f026f4a7f79152ff906633b0d917c7176e3d3750c2ef2de461dcadaa6d9c8562

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_a1db2107bda5d276d931d828b0bc24c7_ryuk.exe
Size

1.0MB
MD5

a1db2107bda5d276d931d828b0bc24c7
SHA1

58b0ad64415dcc15e3d596c2163ae84ed93ee21b
SHA256

f026f4a7f79152ff906633b0d917c7176e3d3750c2ef2de461dcadaa6d9c8562
SHA512

1633bfc7f8fab6f5d94ee46031496b44ef8f357ad41b6ca02e4b4d0799538b5dc80f64aa354a3df937b50a0b90f9948bcea8c24197a2f2921570b8a139dca546
SSDEEP

24576:m6V6VC/AyqGizWCaFbyoSkQ/7Gb8NLEbeZ:m6cbGizWCaFb8kQ/qoLEw

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
940	alg.exe
4580	elevation_service.exe
4304	elevation_service.exe
4724	maintenanceservice.exe
4996	OSE.EXE
4932	DiagnosticsHub.StandardCollector.Service.exe
436	fxssvc.exe
5008	msdtc.exe
3988	PerceptionSimulationService.exe
884	perfhost.exe
4536	locator.exe
1620	SensorDataService.exe
4000	snmptrap.exe
2216	spectrum.exe
1188	ssh-agent.exe
2212	TieringEngineService.exe
2592	AgentService.exe
4680	vds.exe
4468	vssvc.exe
4252	wbengine.exe
1328	WmiApSrv.exe
2628	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-22_a1db2107bda5d276d931d828b0bc24c7_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b4225a55fc7bedf8.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{96FEBE14-784F-4E29-A39D-9545447021D0}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ea54077ae94da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000096082477ae94da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000007bc1577ae94da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000009942d77ae94da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d9a17e77ae94da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e8ca8577ae94da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000666ee876ae94da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4580	elevation_service.exe
4580	elevation_service.exe
4580	elevation_service.exe
4580	elevation_service.exe
4580	elevation_service.exe
4580	elevation_service.exe
4580	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1812	2024-04-22_a1db2107bda5d276d931d828b0bc24c7_ryuk.exe
Token: SeDebugPrivilege	940	alg.exe
Token: SeDebugPrivilege	940	alg.exe
Token: SeDebugPrivilege	940	alg.exe
Token: SeTakeOwnershipPrivilege	4580	elevation_service.exe
Token: SeAuditPrivilege	436	fxssvc.exe
Token: SeRestorePrivilege	2212	TieringEngineService.exe
Token: SeManageVolumePrivilege	2212	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2592	AgentService.exe
Token: SeBackupPrivilege	4468	vssvc.exe
Token: SeRestorePrivilege	4468	vssvc.exe
Token: SeAuditPrivilege	4468	vssvc.exe
Token: SeBackupPrivilege	4252	wbengine.exe
Token: SeRestorePrivilege	4252	wbengine.exe
Token: SeSecurityPrivilege	4252	wbengine.exe
Token: 33	2628	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeDebugPrivilege	4580	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 4244	2628	SearchIndexer.exe	133
PID 2628 wrote to memory of 4244	2628	SearchIndexer.exe	133
PID 2628 wrote to memory of 2764	2628	SearchIndexer.exe	134
PID 2628 wrote to memory of 2764	2628	SearchIndexer.exe	134

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-22_a1db2107bda5d276d931d828b0bc24c7_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_a1db2107bda5d276d931d828b0bc24c7_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4304

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4724

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4996

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4900

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5008

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3988

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:884

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4536

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1620

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4000

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2216

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4860

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4680

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4252

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1328

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4244
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
885f1244b6566e1a940d97a690041490

SHA1
971a9cde69a99b4eb408112a59b147b7d9de5c84

SHA256
a816863f79c6446c00be70eb9034e81555689678bba35ccc99798a6cb4f6ee7c

SHA512
e9b221a75703ca98f398f05b79b44a581c323a79a2ee57e0a243118359beaf57d99f0c762782e71fbe8eeb5a2d54435f13791ab08b9a63ff17281adcfdf6e5de

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
39f8b0e729a93fd2f49cd0c53cac4542

