2f3a7af19581d2d602a5ee93b6b315c9f9b11651e12fc4b9bfb799572917766a8e66c6219887646328b7bb29918fc922a9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
47b1fe4c98fdea7e3c32a4695f318e7b

SHA1
9c3c494af91eb3c57e90a560484d92c26d068cbd

SHA256
29f5baec15e47c14bdf27fb0c11d8c1d4916cf4603e855490072c322b7fc6a6b

SHA512
1eaa5dd1d963983417826e41d9b950300e7830df62c6f585328d2d3bfc2a9238f39b8f3a59f7ec756e24fcaf2a3bb50678aa2179a3cf44fa25f43609d0ee60f8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
80835986727f76c9101f1960526c3300

SHA1
5b1ae01b5b3b7bb2d8011afc2b0bd5960f9b381d

SHA256
156ce9c81126d85e6ec33b85feabba5e986ab674e7c55b650ff10dd1bff7880a

SHA512
5484847df560a1bfb86261653b8be1defab5277ab80f6c13b3566a70914153439412139e0d3bed57ca5db3cdf43807971274e9bc3b6a437004b7c7982c9f8881

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
37ecd97b7747472b6d71431a499e7e9f

SHA1
2417aa48b4adb544d2c9c4a45a11384e72450eb4

SHA256
7a6a698fbc5b8b90f297d9fa2da89bf0d7a93bb6947792d90a98e6d3a8e64d40

SHA512
b115696e6b28280d408b0983b3d4ede21c2514a5fb7566e6a89b61eca6f03acdad0e9e90338ceca117bbc773e706f95841d6dd7aecaa62eb278bbedb23e69d3c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
aefdb5a1dc18acee2cc8030ead6fc32a

SHA1
03ac1e14e641b42c185702fb21522f01a4c0f0fc

SHA256
f31283012b55696151e72e327953dad95d1664afd536bba66691014261cfd82a

SHA512
c90c26c699c3f5afecdbb9bacb1177811f467688a64632a9c6309cbd1ba26ada4c906d1327ed4e14b3008ca23341fc913162600fb24f69cca88a2844152faa55

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
d1669030de46bafbbd28dbe63d89c29c

SHA1
7f0c8ccb48edc644c5b51ca99473ebec89f0e889

SHA256
5fb4c5de714b8e6a4fbe3474b0c8b767126248c1ce1bcc7c576c068facb94984

SHA512
1c3ce94b7784744af407f2189d75d2626a09ca78103d4f53dc5560c6c11392e07404a878862a5fed83b6690d4c9db03c57240ba68709b7f015275f9724d464f6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
00d0a06fcdc2f091879d34cb8a2c2ceb

SHA1
6194bc0597b59b6ce00c3ea49d2ef66d94aeb117

SHA256
b83301e17573d2f77e97c284eb8f7834e839bc1ee194734ffa9f200d978dd5e7

SHA512
6e8abc180b39be60a4cf594891865575892943c5f9b8e5de5660b59158f0f36c6bb516501a100d6638fd5cf83ede66ea2c63d219e2dd8ce68d683ca8f01552c4

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
5b404a5fc76112053a656b4b6ca5c4c6

SHA1
48a8862d6ec59ad83df3f4be82173acbcdee2c0a

SHA256
060311914452e512c8c7a6d3ecea7ff820fe822175000b0abaf365dce9c72f76

SHA512
9f3118de29b23d57d4e974692d16553a524cb0438c1c759dc4b72e5734d215e2bad4bfd7a4cea4857443f299bced7ac1cfbbbdb303535f726f30f160ef1e99e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
92f4c33f35f1ef50298eaafa349e55b4

SHA1
476c180e9840fa8fa395c603e52a10c4508954ff

SHA256
fd5a29fdeb0419b34a03d7502d2ba9130221e45b0ce3712688b0741dd67419cc

SHA512
4182f1bdd5a95f3a5519cf70a1afce23b05b456e8cbcea55c2b12485bca4a9f60e102700818775f9434f71a715c6ec0050c217aea8207c1b525c58b9c4cbf4cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
b90fb05e5e7f57eaf3d46865d14e62dc

