cde0d1abbf88bb3104a8f54b6bbb397846df3b5fd1f3ea471999f4255d3862bf

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-21_fee28955b5458b18be20c162c6910638_ryuk.exe
Size

1.0MB
MD5

fee28955b5458b18be20c162c6910638
SHA1

245a5a4acef0b34b8bce54efe0c5a14669684f42
SHA256

cde0d1abbf88bb3104a8f54b6bbb397846df3b5fd1f3ea471999f4255d3862bf
SHA512

c0d9c9ef6c0c8a8f57dc349953d47aa35e5434bdae208dc2ef4121d445557cfa865bf076a60aa350d7104dd6ddb2b23d7f3c92001da06dfb24fed3634e0967f3
SSDEEP

24576:uv46agTjA09bGeE+t/sBlDqgZQd6XKtiMJYiPU:p6/T5SeP/snji6attJM

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1492	alg.exe
2848	elevation_service.exe
3688	elevation_service.exe
1664	maintenanceservice.exe
2928	OSE.EXE
1836	DiagnosticsHub.StandardCollector.Service.exe
1500	fxssvc.exe
3860	msdtc.exe
1972	PerceptionSimulationService.exe
3568	perfhost.exe
624	locator.exe
3456	SensorDataService.exe
2436	snmptrap.exe
1792	spectrum.exe
772	ssh-agent.exe
2180	TieringEngineService.exe
5044	AgentService.exe
5032	vds.exe
2600	vssvc.exe
2376	wbengine.exe
4864	WmiApSrv.exe
3068	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-21_fee28955b5458b18be20c162c6910638_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\98c0a30274f8f84a.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75234\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040a8a80ae893da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040799609e893da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d123230ae893da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b45d3d0ae893da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043528f09e893da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008a96760ae893da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2848	elevation_service.exe
2848	elevation_service.exe
2848	elevation_service.exe
2848	elevation_service.exe
2848	elevation_service.exe
2848	elevation_service.exe
2848	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2348	2024-04-21_fee28955b5458b18be20c162c6910638_ryuk.exe
Token: SeDebugPrivilege	1492	alg.exe
Token: SeDebugPrivilege	1492	alg.exe
Token: SeDebugPrivilege	1492	alg.exe
Token: SeTakeOwnershipPrivilege	2848	elevation_service.exe
Token: SeAuditPrivilege	1500	fxssvc.exe
Token: SeRestorePrivilege	2180	TieringEngineService.exe
Token: SeManageVolumePrivilege	2180	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5044	AgentService.exe
Token: SeBackupPrivilege	2600	vssvc.exe
Token: SeRestorePrivilege	2600	vssvc.exe
Token: SeAuditPrivilege	2600	vssvc.exe
Token: SeBackupPrivilege	2376	wbengine.exe
Token: SeRestorePrivilege	2376	wbengine.exe
Token: SeSecurityPrivilege	2376	wbengine.exe
Token: 33	3068	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeDebugPrivilege	2848	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2356	3068	SearchIndexer.exe	130
PID 3068 wrote to memory of 2356	3068	SearchIndexer.exe	130
PID 3068 wrote to memory of 5084	3068	SearchIndexer.exe	131
PID 3068 wrote to memory of 5084	3068	SearchIndexer.exe	131

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-21_fee28955b5458b18be20c162c6910638_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-21_fee28955b5458b18be20c162c6910638_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3688

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1664

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2928

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3380

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3860

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1972

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3568

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:624

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3456

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2436

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1792

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3428

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5032

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4864

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2356
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1208626ad6dda7d291041c14220d79d7

SHA1
7da20c32423e75345cf54012a24cb9227e08f605

SHA256
03897028f5ab1ce57e2d29ec11247ba352570d19b5d7100a66d3e97bb0aae0b4

SHA512
589c7aae891a8deea0e373213bf79368e8609d22463cc2d2f6be5dbd64685eee4d63b62292871a4dda84062a4f97d705d2cf2c9c62cf28b932f45763ca9580b6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
b1ed60e2ca8c83dbb86f1f5d84536cc6

SHA1
6d38111745e7ada9588655e01e134a611ca6335e

SHA256
6eb27b57afe6d2afc7cc16c01d1ea9ce999e0423fd29ba8eff7f9e10235146ff

SHA512
40d85e981b8a22118901c0594ef079c9cc78f3d058438d4ceeee210b5cfa81e4c8388eacdf25c3ee9921ebba43f3a069142e348e8256e7dfb59b43458b729bb0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
7506ef776d17f7aadb918f10db81b207