SHA1
4d311a3f18f07dec21d5e825b82f554ea9d1c67b

SHA256
25c8aa86bba2ee4ec544f635c51dde66c2862611791c2f15c7439c40ede8175a

SHA512
551f9396bff789fbc6bedb6cf5446c59e877dc80915b785763ae60f9564398b5cf2f584d9ae648514d51811df175ed59c5d95d8278bc5002a1c8df2ffd9eb699

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
50ed2d1730548aa622d78af5ce1dcb55

SHA1
320f852df7f86aed3ad52fe2d30816b6b1a27ac7

SHA256
61bf1cf652df39595ba9737c3c90c41699f3d27af172ff280b4e351185b8fe7d

SHA512
bc2861a76630a9256b5b8ea4a059f7b814647fbf503d932050dd37849b66a66569da57af8cd4178bc3c60fa871a14933fbccbd1b29450c9bf50b1cd78a4e3c4e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a5f442ac4f97a61d352bac3f0ad127aa

SHA1
54ba7a9e30ee0004c348afde009ee80f355ad7c0

SHA256
189974f29de3833996263c725c673abd37c582ec9654692a34a48f96d324f3a8

SHA512
af30cc2b750c87a803cd23f81b3496c8f4390faf9475b3f5f518f0f83dab355ce6d64bf3f280f85a1a3eb3bd694f4bf32ee11aafe4a3920864e56a279b2139c8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
9585e086146e39b88cb277fa6840e215

SHA1
a5cef1160eb401d467df808b939f3fec1f118d8a

SHA256
9039393d11b4dca1b57a7d7b774172fdb278bd2fea3af7575859980f2251ceba

SHA512
7f847af7407bad3a5ca5511e6cc0aba43116a9dc2ed49d229b99799803f7bef719f77484bb558549b2977724763db62c79812601ca78993058c643361f548e5d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
86c686f5ff3a533dba2c578cc1f27a33

SHA1
4933dfbbf0b3396a56cd3728d0f76294d18bd6c2

SHA256
839ecac46aef763c83b9f359691d7e28ead1dcdd4b4deb94a1780f42654b41d8

SHA512
7a4fa9e5aae55ba5a0a6ccfc6ffb54e40544b7546bcdc418311c0b47408508354d095398aa1fd43d2e66d3be2abc88ef4a27e959f1b52379ae6342967936bfef

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
43d8235305404aa6d99791b9806576f3

SHA1
0f2ca13172282409930edab780632d5b3c7d17a2

SHA256
c2cbc299905182848e28193e25274252c52a0e989b7d4a9ca3ed463adeebf8bf

SHA512
081dc0fb0440d596fe076c229ae8617f6a616821cc0633887bd98dafab06cc9fc192c19bfecb849a9c20359b8a44115d02e6575b26bab091eb55fe43aab21a80

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a584be999e4669fce7a811e56333a077

SHA1
9e6d308d7cb392b42522054c0955883e68a0a654

SHA256
f2e4479fc431e828129f37d5abadfc693d89de30aee666c4c7031f92de8118ae

SHA512
849e271dcd88d01b0daa038b67545f87afb5444d37e8be9cc2f9a8c2e4a8dc8517e06c09420c612fa32453bd36a214c733c82aa409fd3edf3e324e6975eef137

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
fbe2d3ee8dcfcdc68b23f6da5470e93c

SHA1
15e0e27f058bf7f093aff6f9d172d5abc595b311

SHA256
95960c9cb78ff0d3b8bad66b62183f6a8f46aae1a470fd103b91f48e42323d4b

SHA512
56e194fd13fe72cc32b3178531acdde168c6b6274aae8ff79dc7cda3b13f7cfbedbb7acd2fb1707fa9bca7d750e5cc41f39770d12cb288a0287a3447dfe8af17

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
4d28ffe93ccbb9b4e18dc61f60cfa7c7

SHA1
c37bb3a6c4521d93daf572e02f997ba5aea6df78

SHA256
f4a548556c3681f09a57d6bc3b616042cc15c710b0f65edb539d628295c2c8b7

SHA512
394aaae92402b2141b4f1dfaef8fda5ee956603841949df5ef877a2ab237da607d501069f10609d8aa52beb014b1887a7ef30f957b85f2846fa1d715511970b0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3ca25f750e73175846d2e54fe2ce25fb

SHA1
f9059f7f8ba777abefc80be7f0f936918fe0dc41

SHA256
8c82c661a348c6532dca34ec2cd5ea4980a1f7d0acd6dd86aaecca8837419a38

SHA512
fcb1502073fb718f770e71d9629dc1687c3fd5b8a7700028494675eb48d58af1e3b2a26073410b5dcd9d618359e49dc691dcf4c24d6147926aa3a77bf2f1b105