SHA1
6a459f88f0a503b4edb49139d1cfcd7e5098cca7

SHA256
876e10fcee20f808d8cfc6f52f5b721fa648d4ab8433d0efbdddbda39a7c647b

SHA512
7c824ed3bc698af8804927d55cb304aee86fb48534cd71c9d4b2af31a8615d46af23e10ce9a362f008d5d23e2541a89523831f4088e86d141df0e0bc54569544

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
e315d02895d0de0d0752d3025558c659

SHA1
1355cd5c6d7570b04290dead19d1d3331040f54a

SHA256
3a3bfa7dd2b056c8cd1e0f50aa79f7117808aa4c4b89aa18aa74e714334140f0

SHA512
d3f85c911fac90fbf8632e6ae522118718b774f0e819911acb07d43e79c26c8281aa3501ca0c1f075efc6808191535df21fbc6d53f7b4c9299178b90c552c437

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
1dee3857de083099a6cd6f8dd5153f6c

SHA1
7b121669f1dcee55d9c9b806470f8bc15f6f4b0b

SHA256
8d0a537da7193444a8e20ee04fa4367e9729089d0ffc1d70ac10290462230cb1

SHA512
dcab0e16a3d6f6c95be2493fa3554fe6241d71456a1c7830f902ba0e6b912edfbef07158441936958e4214b98cad8beafa55132e5ddcfc3264f4923c64782a88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
32f820d2a155aa8a0dd80395236042b6

SHA1
36777e80d3f3933e3c7fb02c545daefd521af363

SHA256
1afed72ac9eb6066d752f52d04e942942ea9b2a77a24ee672ac0cf7919046c20

SHA512
492d34794bac05743933158a6802f8b17e2ab7833f83098a7a9e719ff756dfd095e495319a0da7cc60671d5e47c2d67a991d4e9d944f1dfaf5806632446d18c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
b96e3bf41c4916f7be322738e9fc5cf5

SHA1
125f175cd139abb2ddbb3246675b1bf9b914b965

SHA256
121841a71b37153af0f3d83f6c875381aeb74e1e5e722258540d99f853881e57

SHA512
4a664435c69832aa1638e7aa66929b6586afab224f5bc5aca7640c6620bb737a950fd2734af443bad6317eaaa137c0f66c6974c63a4040be1ffe80f75f8832f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
226d58cd85ee8c62f0225b50ddd88f18

SHA1
fd5635d6e85888a3c7756da41a0fd8f4f054164f

SHA256
d529d69d5661caf595d46015734970946638f468f60d5463acf690e47acadcf0

SHA512
36c149cee5ba0f7eb662b542d1a64b62e629d28dfd77c412bc70cb34f3ffde6d5960c9a0e6f09853a2cc0e5f75c14a55e0d3959ae41de82282683b798c232ceb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
cca7fc556d237f9415438548c2e85cd8

SHA1
b9b1cfe033f085a973d2c5c322cedae43dbbcb9d

SHA256
4c8a44a65ce600a73b8ac2107b9a515fbb42c56343b2eda57128ee243bc2c236

SHA512
78981d80d85c2125047f6b9c8be573eec5a762343daae0841c5945898cb5057258b8f7895d3eceed551b0f07cb252310552857d7e801f7b54d56174866d08ab5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
1dac9708b9838e68766b04970da2bd17

SHA1
388e4bb6a27eddb42b64e7ef1b65ac67e9e348b5

SHA256
1fd0dc082059ad3e951f08757098f3ea81736bf7ddd2eb3c110aff67bd156662

SHA512
ca351d80fad3571b541a7188bfd2b33628a0c34b2932e36b86b462218af88836eef9b7d40985c6957f3f3e712aee5519ce444c0931db914bfd599444179d44c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
3e3d2cb5cad5fb69b2ea0d835e66043b