SHA1
4a4f5578ed93c82aba1c80cf66f024e4339c38dd

SHA256
55131fd1377f177baf462486c82e2c15ee1b3d218b1d65554a81d5d62992eff3

SHA512
e73a05eec16cd73df0dee770ced91231449d69d31d03aaa5528ed786dad2d80107889b36de89aaeeac4e2c6303405861719e106591431d4f818832b1719f5d31

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
5d4466290feffbe86a729c3e4c589661

SHA1
d87717c5a99cc5b3fcde5f503e3667597a5b0fc0

SHA256
62744bc16e3a65060aa1704b9a8bc24225d0ab3b80bfd8328fc9ab487db14c57

SHA512
2ef68218d030449ba3a5f72418d225f9d9c32f2217af09e0fc14af2187ed1ed0b5252721dee2f1762da81eea57671847a7787f474f305f7fb29f280c34b9b22e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4e4680b7abc67521c63e900e611d3488

SHA1
8ae3aaf0593e6a16149387c50fa5150920ea8ad6

SHA256
84a464db3323f38710ad60fb4bb7790dd79dac791161afde9ecd954ffbf2b727

SHA512
40be0fa349cae2069eba542fffede65cc449ac72a9d9137f182bb232c6767aaecff133b2eacd945efd06df50314ae38c08c0a8e709528f528d56742180c87a6b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
c83e8d08e97480d8a208eb733b660496

SHA1
c22c70b0a0832b52989c601dcd5f855dfa142d9b

SHA256
e81f23ca387a08cf02f8139ef5de26df9f47db0a0b4e24faef73f23c4d2e9724

SHA512
18fc855024caa09e06f630558db7af32a97507b1b6b5d962c6aaaecc80e86a5fb8e7063fb358e585ede8b0b9cb95548cc3c9259c8defb47ee9218f61cef2cd76

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
1a63f332a15a4202bce19d81b3c05d5d

SHA1
f1bb8863d4ca646c18a939b062ee903579dba598

SHA256
4e774b0b7c3b716c4483c65b89b5be9234921f5543e18f9ae2b7a5ebf2502743

SHA512
eef2c249b8716620bc4062d586895c0240c81da9bdf6f63c08eac7ae75f11fca09090eeac9c54e84b13bdfeb47cf0b0d9c50f7538dc12175b0f35ba3faf56cbd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
3b9ae0fc557d68210e9a3ec176cdeb52

SHA1
daaf0fc19c130c660dfcbcfa3cfea0c88826be27

SHA256
c0c468099ef9b635d13267d67896197f42cca66e4fee5dbdd0290bc4f4073f79

SHA512
63bc4d23c1b44006f46e47fea833806a863c082d20f570916d63baf9c931b4a00b416a2881001afac3274a8f7c4419a56d77ef054512de74ffa51ad202eef3c6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
a62c39919a2702a66a476dd589dadaf2

SHA1
6205e6b87d60da417bf09bae04fb09266e499cb8

SHA256
2be52eb83aac8b4239b25f4adfda70a0613ade93048b5f970a48a23dd3d0ffe7

SHA512
d09444b541cb6b7dc9903d6b4c98653c64447f946116058e7ca11a01a3214625f8274a688d432220faf22af827307f91095b37498a01c9f4184a776d5aec7780

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e4f8d145dd9d4fc1e8e5ec295bafeb79

SHA1
bec5832b3d35089971d7ec325466a96c9b8f2bfe

SHA256
f529744aef02488aac41dc3fea685b92fe7f77d159dd2e434d4b3da0e802739b

SHA512
d874fc7d03ffe5105d2711844ef5fcdfe8baca76d5ecd737904288031b2f4422b523ed29234b3cbf0a5f65670b93548a34fc8d803c78390ad7d08fa6273a2110

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
0f7be85ea839f42f355b67ce7412b4ff

SHA1
3a06747d47e8038c4267227427f9d32bd4e29bed

SHA256
2da05b6cc9f80591f75718a5ce5ba6296a933f2e27fd517a617a638b4bc0c35b

SHA512
ceb54d6385b5626dcdee0c30effe0eac745aaadbd4c9d5da10a5c124f7285c3a04a2be40b44dce76c165c7e90c6af5a16f2bbbf1e67d3c9ac36535d82bbd95e8

