70c668fc56a5338e6b7b31aa197db2847a6eaaae52f115b4d5f3b3ff0809f8f6

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-21_cb9c7f31db92a02ba442725c9237d556_ryuk.exe
Size

1.0MB
MD5

cb9c7f31db92a02ba442725c9237d556
SHA1

0d7111a8a991457c23d8597ae8e096fdb8f5f261
SHA256

70c668fc56a5338e6b7b31aa197db2847a6eaaae52f115b4d5f3b3ff0809f8f6
SHA512

c50fa400078088929d98080227de776c406544ef42be5a02f0894b4c0fee9a5fe3a664b68fd9d29820828fece1454d857a922bc459d6404f31e4bd6e93915b2c
SSDEEP

24576:u6V6VC/AyqGizWCaFbyqt/sBlDqgZQd6XKtiMJYiPU:u6cbGizWCaFbn/snji6attJM

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4420	alg.exe
4664	elevation_service.exe
1788	elevation_service.exe
1972	maintenanceservice.exe
3196	OSE.EXE
1668	DiagnosticsHub.StandardCollector.Service.exe
3356	fxssvc.exe
3696	msdtc.exe
4404	PerceptionSimulationService.exe
4272	perfhost.exe
4368	locator.exe
5088	SensorDataService.exe
3556	snmptrap.exe
4860	spectrum.exe
4776	ssh-agent.exe
4384	TieringEngineService.exe
2100	AgentService.exe
948	vds.exe
4764	vssvc.exe
240	wbengine.exe
3956	WmiApSrv.exe
4784	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-21_cb9c7f31db92a02ba442725c9237d556_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\10e80810c43e60d1.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_72093\java.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_72093\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e1dae87ae493da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad426f7ae493da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed70db79e493da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f9a7337ae493da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002feb397be493da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006cd03a7ae493da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4664	elevation_service.exe
4664	elevation_service.exe
4664	elevation_service.exe
4664	elevation_service.exe
4664	elevation_service.exe
4664	elevation_service.exe
4664	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1804	2024-04-21_cb9c7f31db92a02ba442725c9237d556_ryuk.exe
Token: SeDebugPrivilege	4420	alg.exe
Token: SeDebugPrivilege	4420	alg.exe
Token: SeDebugPrivilege	4420	alg.exe
Token: SeTakeOwnershipPrivilege	4664	elevation_service.exe
Token: SeAuditPrivilege	3356	fxssvc.exe
Token: SeRestorePrivilege	4384	TieringEngineService.exe
Token: SeManageVolumePrivilege	4384	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2100	AgentService.exe
Token: SeBackupPrivilege	4764	vssvc.exe
Token: SeRestorePrivilege	4764	vssvc.exe
Token: SeAuditPrivilege	4764	vssvc.exe
Token: SeBackupPrivilege	240	wbengine.exe
Token: SeRestorePrivilege	240	wbengine.exe
Token: SeSecurityPrivilege	240	wbengine.exe
Token: 33	4784	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeDebugPrivilege	4664	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 5420	4784	SearchIndexer.exe	132
PID 4784 wrote to memory of 5420	4784	SearchIndexer.exe	132
PID 4784 wrote to memory of 5452	4784	SearchIndexer.exe	133
PID 4784 wrote to memory of 5452	4784	SearchIndexer.exe	133

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-21_cb9c7f31db92a02ba442725c9237d556_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-21_cb9c7f31db92a02ba442725c9237d556_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1788

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1972

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3196

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1280

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3356

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3696

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4404

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4272

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4368

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5088

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3556

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4860

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4804

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:948

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:240

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3956

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5420
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1648bb957d71839878dd2e7f1c0424f0

SHA1
b192252cb3abc907d00c59ecd9d4d5656b229274

SHA256
7b944369ad82b7b84cba2f032a859382cab6367ac9e47e413366af91fd0e1dfd

SHA512
15e9422846b7ebb2eaaee85347b0481810e05c98d3c1dbd540c5d94b100a06d40dcec9134ec0cf5ba72b293361c72f65daa0af48ed0614e3d62e1e1616c7a624

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
b2254b77ecc3d66c138afe67ff7c15b9

