6a61dedec0ce8dd649995ab9422faaaae3a4ae2a3e1c7592495573d66c86593d

Analysis

max time kernel
147s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 11:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_7925c2627317744f8c012afb49649084_ryuk.exe
Size

1.0MB
MD5

7925c2627317744f8c012afb49649084
SHA1

cfd68265c7153df4ac8173c1edafef82d8eec39a
SHA256

6a61dedec0ce8dd649995ab9422faaaae3a4ae2a3e1c7592495573d66c86593d
SHA512

09fe1d7aac7da761d07918a85fb4f3642310bb94514d46029a3d03ee9d6b35719b81c71b7802dbe4b8f7fd93e743be834ed6822a1565ccd390360f963687512b
SSDEEP

24576:W6V6VC/AyqGizWCaFbydSkQ/7Gb8NLEbeZ:W6cbGizWCaFbVkQ/qoLEw

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4356	alg.exe
4588	elevation_service.exe
2784	elevation_service.exe
4696	maintenanceservice.exe
3376	OSE.EXE
2748	DiagnosticsHub.StandardCollector.Service.exe
4700	fxssvc.exe
1640	msdtc.exe
2544	PerceptionSimulationService.exe
3612	perfhost.exe
4444	locator.exe
1112	SensorDataService.exe
4060	snmptrap.exe
3516	spectrum.exe
2800	ssh-agent.exe
4832	TieringEngineService.exe
3788	AgentService.exe
3128	vds.exe
2124	vssvc.exe
2960	wbengine.exe
1808	WmiApSrv.exe
3644	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4aeba755c43e60d1.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-22_7925c2627317744f8c012afb49649084_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_72093\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a36a5f3aac94da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e1847d3bac94da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ad0233aac94da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b248fb39ac94da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cd7e723aac94da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000424bbd39ac94da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c135073aac94da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a149dc39ac94da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000052077c3aac94da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4588	elevation_service.exe
4588	elevation_service.exe
4588	elevation_service.exe
4588	elevation_service.exe
4588	elevation_service.exe
4588	elevation_service.exe
4588	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	920	2024-04-22_7925c2627317744f8c012afb49649084_ryuk.exe
Token: SeDebugPrivilege	4356	alg.exe
Token: SeDebugPrivilege	4356	alg.exe
Token: SeDebugPrivilege	4356	alg.exe
Token: SeTakeOwnershipPrivilege	4588	elevation_service.exe
Token: SeAuditPrivilege	4700	fxssvc.exe
Token: SeRestorePrivilege	4832	TieringEngineService.exe
Token: SeManageVolumePrivilege	4832	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3788	AgentService.exe
Token: SeBackupPrivilege	2124	vssvc.exe
Token: SeRestorePrivilege	2124	vssvc.exe
Token: SeAuditPrivilege	2124	vssvc.exe
Token: SeBackupPrivilege	2960	wbengine.exe
Token: SeRestorePrivilege	2960	wbengine.exe
Token: SeSecurityPrivilege	2960	wbengine.exe
Token: 33	3644	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeDebugPrivilege	4588	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3644 wrote to memory of 4424	3644	SearchIndexer.exe	132
PID 3644 wrote to memory of 4424	3644	SearchIndexer.exe	132
PID 3644 wrote to memory of 4936	3644	SearchIndexer.exe	133
PID 3644 wrote to memory of 4936	3644	SearchIndexer.exe	133

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-22_7925c2627317744f8c012afb49649084_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_7925c2627317744f8c012afb49649084_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2784

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4696

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3376

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3348

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1640

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2544

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3612

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4444

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1112

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4060

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3516

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2952

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3788

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3128

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1808

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4424
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
25325adb62defc6faefaa9229a562a96

SHA1
00c8b3fac999efa7e2fc95709c80b4e2f0e80472

SHA256
d06538c222cf69943aa0d90d5fd303d6dc403dfe3012f8e7537f9fa15ea72c40

SHA512
707cd654c6e67dd3bff62d204d4d1eefc9f41ac48cd8851f280bde6e7ba4e9f8c34230536dfde5539b48ae9162a3a0c386f0a46496fd742212607fc55824ca2a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
b6e0d934153bc775cf571feb8aa50eca