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f3a070a1d993678b6e66ae954edd1325

SHA1
a04e1bb4307f34b7d153c65dd143bbc0f978a339

SHA256
36a9ebf28e1bdd78755ae480a10242c1069d4091e03f5f66c031751e7747cf9d

SHA512
c3c5324e468f6e42d74d18a8dd9bba8aeb1f28fb758782670de439ee3ebab3f64a5b4b25ae21b217cb5b7d5039b5ba03a38447925d432e30d8bab5b593cbf2ba

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
cc99ad22c1a6d258aed18b50d81cbd6c

SHA1
8b973cbf6c24b6bc7f50587d4bb24aa39f0ac999

SHA256
d634f7bce817738a5a8ff3e4a71d91b5a7c9e8656d7451b94204cf67a42f1060

SHA512
58c02d92aa6ae34c3edb3e5db886f5da924db437d7699fd780d0cb0bfd0a86ba7ba49362362745d1e1378847e22b278ec94f10610076785f9c253fc099060b51

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
9306cc9e4f4643eea5cc43c357224fb4

SHA1
e8e20c017fbd6d83598a4728e9ff5fa21f861b4c

SHA256
9b6d13e1a3ddc903b4ecc5a3ed81711918fa9bac03addaaa7aac078672bdea15

SHA512
bfa0875f62de3ed0e5b2261a3077cd8c4d8b0753fc0051a7b38911c43748dc782fefed752c9f9efbe22b2193b3ad81e119411f1d042b319aeb1bedd275bb3f5d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
dcde51a84a66f061305ef0c142cfd4dd

SHA1
ff90c38235d7b32f7ba19b98d87e2697bb107698

SHA256
8877a48de826a10cb924dfe6d68fd7831ddaf079566b35be871fd5ff6a2e53a9

SHA512
9e32dc98d54a362d764532d05aa4d6cfd761138686eb6cdcd532409361aa7f0e61e0b6bc10dff4f6e3d064f22c6e27495ba6154fa8dc339645d1d1c4e5e12d96

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
d45ec95dadcb92e71716304d1fc934f7

SHA1
e317f345c73b0896122f67b7f58b261a7c559965

SHA256
5c0109835d3744e63983d092d5d8b585bab6690eeb1d6e86c8dff74668b4dbb6

SHA512
3209e18968354d71d1b7738bbb9603be8b06ea0bf8e580f98bfe84046b8c0bc02f2db4f2f38364c0d5551584affdc88db5c09caf2799bef183c3e8847b101207

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
1f6715f61e855ef3959c01ef76e1aca3

SHA1
7ac51902fc052b68961289cea1810fa5ccbd0505

SHA256
0b8e56d9174ea7e3028de16b2a41fd57877533708df79362ccd69bf7849d6952

SHA512
6189f4be5dbccecf739363290153344a937fbc9e9db614aaa3adc32839461678c464fbb56f08d88dce28912cd03e81d1c63ee6aad7f16bec0bff7fb60c11aece

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
fc017466a47633bb234ff1dcb52ffc84

SHA1
e2781c3f88eab3bd862e0351cb9993b07aa856b2

SHA256
2d9193fca30e476741878d8c95b2a05ebf35877e1b221c1489fae11056779ac7

SHA512
e942d19773cd69f3818e2f0ff86f53d763b8e94c161884f902ecc83fcc1b26f9ce38a846c229c1dbc57f02a4bd393f9159d8b820324645fa6c311d151ad82d92

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
b5b57194c8de57cd92dbe6f2c1ebc28f

SHA1
dcfa569572eaca4586c0c30e0b75ea1026cad998

SHA256
29db3acbb9e6d3b743971003a2d1bb61c908b28902003b78c6d14159bf441f9c

SHA512
fa4a1c63f7cbecbc7e229207dfc04fd08e44c1dcb425c392d36aeb5db8c0182eef638f2e0e436e5e99fb8bdeb1b061b13761cc5fee9ba4ad53aa0d5fac300bfa

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
f9bd5f7726ba77b7a97f15c3576add03

SHA1
e605f4db50d9f0192427ac4f2db7b254d65d0a43

SHA256
84817fcb55e39fc5e5a9b637ff5760e549baeb87b66a8865de1ffe7d9cb12ab9

SHA512
f97ccc2d2830a392e252a56351566fc80e8f5ddc212276702e0ba3196f45b86458d5486694d7b112c706eab6e681a830a0002ab7081120cfc6264cc4641cc52b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
d0e97ea2fc12d2803b1a16a89375af42