SHA1
ac717849fc130ca2b053bb7fcd3e2f427e2626af

SHA256
caa55b85fad692193a2c0d8b6f42f838fd7c35596664ab2858cb33cea56b7b4d

SHA512
6ca073a36e5b54ebb8314c898939ced8b5c1d3b9f629b4398791f25934dfe96b407d698889df627a163418591aff0a487b822d0bc66ed1c3274c16d4ec1155a1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
6c1e3f0b05c4433743f5a23e05d72f74

SHA1
ebf56a4fe4505e3562173802c9189c059708e678

SHA256
96dcfc7eb341489392dae989c1cc60fe33e14818485bddf8fdccc1107eb319b8

SHA512
430a3d7333af7c7f2e9b56033ec14237bed31cecae49aa8fc97df6639c0c8e5f4debac660118001019195a79315cc80c49a5f1bb7f5c1fc8656fae2fb5ea0e30

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c41028cde03051aa6e7b64e8a473203b

SHA1
272335e5afd7750bd631a41224a16d27089ee3bf

SHA256
b53848adbc12fc4300984e24a22c9df617041aba4cc094e581d17dabde27cb16

SHA512
9a10ccbf5bfb5da6464f48f128afe394520a66723064f523b1e7807ea71a2b48f922aa97dbfd44928af9b7bf8ed946dda524edc983ae46e30077cce70954bbbe

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
748e6d8a7f14fdad8f61b05acafb5903

SHA1
a0a273241666b885b5920138e240f8dc017ec2d6

SHA256
26b5a6758774ef4bf384e5c2a9682388d5aa426492d19758ddc10e06921b3aca

SHA512
d8694e240c1d2bd7ca3551f1bc35e555020f43382c8998bea65c95593fe0698a254e48bfe0ca0405ad6f3a4fe4455860d93bcca1adcf33a47eeb82d1f244292a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
29140d2c4f2101ce9bd6d155b13d9e6f

SHA1
76d62f3676424ca0b73184568375ad4283a0475d

SHA256
79778ee7ecab8be93f5ec83161a0415c76e843490450b816bc97f8f23698ed95

SHA512
8336937ea8a948a91f2cdfc505516719f914dc6c213dcf01dc0f119c7efb8b6811fcf1c8d7e7726fffa0e23b2fb3513c97f83addc48042c9e1435f5a8ce5cd61

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
a123f99acd31f398afa31f9a7f984e3f

SHA1
bad7e93c06a3d7473fd3e28d6b52fd1f817f5136

SHA256
81332f10760bcba0ee4cf810f257c8b494e597cc2cd0eb6b60350dbdfcd81390

SHA512
2821163aa46dba16f8e7055649b4cfbc2d1047929c477437364a27d6d052575f8a44a4305ec0f50df5dffaf8e365d6ef343fd1c4e4fd1724bd205a165ed83b9b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5ccdbd8981bb5a1d462824bdd1f9ce4b

SHA1
7598ff015834de65491602791aee1ec13187ef10

SHA256
5dc0e464745ad91c81a763a39f26e7116bc08ada51c2575eb1a0cb9ca8127769

SHA512
69f099127c61a7c3d92aa39a2f06a0509dcd5820aceefc8c325191ab3b0d3b7eecf51e74e3e46a8b2633aaa5959e15e03f521f6905ea737c9ed3e8822543970c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
16ba32f150fd9882a7ee758f006a736d

SHA1
ffe9ac9ec1bf5fb17d5d664a296c412bd5cf292e

SHA256
d405d4cce11976e369dc927f92f9ddd3161e03f25088cfb998ec9330f361e18b

SHA512
f0d691c8961aa425c9f68aea396253d6bf848af7a535fac1c99e888c71cedcaf29123b896636c2dab7b84795c187180082b1784b7a27685301681ae32382619b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
6e43653df4d189d66f883e8cf6093ca3

SHA1
13b831055d60ba78cb9cd2831a9fb94fadc8a654

SHA256
925fbc6fe7ae0d8866f09e6329a89df7fa60f170f79bf418e0052f9b5eaec640

SHA512
202c180363fb00a674d59b1ac250bf804d0adcb3c25c1fddd057651fe9b8954dbf3faef47812084a627b5bb37089d7a7592a4d374c63bac0cf75d0a43572e20f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
71c4aad09b35a1345a7bb05554a493f4

SHA1
63e5b6f3d526ee5f314633c95e8bb9e543c099c5

SHA256
c3fff85b518f75724493a74259a7fb4d34e3e564948e930b014993934afa5421

SHA512
8c678f146d3512dda99c4e6ff885f2aa927023f9d08159df2ea958d6643669a8c7285aa767a0675ec059cfc49dcf9812d77d635de2001307d83e4738398c2bf6

