c15527b09f1c21112dc4d801bc17c2a568929ea530bd2a9159dcc007a8d84bd5

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 10:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_0f20b6bdf8560424a66b4a23fdfc7f65_ryuk.exe
Size

1.7MB
MD5

0f20b6bdf8560424a66b4a23fdfc7f65
SHA1

802294fef1f6ca341a4ab9ce7ebb85fbe3a87294
SHA256

c15527b09f1c21112dc4d801bc17c2a568929ea530bd2a9159dcc007a8d84bd5
SHA512

9d9e17b1284f0aaa195a19dd763cc309eb7c57f650495335dd86da3aa8475fe7095fd2dd6db4025c32bd98aa4a6b4ca236724fa5ec4bfb38a718c9dc4a914ba1
SSDEEP

24576:6gtHU0FjpVPt7AeUVIGGUZhRxHh2W4GKSkQ/7Gb8NLEbeZ:6gtHUujpj7AewZdZhRdhEokQ/qoLEw

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1744	alg.exe
5000	elevation_service.exe
3920	elevation_service.exe
3204	maintenanceservice.exe
4156	OSE.EXE
3712	DiagnosticsHub.StandardCollector.Service.exe
4592	fxssvc.exe
3996	msdtc.exe
1368	PerceptionSimulationService.exe
4756	perfhost.exe
3188	locator.exe
4048	SensorDataService.exe
3676	snmptrap.exe
4768	spectrum.exe
2368	ssh-agent.exe
4616	TieringEngineService.exe
4928	AgentService.exe
4020	vds.exe
1104	vssvc.exe
4832	wbengine.exe
4216	WmiApSrv.exe
4540	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-22_0f20b6bdf8560424a66b4a23fdfc7f65_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2229b8b67d34635.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_74000\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a4e21c5a394da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cbfb6fc5a394da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c3891cc5a394da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b13fb1c4a394da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000076c9bac4a394da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c7609c5a394da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001154a5c4a394da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
5000	elevation_service.exe
5000	elevation_service.exe
5000	elevation_service.exe
5000	elevation_service.exe
5000	elevation_service.exe
5000	elevation_service.exe
5000	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4652	2024-04-22_0f20b6bdf8560424a66b4a23fdfc7f65_ryuk.exe
Token: SeDebugPrivilege	1744	alg.exe
Token: SeDebugPrivilege	1744	alg.exe
Token: SeDebugPrivilege	1744	alg.exe
Token: SeTakeOwnershipPrivilege	5000	elevation_service.exe
Token: SeAuditPrivilege	4592	fxssvc.exe
Token: SeRestorePrivilege	4616	TieringEngineService.exe
Token: SeManageVolumePrivilege	4616	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4928	AgentService.exe
Token: SeBackupPrivilege	1104	vssvc.exe
Token: SeRestorePrivilege	1104	vssvc.exe
Token: SeAuditPrivilege	1104	vssvc.exe
Token: SeBackupPrivilege	4832	wbengine.exe
Token: SeRestorePrivilege	4832	wbengine.exe
Token: SeSecurityPrivilege	4832	wbengine.exe
Token: 33	4540	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeDebugPrivilege	5000	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 3100	4540	SearchIndexer.exe	132
PID 4540 wrote to memory of 3100	4540	SearchIndexer.exe	132
PID 4540 wrote to memory of 4928	4540	SearchIndexer.exe	133
PID 4540 wrote to memory of 4928	4540	SearchIndexer.exe	133

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-22_0f20b6bdf8560424a66b4a23fdfc7f65_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_0f20b6bdf8560424a66b4a23fdfc7f65_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3920

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3204

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4156

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5064

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3996

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1368

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4756

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3188

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4048

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3676

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4768

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3080

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4020

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4216

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3100
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
36db3f7b2ee19d348e87e0955f758b71

SHA1
7bb86c5f673db250776d78b6f230a853316f6610

SHA256
6825df19ccb4e9218ad7f774321d6ec59acdc2bf0cd1cd744344a367681ed10a

SHA512
fcef169fe31a2eeb2133e2fffbf13814263ce7b82228df15b52da47c0c2df5064eecd328725a1483a74497d525d9842a0494b22eccc0becc1b23dbea52276aa1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
bf31e671c0d58fb7417cc8a27640dcfa

