f4487457586b69a7802fb049c90bf3273787132300f816c218e1f6214efb5f69

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 00:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_0fd77907aadcc864d7012878c9a692fe_ryuk.exe
Size

2.0MB
MD5

0fd77907aadcc864d7012878c9a692fe
SHA1

a57132e684f5f792d6ee76bd40c15f8c49d7ae42
SHA256

f4487457586b69a7802fb049c90bf3273787132300f816c218e1f6214efb5f69
SHA512

e6a9a2a9907813e0be6f98f1be6d199fc2773109aabfdee3499810746c5adfa212aa8b4cb82f00036f37cefefe169c129316eff4ee24bfd7ab02690c98bb8ce7
SSDEEP

49152:Y1SpUNEHAtai3fo7bfbx5Wf1R6bJ11DTKDcCmq2seRcA2NyZ:vi3fo7jbhDkeyi

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1656	alg.exe
4392	elevation_service.exe
3080	elevation_service.exe
4836	maintenanceservice.exe
1112	OSE.EXE
3280	DiagnosticsHub.StandardCollector.Service.exe
4016	fxssvc.exe
884	msdtc.exe
3148	PerceptionSimulationService.exe
5056	perfhost.exe
456	locator.exe
2608	SensorDataService.exe
1096	snmptrap.exe
4604	spectrum.exe
916	ssh-agent.exe
1136	TieringEngineService.exe
1928	AgentService.exe
4668	vds.exe
4164	vssvc.exe
4364	wbengine.exe
960	WmiApSrv.exe
2644	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fe84acbcfc7bedf8.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-20_0fd77907aadcc864d7012878c9a692fe_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_89187\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_89187\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_89187\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000097e1d822ba92da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000932a9e21ba92da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a688c223ba92da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac27dc21ba92da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c320321ba92da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000051f1cf24ba92da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4392	elevation_service.exe
4392	elevation_service.exe
4392	elevation_service.exe
4392	elevation_service.exe
4392	elevation_service.exe
4392	elevation_service.exe
4392	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3988	2024-04-20_0fd77907aadcc864d7012878c9a692fe_ryuk.exe
Token: SeDebugPrivilege	1656	alg.exe
Token: SeDebugPrivilege	1656	alg.exe
Token: SeDebugPrivilege	1656	alg.exe
Token: SeTakeOwnershipPrivilege	4392	elevation_service.exe
Token: SeAuditPrivilege	4016	fxssvc.exe
Token: SeRestorePrivilege	1136	TieringEngineService.exe
Token: SeManageVolumePrivilege	1136	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1928	AgentService.exe
Token: SeBackupPrivilege	4164	vssvc.exe
Token: SeRestorePrivilege	4164	vssvc.exe
Token: SeAuditPrivilege	4164	vssvc.exe
Token: SeBackupPrivilege	4364	wbengine.exe
Token: SeRestorePrivilege	4364	wbengine.exe
Token: SeSecurityPrivilege	4364	wbengine.exe
Token: 33	2644	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeDebugPrivilege	4392	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 5332	2644	SearchIndexer.exe	130
PID 2644 wrote to memory of 5332	2644	SearchIndexer.exe	130
PID 2644 wrote to memory of 5360	2644	SearchIndexer.exe	131
PID 2644 wrote to memory of 5360	2644	SearchIndexer.exe	131

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-20_0fd77907aadcc864d7012878c9a692fe_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_0fd77907aadcc864d7012878c9a692fe_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3080

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4836

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1112

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3280

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2020

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:884

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3148

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5056

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:456

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2608

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1096

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4604

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3052

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4668

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4164

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:960

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5332
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
5c9a282f62a40224e774c9e8b4cee702

SHA1
2ff9715c27e6890691ac421afa7d38862c9e5b2e

SHA256
d66f6d9df58a7c3a933603ba6ba56ed27bbb3e7ef5593ed69843485a8a563af1

SHA512
e6f81164eb9248bb4d81a56df9bb74209a03050399d4b1960dd5a38994f4726e91f386a3ffdea9e7c7f0bc870c2152f4fe2de0d7362577860f2834f498cbcc89

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
cef7c012b6e2afd5b7dc84fa8e0a730b