SHA1
791b3368b72ad74483bcff42c2e56ef4a4b7217b

SHA256
5adbe04a0461fa92bbdb66daacfc0c1dc4436a5c0e9595e0e9ef789bb2cbfc15

SHA512
19ffd8994e82b2263f3160bf3253b790395f13dae49a23a103e0fb2f4c0343a264d158657ae21b34653934b9aaa55758573f9299f6edc3666ab236e27977e3d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
66bb79ee885fe0a260b349ecda678c9d

SHA1
02bd66f420b95983e3086b70a1425d5fd955a946

SHA256
33bd63911bc366d9819194fa478da4d4eac3a52a37ca3d8e00afd40643cf9b59

SHA512
9d0079d5e6c3c75ecd7539551158ca43bf67b3494f90cbb22b39a1114c76f2cca2c04c73c0eccfa12e788a0978c45ed34ef36d57641b39e8948d7baef7fb48c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
af7a815b4ba4f3af66e799b5384b48f6

SHA1
7fd99501093eacae86febd7fa4cc6ab5a6420225

SHA256
03b10e299b7001b398c19899c8a2e8b846cb4857b2753fcd4af920189b3844f7

SHA512
26a88a332c1f5a7047f06fa437586e31d8965b79b6e6e616dca08869f7c1391e7acb94ae48e689048a68b1cb9ebe34006de62df6bdfeceed1b36f73b695e6f22

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
6c2b7059654bb9bf26b1c5ffd0467e44

SHA1
924da523bdf47e5743e8d795308dcfc32c0531d2

SHA256
9b09935df87b5b28c089032a525a2167e6c96f402bcac2f2f2b921257f1e364a

SHA512
97a45a1655bc9866cbcfc47217fdb7337f0337ce92dd9bf92894fa3c46982528fbc837b7210e8864bdbe6aa46796df468bc98050fc10ba08be6fe70424929667

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
8770cdbb44c11135c877a8d6db4e824b

SHA1
79c5f67aeffceba2e1c1e9ddfc27b07e32a6b6e9

SHA256
b90cdde1db393091b8dcd5232a25626b497a6a6e64bd3b362b1662338a80b7ee

SHA512
18bdb57377ad4b7c1c4ed50b0bc104c515960c594313d05de57da5743486140162a0a713f71431671b1f5c24f8df1f6726c03c9484202fb75e9460120fb1ac7e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
74c85a979221d04f907d5f28584c7ba2

SHA1
b61913e89e6c0d17f3c8fcc395569d2bd0499f2b

SHA256
f914d39a2cb6690ef1c8e34d8a6f6c340b49a07941f75772f4770da2623af750

SHA512
149a5c8c11e7ff8cceb6efda735fa265f426b2e8e0bad39d08d9c2de6db42f4841a7551f5c2b980a2ecac13c7309469164d2e9dd94532ee730c066223f71740c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
9f0d7d5dd34f1c3a55456b3f86b088fa

SHA1
8e5be3f97725f350e89325e8aa85bb7164132c77

SHA256
cb8fbc356c72d7ef902761f300a2a3f50a90878e087e9708b5bdd35bfcf67fca

SHA512
572c95cd16fed77b77df1a91f1cde3fb8d4a637f9d184ce77d3c48a37960c4d4330a0bb409541db64fe353b131a97c479df19270186f4b68b4d41bc2245726f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
a58fff72065668fe4800ea7ff1f91215

SHA1
6006ab3ae9d4c8578345bedaf9eb49465c429e6d

SHA256
7585a59bc9582c1d176dbb2b4ed11046f77ed5eb67967e2da7002b21f50da68a

SHA512
c26b0a4e78840075abc5b47133fd26407104f8f036b593ecd3a20768e7f4532af438a0c0b4a74924f8a32cc1cab69b6f561a64f3cf78f479b9ddfb2be11f4d5a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
eda697c2267404a7d8dbc84357df8ee2

SHA1
df0bbde08248d19370b10a9598bf357eea43b4cc

SHA256
0b94d1e699cb339dfdb5eb758fc917dab12d713b7fd9d3051173db95056ec06e

SHA512
9291d66abe60092d02b8e61a63e3bde66e256a835fc591bf9590e4b10526f4cd4721f16006636a8064dc36c25ac809b3a9a6081f62f6fdcf9dfb58eae353973c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
41b6c433a2a37b0eaa8ee3a04022d75c