SHA1
6679302599ab721f401698ec06a9577e3b8f6968

SHA256
26c5c5d7cff6a540c3a4db0f9d20d3ab5bb89cfa3f40e9aa4e8f1831b2a1ad0c

SHA512
3de817af1521ef3947d7aab10634a31c4f5e793ebdd3bef431a4c09a42104bdd13e337902941372e10ea6c3d54474f6e3aafeca74e6e2b190afa1aabf97ae023

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
ff8e7ce51636cf53f1c450a3766929a8

SHA1
38b30418dfa8fdc1e28bc39a2b1f0b969e30d896

SHA256
2035caee95dd54fa2d66a0d0987be92c5447d8dd56db14481a84b0410eed48c5

SHA512
92151b41fc06c276f74acfdf951785bfe4b6c5ebe742b779317f9de3c6f3e62f209545777d13632e273a10fae88f4c8158f84d49018872b59a7704743686b269

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
63ba75803fba465cda97bd25ae9bbbeb

SHA1
cb11bc736e35c1a65fff342041289f778c96e89b

SHA256
ff300a160bac12d7e09e6cf51d5e27826c79edaa4727f7556821c8459e0e1214

SHA512
6775b23d0a36d53e94daf1aacb0830049552fa2484e044343356091883da978b7395bb9efa714b51f1dc9f678d633e4c24267ef0e20848aa3a03419da102a76a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
05b4c384173d9fd8778a1b6e7f1e587a

SHA1
c9831fcb4d8f66822989877be58223a7a0b2e164

SHA256
dd8746016bb0ff9911a41b7f8456286adf0855e13c2d5d2dc0f5138e096083ec

SHA512
96fdbad9bdeb3c66dee7da477b44ee124b7a5b17d603de773268884c771b2dd398980e09036e8a2ab0092fa18861bffd499d02975b0614b1c30a2049d3a2672d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
907a23e3169bf2abdba3214f1415c82b

SHA1
9406d948efd586f57723bf15dce6a2eb0509ab75

SHA256
bcff216596c64efe86beee96e9c7ffc14c076e665301771161586b7de152869b

SHA512
b9dfffdcb35cbded94f22be31cc3fc69be4f412b122188545ef9dcfc607ae1d09876ed16093f0e364be3a9ea98eb4e1906c2567928c5e0e6f8ffcc55af1e5f45

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
2fc7a9592faccfd30f7696bf7eb2387f

SHA1
e94836524240e1f13fbe881a3138bd35bb06bda0

SHA256
876632622a5be278f2ec4ec697cb5fc121af65cdd7c9d260f456869cc4d0f6ca

SHA512
6580b63b984590a232a5349f5f0de768c278f2f678dc4bbd997010505339fb750a21d3b2df2da888556f37caa428f16630afed1c1a2634e0954f3af69773b8e9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a6a25b011d4f71076f819d581167d081

SHA1
06ca61d219c298602ea4461cdda5787f0074c5eb

SHA256
86e478ef707bde93618b4bcc4860aef7c9324357f70b33c227e69711b43bfcbb

SHA512
1a29c8b7e233767c9c90ea4b5a037f014d227e81077faa9333885d26d96b40ea129d34aec8b10259d52b91c2bfabe887e3bed250bdebb63cb1f958cc954b0da0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
051c123308e082a74fa6aeee9d32a8ff

SHA1
fbab9ad59cc09a33b9dccf6574f26153690d0ba2

SHA256
701e3878929626693da365a871485ae6566b4fc52b86d8eefba3703fef36048d

SHA512
d5fa8ad5b6ddd6d2eee6b85d0ff902b0ee72b8661f568f10aca0111a9cf69e3d9f6d236e488df154191a03b7ca479f2dfa194c3ab15a2dc5e20eed0ff235795f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
42e00f961e1ee303e2c97b9f8bc5e94e

SHA1
36a39828def653a35d7eb7ec0db52c00210cc861

SHA256
0f54ed26abf3ef659a6b3d8e091a819252d5fae55959553a6f9b0dd999ff7316

SHA512
317bbdc846b6930e5b4b18c56dcc8228dc76c12dc1d0b126fde443256deb76799f44ae6abc82cb8509f4e477fa5f4dd516ed51719372b063c920680d20a7c7b0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
22b44ec3bccec392fcce391fe9fed9f2