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
3835b4ada0c787b064bd39df4ced026b

SHA1
ee588b5d676bd28994e10cefa9c89b9d7ba3c280

SHA256
440be7bc6f1105b5760efff2590e9ef8d8d4ae32c8b57294afb9b5039ef9645c

SHA512
16b33227c269f7abbc814a643c2e5b6b44c28ab2be56728f4b754050282d4d64e3a18e9b38c12e2180dae0d4df7ae1d40f3a7ca5a876fb1cc583a5b7c59abf73

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
031efcc8904b720d53a44002c6e70dda

SHA1
f65dcb9b436cdf475559ca77f7bc7353a00e212e

SHA256
bb1de8ab8679f57ba5a3061f78feffd6bc43880698f3936af3295d1f594be9b5

SHA512
41baa3adaeeec5ff6c05231a2cb525c34398110f6850735e9cbfa1053f6e870a5c487d897268f75226a1183dbbf987db39de7952f89fc9e06ffdf46931fe8609

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
5138e85bc9a4d2c2703ca048cea87d7f

SHA1
fed071cdf28f36bd7fa1553ff770c8aa3e6d60e3

SHA256
b539293442f5b178ebed5607f3c6cf0a123e867ef6ef0a97ce73dc0485ce1a58

SHA512
7b60b72f5add3a0f794f90d11bf33ed5bf7db0942500d7d8b12bc3ac62980460f0ab13aecbefae0339beddbae9cc8d3f15ab9befd45dc0cbb686d13dc12a0e61

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
0588eb4ecac2f56736e42fc6abf9d312

SHA1
a9621ca53340ca123a1bb8b4ea9ae7f7040bef36

SHA256
98d83e9a6d3b0670be2522be3a4cad195b20febeab2b9c3a8a2f3165afb9732b

SHA512
f1a3c47a6888a7a2ab5a24eab0c354201721506835e1cbc02fd23c539da859d42c95686a24bb39651f8b5ebe034336f7f88c7970925b327c0a89ca7b221a9496

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e8079cb3c67ebb79cc1c90c20b877583

SHA1
7497979fdaaa8610ade5083f39be90b254b61fef

SHA256
873ce1741fc558d3b85d87e2d8573684707382e5891bff2bdaab05b8840d5de7

SHA512
8fe52fda8795adf191e14b7623b02d02c5cf7574093221d5a0d32a42879eac82cb74a93e4fa11d8fb4ecc46fc29c5b0d52e4477ffe1dc834f47351c39fd83dcf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
b1816539d11058271a45838351d9629f

SHA1
b5bbb2861fe5d2ff6a75099f90a651a0bd71e44c

SHA256
a438cd64ed0893164d6d188188606ae40732cc55aa7800e227e0ce5ca459f41b

SHA512
6c23b4e6ab6e5e02dff3cf16b429d2422f126785dc45b977e38928280970c410223d172491817a3f0bbaaf4a0fd496e8f0e4da0ed5ee5b1dc7da987a2b22beea

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
e9ecda55165f7bbe40915ed040586235

SHA1
68ed462de57b5505a2e0803b922ec2ee299ef667

SHA256
e209e09bc14a7cc49204cf37a5ffe2cd088ba65152a65e91d61706c3363e3eaf

SHA512
f6c73e1e3e9ccf137f9fdd939f1cccda5d3ec94e3b1fd3d1933026fbaf954b854d86004a535448caabaaaae96e860fda9bc375283f0fee3869836746469248ef

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
ba1dbd1bb3ecec9c8d6f9798f03001cd

SHA1
6f3e9edb30763eee86a88bdacf7873340f26e524

SHA256
ea081d8c498e05dfb0dcb34300fc27b20e0b99d6928ab30d3c9a172dc552c1bc

SHA512
111ad0a55fbbbd9927ece31e0ebd3fac8842cca73b282afb7c93069d777647c2ee6b70948b567a61d06a99acc4419ae927f802fa756d657e53c1b14023f578be

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
e177344a8ae646c5846fba75755cdea4