SHA1
68e0ebb267880c3d348a59a52e07b6d24ddc7aac

SHA256
422eb6b487eeb56de8eac15ddb176d61c176b307b8654b60c44008e1b4ee3e4e

SHA512
0757c28fe285f008cd345ecee3e5653c16fadafd5e81294aa88da47e401ca9ff145897bc1bffe5675b2a5066c097710a89843c65b8b7e26aafb7b82b60e0af42

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
4c6035ca3d20813e61698c5a76d1677c

SHA1
efb4cc370f55de618260595c4245d98cc9cfb05b

SHA256
d1568dbe36796f59e42b34191bfdab7d1ef4dc78c54847d8fe91d3e0aa6c190c

SHA512
2d85ab3ed46cf9c6d5aa4c745674d285dcf67fc58f77b95c1948baeedc25bd3ea543a3ba7895b7144bd492c2904c82252344eedfd334c678647cd0ef550d5549

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
61c37dc847407c69ae281b66524f7a71

SHA1
e1eaf5b61c50430d89f8d7c54580e74f3de203c1

SHA256
0333714ab220111fa3a2f75e8643dc69d10d9fb71ce9928cfc20192940be9be2

SHA512
99e3a441bfd32c9eb6ad2a28926bb068f73ff876113daf9a426fb29b10617c00bf73ecd5ce0bd7150d4d58c832f9e2d729bf286bfb37e712f4eebd26756a6963

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
df83b97399fe1a6eda2e217078994da1

SHA1
4cb9927e10ba536eab7883fcb05ec7210f7f9cf0

SHA256
692b54303cbce971aff114aa6b2d42013bb84175aab19b87f1c5002e8f8f2bbf

SHA512
229741ad678ecca8f1e725dbd567278dafe56030a38fa681958cf39131234e6ef2cd1972920d0e30c633cce5e49b9214a1550464961be8830b9c8c145c61dbba

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
b84442c594d2429f02fc2f9ec48db61f

SHA1
aed0e3dc2e7358e89fd0ae7d8519555a77b62a29

SHA256
926f1dd0744fccc6b5645a4c3dc00b2d9785143a6e49035224dbd253c0fa5b80

SHA512
469ebe8c30d2330ba2c23f31e23a4de00a25b8fbec8197af2a382a045901d9b0de14d22eb094239c036e6a048293bd02cd3ead8b8c448e73d0439f2bcb10dfa7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
3757f5ec1a5916d6ac39d4885296dcdf

SHA1
fe22aab8b9046b2461be7a01612c0c28ed8cff46

SHA256
b32608c9d1645b5e8d0eefdbd9e4dd1309c39a4a4b3b57f5f21c54f42ccfebd5

SHA512
0ec4f603d049e421a73cd4d10aa1e2624accf66f276c9a0829633dc9a689230a126f0ee4523d788128ec0d28f1beba34655c78800add82c7038ae077df8d10cf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
aa75ff598ee156710bbf8f0c26c01031

SHA1
a7023c5d62438f1de4807698495a074aa0bf6a6f

SHA256
26c5eb43747893561c62b6949c09fc82280ae8e94b29937930bac64720df54e8

SHA512
04498db86e96d7bf7445603704d7298ffa00754949c0887a7fbfe1140dba073037defd9de7b347e9d9c73a8cdac51504e5f581495f34b5c2ab5fb36adcecb33f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
aa05dec814ecee8a49c774d02943fc02

SHA1
35fb728683bd57779a4582ce3cee31e7d8576577

SHA256
ca338ec3295dadbcb941e7a3ca7d7660c7f2766c8f1ce0078803694a2d660344

SHA512
b85487d18605f843c0b18f1135d65ca8ea1c5d9ae3f6ef304c6576fb8fc81947af90f386491142519a8e7c8a1caec0a14ef9ced50b47e703c3257517f1c7c878

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
335e8c183cd04ca8a4946d93d1c7240f

SHA1
334eed18bcfc392a600dc2f31475029493dae1ea

SHA256
82c80866dbc21ff7e93b708a07ffd0b4193cb046329bec93192d77cb7951b8b9

SHA512
7a5f038cc72dcc8c10f2df9d5787676f4cbd51fae5c034dcb9579f05742d15257ef8ab1ccc10ba19fe1dcd4123bf5f82b6e36b90bedb8777c3289e2f4aef88a9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f72394bc5ac4639541e84880f6793f5c