SHA1
e762ba80e5517911f14177986780c111c93d1aa4

SHA256
49888944f857292d8acb92ab0b1adb24f1491299ce9861a93810711cc645a68c

SHA512
059881db923c94d8331313bbc96e2bb3bf65d0dc5b65a1481474ba83c597943797db3766b4ee1843d2994a59918f780b393df308454e3e6176e3e246b249bf9e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e1085d2034f644f94df55df10bae152c

SHA1
97648dd4dac480d992f4c8d2e87408dec22e6cd3

SHA256
fafa5f3e4f4c491d82ebf4b5a31d04558ff9bd27742ff4aa0538de3d8598914a

SHA512
0d02b9b30aaec140548fb1e3a81b7361b9c9da48a46cd3f018351c530cf23d3a498ff1fd47b29ec6311a4bf3f2a964a998e8f4567fc54337f81d2f395e12ea78

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
bc18afb2832370fa162982d08686dd7f

SHA1
f92d5a0da72b8bf942be4c63db5ce88ce932c262

SHA256
fdebcd2457dd35c15cb10688aa731e704bae3e9da59fa395f9fd458d6ce6cc31

SHA512
9f13057a246a67a3c0bedf64e1a841aadfb41a38623d0ea2948d334f402fd65742044c513dd2e76ad63645312d96273c56405a56479d117512d4877841b935ce

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
b0ad601d9c26ee831e2d1930e2a040a1

SHA1
e46cfad20f8115c3a09ab82657e635df6eb15e83

SHA256
96fcfa29da862f999e21a497580a95ce921f5bf2f05125430676c55a16b7e33b

SHA512
932132b51fc5ca3d1e82892fcb5d478b2202704b293846287531bd30e4411478fd8becf72fe6901d2ea18e3aa03479a3c7297d1665ddc8b69009862e76c14551

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
453bfa84eb939bda9c87e32280065342

SHA1
e0f47df3be2a884a28afb8cdaa7daba83cbd9c8f

SHA256
684fd2fd6e8d99d0d047bb7419ec91e3ed6ddc56515dbf753a31f9a0a6046489

SHA512
db2fffdc204330a4c45d249cf94d2329b8010e48378a99b00a90d7fb9a04efbf0e94ae11714e367937b4b8733a026334215a558c53792175e7c36c9a727f0d3f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
6de97894814989a22b669e2a3b4d4e34

SHA1
d69acf10b712961727f8b98f29022b2afe9cbb83

SHA256
2b5e6f680bf240a6087cae96331ee6511525a3aa5063dd55a637b069abbd19f6

SHA512
a6431c9d06a851a4591666800b843be659e84eae2039d6ec100582fcec1823a70111431b0a8700e5db550b0e1d656d31f53ef5a5cf496a65a7ee150610d18069

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
393cecd1c868bb9490d52c236f87d5c9

SHA1
436fe0eb70353dd26451bf1025d6cd53acd6e1de

SHA256
63b5603298e80929ab27e8df55c030a16263d4c836899735b5f2eb4ca98baca2

SHA512
de621b5ad9253d96b9c78783b895af9e0210f007b15318fc0dd58481be14cc0abe64d49587898cfb3a7d2838466beec33326c44d1cbc616d572f77529e30fc0f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
55d4023b531438c0d6b407650bbba516

SHA1
933f94b0b6c9817c79935aad205a26e44641c77e

SHA256
d8ad612d8d8d377f0c66121b383d211db54ff15888570ed38a8c8eae18dd8512

SHA512
fc558d77ad3ca849be7cf0300b68f3abb7a5491aa292375f875fc8bb1d08e33a4f37811c7eaaff2c4d29f6d7eba5e5cb1e62d185cd8a5f985533fb3056b86a35

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
d96c9e34c56cee38dd87fa7773c5b647

SHA1
cf8223e64f80dec2d3c8434dfac0497e39510a4a

SHA256
7494377dbfdba7d51e235b85a6708b76664c57db820225d163949a9785844ff7

SHA512
196eb7cabd0dcfaa1759da92b6aea275432c3a71501db401673093164ed1f452d1280918d7f8d5bd50820c7eb2854c386f30feca06a703b4022d995fa45e9371

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
d6a96f786127ca0a9f3c11bd45d48934

SHA1
97b43ad544cdabd9b776d7226647ca1b23eb3b6c

SHA256
929ad5ac9efaaf5d87c643a17460894356a5d5ade7107b7f25f160313f179281

SHA512
5a8976302fcc91fbe5b779067a07af8340d5059071fcee5ac4ad30c8b8be75d7ed74759636fffe801ba2053326c17fefc920dc236ffa50e49cf841104123e975

