22d7097fe3f72523a50765078594c76914efe1f11a46142360def7bee46d0b83

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16/04/2024, 16:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_9006b1acddb28c853bef18f6c807137a_ryuk.exe
Size

2.2MB
MD5

9006b1acddb28c853bef18f6c807137a
SHA1

4c8c6c00a952858f3badf9bbd4ad6b3f494643e9
SHA256

22d7097fe3f72523a50765078594c76914efe1f11a46142360def7bee46d0b83
SHA512

03bc11c38fc8e26a626aab266280746b443ce000fc2d92aecb4200124876b4491f2d8ab87976e1eb14b99b427dd79f2a6206dfc5679d5943890dcb061968fec1
SSDEEP

49152:lNl7soq7sQCT1kyG2xHywRfHIO2Ts4bvDny8rZuRd:ND23a1kaxp9q/rZSd

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2728	alg.exe
1332	elevation_service.exe
404	elevation_service.exe
5080	maintenanceservice.exe
2148	OSE.EXE
2672	DiagnosticsHub.StandardCollector.Service.exe
628	fxssvc.exe
1312	msdtc.exe
2644	PerceptionSimulationService.exe
2412	perfhost.exe
2524	locator.exe
4516	SensorDataService.exe
1720	snmptrap.exe
1208	spectrum.exe
3668	ssh-agent.exe
1784	TieringEngineService.exe
1100	AgentService.exe
700	vds.exe
4520	vssvc.exe
4620	wbengine.exe
4392	WmiApSrv.exe
3540	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\86fc21a22b574d51.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-16_9006b1acddb28c853bef18f6c807137a_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77343\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77343\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77343\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e2db8b681e90da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f49f90681e90da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d94ddf681e90da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000240393681e90da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006214c5681e90da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008e3d8e681e90da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb00b2681e90da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a5282681e90da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1332	elevation_service.exe
1332	elevation_service.exe
1332	elevation_service.exe
1332	elevation_service.exe
1332	elevation_service.exe
1332	elevation_service.exe
1332	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3888	2024-04-16_9006b1acddb28c853bef18f6c807137a_ryuk.exe
Token: SeDebugPrivilege	2728	alg.exe
Token: SeDebugPrivilege	2728	alg.exe
Token: SeDebugPrivilege	2728	alg.exe
Token: SeTakeOwnershipPrivilege	1332	elevation_service.exe
Token: SeAuditPrivilege	628	fxssvc.exe
Token: SeRestorePrivilege	1784	TieringEngineService.exe
Token: SeManageVolumePrivilege	1784	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1100	AgentService.exe
Token: SeBackupPrivilege	4520	vssvc.exe
Token: SeRestorePrivilege	4520	vssvc.exe
Token: SeAuditPrivilege	4520	vssvc.exe
Token: SeBackupPrivilege	4620	wbengine.exe
Token: SeRestorePrivilege	4620	wbengine.exe
Token: SeSecurityPrivilege	4620	wbengine.exe
Token: 33	3540	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeDebugPrivilege	1332	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 532	3540	SearchIndexer.exe	123
PID 3540 wrote to memory of 532	3540	SearchIndexer.exe	123
PID 3540 wrote to memory of 3372	3540	SearchIndexer.exe	124
PID 3540 wrote to memory of 3372	3540	SearchIndexer.exe	124

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-16_9006b1acddb28c853bef18f6c807137a_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_9006b1acddb28c853bef18f6c807137a_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3888

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:404

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5080

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2148

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3772

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1312

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2644

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2412

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2524

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4516

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1720

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1208

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:464

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:700

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4620

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4392

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:532
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
bc90ad5c7b3e03bf7a1ad91b869ffb0b

SHA1
9a60439a555c85df7bb7c6ae1e8bcb2eae788f8b

SHA256
5be537c25d1fb2593195a1ef61a1deaa2d9b7ae225c0ea7b7fd0a48e676d95cf

SHA512
d9f3a286342ad51ee798435544a8bcc61e1a3b48e39607971978931a2f0184b2dc055e82a7a2920ffc03383758314e1ded075311c409a3bb88fc5543d82fdd83

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
0259e77f26c7cdd1958359ecb6b436b1