SHA1
ead44e14776c90a1512d68eeb786908706dd04b7

SHA256
75c3190932cb32125f7443b8d588e327db781520f7260961013da7a91a005505

SHA512
3dc1fcb3df2bcc58a9fa0f0b7ae3b4d636d9d2996a5c226347b7e5998d03907df3c0559bbb7fa44e7a74013a359f18cf37954e7206ab2b2c2bf66f207abc92d5

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
e4749e61eb13c4d822e22b4b7cca60e9

SHA1
1a244a461849fbab31cda5fe79955b6b23b28480

SHA256
4949aafc69d846250020966919e434ca1b4584ae3b693c81be7b4e2c8d78f651

SHA512
2424104dcb413ec6b06fd94819635a7f40d514bb55d7e598cc6dbe18c7f79bfca1edc057ebd727fe7d865b5ec6a310bc6f6c2ccbfdf011ac1269704d7af0ad95

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ecda161f012eef2ce48fbf3b1b3c782d

SHA1
dbbcfe62e868bed87334c232fabf6ae65070f3a4

SHA256
420c1694d3b4a4abef47b648ffa08a93bd31079cb21c1026d41970cb57eac4ed

SHA512
06222bde184e519b8bd1d3aaa34b2ced9be63bad15282d4cbee1a24e35fde26f1c0aecc847bf9fe10c347c03f5038487ed3f1cfeb1239e7b21c1a396c44f799a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b47c0f830c1d5ef6def9dd97168b5f8f

SHA1
09e0bdd33de87de6be15f71ca91dfc286f48a46b

SHA256
a3743cd10c2fc418f3a25a092ae75fa6fd2007683c67f6fa694dba268cacd0d6

SHA512
cb154757fb345480bdf861626dd5df19a1f82b5af3909740bd18298725b12cf180f28cebf7b53a761ad25a4a4cf3a2adc9da19d36dc2cd6cf598a9ebe736f9f0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
5b85243ddb2a5b890a1d39015d475507

SHA1
9d1c06785c6e34177b2b8e49a041741d1765e5b4

SHA256
7eefbf4d149a786f98bf704ef58852e273a33bb17fa790179ef19cd4f295ed76

SHA512
25afa4e3f4829bc7af255cb75345e00016ad019e1a51c8b9f4c64a441ef679eea8f0fd70a1e81b8a02e169c28c64f6d54f12734d00af5350afb8c66d49eaa60c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
64ee6489a5064b8882fadcf457f02c37

SHA1
63f600687416033d714d3f218fe9cc36fe6b8864

SHA256
936b954ec445bbe50848fd9ce04997476b122ea475ee2e9f444ddd84ba2ef8e2

SHA512
9bd16c03e5ce663b9279cfdbc10b45739eec047d2422114c56beeacabe1af16505db3c8c4e254b14110268c979d7f082b624e8536bad43be3f316900e3a182f1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
6f8f66184966e3b072ccd90bbaf332f3

SHA1
f6477223ba8028a62cf2b573e64799c644d29a5a

SHA256
d73b4ab0a30c622a67b73379b154a94f573973b3964db5c1b20a78adca2f7871

SHA512
88926ee710b643f26cf2cbf2924bfb41431acf253269ccff686e5e3be6efcfb5cf1d81afc4a91cab01e42e75e1a320794c7990dc3c9faf225c75ee1ac1abdbbe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
56e600f0c95919fcb49ab661110a5af8

SHA1
2069345dcf8b67e3abd1ba0cd788ce9579ad9052

SHA256
9270fff1c2d748302a82bc1e4a8e749ca03d681ac6f797021bf33b93cd81814d

SHA512
686ecde6d3ad16fdc9cd40acb24525286fd9f91083efbd738cae675dad6ab6dbbddf9c32299618c7ce99a205a8bbc19d62a6339c4aa54797698f9918da48a65c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
436ef0eb9806d7e52dd3d131f647696f

SHA1
b6e72d5d373cc99eadc44fadf766fbf2fcf796fd

SHA256
fd691c90040b6c76f21a3763aec3693e7ebb538db41fbfbeb1a153dc17c6e809

SHA512
6e4f44415943a832cbcd5e0613f399fcc98e813058edde5c5ad73566da6f935aef603085e0f85327c3a9cbf7f00d23e646f9b67b638febf11dde8328598bff4f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
95b66a261b5cc305f19655e7306c30fc