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
1f680233bcbf126cbc254501a8a333a0

SHA1
04409b07cc64190e0372b301edf849006aef4a52

SHA256
f143b4ba5048afba8cd82de4375fbd5de60c248b0a33ba1fb3e2a973c49cbb25

SHA512
d32b8bcba4bd7e4a90e4afd277b4df20a4f0818a2d5f03a29eacc579b192b22c7f9901a680e94c2293489aaeadbf940c822140819e050f437b13f6225967447b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
0077a131679758f7ef6aafdb97a1bef4

SHA1
d983071cfaa24132443b46e3a29b87b9cef34e61

SHA256
2beb4880c595dbe3de9b5d4e042ac9400796ffb8cf0c512a6912bec01a03a563

SHA512
8ab691e4d83bf3e669a87e48a11fd41090b1d669dcc52475adc20bf0a20676a3a9669f571d82fc553360b10fe992d19aa221c0296262616f2822a3774a357a14

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
44242fd96125d81744991630bacca67c

SHA1
adc16d3a71eced916812d77677684758856cff86

SHA256
e489cd761f6574b1946a8e3f8ec5c74136498e306df00adebf05a8d06c3f77b1

SHA512
ad53bd27dcdd22cddf10c3d23333d64444a2a1e146dffde54eb322acb309f51477f2a9d38d1b0f20bebb1eebc5f44b491859768154c43fcbb3ec073b7bfd2e61

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
f4aa775dcfabec09caf11322a19f4aae

SHA1
12687c173162cf4adeb7b73c395014b4755b50a0

SHA256
51bc6292f246780c235397bd36d876c9a5cb46def3143a4834e96d9b0cf30c98

SHA512
d65f5fb0907870e229e95d0f4843f22727f10330a26b9519fe42e1b2bfcc5791cd74c631ab142ff8b033d00c100df5b7592a3be9e6952f63999ea3d209c03a8e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
b620d816ff9cd4795eb11f60124f7e72

SHA1
6b7ce2a26bbf77b6971b9bc6b4dbbc0abf1d2335

SHA256
dbb1b59c0b965a31bbefc5cee17db6ee84f9f9223a65beb9bdab38fbd7fae311

SHA512
a2651b27f5e7f2366d379d75d64e3b4058d26927834d90983dd74eaa83b521bcd54d9692a862370a1088ab710051d47e42a4e72f7e018a39a2a863081b535aba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
9da3ad88129d9e22665532cce7fc93d2

SHA1
91e84a92088e321352c093458d22534b5effe251

SHA256
74f03a37d185a32febbe288ecd116d62c2c8f84e9bc0400443d3bf388291b822

SHA512
7b26d89c9ccf44eed0a82fca28cf434a16cbc88e7d19254c4924be4f42bb32ef4d70b338c00e86717c181eb0c575defc104f989b7a9426d077d726f42cff7322

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
b15b66ad3582752d46eb0496ad22ec3d

SHA1
1e1896637583c8b9670e332a6e9c461358b42629

SHA256
f09d6122687f7e6f6641e91c74db8fd2237934284dffa27305ec5a14ba90ff40

SHA512
382c42a3b2a4d69ea6d3b7cf335f2b8d1fa422a5b08d65573f7c930186bec96d9e891cbe28407723511a8a66eba017928fd7f8333280dd6bc4d33dc293dc9e9c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
38493409eb9a2092780f0c5afd6784a4

SHA1
1466fca436dcc38b52bc6590009612832439db62

SHA256
7f9ce208dd3a673087d399bd9e1a2e33da97566f61a1fef00aa70ea4aa722e03

SHA512
9e587167bb2d88a0d7d9b9596e613a589742ad159a0c8e346e6aa3dbc8ace7584bf2c3101dda4866a6e3223a51c99673273773d155ce911d372ed8045014c09d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
6ba8ae8969e3774b688b817339ad98b9

SHA1
8aec3034b7c0f7b9c922b6585da340cf76c8d86f

SHA256
475ce9a07072b46a919913dab96937608a03400664222875fe233722bd521d1d

SHA512
be40c07c740ddaef68e5e26e9decf40766bc8dd02a31b34e152211cceef3fcefe14660e052a1515b30f9c3cd353bbbf3e51b1d0552665d137657b928a8809c0d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
145edd4a37745682eb50dfc63454ab42