SHA1
5fb1b54884a2d65b4d51065bac8243ba217deae6

SHA256
7913ede586000a1f7f3a05c9026405652eec9af4ef3d4a311a39d8bd218ba25d

SHA512
ad7b522c0f5acc3f807dfe7f91040b95bb010ee28eaa9a4b881dbe5c8c55a4ff5860faec8ca29c34df98da0a6eedf217d894527ae6f25d817fed30b45cb392a2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
372cecf1b9b29715827a478a9cf758c9

SHA1
408bd9c9e6219c34e7e842a557338f8d7e68e4d5

SHA256
275c9a011823d3c165ded8dd40166d2b39ff92de50da2bc1357cb594657b4d5b

SHA512
104ac667b057395a7aba0d8be8736f20a056ce2a2d84b9233af7560e92706978fd0e12e776e1e562d3371210157b7832ba6175cfddd1de2a810d6cb7c1466c75

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
89c54dab30037698f214289c474a93c6

SHA1
5dcc0e9a7b22ea523938df8f1f7044354b625410

SHA256
e94741b4f536d4d0662013689994bfc9e1df3b9dce1002a252ea0a7965ae0a3d

SHA512
91f1e255843ac7592f09470cdc288b6c51f716c8ec8623f85c886d3cd96d596604954c98c7313077eddb301697741ea05414231a6fd5587902dae938b81ed893

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
55dfe26cadafa253432a979a0cf86e53

SHA1
59fd231c5e65bf4f70cfd5a349ee771f91b7cb62

SHA256
90140d1a4a17399fff65080392f0a603175d30e29dbd211cb013fc47a1d75db9

SHA512
1758dceb93cb41a64fd5b413f58051a59b91ca1ddcc75a4ef7cbaa63d90e9a2819143abc3d4dbf75cb615a4c6c7d4159313de2568a896398e5d9eb9fab5ab924

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
677f52e04a4a2f103bfcf709cfaaa3d8

SHA1
5528578acdc9fd0f9a09f77c8a67a627c504461c

SHA256
d851c6592d0231a7e8c88b4f20b74be762d347d0ad12e62e05567ee610147b13

SHA512
e86cd827d4e08e65bc4edfb397da5586c30f8fac67e23f15e72cf75ae50d8b1a96c98607607b20adf6647caddaa27b4bcbc56ee9fdda0a4a8dc7b7cea35f10e9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
7be45d642e4670059e706a802c10cdc3

SHA1
e123b30b89339c6d94eebda6ca929ad1c9345c82

SHA256
c223952ae74ea80a435028847a21378f6f894aa131c264bcdbaaf135fcae50f6

SHA512
677347301ecf1265b1d07f200c201851ea00578cc6373f5d9a7d9989b564b4eb84542e303a5405585bfe70b64d8b419463e6d307feabb7181441d543c73547f0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
2e9dbd645a94b96ef5944c7af5e22be3

SHA1
ef00d0c210e00eb82a8f318e19e883ef51b4b486

SHA256
e9cc41303d1388a76e143dabb7f416d7152dfac7bfe9185f6722930cb5d23659

SHA512
0c690ecbc3aa04b80b8b1a34817fa860a8f094cd71995855768b8c48a51c7430dec33b7407d04e868266d04e6fffa399f0fad0584fcba105a991a8724ba7aca6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
c6036be502569350a916a33228fdc16d

SHA1
d98890b166d3bf9813093b1238fbec78a8cd92ed

SHA256
10b1175cfd80892fbfdfaf1bc4646fe4b8e47fc61ad7e1b78ae8a1ee315a57cc

SHA512
d97b4ab125a9030dc79a85fde57273204be5ff967766115628c2ec3485cf5ce8a1b5f79c2483ed9fbc12cf3935c4f3d1b7dfac12d11c389719b5f323fbd9c825

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
987c7984db4695429274aaf14fa3c484

SHA1
537d073afb55b5a959e52e72ed352f7b9728eee6

SHA256
b0271f1e19ebc5f1ea454ed3de996387da1b717a30d1b1e75c2db9ee20921761

SHA512
32a49d984cf2e993daeb7ead96d7bbfd83484197edab758abfdeac0c732e5d318b0fcda4efac7b7d101c8432239206095499d1a93a24df5473430155bdec70f2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
057be75f069c6629058381c3b685535b

SHA1
d2840c0eef593d922271dc330da21fe7292f75a7

SHA256
1e3a7572205b6c378bd48adc3e67f6f8073aefa447678de4a4ec5976d88d9b84

SHA512
68c8034c68cf74ffdf64e7ece4c8bf80630318dd4f753116e7ac190ec1754e9dbf2bbbf71128111bdd58a1aeb0f91b4a3cde76fb7006bf4374fa6f741be58906