SHA1
601e5ae49667aade295b927f72721a7a624eff32

SHA256
cdeb3a87e50a51dac3d9dd6a055674ad365878c7a218e7c44c65a1dcd3156420

SHA512
7eb3bc10322b8dcf31234eda33abcf28cc08e2c1157afe20a8f1a4f76719580c9b28b2e08d439359a6c60c95fd660e43f4f5c3b6822ae18007113061c4b40318

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9c354c54adc81ba90744e73a286db446

SHA1
bd2c75d0a086f5bc36be9469ebb56b7abf7f5d5e

SHA256
00f2e1ee791c7440883719ee4c6d8c05a58d3a37a4bcfceb0eb3515e7a8fbea6

SHA512
5a9d1ed6fa723ac1a93866f13fcb00f74f8406328501d822580310225d84c56965bfbca9ad4bb86c80cd7546354d4d27e9f3daa10a56e909853faa952a6c9cc4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
a8771d3efce41b649295906ebb57ebd2

SHA1
ec1dc949f425c22bef67d4710ec45dddb806a915

SHA256
ecfc37a334d7c82138e9b3ce411be8215e312ad11317e1e958f28710542c8f5f

SHA512
dc601b2702702d2e81a21d985fae1a7802c59e61e42352a2c46604165fb8c45cbc219879682633bd5299a94078f9c8353f3646ad15d7da75cdb95c8d84b998d9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
213c13541a3b88cdba3e2f847449d748

SHA1
95dc34f13a04fe835ebdc12e668b94b9513a3366

SHA256
cc9686c8c2c004465e68f9462d1e705a8ed29235989594de7851b08f088af1de

SHA512
102f2af45b71111edbda916d08e0bf4fd99f72b6ef7a2c86ce1cecee7e507726d12581bf966915354047c4eca9104270f7eb015eb8cb8e318effc3407f01f40b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
1768a1d430e0b1a54a6916c65a1ed05b

SHA1
66b83b0ce399bab12ee3768704e07cfda2da0ab8

SHA256
05bc2a3296350c5bfef226439e4ad46b98729b71c3f39e130cdce7f64035f3eb

SHA512
7863fc5201befad2b3058e24c1c6fc0cb9afd6c4f26e66954dfb70df7ea91921a4878028e9ed6a51df39eadcacf0977b9ca9edb8dfa7747fff2487d333e64549

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
9b66bb808b10841c2fdfb9645ebb61bc

SHA1
c921276fd30be0ac4e6ae964dc1b34d925f5faa8

SHA256
af193d058bd1bbaa0f8c82ba45856ffc18464d0d1b545bf43d9c055b0c4925b7

SHA512
4369d33973180567131b3f3125b40efb172c512e0be522b16d716c3536da4ab636d2183f353eaef12fca7c1e7f95828458f07aa35015390f140e95dfb03ede3f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
55e9fa0bc5a5d09e500c0fa2b5a59235

SHA1
9a852412770481bbaa1b52ee48c4a9965b30ab2d

SHA256
9b904db89ad02e4abb6333c92725f850bd5f155db8e4d8f11c9e6255211d0e5d

SHA512
af723a75d91fe2d7a38d4ed147ba67b65b10af7a939ed51a0f0becd2bc93550e2063c942141d73f408a23e0fc8a40d42faf05a74a53bd0193114d2d92ffdf4e9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
136e5d06e125013966fa2efea093373b

SHA1
d8e8012d6d35fcf126fb209292c1249f701f9926

SHA256
90e0b15a8258631d4b99ff1dc141bfae07c94ca3a45625f9bc040f6e60d22afe

SHA512
5edaaf6bac9eee75e05d3121b2d096561555056cbac579ac99544cada01b8cfe3f8f66a15de2d4f910e6857af411ef25b7ccc9ce4782eb5c4400f306ad955c5f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
70e58090d0bc52ed3c1ee48d4c8ffa21

SHA1
9070be37f05b859157f57debfd919630a00b7438

SHA256
8f014c6ef18c01388effc5fe23c1f3e255d0e638a0bdfc27f426cb5b0cf01eac

SHA512
284c1ed1bfcf4ed6db77ba737aaa4a3851692d1443b2a842fdfb2f1cb48aaf03d712ca2f2d161f96dc5886418c46ae1cf4cbc4a2765f6d0cf0388da6eacf34d2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
31dd34afa601102a2973393d7349a71e