SHA1
fa56e4cae27517ec53a5e4fede7cec31962e6f19

SHA256
ce5a6c379dbc82b10a82f732414a4348dec208df5394e98ef827be3c399bba3c

SHA512
67b423cc029bd47c081f3d6ded8d971907d819574ffa7081d9ba0dacdca9be0c5dc6c85126bc7ac05533688d1391b0b5aa482c303f2079eed8cb0e1696879c46

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
adac6e3ef080b598b537eabe3f00f1b5

SHA1
153abf8d89d8dd2b31bbe7e4c8b874dec81a69aa

SHA256
d508f15a7be995039dfde7c8fe4d5211097255849c695399373c4c3701e639c7

SHA512
9da71755d4639693e3760a71b3cfc786e2eebc78ae01f28ec55b865cbbe229931d718ec8a909d4059c7b812ebd145fcee7847af3b2225401f63642dbdbe9a1f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
519d4a5542a9bea4f006377918eb7c7e

SHA1
b3b6c3dc5bc19ffe250d905269760d40d144be62

SHA256
187c56afc5eaccdb80feeb56c0f71d7fcf74d2397e4ad5b4bce46e7b461d85cc

SHA512
b91078bdf920ba77a275e12dc0526befd94d93482b31d93558c70a648d5381dcf2aad1f6c006bd1b2485edd5e36e0973a7238922e5f5ba75097dc3457f0cc448

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
9ff2ba926ab04f3fb218793a660fd758

SHA1
1628f473de651eabffbb1275089c3c3127dfc009

SHA256
b20ce065893ea784278afd21edeabea2bab251672baaabf8c4b8b188b460e537

SHA512
3ab69edfd2a84b8e3ee67f16f7b9b8f547873f7bea37960148a8b4bb44bf22be7d120ef09afa8672766aa2c017e680c53fca2efdf3f77a3c57aa3688b71581f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
5d83760edcf6d2fa7e2270c9d1875a0e

SHA1
0b829fe2de93defabddc10bb8089d9d64b39db6b

SHA256
0e389bcb237deeebf83e078ee2016f5c789675f20684b42e61cedaa9f938207d

SHA512
7406e55cf1796cf30305cf3ae4e41a71ab3a0c0de8c3c82e8cf05e0c3f3aa49afd94526ef39a6fc8cfdc514e820be459711c2c51f574ab08998542c4bcbfde02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
542f378a9d74e50ed9141aa15bcd83b5

SHA1
fa84b3672154ca576f4d51b75818ab37efeb57cb

SHA256
82ed82ce1e83bdf65c9fba14ea19a3e8ea906d177284285041ddf53e1da9ca1b

SHA512
62fb69e6463b05410c80a49596ac4b7a6f14945ce9a42ddd3c6a7a3a417c5cb79d249cdbbc0b0585f0a31139f123725e3a540286038be261bfa956fbe2271703

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
3c2a75fd0da34a07a893a25ea4ce1e66

SHA1
f873dfc4b8e92ef4ac6430255dab5de2a6be2f66

SHA256
457334fe4e25c29a38665d3d08dbdd23e554479aeb1d62aba0b69be258a0c037

SHA512
0592a48d8f44bc4948690ec165f0682ebf3c542c11edabd9fd6fd34fffe71545a481536281e8506ea507fbbff61b22d8caf056b8c0cdb47b9f9f0dfdc139a6fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
048f057ace17fed8cb4c02192b11f36c

SHA1
b5af67c57d49606778f44497a200d456797812ab

SHA256
1790a150c2fded02c262cff3f90db848dc4bade3db014990e20b2c538893150e

SHA512
ec31f78ecb7e94a12c5019f209b9899d4ba55ba8124e20ac475624ec39de79bd4eff3c66079d44ed472e7d08d9b8fc3dbfcdd6f30f46d5ef5789a27341485024

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
70065fbd52569d98fc401dc27e4279a9

SHA1
361803f57fdaf4399847b5d7c97e6c95f66d31f1

SHA256
90ebc2566ea83aff9124f722a909689ce5855f1a3121f01b54d35d733c220f45

SHA512
84f019ad93674bd62321533ae7a63d8024361be91d3bcbefc7a84872def323219c2faa66db87f3eeceb21b3f2d9ffb64c12d33b76940d9eaf3874f6701bd577e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
0f2ba4113db87300160f8b0d910d882f