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b65bc2d03dfd982828fdf5761fc5cc7e

SHA1
da89088bdae18bfea3c50bc51fdbc788ac6bb181

SHA256
13aee4eedd183ed2978af316cb0eb0974839074d98aaac30cf0429f02c4400a2

SHA512
5114666fd374e48881f0fb8a80ceef4ab1b8a2f799759813291d761e4f9903ca9c33ebafcf801925a290f532a4973949b8bead26e2392d3b1c205e691f8b22e8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
052db3f83db160109728431832625d8e

SHA1
f58b661a256314d3b5e517d81d5b2ac85f16228a

SHA256
107058c5ec5114c5eb19b6d816ddb1b8ecdc5ba5ca9fe1bbdeda703b089c2de5

SHA512
ce71c5a9e38349fe492bd288e5fe9331628039bc949acd6838473565c53bf2548e552bbeab4f4b2c534705f382fbd71e548b56b8709f96cb73765c2a480f77a9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
070662cf357cf3d51efcfd1b88901af3

SHA1
ab304252be1c33fb0bcc29d36c51e97bf2a23739

SHA256
c178a0e4f03908fe4adb47202f4f6037482bc02dab77f9864c60a0915118fb61

SHA512
73f995a9a2cf07ae5bdea9707fb5ec6b832f2825d249bb7b664ffa25b2134bac356a124f60b654ab70440d7f13f68c8cdeb998f0263eaac080afe2b9c1576e1b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
85885216dd181aa54af6afa06d6e459a

SHA1
2b10524828c01ad3ba50daaa93b2b03d5afa8133

SHA256
8be21eb66865d989f0fed1810fb68a929edc63b12371b80896a64e4ad89ee2f7

SHA512
fb43acdaaa5c371a57683688a623af9a2a385822c5893433218424fe1a69d7754824439a02731d6f4fe545d61362d201a67fe037c8da64dc739c1791ecbe14ab

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
c6e0672e2dfaf25ba73807e9f870b470

SHA1
376db1d50de134004e2b89293f099d309df4ce53

SHA256
d32ef621d98fb3a925dc31e4a978da2fdc316abce5f00722452e7e7a6304ebf8

SHA512
e764520a8335246f9224396891c03cb9022623161f1e60f18974c3c3a30a23d4c143b151acbb6977d821f2cd8808bf7c876a05409e504bf4b9ca635ae1e28212

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
87b69366bb3fe819bbce99da1d7c5466

SHA1
0fa7944b6554361b2d0b86a383d112688c4ef5bd

SHA256
16a14beb0329aaa7805ae0a356f098c17dc6fe4b91246ef9a370551fcf409aed

SHA512
94d6246883c1f1ea1e8b1908a40754c1d5cee10f2ba84b99c07c466fc55a6e5bacab637c3e616d225c5dd8fb11af67e5887c3c05805dcb84984cfa27405234c8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
99866fcba0d188c3fc55caaf301404cc

SHA1
ebf3d65a5e6ab0f6a3d242ad21565dc1ac173861

SHA256
7795b740bc43a55e6014ececc5f2de1cf3dddd9bc698895e2ae65890ee4d4734

SHA512
f0d31db3ee810620474fd0b8be547d625bb113ab25269a289f722cfc9f73197e3750dd47ef4f8fb682f2022fb6f6305d8919d64a997da2dcea5037b81a3ac75e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
3eaba5b4423641e45415cdb30230481d

SHA1
11c9d520521c8b401cf7e671b1c0b9319c678dea

SHA256
6e4bc1660e5a9eab95059316e7cbb7b33e4dd51ab00af74912847ff0f4aed974

SHA512
8f72c8c6da4bd8668ef4c9e37e46eb9a0c9173d438417eccc4bf82560d3f0f139e7073603888aa50090f85a895a82e5594d4aa68b1a0432ea68a099648ea871a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
2138c98ffcfd48f1fa25eac97bdd1517

SHA1
a1cb2c5b9e75148796ce8f39e97b95a2ed233eba

SHA256
6d114db4c704be4e471cd1c73425b16fa3edbae93874bf60357185a65210a6b2

SHA512
e63e59e57ea8bb1a09d1a03f0e770b190d01831843bf6d8a9c43cb8a01aeb3b4d66b79af314f962465aa5cad380902f7e1a0a047087fdbe761fca3fb92b49795