SHA1
6d0accfc952db7ed4abf654b675ac91810de4c3d

SHA256
32a81d6c677ab57ed33f9c2ec82bceba26e0a1a3fd582d20fc8f9c745f6bb02a

SHA512
d6579fc3863b5d6bc539420de4f19deebb309212d3aa65ecd59c8891bd1f2cd3e1a7906e0aac47c6285319366bb2fdd361c370d1ebe1120967fede7924d323ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
bc03c6d14100ad26608fe3cafe30f7d6

SHA1
2500385b1c6bd81e33427f3912280c774cc1ef1d

SHA256
c4716c595a9d20d037ce526e787f257c19fb41504c91c8022f997dccc2595df7

SHA512
ad53d4af65d072dc6964ef20626eca58ffd3eaef8bdf0e0efbdbdb5e1ee8009198b36cf6229ce07248a911f2bf96fa7a318cd9271a97ede33d888b6433667244

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
c6042c2e80f063012802acd8864bffa9

SHA1
7a903f26cf725129c90db6708704dc7ddd253ce4

SHA256
64e0bd882079101bdbe3e362e537a6d17726a7b9470980cab64218715d13d8cf

SHA512
2c11472a6782a63e19f6c0c5cb05b9b639649d19ea6fdfc9b331b023b211ccb2cc1871860f113153dfb99efba997f57652757e39149f140a33effa67ad534254

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
e5774a1661e956320cceeef8973d98f7

SHA1
e333969a560939ed348d653f434fb61c2b261887

SHA256
d64843181b144f4c74869b51bc7ffabdd0058d5c1ea5ca713f86cbbb6223fb4d

SHA512
77d4c806425b926c595682182208175d237f4c70e6b8e5a351eb98688ce28cf5e1c3847e963c78152a304bd7a74bd02b9f2252266681c2a559ba6fea75326ce8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
82b20df1f45fedfb300d777e26f034a4

SHA1
1144aaa9de8992a04d7a83c72c9def22c531d892

SHA256
58edeef4d0805fa78ecf22f2385b233b23db5b094361b73b9a2fc14412651910

SHA512
b939b1d2efd8e53947909fb2fdcd4386d3facc8212238a4eb972f8ca152f38a9018e2416686b585992f844b88dc2d3823d6446d4f5a802bdb6d9edc3f892237c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
2045695fc212910a15260bc9b26dda49

SHA1
c0439faad6faf0b7351d386650740298bbfd1d83

SHA256
3b89b867e3826fb7552acb4ff89cce808f693aefc17a017a2e6b10ce355b3c19

SHA512
987adceb1b52c0492be355da1925039dab999819f509537331baefe217215944938ce3c80d944b07fcaefbe5339f39989007b0d2c7343a8a4d43e07e72e7a52a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
68c0405f09122039be332428b3e997cc

SHA1
d2363c1446de9a2721611ee1ac4c8bfc978933fa

SHA256
ca93856107191d83d02a134568edf0d8f9906fe4e1958965bd7bc7266cec1a3d

SHA512
62e70537b5d84440bdda75063d5e6bae9893adde8e54dc0d2618d28e3ee2787b2daf1a562264dd6a05a7fb413472f9e41e0c1ae8833ec787ada2da45e93de0ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
37303a69d2bb0306adb16be6945d59b7

SHA1
9c4f7d8cd1091413773d9213d58dbb46f9de5a3b

SHA256
991834e9262eb4421143ef095faa12736c667573f042503e283a16b1bb0aac93

SHA512
b626c9e25a3c8ebb1c1d3367982d8745dd6841152be44e7a9e7a51caaaf6bc0d17aa0d319423721b81ee52bf1be4a7df4f7c2b11c6ebbcd47f6cf96d2852a738

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
9dc2065df947c48b37d3c4b0557db99c

SHA1
880dbd512b193e6dd95c604de48b66026a796a70

SHA256
9a0472ba5106e05626fbc49c01a75a93c338a168296a8015d7a2b6a8858d6b54

SHA512
285fdad90522413e61b334282ee59904fd208683f1493bd63b8c0e54485f0ad2896013fd5e0c781e2401f11eb9e778a5a23ccc8b4e5be0776c42e3653932c05b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
2a6a1b52d3e9b22fb53bc280fb06a956

SHA1
bd607d72d5f63056111af1734413e7fc86f20913

SHA256
37cbab4a7c69db20b1e508d7bcf38bbd55c8c73121fe263af94dc9c41db50a75

SHA512
c2de4e1f2e3bd052fcb5f8fd17c3227b0bd2ad7424e1484b5a73a9ffed7c7c376e007564f3046500bced6074b28e0b72dc3d911486f19d7870d0a885d3c54423