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
bdd34dd3d23fb3dea76bbe2b7afd9e23

SHA1
40a17fe5668ccf0311cee0cf658934edbe79516c

SHA256
804ced98efbcf34c2109981f48e5088f55a7d77f918e73a20f6ff675e3090f98

SHA512
1a0cae02fb3f71d16c0b83c1338d533a8bcf6022e05c9d66e7aa2f09910ae9ec0052e28076380a96a3a4fc89375e230045b966cc50a025a9bc4f51c938901761

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
aa004c0e86b22bc76e6cc960d0be2e33

SHA1
c5566a8cbb70d6a419efb8d1fcbe760585f66bef

SHA256
becfa2703cddb85afabd67e272f384e192e95b76de5a32411b3b7e97f06bd489

SHA512
4d8a7880e3545660fcefa5ecd06cd2d91faa248212a9456027893cab5639c6315e2c2b4edc0a6e38333078618f634cd4a1334e6654bd913ab445d90362e878a3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
7309103c16afac4e3a8979f6092100a2

SHA1
02a547fcbae87de1a769696f3f32fcb074d4a1fa

SHA256
da95c517db1317a8f3b1fb464113719bff278cd16e318dcd7e30490e981505c7

SHA512
b29d05a6f2d1d32d782eb3d416cf485767fde6a8ff6c3f2faaa059cce58141a9b09b4921126df13fb5bc62552dc12a5cb66038523f309c2a2a3772180777e7db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
70ad10d42944ed4071c43fec18903390

SHA1
73d8f21bac82d06545556196b6d45b1abf968fb1

SHA256
6734e0603ea939b014f060501d827f18a8a2f81d9da9cea1f2bb95e0c98e8976

SHA512
4c437d7f990d294ce48e1a635fd090e824d8d728522626ee63ae4f143ad85abe353aba621af1feaa9e0ca3bd7d3aa766c5573f99d9a51a345fc1e1c8953f6859

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
f0a22d4a3d526dfd95b9fc3c5233965c

SHA1
423d164ade4d9d9834c431cb3ceb5dc74bc82da3

SHA256
d92314512e72b28a46f67af905f2b76f21a87446c1acf980bb9482e303b7788e

SHA512
2d6424395b9222d684b0f01916b8250457128688f5bc6b4a771831d2874785308321e4439eed552e6f1be296a4f7e068afb68b26cdf3985389679dd490b23671

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
c2ae57c4dd6cdad65ae0b5883d737716

SHA1
87034ae39c5905ffc7063f4f41f09856af7c7a23

SHA256
9a2f8ab39204e870326fdb5410da32f5cf0092a1a9cb514b2387ec38855690ff

SHA512
b334c49158af21d87c4d9f0cc78be614cee16105c9a36d75ca77910c4569216d911b0bc4bcd6eccb39a4e371bcacb2bf3869a98f264b62880f8335e8cdf44402

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
71182ee16b1168bad207d46a0fc08cb2

SHA1
77b30f75d2f8987321c1813c3fc9c1322d87dde6

SHA256
2b444b43e0ceec23a871a988d94cfaa5d9d7476fe5371a65fa0cfbf90088a6ff

SHA512
7b73c38594f58c1008f224c65ddb7c24614d3032a52917337d25664df84554472e95bee81aa0471a5fd99acc2484c4df077444ff9f5fe558fa6cb89353f45a88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
affc25c0e6044b2f95de552ba84db854

SHA1
8c2f9aef6ce9ab0787c9726dc180d482a782f340

SHA256
92a1cd980d1f59aec5a09ade8b97549f0226ed3bf15fed2b47d6d5f55d5e5361

SHA512
16a06350a8582471b2b8977640ba2672aa795f2e96b088b51c0b67c425ba604b7a1fa004933d073ea4b557e3639a8a38016aa3cefd50d555dac0e38ea2689953

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
e36aef9318838ae411540425d9aa9158

SHA1
1ad67a42ff5e22f79d7bf98ea66d69ddb15c2140

SHA256
d87297bbd233b3f3f7a53363f04573cee16371c81f6fd8aa43678438e18cd7c6

SHA512
96c42670ba23427536f6ed0d129d460f4c8c0a44cf8267acea9737f171992ca3a7a9f8b58e6d5c29f2ed3f1a583766acae1ff556f7396637ab4b77a82db2a9e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
cd3295da3e5f3bdc8f22bf7f0d8c5ec3