SHA1
165f9d7ba1ecae4b185e8fbf7cf826d1da8cae45

SHA256
266af228a222957f145170d5b4db6a98a58fcc690e0c840a556b7cf4843da57c

SHA512
d462e09ee2158a75257188329ef759456331d8bf0fd287894da4de2b4b2281b5b0632aaf9b92f541fe5c4ab4507825d612cd35dc408b631f9bc41f7a36ea2b00

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
b02b5d5e3bc1392e064157121a2bc50b

SHA1
a83ccab35f1347219df3fed9a00339f1ea51e511

SHA256
7b04109dddf070d94560eb88d6cbedbdfd34389943648222627524117e2461c0

SHA512
382a5557f658e0d6746f4362699b546266b7a997310cd51819f5d80d3cdb0e902b657bb141afab48b1bd4885569c8416345973f24519649a2d130bc5d41f1b98

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
472329f4829c840825d76d67acf1d540

SHA1
2fb18d449de94fa4e9ac912ceb6f52afadaaf240

SHA256
5be4e5370362f2bf53ec1a16225e2e7682652649452c3abe8fa176fe026c0f6c

SHA512
133aa7e7110fe6ccb0feac0b157304ab438490b57ddf592d624dbb472bcac6264868cff7faa79a0ca775e7135c796f1e794473ab7dd1921d06c4b568d9f9932b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
2db32841d3750885b87bf12e795fb46d

SHA1
692237b78e6d991dc5848a582bb19ffbe2148c43

SHA256
d7c1365ec240598c0a8dea7a4728dc5612022039b5009f2521dfa0817552971a

SHA512
4dcc854041348999aac19c66016f0ee0e0a5a3094e1599e8def7879f60170e0656baaec7cc85881f7bb4effadc0aee17eaa7286e0fa5a24b3c8561a4fb95b566

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
28279ffe1fe65ec833c89876261d6e63

SHA1
d9c209bcbec73ac269d3cbc34e2724a3cead1510

SHA256
915d28d791236f06e7cdde975f5bed3f7c54b7a35a21463d52ad1a84a7257cd3

SHA512
14ac248ba4b8770ae24ef915a0b6674bf0aa8e7725a3a9bd237081526be7bee0136474d039be784dc3d08967cc17c8aae82e6da6fb0ee0b8462f6a14c00763f6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
aafdcd276a96d1b5eb8ed0755fbaedf0

SHA1
96b6c368478cf4f2002a14a46b5ca7da0012cb8b

SHA256
2434dca4e8c67349c6f4e7cc26ba9c97ed5ea6a21ca001a1331067a3ebc69087

SHA512
d58ea48a6e9d4d708a2c8325a3628937263989f5b3fcedb7f039bf781b55059a8679d3175ab0e7ba55e8823575487d2b1906d1060c5ab5d8d8908362c0ae3c5c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8310c55859f653835a9044653dd118c6

SHA1
50018c2e21c31e7a20119906781b493190f53a08

SHA256
fb75c4cebe311f49ba8d741272ad62c57cc395b4561fe848e416b6538b0057bc

SHA512
f0bfbe8d6949e5cf88993a1c9e274e0a82c9d13b8671f1fe6eac38bea14bafe82a5cc3a5ed323402ff76009541040fdbca5176b14a8c6c9b6ef74e4e79d3c087

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
c28c8b9e26fbd1b1f07c806e32c8e54b

SHA1
40798fc100217fbfcb6fa36a5a695abaac049174

SHA256
9b5b17d6f5b16bb693b921e7c3c134e0f76a28c5c040e4ff015254c189a58317

SHA512
332b318721ec6575d46db7704c0487ab2a54398d0f966ab5e1f2d4a2e658d85adc04efaaf39fcacf36abcd7c1f700ac938d0fd9c5b38b958c5d88751f5b66344

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
2c99f39186493ffb21571f74341dafb0

SHA1
22185d53fdfeafcb53647af736662077633354e1

SHA256
907e20843bf303852596ebf057ca26c901510f289c5dbfc51cee53a5e538e2a4

SHA512
cb4dd80a5dc8f78aefebdf3a07f2880fc17dd262eacfac903364fc65872ea8961da8a1be4a19521c20fa3e952c659f5bd39cf141825f0a5254cdd9ee36e51038

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
967b530a79cb2612b178d36645bfe6c0