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
9067b646bd27086aa496608cbff940f0

SHA1
9ee367877e9965cea95586a2c863decb38d379e4

SHA256
ea189015c2cdd650fa854825553e40d79a645d517015b9e21579af74684453cd

SHA512
50e76054008166f227f5bee194e43a91fd8d160cae9f586e132edd858f8f93ea7ca4d7169df4199a9d1efed959236b01b97c6a3d6e208b17aa1d50bde96cddbe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
bef2189afefc0935e5f8abe51c1ce960

SHA1
97bc5dd2b01d08de002c0054ff684074a568ac82

SHA256
43beb55e4492ae4ed1c1dc2f1b92ec8386f5338c975354f8ba59ab9e27bb3ee8

SHA512
9dae80dba9ed827fb8cb2e0d96dc7b4d1a44db4e44db2b4d710f109ea4ad20e119a0275acc323c813628a07b17b69a62ca72cc925c730392ff650f34ff8a46ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
821d62d0beb602977b5ab30532463153

SHA1
f70f0448c6c13db9848e82dcf72edf6104c5dc9b

SHA256
6de763df1649c9d85669181bca77c0d57225ef6e93f0adb3854d9fceb18f41cf

SHA512
9e398d5a5021a5a04e5f1a46b5cb092991324347ea171b74c4358d972c6d3ff5950bd3020a257461ae4127bef7e6bf69a714e63e6fa2fd23735141042c76fa6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
1629beef7c2055efc881f69fd61f3e12

SHA1
00f9322c20324e548971ddee4063e3affc7dbe6a

SHA256
e42f21474485af8fa5d65a3c197d5fc372ef436d6b96bb7f6e9902d96f4e9b0f

SHA512
6100354e5aa76162a4f23904e6d6addff00fb10ec4c0c21384c9dcfaba1c7b8cabc2eb0a2ea0c51eddd0bb27010339d523571c9062a66ec36ca282071f111764

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
87c3a1940cef9010ec158a6d91e4e8f1

SHA1
67b2e6042074db2bf15e2d7be2bad2d17283f3b5

SHA256
39039c18f34a6a2fe562133800cfc2c99bfe084545479d7fd877f54a66db169f

SHA512
d3e6e62106b135b403b96a7aaadde89c07b63d0baaf376ad7c25302e76c33abaa66efe6e50edafe3107972be5dae17552159ed8a4701ea6c2eba8f61c80dd485

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
10a6039babeffd5049e32ed253ccce87

SHA1
d6b46abdda069340eaf15ec2e54ef3419e51eb4d

SHA256
3d5804a4518fc53ba40765c22a352a6041d1f79605a200ab7a6a3b26c77197bd

SHA512
dbfea4bd14ece5d7bfbdfde5da0bc650e0a6ab6f733aa4b8d1c7da6465af68a089917d2e02fb188efca582a28b717981ec0530e70614f077aafe99c5a233b210

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
d3dd739456a78973ced5a2ab4e847c72

SHA1
0e8b14203590e579958ce1558649d72422887152

SHA256
f4a94173cc00acfa960e1d33f964547e3683ed62424d4dd7e2e4c17607a84822

SHA512
6db640e0312e1fc4121e48ec1baf97b3ef66e3816c9b6ccb463eee5c9e9cc605e83be5b8e38520c163594b2ed98e360e8e5d53325f09428c3c2ad690d7b54c7e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
69ea7201257ab1797ecddabc5ca5917f

SHA1
622dfe5d1870d2c0dadbbf4379e266a2c7d4d55b

SHA256
9432f69952fca689d63bfef874f21d1f97f0949a958c2813ad4795c600ed6dc6

SHA512
d2fea8dddb9ec621007f7d23a441b212766b468ba4810b284ce3be4ae3c3e3e9095a5ef7e4b219a142ba1dd3b00213bfad398c0907e745c58650f931f24df7e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
19789ba4464d7b6574d2c3fa6a57f2a8

SHA1
fcadbd8963b1b2ecbfc9317d86b34e42b2552db8

SHA256
dedc43d8790478271ec10d3151e7c1cb017eab966d060e93b4eafe80eed6b236

SHA512
9008779c9d3370d11d718beee3f3f619a8bd8c1243760a498a8ce0cd66afbe5423ceb21555b7a1b1f61038662cb86bac996e9f426c4a0d96cd09677839d4fe48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
53852447a2c2864b188ecc3b02073b34