SHA1
2c4c912fd64c20ab3ae1bae470de0b5d3d139998

SHA256
9b2885fc6b18b6cc83415bc7bed4817aabde7fc0d426ee6b91ece7a218a77751

SHA512
34644dd0cf16f7e9b20baded716a98cc890b5949aa4075bd36a6f556346d12cbaf9cfcd03dcabee5b28c73b9334fbfd857cb88dee329d377a3ffc0278f8b0a04

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
41a189f42a9c12efc8668ae7ca65bff2

SHA1
985ac9a51e66546ad778e764268f1f6a40221ef9

SHA256
9f86ee61b193822ba029ab2dcb42c1873449a76a8462992b58ddc2840ac06538

SHA512
3519827ff90cef56d771e3c6140c072f9b03e74e4b2472ad14884c12c7ea612192ee2c9d605615068281818a1821bafb67b2a8c4df15a671c739c18b2b90d659

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
86ade620e7d63c2c8bd59ec7808050f8

SHA1
58c1318546e005c4942dd8750a58820bebe77a1b

SHA256
707a07847341450eae8848d3e0b1f9ac9418927a623279faf8c0dd1aa77fdb84

SHA512
8eb08b94f4cfc0712f23da8a589cf380185b04e1e999a8efff0d539c76135f9c437313b8b7becbb92f510e7094e0b1c0e0caf18289f96f25f5081d0225ff0104

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
b61db94e4da69d0cca7c5f89a66b4c40

SHA1
4cf71b46fc7575492f36c364b58bd016df50f5a7

SHA256
03fd49db42e70406c36af2924f94912d9edabdb5330238cc3d93c319ef010977

SHA512
058017843764bda66d6338d9870d4a52e839ec7591278d5905e8e56ea196071315045db9c518499039dbeeee639cfb0ffc95f3eb714f669ed59b8885c7cef189

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
6a61cdf4b604707350d763ab4f8f5c02

SHA1
f2ab29026b13da4de0df842671507a11d59e9e56

SHA256
b34f25c7eded864a5de378677187793ca2b1139e6711f7cfa578c406605950cb

SHA512
187f973b1ad9cd4bfec4f6b1fe9386b0c3ad29d5aecfd16f44312c3f1c7645da7518221d9a100bead0362b59a97122d31a4378a142ca5069aad06f0b13d0c89c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
ffdd53ba0f39d7d347ddbbd74297a8f2

SHA1
c96b28c0b50352e08d9e853b500398ca6e5a75a1

SHA256
b7e00f7f8af7774809b86b9006413da0bb376024fe199f404a06978ce3b082c7

SHA512
a54e748e5851c85bbe409916e28e7bd34de0ad7a3ed16eee20f029edacc15e7da70e8281762834441f6530be42d8bc2e594056f588a2a411b59e8b6bf77e865d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
a18548b92024a48e90db2139bd88e49d

SHA1
967232db4e98f31b456b623b3b1c3f8a3d43ee96

SHA256
0958a4bf34323a973dbc22fb81e73f34e29c8fc4b830d46e2ee5cfedbfd6d7d8

SHA512
c0a6b703a330393bc779ce5350530c9da7594ce205636ad8d64632943fceb8e949ad2a337f28697d896f703a6ac3daf00c9c090cf3ebb0005ffbd681a3534290

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
0f1556d706a49f99cc2ec943734553ca

SHA1
fa7c3056597ae5502111952368563a3991bd91eb

SHA256
996b2e20f7188e329cbd879793227f3ef570e28622df990ecadb03df46c8362b

SHA512
76224dc6005d9ab5479ef9b6480cb0733d8d238191b196c4b276d797bb766b5284060154f37db237c96a406327da4695a781f5c6ccbb19c2c54a63a51499e7a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
7a608d917fccf407c2089e7e8c5194fa

SHA1
a3c6b5dcac24aaf35de597387691b9cda6d7212e

SHA256
4def9b5a9034510bccc00d7964d1d37cda8538a440011ad8da053030e67c40ae

SHA512
db88f353b29167b5539ce373aa36eb99a44be9cf6e7323bebae7ad3f3b2a1d30420164ffa7a8035d41ea612ce87bb7c4ecc96817330b201076c6f65c542fd4b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
cd3ed339f6fdb8f7f14331458d09be7f