SHA1
18b10318afe1b196df708ce0b1b8ff0fc1a272eb

SHA256
3c734fde63fbde8bacb88971dc8f426f73bc8b14daf179832a1976be4ab9828d

SHA512
f49649ad61d1a353310c51b7695ecce4051beeadd8ff71cc17088761c2e9c7f0944e2c2df7287b37e73c3fe4a2eba60b9361d5491240b95076ec71b9fb912718

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
8088a5875d8dae118393c9b30198224c

SHA1
7c0de04b2ef91e3fdbe7fed08241d39d8dc7057e

SHA256
a5a43468a81039fe554d861d2999111f6fecfc48fac9c7aac7baa1e378839499

SHA512
ffcb1773203a82ea420ba7425f7f611d270f5e9a2d61ab7b6656c0df831c86a23371a0dbb43c54d6b3c2df59deadb891c9d313f3ccff984db889bd1390bdff66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
1407ab96808a088a4d7194048a0e1806

SHA1
ddedc43354f0f104fa7d786a5a0221f586c08f8b

SHA256
4a9f52536b462da474cc1dae78b6a0de6bdf6f7229045c296cee132666d0dd95

SHA512
fcb713fcc4952cc2a804eb749d411389615099d3485ca3afc1fcba37c6f6022676f53fbced6f1884ceebc8de93998854bdc0c478c4918ee9e81e8a1f7f96877f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
7a1d84e0ae0538549f433246bd9c51ec

SHA1
67f82b09272baaf612e7fd07c3eecfcbdba0b3f5

SHA256
81e416973b2459bff10cffc566fc763cbd861daa4280a224e2213040ae0beaad

SHA512
39d77a82a55f0d3882d95914111d1994a5c11a98e600e301648ed4099c1cf1a78b50f5585bbe43e33e83dc2fb79dc9c430a4e6678eeb1de9a59eef329073cced

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
fd144f58baae3701ecfc97ad48871628

SHA1
80bea46f73affe68fbeb41eb6903ee356e6f298d

SHA256
bb1e57d12a7b1c1f3e653030a857be91ae18478df1c49bbb3103f9ee04fb0041

SHA512
657a57840776cb4cf9631154a7a98957e2059c3f29bc618471f3622c324e3fefe1d74735490e7c17ea9a6f40c4bef0517a5ed5ff63fa7ca5eb5988ad40c6bcf7

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
8da67a371916904624c2f2f60a71aa89

SHA1
b071b8db9e690e28caf53e5dba6f531d04b91f46

SHA256
fcdba490f12656b841356722b80043aeb4316f0c7323797f53c9fbd2f78fecbf

SHA512
9ff415858e66f39692007f474c2e296b5d23a380f72fbff7b5d6cb812de3844900f7ef46a05c2958d49952d44cecf1b9ae971d1f92677cb523f0d5fbd21169fe

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
804a66725a39c3efd98e617d82504f37

SHA1
b19e817ae205f083e5483c86f3bd04199e457e05

SHA256
aaed5f5ce89a05b0917ac74eb14a1a29bb00525469cdb4fd0cf723228d135a84

SHA512
ffa4321a076071bf8f7b1d91273f91c99e5d4877aeab9e2392bb4f01a9d5dfc4d5a7eaabcbddc4d52c8514cf026bc16cd5d38816fd7ce23b385ac0ccafe522bd

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a3c807bb30f84e4b86c0a8e1e2e4c947

SHA1
5d86e870c948e751c426a7d1aac95509ff583676

SHA256
18e1bceedb8c9da748c2d86ac01f908142729adf5fe9bccbdbf90e394c1af8f7

SHA512
33c50887cdb6e73d04bdc91b468e66c6e4dea7e6b3167a82979b36a11c68d6c8e311e9f9826c267dbefeb1f124772d4e860185f7c4af5b9b9120cd193c7e0bb0

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
765381a6f54f23ab727dddf3dabbd038

SHA1
e3fb9071f1daa4d8df379ad11021f7c5c4507128

SHA256
08a35987184071ede94ec110af72033f702eb21a6c53d35cb93baaa4505fdede

SHA512
a60bf9a07723265ee7d8097b7806849e2b891d38c5eac068922128ad38c4a41c04c0dce4731e7be9d830c5cb8494e06c8265caf16f1d2576bd6f3d994e7028bc

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4120c4d67d35b6115fcb00be81a4ee51