SHA1
41167286a7dfd5ee9fd71d0a861404d2d90d28e8

SHA256
68174900f94675c9fac889dd78020bd2bf5c20d515554979e0db48a558103b9c

SHA512
74bd2022949772f1e93a426f790b92ede6b8848258176ace756ab08075dd1356ae1fcb6eea74dcc6f1f4c3e1d912eef5431bef743b204c378a38f815cded8c67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
aa49fa1835cf1f943519a379aadc9aba

SHA1
2ec253d1041d4d68b75df6148750d6bc750522d6

SHA256
e3cde8667081408707c31d43b55ed86144998c3c012e7f81b38c845f640213f1

SHA512
696fbd7d57605d4ada290cfc16bab49effe974ec92653262a761fd23909ac5ca94104675f445ef8426885fc1eccd9d0ddf84bb24a423457c1a58308b881f7b86

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
afc5c25ee22f7a8cd8fdd8d416aea64d

SHA1
578f4e4042a0ce8ba7f9d98cf277a60d14d8edb8

SHA256
6e49864b59612211b6c78181319858d60ccd8faff36efacc02146bf6d77bba32

SHA512
f058eddc4404c47f70df17046eb5f97eca852262621daffa6d7b0d5ffe70524270d92e15b5959431fb0dfaee2bc77d80866a1451204f0cb92c09183b2900c0dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
576a888283fe4e263e7b3c6d270d7f53

SHA1
deb25de3c17aa2625da6672bd9cde2687b18acd3

SHA256
4b4c9b54be8cf037741e510b876d2517749b586d27837d7cc83c373f1ea827b5

SHA512
3d6a44f8e3290ce02d79a42881ffdf77c1acc8279c697e0febdb3802f1b87df8c4b06f66955d46e81d7cf0f7c4aa7fdfbfc5b8f9858f8035009bad5da77532f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
99d8dd20f4bda6779c4568b0ea057d85

SHA1
61bf55330a6f93518637a4b21200005e573603ba

SHA256
ae6097c22437b30feabadc92baf4c07b171a2100465e41237676d58ff60040de

SHA512
c0d6d3c6df509db1586f7b9676411fc648e3bf02a141e19a12d2b10891f3d7370f40daec04976b9eabfacd97c8a35964014e1c8fd06de9cb0f36fcc4bcfb29f8

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
8bc7c314644b3df313ae0910d642b929

SHA1
3e5541113122d9571b2d2a3ba99320d9bc06a383

SHA256
490eb3b2298f0301127e1f28c534b62f8814ccf519d2654f2a92332153b2949e

SHA512
1a695f4769407f891b6fdfc7f77cc935b4b73ee70a226119857c561ee43f3cfe3c8bb7a9eab29c8aeb7693587aa65ff25709b97ba9191b14bf5aca1bc80ccf7f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
c30982020964c18fa52ee35b379f661e

SHA1
ab5dc5bfdb95187968944df44dd147410aea4c71

SHA256
c1641267930f489b8f9acdc139374645909ca60bb3cc5f87fd01f74dd246bddf

SHA512
21d34af28abdd2c4fa33a00f244965637c184ee7e2cf84286c53fe4b52aad5471e475372e86c674854ac089a72871e602d0deb15741eed998418e34d659963a8

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
def264de8d8471e98a9e83e223fc97fe

SHA1
3614b5291d3f85217382747218c7206c8800981c

SHA256
53311d9af8ad640983fdb1d4c2b9e9ce765cbbad136a82ead1526fc405fef150

SHA512
13743ac0d92fec104dac4598615ff9e911e2aeb34df51dc0399f8b64d600118d45e44dcb106ffec1750adcdcdb5a0871cd3a1a7754c35880b044a6fd8b0b991c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
7f679993ac8c85fb5cafbd5fa894195b

SHA1
8ac5c99f5a16090bb42b0d9a616bbf95e86946c0

SHA256
ee1e3d6601997af68eb0af0d7e756e59cb94c7cf0485569d5fae0cd9fdff620d

SHA512
8c9f355602d9c680e84c778011e38b1677fe41d504efb3a28f154bf532667f4e50c48d6351eedac2331b2519f8433b93708069528bb6c50ddaf6b636885f8162