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
8f050439ff7bd3caf542e0ce2347aafb

SHA1
886e0dd7ee3376c5a51af2e18e87a3da9fa6ec21

SHA256
feeb3add4abafeebd479c6bb91d2823652a2a7c8ca0a6c87606607ceda521c8a

SHA512
c742b8554f98b1d1c8cb5013206307eccf2ea63f89ed955bbd25bb273d51247d2b78d9bba8846b31630da9d4eee2aa7d0048b8c96841a0771092d03816a12a0d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
0a4486251d4f98670f1a6fd5dca68e69

SHA1
1d79219f3f7028ad141d54e35bcf1d1f6b077b25

SHA256
3f2cccc9a0bb08e947cb91196b526ed2cdebbcb840b364585fc49352b0c1672e

SHA512
f4105458dccd59ba562a521aa5b43a2c46efa31b04d8df2b6b54787d6125084ad02d91e890275420e56bb0cd8ebb23f0d0915dfe6100c972bbc0a8e97f7e373f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
734bb6fdd145b2aa34578f34a81f80a4

SHA1
898f15ef50227fca73dae33f412acbf72ba1b052

SHA256
43b4159eccefd7d54eabe7b3c47e8405148f53cf46dc59dd82cadc02ca858dd5

SHA512
703ccc7cd8123b2423e893210c1bc6dbc16e4f765ff2ba39a250fb8b6b737a0d27da8c3a94a4a5b7995603e6b27801ab513b1e5e0ebb0dff3887af6b7851ef54

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
924f756c576c5e73c943529d07de6973

SHA1
973d6f3c6dad8b719a34bf58c8270ba2b297054d

SHA256
6b559c55da2f672dbdedecfd9b678ac990e34725e37e5a670ece73e4070b6bd3

SHA512
039f5ee039ca85e3bb01df65a3b31df95fb74aa218d6627dbc7dd73d08c029e1445afdb1ad0df61177e24bbeac3656b9134bc3f7cab29957c65fd20361dbce50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
c447491611b1188326ca62cd320c1f51

SHA1
036687aa5019ba1c6cf4d241cbca8182f2503a2b

SHA256
7b4be9a237229cea5ac309ce9a71b6b8f3e69d14b1735919a8d7a5e4935e1651

SHA512
f9446c4354849cac7bc309abfb14a7c3dff41b7e701fd34fcdd1ba7d9a8eaef47333b4c04022db10b57485df7f19cfd30455f8d3dc6db49b9f9e2a2862587d8c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
ed2c76638665b1f1c86a761865b2aaa0

SHA1
7e1d73676214be5f6da55d39ab008ef4ea8607e3

SHA256
d286790017417200d159af083027b29650aee11b66bae2fccc64113d44c350b0

SHA512
7c905b385cc179db2c3afdb85546b1df3fcec98c8b728de6a2ae224031154838cc25febe24e1f73d381830ac29af9979bb8cd9898430ae981949b3f471706323

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
fa10c7b31ff31f21cf48077d2cdd91ea

SHA1
8a3f6e0eeb8913752d5f85c26f0af4b251d244b9

SHA256
7efc36717b4f74b6f99384b20038a01c2b59f6df226908f45f6a5b06373ba7e0

SHA512
bdf7973cb2f38525ed6ae69f01245691681f335c4f378ee636f0040106e6309989cb03105dea80cc977bd5b3059d66413e8a1cbb8b0b198ca3eee007450c64da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
9c716e280162ba9497d108bbf96e36f4

SHA1
e945c02c437c917ce60f9065412e1d58375f1888

SHA256
f5784a2fbb5ae4f7e79eb8273aec53cfbedb367cf94fff23e5cd62be743d19d2

SHA512
54238c15f1bba0c88d2757819809184e39ffbdfb964709bf96894c46a43824ed4c5f86acd7252d65f2bf8386c398f31d563021fed2d8f832acf848a5f7a21e77

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
5fb56635326d0696002dcd82ea4087f3