SHA1
d1773aeb60410e1dc5a1049ec5d69c4b5a9e9cbf

SHA256
3f4ddaa8e05ecaada7bfd39f1261168456010d073eddb0d598c5df8f0a5366ab

SHA512
0f0b573aa749a7e745fc93fc2de252e7313aee663e12ff5540d400b3a33173fa2ea661975d8add4b27d5fb7e3b31c6236349441e8afa98f9bff5a90470f9c538

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a8d4cedfa91999e59d26850365c42d0a

SHA1
b99a3b238d264630b78848c8eb5edff4cb301fef

SHA256
efd4b22ba6d99bc9b70131f47f04575546ad25d66c6ea094ee82ce5b28d9a51b

SHA512
a4385cd97d59f38c18c18d504835506bf5bf5304230127a205cd604f8fa6e32086476fa3188c80a4348bf7a26b6beee07b16a0e0870499b473113104f7501de6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
df8023f5a36ed28aa8805a20cb31df68

SHA1
0617e851271bce4c4e58a8876d7c9b094d75999b

SHA256
e2ac48cecf4e1a66c0dcb60c3f3787a02f6ae6d3aceb9252ecd917096237c79d

SHA512
05b36b3f9ed577d52767c77c27d602f873d08382b72ed7ccb7a6ea9d6f925a899adf7ba619fa639cb63e45e17f2e5fb39a7eb34525ea9599295c6fb04e333aa6

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
91f6aba00ad1aadb4defbada668445a5

SHA1
3fe77244168f5d83e062aef49870575a2d12b06c

SHA256
98a6ddae7e44f794f1d8be22430f84b449a4b20d8515719d0426012bbfe4c55d

SHA512
1089b68dcfc4ec9953736c86b51a1b4f31ac0a2a8e67fc1ed2f55fca42d999f08277e50b7587370180c13bb2e148f0decb989044b0aa4f84f07d26848f35b105

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
e52a9986c82f20f74fb4669e257a1f8c

SHA1
0912c9561e7c561e0f71dbc0df50df2afd41fa52

SHA256
2e59c69462f8e08ef330979c1e374e59cada99f6c9520612871d97dee124a160

SHA512
299acf14aa4e3bf2478a91422785df6bd9c1250dc45ac2656136a381acf3432d59bf9c50a5625e6a169e2ea469996b0574027706521f7fe715fab5866b5314c0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
6b4dc8286a80239abd48fe7f96ced651

SHA1
3937907477ea969c025fb45976ee26ffa3dacdeb

SHA256
533f55e194df4fed56ff6b6e68cf117b5281786786f4b06e16961e57a77fe36f

SHA512
7c5781c4341122df952a13b24871b21295dd7e2e5d332bacff966ccd1903ccc78ec344ee99f6f1986fe735242a236245ae2a882be56d5a46a5e5d8518bf233ef

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
e7e667c29a346ef8bdca78eb5fb1d2ac

SHA1
f33fc0c53f0dd6a1e3d06d02749246fede8672f9

SHA256
f9118876a4a108bd4c3204c487d105705a2fbaff04e4068e09c85ee77a8e2fc1

SHA512
da92745088f5845dc50d182e0e44e930e4bc812a1d6b6410bee90de189fa64368331975aeca2ea90e4dfdac8ed05ae8509fb523940be57d29c0963b32ac9e0d6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
be6c8c236911733c68f32901196b597a

SHA1
56ba69c1bfa76600d5f372e4b6ab5d74506b1fa5

SHA256
1503ac693cd29107065b4d4e65e19ae95792074a99ec987742620c9349607a3a

SHA512
fb14f772a6e05818522bd3fcc833598faed610c281f82e76689931848ac822e419a67d0a616a8377fcd2e3cb20a07590728f43dce7576841f0054153e77b4941

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
03ef74a2df6c08947b3c5be2bb5cb4e4

SHA1
528965b7dcdfca22952340dbb0b1735628e3c7cc

SHA256
ff60d654b61ee44fcd2e086e7b8a8b21b289b782570d618e8cafb451bb5c1d44

SHA512
92cc53e350ded3198142ef62f42ee197b00736ec3471878d25c69cec4066120e72110ed71f870d494b611c7421a61a2a3e674bd5671bcc275eacf1f7c5ff0afe

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
c8adca64411f94c76cc58c34d4c4a6a1