SHA1
1be203ceb829ff99050621dd575cca95a28937c9

SHA256
045c22eb3a8cf0532d6132a0eab210871f43994792ab15a79d5b8fdd7a1a0a31

SHA512
1c0b42f4dbb81ad1fdd3c2323ac3e997a4e659c84feb00d383a53c426d1f8e8168897d3d131528fb09b49698e805695e7c6d8bea2ceab2b16e53f7aa6a83b0f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
26f93fe771f8dae86ffc7b82436b57fb

SHA1
2fbb8c9212931db92eac78cc1aaa9eda09836a90

SHA256
4a5bab41fbb424e1b9cc66e344bd2d8e95d03b2332f6fd08aefd2e8e76688d4f

SHA512
498513ba41a8de57ba0d4edc36128b6aa40658cbe0c6d12111ff58dd6d98d95f74acb997f07ba4c644d1b69142c0ca50f02fea2088297b2b591668408f81747a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
f41150206518a9e890df53f6bc620073

SHA1
90d914716c15ee3c023803570e2df788efb88177

SHA256
b448ff835db210e8d12fad56123ed5384303058c2eba44513dbe3cf9a7b67659

SHA512
aa9c47a5f829202a840723170207678f3161acf2facf7e8bdb19c42c78cfbc994a1cf12f4ded6e9b56304e0d06c918ba2a6844ad31cb40848bedfd81199b0f41

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
b9be44aafc6d7fd782cddd29ec579ba1

SHA1
e29beae99630d2a333d0d814b03f2a5bdf201773

SHA256
7f00ba9c8d47a878f92f23d4acdc40d2cbb64077f0fd5fc89ca8ef3d8a792550

SHA512
f1a07354516a2cee0c1e4361b147828accacada0dd48cc7f7eb5ae56f6ed49a333ca32f2d6d3e7ac710a544f4ad4a337e55bbdd0a9804e83879819d194126d4e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
4c361cdbb649d0d019c8fd6382b7bd41

SHA1
b6ef9493ca7d7adf4c94202ccf94870b933d0a2c

SHA256
c69b333ee5e282116f6eb0af471d42a50948daf457270a726e5bb0e90d871e73

SHA512
e31b80d0ec220af3a59a45323ecca4fdbab4ccbfd569f59380c6a299f984f3d1481aed0be375025e65f7f7740863c425ef702ebd3dfec454eb973efa6e5adb9e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
172613d5d18d70b061bf3a3ad62f7bf0

SHA1
eeb4fee2f5cd9f416e3ed64586a080b9b73ddcc9

SHA256
d2a9343486526512b07006ddf4e57a075a4fa62e91fa9de43aefff489bf11ac5

SHA512
179a10d7ef9eb884b04f8dd77da751eec0a7b2197b4008289069857b49e2ef0cd2197ffa85b27063750d2dbe718e14fcfdbc6656611d411db17ef1f705120cac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
6d330aa56e8647d39d944c6c4035d116

SHA1
fc6544614acbee7ad15254cfc9132b30694c0889

SHA256
a3b8d35536d7d88d364625adb2c21115761d1ea8b783cc71e769b8e809c0d948

SHA512
11e23de61feedb6e3cf3864b2e5a4de7dc3b113b904ed98c24a6158a50d74221a4f33f327d9ba7ad16524dc88788cbd45ade880c4876b0ec9f8ef519a1883971

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
44891416f1af4b9f7b550f38d2ef27ee

SHA1
1e698f3ac6f786a43041011887ece159b95bbf91

SHA256
39495834fd3910480448a9364e8c8ac8bbb07969272ebbe3c84955fdf88418f8

SHA512
c298bce4aa599c2890b4d28b6de18773c4faca6e3876f3a8ab298acfd9b1caf30cfd9df377e353692bf28bb15909a9d42b48bc65e0a2f6dd6aa3c11484dfd263

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
c5ddeef3f47ee880994fd4d77bd2a861

SHA1
b3b390746ee3d470a702663ad603e0b342c1ae13

SHA256
00f5448d4c530f15a19dd922e3fb77f6ba80a28752d0d5da0cf90889c9a84142

SHA512
56f3003b207ed462f65dcc9baac3c948a534b2ce74b558f3bad8e063725c22f3eec458e6318a6d3f25540e4fcd655c5edd86c1c4a2ad2e69dff20d095a39bb4a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
e1f578aeb8bebac4e65adbe2da84aff6