SHA1
83e5ae34856003074a8165260af44b23e6f34bce

SHA256
588d4c9e63cf9dc1ff00fe9d49f568a7e8dcce8dc799ce07ae1682a7b009cf91

SHA512
256fa782f9f5316417cb4f0537d7b4f5f9e0e3d0f731d9ac1ebfdd8b4b218ad2c66fe9ab7ccea226b8ed2a52396dc3817dee764cca69b9067f270757308a04c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
efd3a544a25b3f0299fa27d7611fdb5e

SHA1
139873da06e3f59be542c9e81b2a10455bc102f6

SHA256
0e2e8d77c234d64f06fec77016fb245b673d4aa159e739bf4ca583388e01a0d3

SHA512
2df92ed70e3860beaee4130238eb42fff946bf009ebd0d978ef6b7ba91ceaff1dc8f24d448f6988a0affcf4466560191d6b81ba01c99e263f3756348c29cd885

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
1f7a399f95d6015e598ef6fa9a372399

SHA1
8fc62825fbc6694154d1fc79849bee4115897283

SHA256
4eafb679ddd772579a82e6e7c2e64fff768ed3c9e35e6057be394508f22f71d8

SHA512
b43d8f06b6e86f29243cf21a0839a6663e665954bdcce73316f42100b6c56574239ca2f951f26b8bdf1ecef2a77ae2e5a79bc4f0eaebacf7d04be61b52ad7629

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
806d3f113f878b9f81c04e3a8b4f0283

SHA1
8c8ad1d60b2bb0693f730fb0bedacc9fda63bb55

SHA256
5ceed104421b40de98a504d5e67440a6aed295e882809c645f40ddb10905a617

SHA512
f55a6db9a4ffba2d9db96d807ae6b7bcad94b613a3dae63079d25d00393fd31c65476ab9e1c2aa005ea285a7f70aaf3e60d26171505ecae37bcaef9220eed89b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
7d330e14e4b2b16a1cd8e2f120504e1e

SHA1
7b91ff1ce212187d2b77ea81ec8a891099d92db4

SHA256
9424ff08bd424f8363c04652a9f0de66dea8e32c3be561855fe5d3a9874bf0a7

SHA512
14c101ee3d73928b7b55b147bbf8facd6de755767dff3249c4dcdcdfc27de6b4b6ef72c6d5be85967a53ac3940485070b266c8303080b714076a3ab9e7ebac87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
541df0ac2cc0f15294092fddb76875c2

SHA1
6d17aeca28417f7fc1892e6d671dd68fd468a9d3

SHA256
f67ad54d66fba71b729af5a16c201934168787d2a9c1693213ab3968ddbbcb45

SHA512
28db6a0fd4dfba906a19169093a1d257fd5970246855271637af95caf838dcaaca328ea9cccbbd45e4e9c157cf0fe3913548bb8eb0654e3f2f468ff36e0f1f74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
d76d444f50e1e7ea860e81dd31ba3cac

SHA1
5c6113122e03a7fa9b4337d4fa038c76092b0622

SHA256
ced1abe15ac4988dfc2a4f0e684bed0ee99ff2cb32eb29a082096d8dbde27a74

SHA512
8674f08491f221058d2151419903051fc78a19ea13da6751ccae2dcab3a50ed7fe41978d726dcf23adb1c30b1cfbf162e00ac33fc4d7fefea7c4ca32a330127e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
e89a4fbf17becb4144d09ef28facf2ad

SHA1
c433a8e9f624aad94b1b26bf709bb446446f45ad

SHA256
9e4e6b5d8f6223c2e484fe05e10740f6cac66be2d9fd9e0e589391290083ab2a

SHA512
92e45a74fa0045155112118ac11cb370e4e97c82ae4300109318cc146d58dcbf2f5c43b64001562935c529121ef549087995b4d6ea7cf81738a48b42aa7b61be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
46b6c1bcbff1ae2f592bcdbb3fd1a172

SHA1
c7da15025e03a4fffc24fc4df972fa6d597ec60c

SHA256
f57b0b970271f6e2d3a7ebe40f4f884a726a5c82cb24643947dd8c846bb92f69

SHA512
dd5a4485ad7060c5f4f19de690981611b7568652dca4d1de8d6ebd46a936c31a7900c751c20863cb048011db63aeefa6fd555ebbf6412827ccf8664b9a9457ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
fc30037192f6d4ca321de03eafb01c2a

SHA1
03d330487c4a712458247e1a80f83e48cf239246

SHA256
f1bd717b28784e4638cf02428918bd4ce3622647a6832fc9a3c280d96d07c8c3

SHA512
a1db12952a39475b7a38bf212698babb1de11ca5cbbd318418ad4bb5decf5130f897eac068eb2156ef3d291a96283c42cfd9c00e6231b42ea40ed383c8998411