SHA1
65aa17e8c969f163ecd0fa35944cafe904f68238

SHA256
d58c6bf208ee54e5f31c7b5d69122cb3738236a2699012cf32fbde6ca992d729

SHA512
502d752493eaac3cfb4a12628e10c5c723398c78131e5bf7898ee4749c1c5ef5de35f073fe13be4c27102f85c46fc9d391827bfba02010859ff241653bed5dd9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
30eb8073b56c9ff3fe79166e97ab1de8

SHA1
a26cfd3b2eb9d5d77249cf9a3cd1f6bda5357903

SHA256
37e8823fcaade94b66086b2b5a244af77c5ce61af4605d1e2545cf890f768e92

SHA512
5305f135cafa910d436d4950bb85d25941d95478f0e27688adf86b8ea659c49dc18fde97b6e8bb0aaad96837a426428596551b3e13868bc3055f067bd2a92f10

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
164561dec367aac0d3a27f63279786b0

SHA1
7aaa668d91569043289fe63bdd121d64956c2404

SHA256
c5773a4187eb53b03c9a0b0da35570a2dda52d3059ab74fd0e6100380d31a159

SHA512
dc23d660cd06f820d12235bc96e08dca795fcf40e2e86ca03918caacf4a3227e668f18ad04a8de3f59e0d4fdeab478cf4b45ea7dbf857939c893e12281e14c96

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
f52e24e9865e91e41c0cf61a9de4831b

SHA1
2ed3d2826aa719616522d0fb3504ae503e69660d

SHA256
e4524afa580e12d0b3a5d64e17f613e3bd7cd70027935efd0374af2dd44b6e65

SHA512
e5439006892808dfb62ef6a9e89774fbba23d63db23e03c5a1ce5cc19304ed7c4f68453b6f7553f69438818acca8b41c1a779d148923565442d732b88fd291b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
067595f10882f98d9d9a3d3890653dfa

SHA1
6be80ff5a86540322d010460e3a0ca537c8da8b2

SHA256
5d4d7b12cc0dd8a7b4cce2dbc2d80a5d995e53e2cbee3d527c5e51cae13b5fb9

SHA512
813d0a350f2180dd4b61a5f2a3531df134c062e854cb351d6feb90640f96eabd8a2cc7c1e7cfc36dbeb35eb2bed6564e2c5b79d9838001fc0633337597829478

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
d10798cb99b3cb3fe9fcd038e16f6389

SHA1
5d4c812aa8099e7bab39d88790a9dc500755595e

SHA256
bf0cd21ca65f9bb7268244c449555818ddce917c0f6d0cfb077f588ae0c8d291

SHA512
d4f9ba6f0d1afdcdf7b6a668cc36f69364e6e6ab5d18423212d1e749fed1ac08e0eaf9f71dcfb3754926a2aabbecc6a2ebf8770ec5dd6ac35de1631639c8b896

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
56b3da0ddcf14c8355efaaf0fc2f8200

SHA1
88c840c1ee3d3f9bcc2bbce27d02e739b7e0cfb7

SHA256
22da5eb4aafe62352308bfbaddc6d30021f71b7fdd5c8c2634ae41479ecbf3eb

SHA512
5ad0fca6b78a8ee7a612b854eb78b2b192171db7a79843c2c9837a7e165e640c05ce716b1e4a2966140cafa970391f52de26a6f7001ff44e10c66184c0ee6aee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
5b60612f6691f903fc085245a81de3d5

SHA1
4377bd8b7b20f9225ddfec9b43a00c62c7538718

SHA256
3d0062b787a30eacca69d2e199b220d04567b89820cbbead43766908eec5236a

SHA512
7936a6c8b798126af19d0c1e00a92e10f9502ea497aba038300a9508084e0806368d58fc0a71719157c732dc9e563c68a13bb7548dffcf09437f1fddb59b2e6f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
43347d2a4d6e9010e3c1a6f3e66108fe

SHA1
65121be62f0fb985da736f2188bacbc485737f60

SHA256
39872d9e7c53937b164c30c4fb9f65338030c324aabc53db9ef0dfa112d11522

SHA512
35d4befb36f963392ca17ea378f1b2b7695ce6bc087d0a48a440f04914163b2c94ba464443986750b4c1e2b3d710c8e6e83fb5b63932c8a902fb86227fbe43a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
675f8b2c57c38a3edffc6548180e04a8