SHA1
9c9c61f7935fcf8b9cc41398ba517d84247c0632

SHA256
b492e81b565ef90bed0b733da73bff7818d192d55a0ab929f9edb66a9eeb4407

SHA512
ef763c3151d94381755072b381465eeb0a822a398d6066ebe43f135d03edf77d07549106a0c69247a78414c36554aaddee66bdefafdc06fc5dc0055473378d1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
b2ec17fa5bd02cc89ac08e4a840ce371

SHA1
2437e7909b0da142235e16149268086e25440fac

SHA256
70ce16a83aea31a8cca43254bea349e035194eacea75cdbe0b8b804b76f75e4c

SHA512
c2b6b17736b6cdbdbe0e32ec198346848586b486236ededb38f76ed6734b3f34fc4cb7972653ea863c53916656e9758e761bb987b6ff70f43696f220a2d324f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
97e7ed4e761aa8584b9e0cca1594af7d

SHA1
c6e10bec0d998d4adf04a3252d20c2420d0aefcd

SHA256
2d2f2a81a31982f30ccf2adf58a5d53a75a8d199716796fd8580facf08288255

SHA512
41f6baceefdcbaa3374934549c5e871a77b413485fa962e2609bc348fda6dc69b61e4bd3de35bd97be2cf54616dd92bc59646d4d6d39a5c98dab03f1a606d55d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
c5082dc170c773fa783ad31913afa0f7

SHA1
7d5a0d51409a96dc54be8eb028409a7eb88d5e3b

SHA256
73bcc2b742234bda19069ff10ad9398eec96e8918e9272a94b7cdd28d19aecc4

SHA512
d330f269d4706c0a9aeba71aeeda35954bbcf00ed168e97ba6693b1efe97e340dfc0a1db2c552d5b518c170e90953bd3f791e01969c3d09212dc142ce5f17daa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
dbc3315a50dfc24237864fcb3e662bc8

SHA1
33a992f33a7ddc9433670e8e336113d1499e9662

SHA256
217643b9f55579404128de0c8cd5f932588459a1b65fc9dd458d9fa789323586

SHA512
91c9e4c3e2e6077f349712d927c546f92d969d286c8dd21d1919b9fe2d4d128fbae0cae9f90f95e4e53071e11e26ca5796bb44a4031bacaeb5963e395ffe6a61

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
27afb857d6c1d46eb924c1819434fc06

SHA1
81de535c0e85432475d552b8995a2e13821e32f1

SHA256
298bed3d458d6630b1a6db6a8520e7bceb66e4c01f268debe880a7e48287659d

SHA512
8cd81ae9e05875e9622053a7b1aa5d5980ce7f883796551ad49002e51afa57cfa1a1c6eed154b98ed4996d08e0d560bfa83f0371025ed906c11ce319f58a20fc

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
f479b644514e4fbe80cb21c88d619c4e

SHA1
ae3573744289c8b6da7cdf08fa8a511ed161a6f0

SHA256
6e4fc35bb9324631580290d85164ebac94567a36b78b29b8c9d156159a1cb095

SHA512
da7a4ae2dea0ce1e05760c0118c9de7cb0aba2aba1d254a3688a05b02ca96d9ce25bbbc1adc209d44f294301aa49a46a38bea10c18a00eda89c5b2895fb1de13

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a08f26287603866aaf3ddf2b5dadde0f

SHA1
a9281d184476477fb03942450a09fb124f9703ae

SHA256
6e4f1fe3236abfef6dfaabcc69fa964990d3fd21b1fef5624eafad8fc1c160f2

SHA512
3fd9e2b355e9aa00d9558102a66957aa2d2920ac7a2a76e6f9a8b2f5f594a684464249385f9ca7eaf4c82b18ea968ae4c804aa29928f6df4a673cbfe6c91480f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
3f37b3b26d45348f314e0ccef7874dec

SHA1
c12f0923cdc86e4a8c9a4ef09972206e8f05b441

SHA256
3ce567977e4af36089566cfc1fdbec94a464fd50c8052fedab07222b002ec034

SHA512
dfe24645dc247ef443db4d075ca9ca81e2780aa27a663a8212a0517f2c4602cc2cb27fbbc5337b7d550f2440fabd69e51565487f45751bd8f378f99c840e08d3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4fe8ad651ac2101c103478b1d25148b6