SHA1
2742434ed1782f235bb4c906905e8b0c8dee96ec

SHA256
ce4b092b8eba2f44a2fc4fb90967aa64fb3ce7c43eb77fe33fef11d24894136f

SHA512
77c54355f0f1317b62b817afdafd7d1fa77af5a067181ed0921831bcb916b83d3698b77fc153392f5170e4e2a7b2460ca302f320f3eeed4740a7794c66352d37

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
0136a739f611deba488a7d8f463e3e0e

SHA1
711627de65c4f74e3e6a67856941f094865bcf76

SHA256
f31f0b6c8297128b8eb70072829692da41277df852e151a336b76cf77aee86f1

SHA512
fea2ed339e8b66adf094914b8c165fee67fdf8a5845d6079cbc5e3eb72b4e161877a3ae71e335b0e81d43ff2e8eefccadda8f214b479ded4930b40734e75e06a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
04cfab6795c001dbae017d720c5f7721

SHA1
51f3120f18eafb58f3d2b567c2ce61c97535f2e4

SHA256
dff4bb55eab49a7b5a253c65267cbbcd45118a7e55d06d8dff38ab7ed4ba5cd0

SHA512
e7f936495ff9eb8c362fc88dad97e2fb58aad8c1f5ffbe0b5af146467f3b32042dd1f8f7391c74b37dadd5c3b2d4db3323863da32ae26d24bfdac1410331cb41

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
ad27b90883180cacff0e8e7ae27fdd40

SHA1
3244eb90fee94f3f917a74f3f4b6ad4c59141136

SHA256
8ea91c5da698cb1704dfe4da5491ab355ba9712b31be687b107d6d9935ef417a

SHA512
937048ada094f4bdc04ae6abaa5d7f18ed527c5989ba2987993ae411a8205f697baee4f9c637884dca54eac7f1c78759ee4ea864d8e3b3b69b2ae860c1f20aae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
696ce8eb0b608f0b48ed002199e936c3

SHA1
11435045db10d5ce4cb36fc68885f3f77062f44a

SHA256
e22f12879157e0d89a1c5770a5c0700438936a25cef67df348c37b2a4827e58a

SHA512
d0d1d946c5e96e9df0ee40c042374b41ecba26dab203bfc05a150f1887096bc2ed9fc3fc7ab05ed3e8a5082f91300382ed48f16259fe0e82d5db1f0782120c4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
78f76313b74190221c1dedb7a6fbc3ce

SHA1
bc9df898646e674c125ee2a2423d64c6ae5887b3

SHA256
48775e9729f91e470b88e199615ab523a4a710eb65adb029d5c0ac4187ec5084

SHA512
01d13f8e6cf6c513d5349139c7875b9282b43c1f2bdb72f1bc87cdc742052c781ba4fe27569ef6cb910c56dd9e8519324839c3e0913859a6619351dc0522f799

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
4b0aaff5dd5ffff49cd14de3cd679b27

SHA1
fa94240804251324bf08870662028924dc04235f

SHA256
0e6afc04467b9f79d1fc678337c03870e9d170a16c8f816732f66ab23d3d0903

SHA512
70937ede16d02880b690d3dedb63c52ae6ab6688ee05b228f7526c4c49df7e86e2c620ef09275c2e35aa2b7df9a792bd42c1748bc9f0955cc52ad150f5d35d5e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
892920e7cc5eaf61b7315a1da963bc13

SHA1
aa1f83ba39923c336e6cf3a30fb426e47dfdc435

SHA256
13f69e9548c1e322fc876ae7f5acafcd47d5451feac694570a14987a1a2be691

SHA512
1a74546d0870dcd773e5b440415c77de7695ece25f0d5a05f6ac6dbc9bacaffc102b685e5ab18af86666e6e384484e77a1830c8539552c8dc3beff6d8a249ef4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
c3252ed9d93ba5cc171c07c8c3653f6f

SHA1
036ef0224a8e988264d82e21b766e238d151faad

SHA256
b740bd467f96ec0244fe051d6687a1888c7705ae40140b3a24c2fc84c845cbf6

SHA512
0b8236a8b6409c8934ff4805bedbb920a0497ee1017037ec1a9ec3a79d85f56188253d7eeeae13d40c29e06315e04511f38c76d2e44899b95ed573fb7abcc320

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
4d0b949ceda5259a53187012f2c3302e

SHA1
3519e80a2eedb279a46c748751e59aff0afb5257

SHA256
08defd4c45488a03ddb683cc150d553fc4b3e2b7a52935cb3df6c4b1640922a2

SHA512
4e71fe83c694d2547a16cae59a10fb53334d8a6eae3fcba3ce71d85556908cebed6e5a3c46625085e408236a142d8c704a55147c4f6a0ee137c14a3a0a2bd663