SHA1
6bbf7a3ee07d8710d9fbb45700987c0d294c03de

SHA256
b3b8980d51abc026436d96a4c1e10a9723b8adbcb6d5ab2b31b84d3957ffb5ad

SHA512
58a94a7d4b1202428aae6e67dd05017d1c37a24213e82f3324ef8e381c6932b5d4fa53ce4c9516a1989b47e65e20b0ff49b02f43df64dfc4b2c8dbd29ccfa95d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
548fd29a351d7f6c58a46fe5abf80068

SHA1
2d61dcbed904fb79c47c95661d9588600f0010c2

SHA256
3a4a46494fbdb3015e3215126c24a7667567567c03d3002bd4f92ac6e0f6e177

SHA512
635cc8a89da41e238db8a4801cf341204e244c955f5a7d578dc37936f2e0ee94eb36bc08678f7ce26b9553641d6724fae414691fcfd3ec17b38ad8bdd4d1f800

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
4610317e1db62c3a568c0ebe8e0538ac

SHA1
e3da79d1ab8f849aa7b22d1f7a6980374dfc1f17

SHA256
b8e3bc70b2b934bc92a9bdc9be0642bbdb6820a0d01536e338c3bcb99a4ad729

SHA512
0dff481792ee3ea72b78b82a64a42f346e9fc65d34d9a25f2e1b2fbc44328250402a1e7e25cb6aacbf2980d05595f3f720c81de71621976af665e1858a0e4eb9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
352dc9a8228d7b663fc6e6458b0fe7ad

SHA1
c1d2beac75a8f0ac190bc7e6df9a59033d4822d8

SHA256
9647a45012193c8c94cf85eea4bcbfdb81731b670da0d91eb923ac4b917154e3

SHA512
bf704e1a2bba9efed8daf5a4a04da2913f1c5201c3475ef5bb8fa65c44c0e2656b7a7748120af831c70792ceb2739ff3fa0807ce7e977932ab47a45f8b7b417a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
cfdf3a891df0a9b6df73cdae862fd0b9

SHA1
aa8c0104cf13af27f53fde4602c6b60461375c48

SHA256
b321856f570c481bf95ba4be5935bc406e38beed649e5a5bfad3b75b67ee42e3

SHA512
aeb89056591114f82effe782dbf85adcf946dbdaf975f82545fe5557d0d39ec3a27843c8ac40b6c608a66fcc998d48ef020140c9a53d8cacf9cd9baf0c98a7f5

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
23c75c4762e8493daf43d4fbb98a64a0

SHA1
3935e2b52429c64bc765bfcb36f5c1252ac80981

SHA256
d9929edd90c13d5c135c670c903fdc285f6ee2880c900e9e5b0f8821468adaae

SHA512
91d0b01d8f45c8af712b8f2b449bd76a24e82bda997f920f40473660c8715afc762fa48a6e4e82e7431c74da0a4909acb791286a2271d50e359750bffb603a93

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
6ed5a45fe54d34a6a9dfc7fcdc6dec4d

SHA1
24304a4d3ed6a31a06918d644a1d7123c96cd0c9

SHA256
37311aa293463ffa28ba5d774a12ffd5325eb83c30b6e950aedf618a77a0888a

SHA512
946776456551d642b30b8084d45e5f0292445cec0d766806657dc4df669300fadda9863f8370b2c97c13687006dff73862728b49b72f01ab6a7a79e229bae801

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1cba78b2fb4e7fa5ce4a641f855f4675

SHA1
64896ea910c83208d1cbfce5c3e6e341d59650fc

SHA256
0eff7c1c24a13768916f708bb218adc000e7ca9dfd0089ba2e0ae85e9a8ed8f7

SHA512
5fe20866d658d70762e1f2e99e69eb3df24b2728919ca0e585cf70d0db464ab5d336259d4d57dd8b01116247c6e64ea8ad80960f1ece4e34f82aeb6cc941057e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
34045847819d94eca92a5831f8e1c8fc

SHA1
f0292b2efd334edbfc983c2ed0c0d2812961d369

SHA256
9bbd7f511a244ec6b84918edc60fab3e49d397c5f75f1b430705a8aa916cf236

SHA512
516fd5302cee8d1bd14bf631b9ab53d73f03681827d4537c5d8b464acf83c022738d48cb267f902a5563a0c02a774c26fcb7c816496ac79313431148e13d29a6