SHA1
c07094380499c0beb125746a9c58a8e40fe06a72

SHA256
db7342f5ef144f9dcbe55e1abd05567037932c48bb2083e8b47929fd3a02c9b0

SHA512
ac60c1319a35990b29b4c64e5ceef5c8505f17d6c5e29da573c0a3c1682094789902d4868c4d9eb5764aec8148389de4e76bb223bb5496fd87dd2e287596d2d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
df822912d7b5f46217c31eb65525c751

SHA1
5b43b833be7fb0cbe1b006cc748aed84c88fe496

SHA256
40e8f86d4577c19bd15855441b9bfca9570ff2edccd11885da6e86838ab9cd87

SHA512
c75bd33a6be5b6fb2e81eaebaf7d7fd53a742e35eeb3fdb55ab6fc16dc684ddb0be1cb528534d1c9892249d5903d6fd713cbc8f8fbbc43bf1de00b285d2e6656

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.4MB

MD5
b8c3e3ea261a27e0c8ba685bc59761c8

SHA1
cee3c98ed3722fc6fcadee4048cb816534427876

SHA256
db5c2dd22a4cbdb7dcc2a3b67f9c0f19bb4b3d76d2fdb11dcce6312a2a0a3e99

SHA512
70f64d751d1fa308b3a47d4e2719589f724ea7ac80f14f3a2fd0759bb739266d524a09166c6c23d578779a9262930cff2c0feb6e306307574c953429a90f610b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.4MB

MD5
7b7444439115cf3898b1f67ff656f1bf

SHA1
dd82ca325309300c792d7d85c3504a721097c4ca

SHA256
7124e2ba97188e89788ecf72683a1e0621c2607791cb836edcb9d758cab6eaa9

SHA512
33539c9f8f604d0db9bf9f7a4fe8badaca9d479abfeb0815a1128614e67d5dcd19d88b33318aec5d29e4b91216007494b4a0dafbd29435dafb26dcbe8f31610a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.4MB

MD5
02d52ad5395920c98236d78c49fe2ef9

SHA1
e084f4a21032c38b95f9b7ca54fae152e226340f

SHA256
5573438fa935463e03f7633f329e16526cfd5ea6a296ca7e9a348d6fc8d1cf18

SHA512
e740afe0752fec5bc2b5c1a97eb20bde690d6ffa9dafaa401ee37bc63ca50cdcaf9a7a67f0afdbc5fff0d71312202e0346a29683647a10a78a31327da36fd72b

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
64b6ed92c96b6e677f92cf4e96547c8b

SHA1
e46924263c76fc09984432101edf09660dda38c2

SHA256
d1dd496cf39e31a4be081bac318339e27f06dfd616ba9823283c33175a8eb3a0

SHA512
b0ea04355498809c5f5a7dea4f7c9e9cde207f4dca6124ff6c940a54461745f45f68c34c7d19d41aa4d990f651ea1f382fd0fc72bc9dddfa367a82f4046cfe33

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
607cb4fa234aa7a9932f2e23614ac708

SHA1
7b4108fe6c779e723a4f898752cca5770df3b2e2

SHA256
ef5d1831c155d6419b592e80bd831a8f0a61060676a61aafd6e24e36c3f792e3

SHA512
ca3a6de7dcf14c0e741abf4894ef5b9e5c5e277c49f288c0d9683fae581712a910e5b7fb735269d265b88e76d0c3a62a3358b8f1f4c8f8ed03ca863c3c7f7645

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c905ac081b686cf163f75c0f04114e3a

SHA1
485ad1a23bbce291cb51e65f4558de00dcea4a07

SHA256
dcd207562f5acb996a006ca6fb48ebb39e025bd67d7ead418ebc41c884c1c6e1

SHA512
3f742d6a3bd2569501d5d7f0ef1882d936f82c84c40ef87d5a5ade77d8973f302dd7fd88ffd45678a116c0ac23485c69fb001f1dafaa7abc23af91b5703c9f4c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
2958b5dcadd8e3aa818992d9f839d900