SHA1
40a1c87bd94c0e5a873d46518b3afa735f6e1f18

SHA256
c08dab6b4392135d10a2b032c4ea632433836d99610ef6de31af1efb8ccef729

SHA512
8b1665ef31dbd6e88c3991a025d3a5a548a00cfca04650c0d1c6e2bc2ce73ac7aee81aea6913301adcf925e082e4ac23e9c879482aa7bd598726974c48e446e4

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
5e31c425cf94ba5df33c3dd1eef57b4a

SHA1
2977ca1b260b314f636e385ae769cc4db99f0dac

SHA256
05b5fc1307c49f612fed774b5bafbdd439b9ea81abb871ac9bae9fb7cbe2cf2d

SHA512
c906a354cc978784b8f9b387188cf663948031713e25ef014a248bc56aff2dd3f729f69ea2bfbf38281a1223e3a2b825d3d6cf30f545e3c6f863c65c17115826

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
a238d10429d07bcfe6a8bc70cb9ac3b9

SHA1
9276667faf49084a0164eef53b2939c03b0c3e57

SHA256
a8e1c86b781e59f5cdb0bd2e185f496effa09f626b21c60c10fd012ce0d8862f

SHA512
3f62619b7f65c5ce0b29a5eba6c3b060c06667975f98db9dec7cd847886f64a35f327206a54d65c4da74ab9050ae861746e3b2ee8eb99f755a6739f778535497

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
63e038242f8f0b269898bc80aec8926e

SHA1
8c4af9e64f303753da2cdff35121b0c359a705d8

SHA256
e8e3c8b99840db885f4994d2e0b4d588d0ecaf3f6ab378c19515d9a431d034de

SHA512
a4599be15edc64424148a8436ec4137702f5c255eb44742d11808863187ce6b0b19bead168dcb8cec1548629f4daad35834d91394cdeef6107e762b08020b169

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b709695e5d95711b2708c23b9bea9977

SHA1
dfa1047004d41d8c8a7c10e40c845d98c94df31b

SHA256
45aa7df39ffe42b6ed33ea08ae98473e9bbd24c11e5f5301f6dec4eaee496d78

SHA512
6bfc269fd6ab4ef685c3bc7b15ffd612695d2e07a0e0749916df25708c5ae95daeea7b43e88b309f6d6e710d5fa09de8a2764109b1e5650157d00e5080fb2b35

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
11095655f11a35b3161ac236367c0dbf

SHA1
94bc1e47d09f7dc1d5148db6968a3352fdba00d4

SHA256
07942fbc1db8750294a05d2550a9b938def4d476c54ac37fc3b2119ce092c05c

SHA512
9d9f5433da75fecddae98cc9436f5a92c751e391f5a6962370f87654caf0081eb9f0934ebe4f89cdfd5834a7e89f27fe2371650247e9f76e6c2dad293672bafb

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a49b2dbaceee6652974276260fbe8687

SHA1
983bd3ae98702346cd6fe83f880a98629e9c0a4f

SHA256
25a2da5d6357fbfacaa2b5515d4c5013f5388304d890b48c51aa3b7a38daa391

SHA512
118b938d0663e84324d5363b2c971482ccfc1042c8990a81a769d0fd2327f46df5cfbc65bf10924fe6a6bbe90f5249b10a5991bc1c94f3c5a18e2784291d2554

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
85d656db0f263b5a3849858c8f195aec

SHA1
e84f039c5164f3ea0f75fe1242f01732ba7efd85

SHA256
42d9787de9316935ed0c0b052a02e4aa74ef8f12897d6f8201312c06f69bb631

SHA512
2b193aef7a8045157214db517518452b0c4616bcf71e768c75e68db287e40dc47740b5687fafe490bc11c690bf5c54a84a1e97a007c463bb575467cee4dc0ff2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ea9ab2b422214ab45ae7ed9e524d7504

SHA1
505c86b92d80d459bbcc3e117d1a391305efff92

SHA256
ffccada3f0bfe7e22d35cedd4cd0c106bfad09cd79978be611e104cb328a6ba0

SHA512
77e07a4f05554958567df8e4499a8a65315367f4b9adbaa34ec976bd5db943df02cb76e42854001110339ec7d3626143086c78a490fe796cdf79de956b5a0331

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
09ea108a6c0f4000807acca155b0030c