SHA1
a4a34858600f3b9ceaa178b2fa4e329e7d25dc6f

SHA256
72541bed740c67d78f6fe5746873a77d9c375284897e5e9e392302c46832d491

SHA512
93595314902810e96772eb2b699b5b9f0c364abccb3f8bde6a0c85159da8f176b0a6c1cf7cb05b9b5f996cc90403a89e32b80f85aa08a8d2402eaac8e04704bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
f20e234eb0b3e3c3658a168b8c8f5921

SHA1
420a178fd9aee5fa16dfc93985f1260c95a2d3f8

SHA256
1ea3359e52c9d43c7d86df091783228d29efd15612154d3132d765c3b6c8bbe0

SHA512
993eacf20f46089b029a25060b044fd5aca93e1242fde1426689ec342880b017daf3bde1dae8a49bc520287bb8f512f72b694cf7ad7005538cf50cfb2c5bf28f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
108ccf648303eca86f4aafd564fb5e58

SHA1
a50f73a5b1d5ad895dd222c7fd2df39ea386d1f0

SHA256
f35a2c4aff4e093b79d5e9c665400ef99302e15fc374cd5e8dc2ed76c9e797c3

SHA512
700dcb89bc5584f3680b2ff2b4cbbf77e3f7e33ca911245d7315dd612853fda5872db4ac420a1eb2d4b7431d06d95b2236023d81b87b864df666d83715a7c2ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
d4588ef3bf2951d6845451162ef13b23

SHA1
4be05b15dc234113a88a6c08c9bf4cb0cb1b1717

SHA256
a8256b5df67bd4b264b214cde7cb0c61a2b7c1fea4c8bb8f5a176ec165346962

SHA512
2fb6573e73356e8ea257d107fd351766607f9dcb85f846f2dfa971845ad3666ae81e77d7e02f4405bd8eeb15c684602360aa817e6c15a69c3dc6e908fc02b154

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
4fada279ecd3856a81a28fa805e9916e

SHA1
e3059ec4791ea71809d2ac08018935115aac86b4

SHA256
883c1ec4219c8070a17d86b7dd3667d5ff5d8450c21a824425117f083f11ef84

SHA512
fa6a304494c60e7cb0bba45a57277d8c0622debf7b710be11f78ca2722f94f0ed7e82baf67e335ce2e122d0e4e5689193589c75ce9fd1074e1909d5f7a079c7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
9ac4c886836963c800179ebcb39cf990

SHA1
a2e1251545a9404eb99b16997ebf6e12081cb025

SHA256
e805a17c980a73f29eaa1c7e1501f811217ff2e1ba3c62fd5dc674a30af753d7

SHA512
7051513726d26bf4d30c114ffff6e16b589bf4700a0c7d22e74d8816616cde03fc340a872acf118440f3e087df20f8b59a161003fb40582b6065585e0c6bef52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
a13c3ae1eb963d04f4b9b8fa6f304097

SHA1
d3dbccbef3f5a4f357c0ec5be0fde70da79f0763

SHA256
cc84614f9fab300703c4b0f4f82808e56a176f416ef41525f2051a37a3cbfe59

SHA512
ebcff510ef9960196729997085f13a589120f143b8d1221041c6ad94dda1a511f01647141545f99a65f958de202a0c2f4cda34e89a018418a4f2d26a5c72c50b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
4d8ac27da1de256d61d986cd6a834b4b

SHA1
cacf8c25926ace0023309c691ba6fee75968dadd

SHA256
00a505fea4f06488ec294a0670eac8217a95d9888b1115d7a33715d73f8b5c6e

SHA512
4db5453b25b589d48ea3b9f8899f718b1f82f0329f37d2ac224faa563604e3ad09c22c65653b12b23607871ec65b9645be02014449167e391d8e30a92baad33d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
abfc0360d8c304166edcb34697cd1491

SHA1
c8e917db6c3c1cdf2a4d6273dfdb4b497797b43d

SHA256
44a16689312d3e32712adc99d7dc9d8c5dcee03dbfdc213edfda1269049d18dc

SHA512
dd7d2dc2152a17e98e50957dea6538f505bcdc7c6c42c95a05b8b7ac91a3d7f454d6450263e83f806ff1413d09b86ab02581c1e0d7d1ee1c40efc4f2e0acd318

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
6c16e4803cf3e378f5e5db9deac2e5fb

SHA1
e34b3bc4793a0bf9549b35eff30a8f1113ed9b85

SHA256
2a1c7ff4ef136f51081dc4b58b904f8aa9102d576460355cc985b65b971e00ae

SHA512
558e2bb3ef8bae32571294f0a38b944c0b949f71434cb67ab0a7673428b37ee8f3ceed34a026ae3b55d213256b44d4d749c6b956e71c359b690b35f2126f24e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
5ab3dfcbd8f5462916e42b3411f50d9b