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
0503ee5a80bbd7982d31c157fc5d1262

SHA1
a6e293ed60ed44ff2d5abef975f726ea07e09b35

SHA256
dc5e3114892f7b40f202d5382396935bc088847ac0a729d13585a4dd9e4c0173

SHA512
3339ea200a51886698932c266771b5a07d5da85f7d3f9a02c84f3386f2f258c38a8c7304373feb6794660a0cd283b6dceb34a619d1a22fc882b6270d6e5f892f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
6651ae5f11b9212ec6597dd967c79e99

SHA1
02b09b96c3e6e9a2a1fd1269f3b727b3f6dc8414

SHA256
9d98a7baa5b9dcc3bcb1bf5cc431258a6d002dea04b60bc5ba9f5544c20076cc

SHA512
478b426bb77f067b5d012f57b75f74e9e941ae48695beccb72777afcc2a8a37c2f8ffc381f46c7550f19cff2d71326c9f905e17be05708867137cf9d968677fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
eed5e7afd023c0410a6851bd5aa16b97

SHA1
9082c966a1624837ae829f4a754ff2ae593fa613

SHA256
ee665a73faa21cca391870ed74ca7107940688ff833430be76c62b119d8a8c31

SHA512
200b59cf35fc5b90e7a75377d28092a7cc6e66c7fc532665457039d3b869804ad1e27a2ad20983639d0f1419d031b63550646990fc0acd552959b81834808978

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
877f49564acf1f8819dce1a39f0a2e43

SHA1
ef46c16aa1e3bb203eda84770a5aa722eccba173

SHA256
a305b7d1ba336db77ed894052142ad7a34252b8a719d898d5b8d93f6c641969d

SHA512
b1dbd373ce06cc3732eda364114e6849b6172eb34fd718de703d3151e4b073ce64ad81fe47a0480e627e54d26c6b25438af82b7418e7bf876b2ba37da47e27ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
9fe0274efbdf424303663d472c65c65d

SHA1
f1934f550f97d67438c819c7cdf4f2e41b579c4b

SHA256
f297bd815f672397188f8b4db3bc6760dab078696f7345448f0bd57d3849834c

SHA512
28e4c47cdf73e3e1be9a2fd1c6452fc691c1a48e88559a3ff70e9d3a1eb1446db73d0ba36b1ee1b4aa87efc096503f9aaaae8685948f23ec6c4d0f40fb5657a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
21c16ff6279103a9df75561068971441

SHA1
c89ac1892c799b378649f143cc2047c250c5fe20

SHA256
0c771bdcf10c88bf27344cd72cc4043e9cdf2ad477594a4a9b6a5ce06bb2c12f

SHA512
0dc863fd18ad0576f0c19d3fa5cc82ee0b34f23e897cd0517b4d26d6b19b32bcb5fd20a72b2dd2b476dcbf78e2f0655a0dccb6e9d104fbaeab069486f38f7f2b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
816e4a8b9aac4cc7807c99a070c2320f

SHA1
b33e531417a463fcfb7d54903d0157c5aa965505

SHA256
e22288489e22f2beb6219af1e6e81bc5cb1b2a3c0edf7f1ba1337e779e9e55c8

SHA512
4200a8012d1756d412c5119170a8f60a30eed4e0b7272e0d4a2fbea06f8ce238127e711f14dd6fb8360372c3edf0565ff04dda4b35bbf0f92a1505697c585cf5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
7ee3ba8b636c8a94320b851f30d593e6

SHA1
4228e266b4ff8d9cf9579a347d82ae267c37e37a

SHA256
4ee90ddd2f53e5538321baf18d4d2642b1317915cf91bd08a0ac82fcf00762c3

SHA512
029ff8979338470790e28ae4b5c8ccc62a430c44190dd4b3bbc2ef520aa7a96778c4942368fd22d9ca6181ed2a4945553b57bb031b7e6b1788a67a5ae4fcba7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
e49536febab4a76899f3ecc8c81ed60f

SHA1
240d88e3b30686420ec9e306333858587816602f

SHA256
49cc08568405639297e6bbb77871cec0640190088edd4b6d0a3a5a689ea876f7

SHA512
1df47517526ae41b64db3ecbf4fa0c9bb08755bbf4237e92c8c811b311a26d4cb64728879ab433d1b51fa0d8a3c9aa13e47c489155beaafbee04ade6077d6e3a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
449fb20cb0ae4ca31c4feaf5d10a6062