SHA1
0bde72b0410c9a953c34cd2ef59cdc45e9595126

SHA256
a2becc621615ca58edea9f76ccaf57095d1f176be911ab97184cc41e91d39e99

SHA512
961061764fee10482f2f36706353d2b8c05586d11f3e4b51c2d28f3a77cfd685a5758f3480978f4e5c7a7d9b89cab85030e11e94fc3f76364e4f2a2f6e4c175c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ba599de49f4478df0a18c4ae1995ffd8

SHA1
2445f706bc58da2d5452fdf186678e362b0379f7

SHA256
47121a4a8e63af24c1bd8d7123589e0c95e0ef8dd3bec808de8d519d5ba89240

SHA512
3a651f5fbd975ae8c3870ad72df5d2f7e5b2b620fa90880f68a656e0e7b1d341bfc4b1797f67d2b0b923ea767a67fa76f53a6dc8f3cf5f198f3dce5a65f1314e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
2ba0d1cf8c91c3547a65a0c1d093cf4f

SHA1
ef13d13be70612230eb9ae7c18ea66aef4ba8c66

SHA256
e13b6d73008a3852d2e156048aa591df3d4af7e2d98c06b8ca239c6a612d04a8

SHA512
824fe22f56596412969577dd08c9945b61936d99e7c933f53085eea9c8fafb72625650e530e30f3f5f606209120f0f6a53393a6bb890b80abbf461a688485667

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
6124f45702d3e3fc2b04d3912b17e42b

SHA1
89583b9d13646d66a606ba156a2052f458506b04

SHA256
fa2679c4afb8d8b6acf52b4b77d981da251d0ef3cffc96846b908c13b83dd89a

SHA512
eeb1d7e8b307c55fbbe3b5f32d0aa56472507e2979d698216c5b434944255bf30e23f54da0131682ffb2d7e3f3be228632c7c401a4c41a63fc1cb511cdc67b5e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
5f951ea1bc16822e479831570f4071b4

SHA1
fa419bc9fdd806edce3f9921a16bc1393072a576

SHA256
cf9463ac5f55e627aaf6e56e340239b5b889fb45e4e3a72830df8b184fec117b

SHA512
288ea07c738fab42add3f8ed3af01b04aeb90ce3c29d7da8eec8116f14ca9eafb9aa7832db03acb9c9c5aaf51ed0d58e3a218e41448cc2afe2545d232ca2f46a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1bdc64017ef07c90f56ec746c6eeff78

SHA1
bd1c715133188158264ffb926548eca7c6604c54

SHA256
140bba3acec45edff23462cd80a148368add05726990b7885b63dc3cddd2f2df

SHA512
2c4ff1d1c02feb46ebd7b9c9ee8803d0bda0d0881f676e9552ffd26be58f66e2d48f4643440cf7c17d769401e5dfdd7c6fd38668420a6164316e1468a9e85629

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
4b45b3beed446ed4f5c2998c7d447d0a

SHA1
b10db06e3beaf4293b9e6f3bfa2f378d5bb31b6b

SHA256
a2420cb777669935c24e39c5e030a07e9cbb150866c6b74d0935d26fd1ecd04b

SHA512
d7242c1607e7e6ab6b6513b132799c9e604c554c24ddac598157a411c21581e68f0207ac3e0ad2143df88fc066b2b3d6dad80d7d2147b273e7c18b65723d5d7a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
883180b1fceab6850860feaeb5a413da

SHA1
a727cd2663ec1f47aae2c3dd0959cfd8f1c400bd

SHA256
a654e9e5f8c6752da7d99cd60d36a44643302fde19bf40116f8cdcf368f1ae27

SHA512
7649cac26e941e9c0ac3acf4afa162b69ce5d970dc79eb639fbc7e147aabbda858956c82b6c77805b38ddd602c1577cd2f95ac9b8bdaee8c4c42a5c09644e307