SHA1
6c8ac2d172d60c8e8b78bd8513044a460343b6db

SHA256
5e0b09e0a740f547dd93e3196536654ab5e4f50483e23a835eca9cc57dc9d033

SHA512
5c567a34b146948d7fc64d75b9824443da5da1e91fe758923fecb3c7dfb60c8e5a152f20ac6a50918c6fa88dc2b7253f69850e04c291921e931ce0fe9b728095

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
cff0dfadeea1d2fdec1408340a150648

SHA1
65fdba2fb3c2fb4010fc420bebffd84d7482fa42

SHA256
68de35f66f4cb4d4ada2f291ca4464c6d41020c40e13e5a6d1b9a65e87cf6feb

SHA512
ac94afd525e5c0ba6f9abc8814ea5e14ef39cc76971dc10cdf8d2b0b860ffc2cabed84a1b9e3e547892ec0e33514efea44d9937994562c9c7bb3fae9e9ec2965

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
f1204d0b0d3d8898db3190a763d4fb90

SHA1
748167c457d03c601be1b11f2247df6fad08eac4

SHA256
fc3c77a003d480906005a6835617f22804075979833c558f7c7c25d28bd4996c

SHA512
3e40aa9432da88f732fceca186ec288a6172fdbee156835afe05dc75f31e826bdf2d536f0b04185fb588e4134125ed33e35816f75ec1fdba419fb610b5a0643f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
692e05a836f45d2b20c860215710a27e

SHA1
8a16800bb67e3ea6cc783a341401634840a53c87

SHA256
2aab5f0b0dc6299b40608b49f4bf74e7a10dded65bb927227a232137436e8286

SHA512
ee0e582cd9791099c9d7ebfcbc281eef7ad670e7b4fcab5c4a48fc4700c6eaf387dd4687025c89ea2e20deef29f7d4d2525e1dbf711990493c474a98d269dc42

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
00388c2ab74c7b5274f98e151a349a91

SHA1
bf348c8cf5c2444db2303aa8f047b26f7bbf124e

SHA256
461bff91914698764ba62527c9b799915631a91f2a52fda3eeeb1d807d832298

SHA512
e93f632485e89828cf877da5572c58867dde734ec8b9f306edd12c5740ff07b1e7c22001327e770d0b9ae5037cfbba2fcf0e3110bc8e21d95d8e62631ce395ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
a5679c8e1f58ba6fce28d6a81a2ba2d7

SHA1
1e4a4ca7f9c27052ea7b289cd13f80c1cca5fcec

SHA256
34e46807f659d4698e15d7d3dd03480311fe074676600a339324c024f1f6c1d4

SHA512
e6998962ea7eab0910ce91c9ab972fd4824f7c30cd2e757c8cddcff6cae654a64a8dffeea0d759013e8965e93b7e474128090defc9761b2f92f826c538c3cf05

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
3274e1f36d308e8bc97fbee3f7315da4

SHA1
874ecd2f6fca2d9f00305e3fc08391e11f080bf3

SHA256
f37a9e1bef0075d59e4691cd3bf34216f6b0ab5dfc20be614b31baf679180065

SHA512
587de9e555f82da6d80f4d7cdf5700055a656a8dcf19aca6bd638eb0166f1dc0e3a33f1532f850fe8079be32b315a63513d008bf235733ac618afa7628bb2ef7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
2ace194a56d76e37ed40f6d602195923

SHA1
a8c7333af99006a550b983b7ef86fcf62c9cf770

SHA256
d43fd88e764421b405d283d78cb056b6c3a6e227332e95495f9a32e05886bd75

SHA512
79a25dcd6cab2996c0559ac2b2ee4db890802d0ae7e1c1661ef79e2d582d244a4092bc4012fee4666b54b707a2f945e860ff6a37b4c330238b224293f1fee8fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
fe7398424a5d9bfd0f5c7b52af77fd7b

SHA1
25fe4a5a62fc162cffd174b8d08f43b37ec37592

SHA256
569db9b8fcc8b288f88c96f43d035acfc939975fdded5a4166da30521dd89110

SHA512
b392d9d7910e15dd3c1280803a02c32f2eb44e548ed2f844853008b1f51c58f85917085c7694949504d642e2c0e5cc9e7949874062f4d474232699a32c694801