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
21fb9a51243e11a16423b8070333bc30

SHA1
309104de5332fa04a76abf397848983f95ebd44d

SHA256
34d1b2a08b1b6448911f1be5d04653e5d158b26a7fedf5195369dafe4353e77e

SHA512
e278134377c72b2e9b78ac068842ea01027f3e7b5bf34b3fe40722c38cfccd001029e352ecfe38872ed57715915a6ce8b5ed8024b8d1d498f38b7fbda4f299d7

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
fe82066d662cd0a24d1541ba6d000ef1

SHA1
816915e07eb2e034e12297b63bd9b3b4b25c2663

SHA256
8dffc7705a5f6a4f28905d7cb1c27f3d1c1b23646961f9d64f9100017a9ac003

SHA512
7422e85407e875ef81930c930b21af94d24a05096e1a12ff727c2f5588ffa0fcf5080b7ffa132a8516c740318fe8ee67e684844d25d7cfc636850695b8f8742a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
ba099c3abb0646fa40f7adec64b8964f

SHA1
107d6456997746c07815b117ddfb40e186342ee8

SHA256
9563ea67ddd6e33d182878fd8692b725a050ef00f10f7bc87202473f3c3b7ea6

SHA512
19a54783cb1e8563d3b1e4de466258efe6e3c4c1beb5e885eb2fdc53f7d75448631bd8ddafed504de6e49bce522da627fec422237bacb425343a220261fb3731

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
3476f703318131f22dae70fd09ff1ed7

SHA1
9fa810608e6a08e49ff119ad01e4cc1aa810c820

SHA256
1e3282aee614b399eb5bd49a0f328ba21cba867ed50a0d05f751a467403cf7cc

SHA512
d66bba2209eadcb4d609a1d4cb5b1af2d09cdc396689134ebc8635dc6c47737e9de6de64f7222f81f6eb1c7a891b42d80bf3b5a3348b8f2a6e92bb4ac9b17992

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
83c849ccfb52f2d05754cde195924259

SHA1
76e8cb9d7002897961e060c122ac480dfac7da4a

SHA256
639fab59be499ef16b0be43669ff0eaed4e39b701fc7eee667a45c0d3b1a2d30

SHA512
2dd477f5b821aa576fb72eeb907ee6a08894741ebe0975b2defc7640d9db2e09bbe0197a56a40fe44289c21fd7d4f66e4754e69c4d032004f9687e5aaaaca147

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
33b904381960a52baedf46b8666b5578

SHA1
7f7812aea266b76d06e738ba7710a282eaf0b036

SHA256
58ec76502926b6737b87ed7f1c49f30c2f5fef2fb34010753ec2cced7d52b189

SHA512
841c7bfdce012c3f6e451098044a56472a9d57039472eec88909c8ac251d781fa540ac89b8a26d6de70040d5e81ff60d1c322db7bfbad167d4c5165829fffaf8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5d3e08bfc985b322099f6716c3d003ba

SHA1
4725f07f1cd52dcef4b8236c720c07a3b3f78522

SHA256
71ba96d241a1d9a3249355afeeaba444daa845c420fa971bdc1dd0377fee00fe

SHA512
ac78fd22cf8507235531631ba4e95a05f7e4b3ba07e1b124ff7393c90948d78855c8a040f4aec45666b1ec61a2766c0d4cebf05f321fd0777b95581c057ccbdc

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
a084b71bd410fe7b5a2ad506cb6cd2c6

SHA1
f5a60bf316c959c35e4af9bd3ee0752b775153b4

SHA256
0467b1828b79ac0534d0cc3e039f317d8852428ea9e42666e28a24a8a604867d

SHA512
9916718437e510484f53f77ca4e38078912ec02bd494cee62ea582773c4f9a376b057df32d61b8d5229f162e6eb80cdd57ebea61ef84b963e396770081b219a5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2290fa6cddaf55d72b14148357e3ef11

SHA1
d2fa228ec38293f755ecd911f4f109de6b88b259

SHA256
c0a62c01f4f011e08d9ebf7e562fb7b0043fdbd10da979e55c02b8eafe3b4220

SHA512
ce890de1aaae581b6816e21cd504e47b6d2fd6f0b0749af1de4395bf269e3824716d2ac95982bdebb23c3a78053e3af9b5756e63f44288a12639186bb1939eb5

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
41da653b73067920c588cf951b8fd64e