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
0ece16f16f628094656d4570129681b6

SHA1
27e893c68545e2ebc13dd23b8fb7937a8a2c0dcf

SHA256
4ad5f492c43ebfa5208a541265a4d0ec6b487b6deb7c600db51a66d59ffd5845

SHA512
ce3f081a5360537225ee09044bd4175f3177925aef13f42764bb2500fff60b07b7c7e8814fa1db95027494398c47f22cc07e6a35dc20d5517f2593b6210e3e5a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f23dd59332eb9bb3751db0663e7bd423

SHA1
9e77cdaccad6bc9ef6ea0de06b379da042c34f76

SHA256
efa47674b95c78146cde2b9e0e3cffe9ce0c3b91048543a59ac858834ee7c975

SHA512
32a24a53a42ea8ba70490a67e157439a787348173ef2d8d7bc1b2152c63127fd4e1525ef162df154673eac55e97dcda43fbbc294ae404cb998442f5a881a9218

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
e3cc79ce58de29e9af3a6b7a72363609

SHA1
534c42be5d0c68efbdc2f8348bb5cbc4c9c073e4

SHA256
effecbf7963f155167e52b81c8661c1bf7e460fcae2bd5a9f13db486d3d918a9

SHA512
59f4a4aa56c2c1bb29cd4d4e8e589fa4d68540566011db8fb1ca7523ae397a0bcb503aeb8fa0acd9138bf309d853594d7cde82f677727e01d126a0ec3fa3d4cb

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
d3471dc9101b86effb336f8f1a1350db

SHA1
5904e887338242fd11b7ec35ab18370aa6198a1a

SHA256
0249698fcf060a5bb27d63a38550ce7248a28c2b0645485f784b3fad9f397bc5

SHA512
bb7cc81f89b4d26cc1c64b9d1d869a4778c891ab17d5fa1cc36f7b78c74c1a12278619648c9dca3f5e640656e68595ece79d5c756d8fdc4ed63da21e5af963ce

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
5fbbac21c8b641e7b81c6e31c6b2a736

SHA1
40eb99796df5f6c0cd66b4366c6895664bd4e4f5

SHA256
8029ce11251d52c43e7cbdfbfdda1349ebaa2369f8c85a1af995fa250d55f6d1

SHA512
b6a39d3f8a336f96d4890f6430746e21b75476544bed9409da74b37073a539ca96e748e626a41c9e3658d93e0f25359af36116d82132fa275a627c2d0f982769

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7b84b12748a3c0b2cf165790418e4aac

SHA1
a5df2965510f711f6deadef283e32d87c7a4bcff

SHA256
7143ce77a61d0499e73f50b5ce5d30ccc70bf94ab3dd993df5f08d9ce7319597

SHA512
45bd19f27be2b4f8437cf7863c1d795ac4ec6065a6b3f11accbefd625e37cae92382e65d88c1264db31d65fca08d8227457ae3a686e127be37c9276555522495

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
5f06f157fb06705c7a0546bc64e9a9be

SHA1
190af58117d71a4e4720e8dc547204231b616f4c

SHA256
27830cfac53de820322190fb33bf48d0786d33051cda3d6b8a7b084a11451e88

SHA512
db54d99bf811df7e80c0252ca8b75c656c0a02165d028aaaf4a87c3c7212dd4badda6db3de9a8e66d5706cbf28b62903905b479b31e1df4af748239b4de8e2a3

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
44bed52a65ebd245bc7986a382055660

SHA1
a7aeaea0ec88bb52b6e0f046e6c5822a1798bb9c

SHA256
eff9afa307509aec1546e732047612edd3fa3f0b89e355d0b76e525225fc44b5

SHA512
9865676bfd926e00456718cb47b17dfd5d017b9bd1223dffb631ff4e89c679d665c37a7403f9799057263a238f6577cbbacb234e05b55fc837843107a0f943a0

Download Submit
memory/332-457-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/332-450-0x0000000140000000-0x0000000140287000-memory.dmp