SHA1
49c72d7bcd156474bc2a5f045e05903efcf215a8

SHA256
0095b423a160f109f77eba35d0988502cbeedbbcc41c707b983611ec9fac0159

SHA512
bf30a8fc892fd4816f1018c987d836017784db8d180ed6340e4a2f24452df84316dcf2e8e3979669bdebbc2a2c634c12befed7c3057f71ea8063836e2a8d9bac

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
0f1bd18212affef9b7de6c618fa4e10c

SHA1
9e78a4df98685d369e2306f3e76483ae97951dc9

SHA256
76efc03791f2d4cebdee090bc175cc4365e667ed1eaf9f7d738d63d7f8c3d8bf

SHA512
c266e84aa3d25171663b15cf37526a6e264e329d9c9e32992be8321776045d6480e67dc4bd19d477e90453870806ac1b622ed3441d414a5eb5f4643d16815abe

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
0c6aab2b611443fd3aa472c71bbd6b68

SHA1
6d2ac659aeb9d6b18dee4e20a9cc93a3ec606fd3

SHA256
5eb37d60ff19cacc2260274aa1e31da15ef239c8c28202b3502882d9cd5252be

SHA512
99c50502fe1f97191ecf714c8afdc959feeec1513d1fa4a792ed47c6bd7406309c93d82a9eec75adec814d285384233dc105a941a1a8fa13dee594bc8004a688

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
b2fcbe4321bb720e72a1014f89a002bb

SHA1
b54548e99f1a16ae873b07fc084cdd3c666c31c5

SHA256
cebf26202b0b100d3f78251d28bfc901f2d3dad8af17ce91953a52f823d6e5fa

SHA512
e83bb49c6e06d05d76bda88648fa1601545e19847477816ebeae17f91c3de3a8b3cefb452ab6fd0e3f0b345470ab5247c3b7019dc3ce0b3a0324868d8da36aa5

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
04e4348f392fa6d98a5f96e680366c8f

SHA1
5c33edb66dad07072e2b6f58b324761bb6dfe397

SHA256
44501fbe80c36b9a3ef791b2309fa110eab5943f31a482aa846d239d0e0758d9

SHA512
eaf92ad8c13f7571e96fce9b227068151786e6bc2b31834ecac46dd71c94a31ecad2d0f0a89a3315274d81e38ba144619b6ae7640be75f890dfd35467f814845

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
366db09b07bb685d224076c5ad2ac61a

SHA1
aff40e4581789da7772f92ba8a3f3e44f63cfb5a

SHA256
4c2d3ec496fd08bee9e70f216e15e83571da7cfb7a207a38f89578dfb4443bf9

SHA512
b12e1998b34dbc4d21f305458b67973a07c611629fc087599323e4ff5270154bcaf1574f8a69c9267ce87df083ddfdf54a206344160757d1e811b1550bce97e4

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f96ef7fa683ed336e6af8d566add319e

SHA1
92ea4395da801440d327aea022140fd21492ec0e

SHA256
402ecd759a93a39cc5ecbd86f3f9533479570189b56eae6df441457b34a53310

SHA512
2a0a7ef883b64232c40e39b6f5cfeafde70c7c69eda7f494cecf15b02a47aba9cc1a33e7301883e28f4561b21619dc93e2746bfd214407ffe5b77697438aeaf4

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
cc28b72eab3198b4a3e7fed415e4ae3e

SHA1
ea75db8c0df8cf112bc25b150e34ce3d9aa70f06

SHA256
45ad5296d688b7507f9b14fee56ed9e4e8f63af5c2c5a6331cc10318413cd9ad

SHA512
b887bd811edf44f0b2d25a116719a58d33a71218f06cf8fdf6f08c95a34a789c9f46bcaa428abaafa5ac8b1c1f261bd81ffc5d2edc2d24fda4e3fb51026c6282

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
11a5583bc6e834ace446cea8a04d5268

SHA1
031c6a01a51feb565aad109a417ad3471400fbee

SHA256
f6964bc21cf99940592e7d2603a2a13e360f16fc2afa0b60bfc12e697677e500

SHA512
30c43bd95da7520e99085f6ac00851c1edd80b19318683a4d5ec2dcbdd7c00f772ca84799a3a0f90498dbf12c2ac0aabed6d377c76e26f121324bab7ffe44b2e