SHA1
0915d769622377d9d06c8c80f44eed9570f36d75

SHA256
bdcc9e14bc8d1d25ac36044bb9e88b412b4de3e5f723b4a310f1cba7ae20da1b

SHA512
7d9a39b60f436e1ab64604fbd5d02c352ecdebe81149c8137513d443b0df4f3cd2daff066b2b703f8199a130f50cca364172105fe8b7752bed8199946d160e6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
2cbafb7d512d23166d7fa89b2c6024aa

SHA1
4ef4feb1adac675f247329fdd559aab9ae774490

SHA256
7be6f6b715f50a4788eff3847c63ef28b6e81cac36f902b7fd6d7ebf7bb7943c

SHA512
4f546aa672a72398c590a1243c2d6ae797966a3cf14e97c0e5473cd3015aa35aa0a1530b922b269121b780fb65b7fde7095f73e603753938ea42bcdcd2bf2382

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
5e2629afc624dcc196d416da2bec9002

SHA1
47ce30fc75354e1ad3797b876605088bba6f5cc5

SHA256
c3bb09dc13947b7845db412d02eadcb95b64ff95b9a5d32dced2d2a688ff407f

SHA512
650c93d53f6bdcaeca5e7cd9c138e00777ef93f1e19e1b2382e7cc44c6fadf4082922b020f1c9907283be4fd74a7b5fd44939654e719f6c43fa338d1a062238c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
39bc1fca7abb9dccba02a1a1836a34bf

SHA1
407453d1821ff6df49a16ac6cf5109d03c9ab97d

SHA256
c866eb84eb208f72231fe79c4e3a5c1ab71934f668ceb9f7461e75c0646e2c8a

SHA512
b7929697f397b0faa2fb67da82cf20142ea2e5fad6123be607a76ce6f9dd5c8e310700281f751dd238703d1476c863d2453b50d256f3a6bbfa8152d9b8f1a08f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
5cfb21bd2a8675ef63288dcce887faf0

SHA1
b8d3ddf3655c90e2fad385fed41750dfb053d6f7

SHA256
60c1e2c1be8aa7a8846517888738849f0dd3db430471fffcf6044d8ec2db4930

SHA512
d1e0136c16c6b004d043ccf667c4c6d94d6f5dc50ba0031ef8e1564486b9f715b884783015f9b598c26662208a469dbedd4095a3a871f26d80770eac2296fc44

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
e162b7a328a3d6594b7731abf60a1c48

SHA1
746c6f8054cefe4494e10040dd6f33a3e4fb2016

SHA256
5e46c0327785afb584eb902e84614a86ef7240dddec428a54b2bc444d548a685

SHA512
890e9e11f5a112028de2a50623c5a1c971d08de8f04bc6bce3e3e71872c35af5c75708b0185247c9a28f9553657b7c50e657d124cb2a880aeca2da019d6a4623

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
60f2f242794f7ac4857b6737edf94b61

SHA1
12cafbfa4f5425168c7ba2fc0b965270bed458a1

SHA256
1a2f49c35a6923e55544602a011a016175904632ae525bdad649a43e00e1119d

SHA512
4ec3c79ab22cf94da32d92ee9c9a46870513b462304efc90a90f5472e46f70731adcce164e6ef19acf79c549fc63944957f5661cbb0bc7d46fc2a37d1b19e493

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e0ff7795a6c4b0a31eab0d416b8ca494

SHA1
adef5f08536a0093aee570d77a69c4cdf72d37c1

SHA256
398351f5c669319a7bde5472e143911aceaba4c09d28161aa686bcffb7aa3006

SHA512
cb24c7c0db13bdd63b2be882768f26beb6a7eec6ea97a1deb7c6c624e281fef002e4be088de571c38425890138696095f6a70855f262e8e5f86e2395c34b43f8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
0a8ae1b47813cde75c0fd358072c6d95

SHA1
d1fd1f55292a8549c3a10cbbdd73becdd01bfbaa

SHA256
172b589aa9666d7cdfe75e0a565c18ad60cdc139fc7ff22e53e8fc2fbe28bf33

SHA512
79f925bdcc222d88483917aeff645f2d119548c60e77791a09052a41bcf1dff2e7356c8e886689428a86b22da253b07aee56e0ca9a9f5ef09f39756102f5f377