Filesize
2.5MB

Download
memory/636-445-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/636-438-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/664-258-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/664-274-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/664-257-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/664-267-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/664-273-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1112-408-0x0000000140000000-0x0000000140257000-memory.dmp

Filesize
2.3MB

Download
memory/1112-343-0x0000000140000000-0x0000000140257000-memory.dmp

Filesize
2.3MB

Download
memory/1112-350-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1248-382-0x0000000140000000-0x00000001402A3000-memory.dmp

Filesize
2.6MB

Download
memory/1248-389-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1248-448-0x0000000140000000-0x00000001402A3000-memory.dmp

Filesize
2.6MB

Download
memory/1268-238-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1268-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1268-41-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1268-42-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1272-294-0x0000000140000000-0x000000014026C000-memory.dmp

Filesize
2.4MB

Download
memory/1272-300-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/1272-352-0x0000000140000000-0x000000014026C000-memory.dmp

Filesize
2.4MB

Download
memory/1420-15-0x0000000140000000-0x00000001402CF000-memory.dmp

Filesize
2.8MB

Download
memory/1420-8-0x0000000002180000-0x00000000021E0000-memory.dmp

Filesize
384KB

Download
memory/1420-1-0x0000000002180000-0x00000000021E0000-memory.dmp

Filesize
384KB

Download
memory/1420-0-0x0000000140000000-0x00000001402CF000-memory.dmp

Filesize
2.8MB

Download
memory/1420-12-0x0000000002180000-0x00000000021E0000-memory.dmp

Filesize
384KB

Download
memory/1420-7-0x0000000002180000-0x00000000021E0000-memory.dmp

Filesize
384KB

Download
memory/2208-237-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2208-30-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2208-29-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2208-37-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2208-36-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2416-241-0x0000000140000000-0x0000000140290000-memory.dmp

Filesize
2.6MB

Download
memory/2416-69-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/2416-76-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/2416-75-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/2416-68-0x0000000140000000-0x0000000140290000-memory.dmp

Filesize
2.6MB

Download
memory/2440-60-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/2440-63-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/2440-66-0x0000000140000000-0x0000000140290000-memory.dmp

Filesize
2.6MB

Download
memory/2440-55-0x0000000140000000-0x0000000140290000-memory.dmp

Filesize
2.6MB

Download
memory/2440-53-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/2708-272-0x0000000140000000-0x000000014027A000-memory.dmp

Filesize
2.5MB

Download
memory/2708-283-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/2708-340-0x0000000140000000-0x000000014027A000-memory.dmp

Filesize
2.5MB

Download
memory/3212-421-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3212-362-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3212-354-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3244-314-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/3244-253-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3244-246-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3244-247-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/3492-16-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3492-17-0x0000000140000000-0x000000014026B000-memory.dmp

Filesize
2.4MB

Download
memory/3492-23-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3492-24-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3492-230-0x0000000140000000-0x000000014026B000-memory.dmp

Filesize
2.4MB

Download
memory/3900-406-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3900-403-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/3900-395-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4208-422-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4208-431-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4444-334-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4444-328-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4444-393-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4528-461-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4528-473-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4728-315-0x0000000140000000-0x0000000140256000-memory.dmp

Filesize
2.3MB

Download
memory/4728-380-0x0000000140000000-0x0000000140256000-memory.dmp

Filesize
2.3MB

Download
memory/4728-323-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4752-434-0x0000000140000000-0x00000001402C3000-memory.dmp

Filesize
2.8MB

Download
memory/4752-376-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4752-369-0x0000000140000000-0x00000001402C3000-memory.dmp

Filesize
2.8MB

Download
memory/4832-418-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/4832-409-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4832-550-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4940-367-0x0000000000400000-0x0000000000658000-memory.dmp

Filesize
2.3MB

Download
memory/4940-309-0x00000000006E0000-0x0000000000747000-memory.dmp

Filesize
412KB

Download
memory/4940-302-0x0000000000400000-0x0000000000658000-memory.dmp

Filesize
2.3MB

Download