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a1a431bbbdc2b16c94e941cfdbd5cc01

SHA1
fa8be9423777c78458ad75fc413dd93442e0b7ae

SHA256
60669647540fe93302f13ccf6757bad7f2c09f843039ff34fe1b44250205fca4

SHA512
43253965c28ccce249ea55971ca2238c389293007907eadd4c6569599ad5790230e2bd6b395445556c3fa099385ddbb2dc35858577388e3242c3cbd2e2e890c6

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
2d4a8ff4074afc0b46d5c9c093d17496

SHA1
ca534657b01e3d031fb384d65b99f6f82a5c9373

SHA256
307cee9bed276507a3564e070287408ad04cbb348654cdcff2a263952687717a

SHA512
e87bdb5bc823fc6e3cf6f331e87540318a12686ab5bc05c4760d1d1c3d9ed80e465062b901dcd171c0994799a68e102d630804c5849b454bcd18804e29faa552

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
5bab00697d0b7c60d6c89c08d87fff29

SHA1
ed6c993abd15e205d83fea72f042da4f1215e535

SHA256
5e087372421a24f286673c2482d10c2b5d0dfcac7f7fdd0057e16ea385641a67

SHA512
e9f0f1dece81d32ac75af10c743ccc15e1eb124dd3ac5d58695ee6fb9eecd58ef8eec0470dcd6f4f1719a56ad3d7984c12062891b2391651f93214222163d4a4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
63b280ff6b0de581dba4bf86d967b3c5

SHA1
51d2c2377af94f4f17ae8a2060a0ba291b77181d

SHA256
c32e6a7027974cf382ff62f10817ef34ced6be1d15cef841b5e6d99c8d2810b3

SHA512
a1392e9cfff3a464ab8dde0ff407fa2eb0f68f73558a69827f3b247ace0bc472ff41b308139a9417a7ad35e932d85cc576d20bdbd1246acec4b0d3b30cd1d804

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c287e4900d2ff284beab8a1edc2587dc

SHA1
1fe4261b11aaff6375312085364c92c8cbc4ee44

SHA256
b4f49b5a3c7be632fe6bddcf33879fd0dfe9dc9cda7cfe70f16a0cfa3a11aad2

SHA512
7f7ce52640466779d4a5968e6f1e806855fff974b6218a090c48fee67f5b5a6a67ee967b313c11b9ea83e4d366dbac0ba34b50717e2d5bf6c7c5a8ec2afc66cd

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9dc468a4572d8f0019bf4c15fe4024f9

SHA1
ffc8caa58cb75efcf7b22d910e637a92c4202595

SHA256
d653b621fe47a1158241604b19fba1ed6a76da3757c18787dbaba20f383e6fe0

SHA512
822ae045129f96531aa4c551b6f0a546e3516792ddaffb83bfc607e5a671f498dbedd1f3a0a1fd1be1a0ab7304d731f86bfd82003940f52d15b174e461437cb6

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8bc3cfb29a6ed3803fac112da4bdbf76

SHA1
3a903186c1c2ab88df237e7d3bc5fabb98121501

SHA256
88f2d6cb47bc25933460f9075354717e1fac5dbfda4a23852f929cb025ce6c43

SHA512
fa93817e152302a324d07d8a81ff86ed78c201d7de6c7016a10ee0b5a8994309e98789dc25b255ecb8c3670e854015f95e25c327d87aad70eeb0c65e171360f9

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
ccfdcc816df997dd430fa5b88505c748

SHA1
00a45072fadb26bb8d9f967ec7cdc5bccc873b94

SHA256
fe80b3cef9923af9e828b75c624ff309b94893d70668dc83410fd232a27ff49f

SHA512
3f1f0f3bb0d4d31734a648b013f597aaf52c2166d90100d53af17d061e4a2f3bbc8ebc6b0ae9bf6aadfb62e19cfd78790316677830af44e34609a483bc235847

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f5a2b7eb8d4e993aae19ed58028d05b0

SHA1
e7b9278b9c8327da11283958a25bf9089852a772

SHA256
f1f9ef89bcab8667e123ea0681541c70506b079195e44f8966dc433f9bed197e

SHA512
6a389ae0a36c12a740704ab8b65ed8187e812c5c0bc2f72f4cff064e8d949d0c41a3c6e63a8453054b019685e808b1a7115142892f253755285717df2b30ea61

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
a675c9ce517fdaa8c26c659a8572c992