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1d6045b496b641ac15b3dfc158d5062c

SHA1
fed870011f2af5274819bdeb1f1d93022794f654

SHA256
bef331d5437e61e33d1c63749bfbc85199c595144ac1c29a875a8a015bc929a3

SHA512
c29b787d34ca24dff77d22538b8709da14bf1ec2144f9cdfb76c3a652d59439302a11e11a3a0a8123ca378c8f81c62d5eeb39ce1ac0f82a32742f4dd8b5f412b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
d5c1443a0c9dae520b4d55da1b66ddd9

SHA1
5c12c139bf8178693b6f9a0ba7d0f55010f7ef15

SHA256
a2d6a77d21888d0433f1ecc0925d43f07a45b5208b6e5917ea2d7bc2c2b3be77

SHA512
608071742680f178e8a81d1b3ad9f8205a7704fc232d9433abbb567f6f34383af47aa6bdef1afcfb07a6cf9e41a7fba86d5ff52894fcacc2766183c0a61459fe

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
19696849b630610bf9bf88f1bf72db7f

SHA1
ca0565d61a1ab01dbaeb120b0a1e430368ad5373

SHA256
4a6d5a81f89dc0454ba10ffd8d0a3ee48e2e93bfc74bb904252a1659dcf6623d

SHA512
6e1b9cff9a172e915f0532b30329fbc547eefa75881eb4390f953b8fb27416dc9b4d871fc20b038079664ed8fba081b6c51106d8a8339de9d3cee08f6f2c9dbe

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
a551117094a6367048971d8deb0007b6

SHA1
bda5434720efb68192f3ba7cabe29fef563211c7

SHA256
3e066facb6e8c0fe2f18b1d8b755dc309bb28159c90a25386ebf95a6a8f93b60

SHA512
3b5bc99a4f01651ec9eeb18b37a188b2033af1ffb3be414135c0802c01a82f6b6844dab882e3b6a64554ee5c563ef5fffcdff304caa36de560d11ac93ceee29e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ddf1df4866bdc6f80c76530f22857167

SHA1
bf695e30ca7b9b9d6f17c78022dd656a88813932

SHA256
856addaf82052540c1af5b3a5e469a7f8835aafacfc4f7a8d94e816145658818

SHA512
06e7c82688ac0841a297008157564f8715d57c5968aabb343300b836a2fa6a59aa33e0eaf19c42ca227118139b46675d79e2448e2e66b30eb3cf65292cb8d2f7

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
44d5bcd9b4fd13c4a83ab4b53d14800c

SHA1
6a65d1eb852bc3bb7bd6f269170c377ed20a8866

SHA256
428e91b28548cbec23859d5481f4e32da52371a0077ba615daabadca2199a027

SHA512
97521ef9d9f8662a88d41a0771051c481c425974343203d5a15f1c40fce6a4fff5c7a3539a57e2312eec5b79a397f4a6f44ede5cf40970387335f012df0585cd

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e85c9432957f541e02a986165ab4bb9e

SHA1
2686c49f838c35a3b9a99573a69a9b15e77262a6

SHA256
fe0c783c1a897ea434731d8cdb4ad02bcf5f0971fdac5445038a14c6b1cc555b

SHA512
e5803f2fb8180bb1c8617aab512ca40365af9512a89445d216a63191269ccf977bb839131e82f472d81e0181e38bd98afded60312335e00bf06bb0ef1a6532d5

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
2a6326d0e75432f6b699a4cb725b49ab

SHA1
47a4f2684579a5056478d5ec252be82c3e8fde8c

SHA256
7324cecfa32a6a56b0acd0e228679f07904203bacf2cdda6b56cb8a4af4347f9

SHA512
a8b35f9572d7b3003b856d51b1ba5c317a109b351b9801159e9d1b4fdc55401eaae4ed48e64f7b9ebf4624958a1cf0015adbbffd2be0f368bab72e84e13ce7dc

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8cc92cac55597cde8dc6ac84ad9e4e54

SHA1
2323f3ed1d8fbd3b4f6233b14153d66c280bb764

SHA256
b938e039bc55f37a6d70a0155f1be88d33f6338d518fede83badde80c43346d0

SHA512
c2d4174f35f2031676878c757fe276c7e2dc5a0f9197c1bef5ccc153b13a8a0b6dc692be901a513314365bc39d548d2043ffbbb232fd1f3eadd100e16358c19a