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
c04be9f81134b1ecff464805bcf84196

SHA1
e30c11b122d844c8d7f278b1d36111f2e77ea2c6

SHA256
fa36130c5fe821fec64b11bd1126196cd31ee7981d2f23f06c9c4fcc458305e6

SHA512
828a9d0adeb8d0a57ccd69242ec0fe150952d3a9f5af1780cfbefc4d181334c4435cf6bacec098d103ca87ed76e7b50247ae8bbb49923b0d5081900346c919d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
d4c9f27be78f346ca45c8844edb010ae

SHA1
ed836a59cdb60f39952c8a607030d04a05c0baff

SHA256
20f8dcc1bba057fa262571c7ae24dd2267b26df30caec6707fb8ef1c27aca4b2

SHA512
260e9409d5884614f99ca438c9596d4e14f0d3be808b3d2458f3d80acaf3e4bf51b2cb1454ad40c39c8c4dc412817e85158ac539df27a821a8ae8df5e277b6dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
a2d80c954fb2c4247550798c7f1ebf12

SHA1
4718611274c0dcfe1ad0238ab64af70ecbc9fce8

SHA256
1c18a641e9d98e4d18df0b51d0a05ee2436b3a5231edff0f55922f20db8aae9f

SHA512
2ceaefb909f8c99705724f92be4b0ed46ff74d13ed78e545ca4cd65d39eca6100274e42a361377950bc21c346e2d84580f593e2017dc5d1d7bc798a895e9bcc5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
730f63b2b56669f99351363c0498c521

SHA1
839b7f43e01f90e07494716343ba9da2dca1e346

SHA256
d9bc8364b98fd75d582fa9a5f14d91ac56a32771dd010ea5e0097621c6a72f13

SHA512
3f993f7b8b2fa58b65f3c62d351b0b4a715271acf5bbdceb3060e747af3843cc63ff9fb0852e873b70b387e996fc913a8685c7c3120346a5441fb1547b587983

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
e057227a943676271a33607c7a3ebd10

SHA1
2f6d60d64865aae4c90b835a449e5be5d2fbc272

SHA256
6dace68785e603e55b2197a072c79fd65bc1e4ae61b5fd07fa71dbc83532152f

SHA512
cee1a45d6cc81af62ebbc411161c720aadf5d1ce51442d1ab0e0545efd18783d5f5578911bd47919a332c353507a58fe88ac72e78470fd23677bd1d42712676a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
388f1172990fb795383b747bc57b4cc7

SHA1
aa966a74401c6dd74b7b189d8ab53099a8d3b4f7

SHA256
6ed44ee9a7eec6540e30d091f4a29f587cd1638bceecdd5b7b293cf8a621d38b

SHA512
6213f4a7fa428801ab6e82b22fa49a831f5d81b229dcb15d2d19ed675eb9398ec6d5448a70c1cd6e7c0728955d76ea057d785278d698f902f10c80e852500ef2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f08985b33fdd4e4c98c6eaa359fd482d

SHA1
4ef45c598f3ea5547e94c800a5b120e437d03ee8

SHA256
81c83577000d98fab69b148ee6a2c5274163d6f1178ed6f79b93517b30a7645e

SHA512
85f05a578c66f3835518a9774a9071408d40d37befe2b7c3987a3b4456b6f60c0f210b4008f8a62635508f1c6636bed3f495f9c11bd75e4d1656d3c10bd2c2d4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
7aac6a474dab0deb919d5802fded87bb

SHA1
a8e6bdfa3ab02e5b0e40fc87c05f6d24b1151ba1

SHA256
ee712d98fd52ef303056dd4dffdef33f09fb446f1992267fc1e9f6406d772282

SHA512
6f27fa9b0606ae95f6e1cf8239aede21729cbd0b213b106cccf1230983e94e3278672311a8f61a249ab8e855563957f21c74b6320c81c4e5fd585512a093decc

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
366b2fc0736cd55122b3e89abcc88ec7

SHA1
019b2a2c3e784892ce6ce3d6cb2c121ce3e0f5e6

SHA256
5994b2fdd989572797d440c984467603b9229c1ca71372d1aeb9562d72c703cf

SHA512
8478efe23a6734421df66e736996cc177be2ad0a3ecd436a0b2321061467438084fd4e87c18576a5d0c906b9d51c2f990b49c0737332d61536318595ca7f4631