SHA1
f6721e1d0ca62abbfeaf7bd7a7b5e740792b9a6f

SHA256
75eea123f0de3148a98a439ba60c123be56eabdb116b9754dd1bc217beff2415

SHA512
29dd517005173dc0b32db070733e0cc127c0ff764174ec0c5b4ea5773fd4a7aa4398767ec64f9161a07a27a8f9b34dd2700ae39dbd77fcf4418d1cf434b47c74

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
d37fcb8146188206a17077b4da06dbad

SHA1
4b3e43e61fff64168cfbfa7f709f59f357a59447

SHA256
47316207640c1244255c4d8cb52260b4782dbe4bad4cdf3a277395d50c4c0500

SHA512
8e1088d545c1409cab3255bea3103645ab71f638dedee23a3df295c414d75d67f09e924efeb2f79c00897df7ebf46d6a9fca89407ed1b53962644df9d304fd8c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
237a354a1fbe294f38d919b413920a1b

SHA1
f7fb33dc82b871c89bfc7287dbd842a9a27da0c8

SHA256
93bd1481c4ce1e39819100611aeccf93955b402380a9ebf9c972adfd65dbac7e

SHA512
24ba2a7076161eb96a1231b18eec1fdcf28e16914ed510bb72ed1dd59916bfb72eb23383834a961a6c97cf3de1db570b05f08a7134408d2e9a2b59e3b917bb8f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
986479e816fa423583c22a79fb236085

SHA1
30b9993396b064728b5799d0f2727119bd136e7b

SHA256
92f843bda83e4aee8df80f39a31018b271fbbca2e2e9112f5174b66c2260cece

SHA512
6ea7cdbb0808b26099d287d3e9ec46c1350e82a91e526a4f2097a78e6c43cf833d328dd4873d884766a9c0ce46940c388ef9a6c024a14203e8bb5d3ce5c247e7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
75121ff67e7a6e96178a0653a1bd289f

SHA1
65b082cdb988dd919f30ddb29778973b1b5db668

SHA256
1cad7d0f7dcb87ee61d9956dc87bf53d4fc5672091e36d15894982b7104a3d2f

SHA512
4af361914efaee2a4ada216f9c5c183fe51e2de6ecc0451af7f594322d911321d7bac0214c9cc34bcbfc0fec9120318df67d6e1ededbfb37102a65d61749e0d8

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
637d8c2e4c5c9c3db65edd2e45f1a3a2

SHA1
90bd4ff34af133df28278467be577e1e5036b136

SHA256
3bca526b0229e7ffb0230cba2850e7957ead86025dbbea366c6a170b2131cd5d

SHA512
0a99afffffc702a7384598df8b0784d5f82de78e145843feeaae2fae42349770f2316fe752099e863162ef3e9aa99a60822b96f109a0a32995fbbdac93c79349

Download Submit
memory/240-445-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/240-436-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/948-410-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/948-419-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1668-245-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1668-252-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1668-312-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1668-246-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1788-237-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1788-41-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1788-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1788-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1804-1-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/1804-7-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/1804-11-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/1804-13-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/1804-0-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/1972-52-0x00000000016E0000-0x0000000001740000-memory.dmp

Filesize
384KB

Download
memory/1972-51-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1972-59-0x00000000016E0000-0x0000000001740000-memory.dmp

Filesize
384KB

Download
memory/1972-65-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1972-62-0x00000000016E0000-0x0000000001740000-memory.dmp

Filesize
384KB

Download
memory/2100-402-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/2100-406-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2100-394-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2100-407-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/3196-240-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3196-74-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3196-75-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3196-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3196-68-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3356-272-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/3356-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3356-257-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/3356-263-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/3356-270-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3556-341-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3556-348-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/3556-409-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3696-338-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3696-282-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3696-273-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3956-451-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3956-458-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4272-365-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4272-301-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4272-309-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/4368-378-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4368-322-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4368-315-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4384-448-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4384-380-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4384-387-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/4404-351-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4404-286-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4404-298-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/4420-23-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/4420-16-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4420-15-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/4420-22-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/4420-231-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4664-29-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4664-28-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4664-36-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4664-236-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4764-432-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4764-423-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4776-375-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/4776-435-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4776-367-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4784-469-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4784-462-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4860-360-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/4860-352-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4860-422-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5088-326-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5088-391-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5088-399-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/5088-332-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download