SHA1
8dd68660eebab2c9b679e116f95afadb1b8fdfbe

SHA256
0392d84f7ea89674e6a26ca257a6d5672a922dc8c148efe396f805c69325bb17

SHA512
9b155c4e6b301d4015053790cf4e2c11dd299e02033aa2a090610f07a9c40c6fcb2bfc8e21becec5314f1b29dcd52d555852f7dc6c83feff716578029a5f0953

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
02dff3203549b108d3a47af4d8fcd28b

SHA1
0f4757d829e35d09a9751f9e69850cdafe6dfc1e

SHA256
b7573c3564336d436735ead25fc2a652db90c59804962accc489de6ded798b52

SHA512
79ae073dac37b6c91ffbdfc404316b5a0262d012b6cad165329d1ccb7f082255416ccdfe639c26247eac2f14ed279a9d186e2b62a4a824a849f8a61dba4f75a6

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
76b89906d3d423a3feb9a4a719bcf3b3

SHA1
74b16d3ceb05177a9f4db95ea52f8463ac373bb7

SHA256
59ca643819542cd9e78fbe9751a4a4307b45cc64fb6087a8e0158efd1305ff24

SHA512
e5574fc9f99c1be107203d8b77a65c2753a7b15b0e81d7cd687da474dc8b8c8f862be1b91798dba217101ccb034d405ee539ed2ea2330428dbc56470242e65d1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1e12b2e8d4e8c4f1e57a2d529f2854f1

SHA1
3c8b86e305740c127c49ef1bec8a51d2db639004

SHA256
f0d44ab139b099f9aafdde0c7ff613240f42dd1f17fe5831b0ca374d10f36f0e

SHA512
82ede0006aeb29779e294a4038f2857d65f24d4086e4ded436cc74b12ee204706cd68721a7ff98cc57861cc4fae60f7fe5b7c42eb1b46c51a8fcbb96201d66a8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
bf240a456691dc02c5cb462f0b003b58

SHA1
ba5add23222a4062c382a86ec3fa06f60003d631

SHA256
125dc52ccdac8191d84c87b9f27b3ce3f3255969c12b20d696a084aa0fab44ba

SHA512
7bd8799be2a49fad928e4a54230a695ab270f03cbf4a05412bfcec7330ba352ffd64628b5b0e834e0e8cdda2be5be03632714307fd2a85ab8484e9b2f97a6bd7

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
de040b4e3bc4aa0c327ff65ed2556b4b

SHA1
68901ceff999d9afc3490bedc0ee456208ec812a

SHA256
77e9042d2915e38306444d7f6c5bcf38a24824447826effa9548ecc9fc47a2ef

SHA512
0069518f77a232ab2d05728bf280d74effe3f1da90f300053477a3b0f069667c8d33bd2d4d3287de67fc0b2bb80259cd8a8cb7d699060d0d0f9d1459ce0c0a87

Download Submit
memory/1104-429-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1104-422-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1368-359-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1368-350-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1368-292-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1368-284-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1744-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1744-21-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1744-12-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1744-230-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2368-375-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2368-367-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2368-434-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3188-312-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3188-378-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3188-320-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3204-62-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/3204-64-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3204-50-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3204-58-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/3204-51-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/3676-339-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3676-408-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3676-347-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3712-311-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3712-250-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3712-244-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3712-243-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3920-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3920-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3920-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3920-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3920-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3996-278-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/3996-267-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3996-344-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/3996-337-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4020-418-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/4020-409-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4048-391-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4048-331-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4048-323-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4156-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4156-238-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4156-67-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4156-73-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4216-457-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4216-448-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4540-461-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4540-470-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4592-272-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4592-274-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4592-264-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4592-255-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4592-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4616-388-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4616-447-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4616-381-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4652-0-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4652-1-0x0000000140000000-0x00000001401B9000-memory.dmp

Filesize
1.7MB

Download
memory/4652-7-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4652-11-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4652-17-0x0000000140000000-0x00000001401B9000-memory.dmp

Filesize
1.7MB

Download
memory/4756-299-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4756-365-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4756-307-0x0000000000520000-0x0000000000586000-memory.dmp

Filesize
408KB

Download
memory/4768-360-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4768-421-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4768-352-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4832-436-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4832-443-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/4928-400-0x0000000000B90000-0x0000000000BF0000-memory.dmp

Filesize
384KB

Download
memory/4928-394-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4928-405-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4928-406-0x0000000000B90000-0x0000000000BF0000-memory.dmp

Filesize
384KB

Download
memory/5000-34-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/5000-27-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5000-26-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/5000-234-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download