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
5fa005246cdf56ff3be80cba40c387f9

SHA1
8d12fe5ad94df8dfbe92701b9552520b81930a45

SHA256
ba9130d6a19ebeab6e2af791dfca9be6e70cdad5a908ea56eb033f06ddfbc99a

SHA512
e97c1c05222d00b19e6f1dfca20f88b296d8d49fdedfdd0b4e08d19512954cca175865a67d21193d3d7ab544e7d3d74e572687db9b3d4478630a3afdd0701851

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
443d572d683507bc60c893db8fa9e39f

SHA1
c773ddd87c28268cd496496d3dcd408a60ec549b

SHA256
870670b22370a3998c1ae9116ebc63503bc794cd1be7f205793079a2a4808242

SHA512
5630e87474ec91a600c4f6b041efb2fc072ca6144a97e7bf96cf413c976bd7dc729f92addc508c51dfda52ef33a8f1214864a36a8b65f26396419c3518070f13

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
0f215fba53e0d705f614a6b86fb6bd6b

SHA1
46e06e37f8943ec5f141bc6fbb8c7e1570af87ed

SHA256
9710b54cca0c5f06185b169f738a70b2d762200784a8629fb0b309f2cd0f9b52

SHA512
b6856d47ed37ce5090cf1fac3a77bd9ee6ce2c893ac941afbaa1846a6e8a93ea26010628086bdae57ca4e96c433f4775ab05becf5b9a2e3997bad9dafdbed368

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e18cbf5d64634a2fc9f4eff10e36ae25

SHA1
9081a4c3bcd5c889c3974177a7452ab20302980a

SHA256
ba615ba8dfc78dab011f533d77e7e15a43f27a2f144880aac15f834e76fa6456

SHA512
55f077e58f7af49da0e58efbf54fd1a483e5bbc70ab0ef41785494198b6e5e1cb9c7c65aa8d453b3f8cb529f1395df811d3df624e1446330f1d93f5787141e10

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
6b5786ebfd9c24a0feb05b6f88739ede

SHA1
b811eeb117e7d99dfbd1b66da744304c64ef66b4

SHA256
4a9ea41aabfad2404377a8dc9ab8a06d32abebcdcda9f666ccf3202240e752c0

SHA512
2157018aed1a3ad81640f04a8a3f7733a46811e2cef660c170abfddb329448cdf0053a196a6cefe9fe42269d8942a53fe62bc203ea2f8321b939ec011a8f0521

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d331b95b31f640bdc2888ebcb483f210

SHA1
35287df67de802ad58fd51fd5c756c796fc0e60f

SHA256
fc2c4ed9ad940733ee8576febe89cb9e8f69f0ce2a949cb46a330ccbf406eda9

SHA512
f579e9f59e67cd6d042e8d5a65758802a5d794a3f8548d5d08c5090eaf0ceaa92d96d661b72c5b2f33b09b13ec37fe55a4623bb7a2bd65ff59f64892773fc94d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
6b6003bb14bdb0e401d3b594175b8a54

SHA1
bdbaa17e1e048794e16c80d727285dc7221e5d1b

SHA256
15426d2990394c98edc455592f35afada93f49c27ec5a8df7d46a071b49175c1

SHA512
66e1808e3e53cd2d090f76cffb11b2b607dffeee3ceec62ccc7e5e7fe5c8b3183b6a270921f3e3dc884ee919e836e2b8f8e073654a912957c1597a1fbc8b1dce

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
bf78ebbdcac147b7c3118edb58f316db

SHA1
47b62212cbec3cb8b7e8a622ef63fb37e77d9846

SHA256
97bbbd806bbb60008116212f43aab22c77f2f0ef7507c3750222b631c0b75284

SHA512
7cf0967b060d9e6ac3fab25d5194681275ba2734222e07fd9b1634bef3466fdcd45ab1bd36e9b8b4dc3954e61108db6b864c18da709588dc17a0b6b5bcd83c96

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
cecc4dbe32a691a5a125f4e26912e9b0

SHA1
d4aa16a1ea752c8e047f0b804afab87d9b4c7415

SHA256
4cd18aa060cdcfb7588dfa988dc167d7ada671c73d2ed525bbc0afef85abec1f

SHA512
da851f08ba10afb6d1dcb7e4402fc88ed0b4ecf13d08547bf3a2f4e3ae24497bdc8665f3377f49d46dd4b237f70319ff29f5e4c23dc6564832a18b2e4d740946