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
138fc377ee2b4b41ceac0a208e887df9

SHA1
0416fc11ae196baceb484f127696c056d3afb80e

SHA256
004f1bafcb328c92165860f9b38bf6a16e7772eb959e983f4fce94ddaa13231e

SHA512
0dc06400f82d5e456cf865d373c71dab70d910273557ac26008f707edd84472b6cf139a4415aa327cf9d76e58e29df86bdea5d27d2a8623dab7ac51e11a1523d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
88278586016b8939a0990629d2ea0d5f

SHA1
552992c706d957c355c98c5ddfa6bff556e854b3

SHA256
6208ea6e82371fbd6f3f25c7927837f0370edaa52aec83d810a5fe9b1f8e4e95

SHA512
fa6fdcb46948e68d0b17274519ba45dd742b0833f3acda5ce4080b067ab0895c597390e2042fbe2e2db3ecd569b92feba55662dc44ef67411ab70ce8924e80b7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
f2501d169fb0d3f8fe901fd8275dff19

SHA1
c09a4bb1ac90944f30672df58167287c715588f1

SHA256
87aa44cb3a8a9b1c475de6aa55f469c5adbea67840f6bdd27ca234ec745a0796

SHA512
24f1f5115e3fb281f788232699846e435251206fd268de12c194dec2cea5dbdc146e3b03b1de8dea191abc33ad6985b4e9d64f91659d14b7e599991dfb4da5ab

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6c142698b3371d633504e3acddc99f57

SHA1
664d2ebe00759a7a26db764ddf900ed614237bda

SHA256
76221cabbee5e196d60ed363e785a4ac7f244efeee9b0a2736e1e3d13e2904c4

SHA512
a9f49e30855e74e278bb6419e2fc45bc77e440a300ca248dbe4f1b3e975e2df84fe5a3491587df999801671cf744de62de01e217ba48b334a663294a9407169b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
8fe2e3541eda5f09a58284fb0ac4caf8

SHA1
4aaa92b1fa1322124ced638314f1d82efbe5ba66

SHA256
f1c942293bd2236e1556e4ce521e82fdfc37b067b0cbec1f70a34ba784dcffb8

SHA512
88bcc2466e6af24aefde3230d5aa49e6d3b9e38203202213ee679dfe7e796c07daa9c4b4fcf78a2f0af155fd03ee56d9134d294fe407b338e8e5791d9434f4f7

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8745d80a3c2364dc84152d8b573077d1

SHA1
b5d70c60bae2b1d011c74aeb2ad99f8407cddca2

SHA256
70a71b215eb226390b328f12c2081e3ba690f1928d8a6452d344cff50e008d54

SHA512
c0d1bf8c655d35af444c788789e4919593b3937d8837f1966c136ec4b2dcd58c4b1ecf6335f6893c9f846ad143a485f93ac72810ccd96fdae5430f483fd42b40

Download Submit
memory/920-14-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/920-11-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/920-7-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/920-1-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/920-0-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/1112-400-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1112-331-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1112-323-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1112-390-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1640-280-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1640-269-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1640-337-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1808-455-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1808-449-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2124-429-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2124-421-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2544-284-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2544-291-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/2544-357-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/2544-349-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2748-243-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2748-244-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2748-310-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2748-250-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2784-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2784-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2784-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2784-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2784-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2800-367-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2800-433-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2800-374-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/2960-434-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2960-443-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/3128-548-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3128-408-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3128-416-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3376-238-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3376-66-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3376-68-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3376-73-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3516-420-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3516-359-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3516-351-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3612-307-0x0000000000520000-0x0000000000586000-memory.dmp

Filesize
408KB

Download
memory/3612-364-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3612-299-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3644-469-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3644-460-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3788-404-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/3788-405-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3788-392-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4060-339-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4060-345-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4060-407-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4356-23-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4356-22-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4356-230-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4356-15-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4356-17-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4444-311-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4444-319-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4444-377-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4588-35-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/4588-234-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4588-28-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/4588-29-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4696-53-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4696-51-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/4696-58-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/4696-61-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/4696-65-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4700-264-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4700-255-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4700-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4700-270-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4700-272-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4832-446-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4832-380-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4832-386-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/4936-549-0x000001FF908B0000-0x000001FF908C0000-memory.dmp

Filesize
64KB

Download