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
3b93eff6c295f22a7fa3cbf30e502af7

SHA1
162bed09c85fcb47f0d551b17d2b905af30761af

SHA256
b41c697d7e084897d9892823ac41b19581a29c5a2002514cd48a50da7fe0291d

SHA512
037d053abf67e870950165138b182f875398f08b2a01868b667b4c14d3d5b70718e41f90739ab7b5305f7505d69a35f080b554c56720963cc62ade4becff422c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
45ba1826855fa73fb5b174443b7955d8

SHA1
7aabf90df13196fc9ce1190f07604383dcc9c1e3

SHA256
2b1d1914e042b1bf2c8d0dede77455e3c3e97c9ba0e847bdba4c27ab3e16c17f

SHA512
a3d377864e8e976568b99792a3e3654a2aa794ea24b7fdb02b42ba72d4e1150403d9f3102f2025adbab4823432c2582d37a813eda45722184c21ec0518f737a7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
90272f851f3e4374be2547e854690ed8

SHA1
34de194704b8e04862cf9a728a032acbe0a91e6c

SHA256
98bb5859ae7f03fdfe88b12e69c683882c28620dfb0b3a2c1225b983a38f0843

SHA512
2b08cc499255d05b45d489eef59d11559f4c569ea9faa14c0280a5489bafce8f5c0f7bf79b7e4b6f76ee1dc62acc50f1188663555f0454a89b99c7e0731fd789

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b82a51b1147703983d9e62f480d1c92d

SHA1
4be70a93500be98e3e740fa9a8d8f44dfba8e3b8

SHA256
52a706621fa84d3ce60121cbcf85b4167107a188a6056a25bbf9eb929e1bcfec

SHA512
4139e597baa9f82496baeffd736a800782354f608a0ae7980956ba823f4834b0804faf1e30c87afc77d92db2427da9b0ef2b06adf482d081b6cf0721cf7f3081

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
fb27300144164e6bfba8f84b88564010

SHA1
14afb4ebefff2864f9e1020742ff5a81f0434269

SHA256
4d3191848ce5d4cc21d338c071ccb1e7ffbadfd4005f8312376937312de7d4a4

SHA512
f5fca382d43aebc049b228c495c232c4bcf40fdb3d955e4448f8c77244a9c307e12356f50121055a68656f637aa347fe3d38a13900823226d2a195094d429983

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
270bd6cb08e1218c5ebd4555d31e0290

SHA1
611ee73db565e35b0c54502583e8143da9057796

SHA256
831689f509be3ac759a5f839d638eff9c68392b6524fce34cad4214021d9cce1

SHA512
4b0d5549e4d86473163236bc371d861303340ab1ea1518df12926e819026c4f7ea1d0cc1493b5f71da63ada5062da90c458bb3f894a2d1bd020f4a462c58c1f1

Download Submit
memory/456-319-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/456-377-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/456-311-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/884-336-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/884-266-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/884-279-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/916-373-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/916-432-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/916-363-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/960-455-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/960-446-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1096-406-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1096-338-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1096-346-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1112-71-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1112-64-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1112-236-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1112-65-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1136-379-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1136-445-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1136-385-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/1656-14-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1656-15-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1656-22-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1656-21-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1656-227-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1928-404-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/1928-403-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1928-398-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/1928-392-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2608-331-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/2608-550-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2608-389-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2608-322-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2644-459-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2644-467-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/3080-38-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3080-233-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3080-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3080-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3148-287-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3148-295-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3148-348-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3280-248-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3280-309-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3280-241-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3280-242-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3280-249-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3988-7-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/3988-10-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/3988-1-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/3988-0-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/3988-12-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/4016-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4016-254-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/4016-261-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/4016-271-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4016-273-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/4164-422-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4164-429-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4364-433-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4364-441-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/4392-27-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4392-232-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4392-28-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4392-34-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4604-358-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/4604-349-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4604-419-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4668-415-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/4668-407-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4668-547-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4836-49-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4836-50-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4836-56-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4836-59-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4836-62-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5056-304-0x0000000000850000-0x00000000008B7000-memory.dmp

Filesize
412KB

Download
memory/5056-298-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5056-362-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5056-371-0x0000000000850000-0x00000000008B7000-memory.dmp

Filesize
412KB

Download