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
9ecdc08de22f9e54b9e8f8883313e229

SHA1
2b55fd32988d3986419f3bee882902e55994bc41

SHA256
cafc1fbd38926df380d435316fce1ff9c6f66a2c3d3b363d9cb295e3fad5abe2

SHA512
8c3490e9e9481ed7027d4af85220b638f3432205d8279d3d0891ff610b01e32abc7520717f4601578d78b4d824a0601ed6e2ab307d0d4796ca8761ef5a1982d3

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
cdf75b0b2aeba7b707fdd080739d33b1

SHA1
66bb0d1dd091fa0f7c4639fba43eb6d74201d561

SHA256
8c39e7c813d5cc654a12a8ccf750dd67bdda6394cf4988649f69a5dcad8d0e48

SHA512
600680bc96027b3bda2375d1ed025d76ad070d7b3971870c517b7b00a34fd5f89106b4b0b2c67dfa49a0dc123edb05d3eec5a725b0a4cb6d7db93d7f106fc079

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a3f4cadae7ec1d32c5970adedfab7596

SHA1
0bd92cd1767089c5619484209308724d1ebe8b9b

SHA256
32db3d681bde735ee30d7bce6d4d187f8d2c33c24ae98faa441774d48374dfca

SHA512
1e33c4eb3c28028979e4eeb0474146a8745f66bb0b003c5a65618b71cd8f3d8249b75d7da9822576063f2923e988209338606a183f56388e1fa120eb72cf0a48

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
e8080035d49b0453037b1e3f808566ce

SHA1
cdaa1547bf0af6947c80652ad9272162cfe15b7b

SHA256
2763a2b8fac6d7c2a30ae07a5c32ca662127e966a2fe418a83244597ba80e570

SHA512
3886779f637c0eb71b64bbf8d5aad59beedf959f083cee4b6c29cb8a6351bbf9f65982ad075c9a4eb53638ec643022d20f1187a26c6246a2a0e6b3d2e5bd526d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
58f203d943c6208475822a1f2252aaf9

SHA1
5acb0bb5f5fd1285bd49f77f9cebe398a4e407b6

SHA256
bf6d5f0d390406da47eca9af0788ae8f7040086a97c85d016f6921d965b65703

SHA512
687e5ef4520dbac87491ff5144dfa68e30e37ebbbf5dba82b97451acb9351c9812695a03a16649ae3b84e4660580e072971c381834377824fb6695365d1cead5

Download Submit
memory/404-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/404-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/404-234-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/404-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/628-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/628-254-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/628-261-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/628-268-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/628-267-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/700-548-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/700-416-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/700-409-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1100-399-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1100-406-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1100-403-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1100-391-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1208-357-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/1208-350-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1208-419-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1312-270-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1312-336-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1312-279-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/1332-34-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1332-233-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1332-26-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1332-27-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1720-405-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1720-339-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1720-345-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1784-445-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1784-379-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1784-386-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/2148-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2148-65-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2148-237-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2148-72-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2412-362-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2412-372-0x0000000000630000-0x0000000000697000-memory.dmp

Filesize
412KB

Download
memory/2412-298-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2412-304-0x0000000000630000-0x0000000000697000-memory.dmp

Filesize
412KB

Download
memory/2524-310-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2524-319-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2524-376-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2644-348-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2644-295-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/2644-286-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2672-309-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2672-242-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2672-243-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2672-249-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2728-15-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2728-229-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2728-21-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2728-13-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3372-549-0x00000179B9EA0000-0x00000179B9EB0000-memory.dmp

Filesize
64KB

Download
memory/3540-459-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3540-467-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3668-432-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3668-365-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3668-373-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3888-7-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3888-10-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3888-14-0x0000000140000000-0x0000000140247000-memory.dmp

Filesize
2.3MB

Download
memory/3888-0-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3888-1-0x0000000140000000-0x0000000140247000-memory.dmp

Filesize
2.3MB

Download
memory/4392-447-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4392-454-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4516-389-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4516-323-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4516-331-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4520-420-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4520-429-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/4620-434-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4620-440-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/5080-56-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/5080-64-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5080-61-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/5080-49-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5080-50-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download