SHA1
5f4b331871014da3dbcf51cd7c726f3bbc1855fe

SHA256
cfc8f7ba05044f80f15f5176804815d1822ac26aa79a2a4cac789a6431505d2b

SHA512
0f862e4010d02c11fdd7cbb7af0181604cd993950dc5c3a6777f9fdb7c15f1229366f1893125bfa9083856e592db2f5a0d467cb8fc84302f55b528d6d6d6eb03

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
9557d4f639ef6e6ea39f9117c74431df

SHA1
f6eed5444472131cc1cc27bf2d1400c763daafc8

SHA256
8baced67023773c491dc420e49178cec8b8946abe288ee4149199ce414fbeb12

SHA512
154f2c277f2d7a377e4c2be86eed305ff829ddeaac6847f0187de83625b48d17c1838acd808ea283db072efcc55143b1e54283bfadf9d274e7b3dad83df7eb7a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
f8a488fdb9e38aba0c34d8cd1e776181

SHA1
b13756671fefcd1b50b3a5a208aa52f6a35a1635

SHA256
de0b29a3afb9163c0987bad6400cb994c18c43405db3544a8bb27de91cd52cc0

SHA512
82a7133f0ea546a7ed274281739035bcdce537b4f0702fa5a5c3d7c8ee2b1081a8662c15120bc179c57fa9a63ea7cba22deb9eaeebab2b64438d47b262f76873

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5275f802cdbab75235e49f66fdb83438

SHA1
4bfbbbab7812123ce80ab6f71a9c306af20d1856

SHA256
7f207dc3c7f599fcfdab598dcd5018fbd75e322477029beb2d77d4bdbd761cbd

SHA512
5365aa052eadb602db0acb461df950c53e65e7c7e5b852331b42620fd31e580c88db06122e74d7f0f515f796f739824d88babbee3af03977c79309d8c27c0df9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
ef6394507ab55f704407f28a508bcb40

SHA1
d0282fddd268bdd4d1ea89cfbab5c63f29131eef

SHA256
0745d4fc9a466be7f2be56ea803c39bbced201e35d3fe75b864491ed0efeb2c1

SHA512
3a561aed33440d8b83dfacf8cb9532b7de3a3c1856eb664b19b1f26ce70a9fbaf5c948d3411c9591867a65a4824cf19598a15b64811d670192e8663ed65e095d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6024f721fe92b45f884f3c5cab305dff

SHA1
340143f6767308cd0a9d40772cda14182251d7a3

SHA256
df99f885f8057350e9b4d2e717967f96f35096f6b8642db37b94e8a1da8cd2e8

SHA512
2f9fecbced598307be7bd9edf88b7f4f6ca8c9c65822673082de15897478626aa503565af61839b90df1cb2557b2e870ed53408066261eb533b35cdfddc96bf2

Download Submit
memory/624-319-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/624-377-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/624-311-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/772-375-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/772-365-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/772-434-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1492-228-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1492-17-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1492-16-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1492-23-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1500-270-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1500-273-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1500-262-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1500-254-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1500-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1664-51-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1664-64-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1664-60-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1664-57-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1664-50-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1792-352-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1792-420-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1792-357-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1792-430-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1836-242-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1836-244-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1836-249-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1836-309-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1972-283-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1972-295-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/1972-349-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2180-387-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2180-379-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2180-447-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2348-8-0x0000000002130000-0x0000000002190000-memory.dmp

Filesize
384KB

Download
memory/2348-0-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1.0MB

Download
memory/2348-1-0x0000000002130000-0x0000000002190000-memory.dmp

Filesize
384KB

Download
memory/2348-12-0x0000000002130000-0x0000000002190000-memory.dmp

Filesize
384KB

Download
memory/2348-14-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1.0MB

Download
memory/2376-444-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/2376-435-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2436-346-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2436-406-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2436-336-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2600-421-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2600-432-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/2848-28-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/2848-233-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2848-29-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2848-35-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/2928-237-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2928-65-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2928-66-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/2928-72-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/3068-461-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3068-469-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3456-322-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3456-331-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3456-390-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3568-304-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/3568-298-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3568-373-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/3568-363-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3688-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3688-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3688-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3688-234-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3860-335-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3860-277-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/3860-343-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/3860-269-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4864-457-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4864-448-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5032-416-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/5032-408-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5032-549-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5044-393-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5044-407-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/5044-405-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5044-400-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download