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
24b3ee84da12fe8fe25ba4f0edd42726

SHA1
3a255e7c11d36f939828cb1872f5c91309d6bb2c

SHA256
a70ff3179dfbfbb272df8837acffeae908d69d2fe035aa0120ad944406e9dfd7

SHA512
76bfbc597cc3ef97894bb32493f8bcc60842c3a4cd83cb7d41ffc7a291ebdc4b63de09e6a6345c7235c7c61f1a16d0c65405112f816959ecc8f0e5f0da2a81d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
e918b6d4c0316fd34a5aa8d92ccd82c5

SHA1
943e14a2574b2cf5fc9f7504482d4b418e4430f0

SHA256
c7c5fa727e93315f1209a38b54788051671fff81302e09ce4e2c68662b2762d4

SHA512
caa21960bc54c589e6ed298e0618bea6b52583ba3ded106e667e0b6e936cdaf9caa75d6909f78695bf6107881a69e1ce68c3e67dccb0345f4e6780e8caf6de1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
8e8dc79038a5d47c5aea6fe38954270e

SHA1
ad0cbc84e191d7636210cc2f8c6607f3f28baaa6

SHA256
50c127470d9df86cc53a395229eb36387e09c5cd15548af8fc8d408a9dc6f229

SHA512
396ebdb30bd3290868dcaac3e1d05be5104e519b8349afa6419aa12e7f35aff5afaa4666f8934a5ad0bc01a052bf28cb4f0f763ba996732dcabbaaea274d0023

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
ab26d41b16471184665f0c9752f34743

SHA1
bf19bc653c4795daa16f64c70f38fbdca7121542

SHA256
49638baa5f842fd2fc46d6c052ff935111c6c9982eb197e809b1e9bfc5967b81

SHA512
917d4f78ddb2b720da3934b312f05724b18e028a51e508560b841a4f3aad5768aec4341c8794b2ef17f167af5ed6a4768e36e25e349c8dd20ae469248ee38e35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
c08cd2ad63148923f9495aa9e770d4dd

SHA1
6c33e1c93249fb782a767789871242494cf4b553

SHA256
cacf3b92874da000ebe6fabb52cf1f2c8005039f9c267c197372cd2bf0516585

SHA512
cc84875a03add7bf247d8f5e22f871b64c93495255b3cebc3751d47f3bd274f38ee2f9fc9f59aa5081067c4bae6a0354ebde4280c69ea1667350fbf19b8ab492

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
21fb8d72c2f433ba447a1bd2ce1788c1

SHA1
1c6ef1a6de36e6cef442a96594bbe95d35241722

SHA256
dbea1da17014d41dcc824f124101264d0265be67f84d94d3ad8ab6375a6d41e4

SHA512
c45022eb2f28072f7858cd68eb67dc7ce3791b68ce86342b21a94feffe504f7ff6afb92342ec5916ac37acf25871d33dbfde59f45e865988d2c0cf59760580e4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
36ed5befff6da5a62df4201399a08221

SHA1
0524cd89ac3e701edec15d57825e8785920e213f

SHA256
def0661c05bf3d3ed0ecd74c44f1601141ac7af58147a8a98da03846f16d34cc

SHA512
0ed5e4dd07a0767b632192f3efff80783284e7c054aede5e9fdb5449a9d7b5a76030625f0fdf5dc91676c486d38bf15a7891cd94ef3ccd44d516e3e6dcc5234e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b269a262655da6701b19bb8c5b35cf90

SHA1
3cc89bafb3d987c053fc0e7e259f590828ec5191

SHA256
5c314f185473e611ee3c4ff217c8334001217e8557a67413fbd4c168d1dac400

SHA512
f4e3c8c4d2db3b417893915d48740a5d5ed2e6a17b28a166fc0954c228f7d20676ba0399783179d48a9c70a6c53e01e39113019146e5ba17e5b15bf09c199c1f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
349a834e367ba00b3a8509453bca5e71

SHA1
1e7083ea6b82aca88e3ba2a791abdf67f86676f9

SHA256
409fbca3c2ebc80f90fff8ffdfdc26a7deadcae494365dd5e87c6bb99b49700d

SHA512
344b7514c0ac218950c401661a68fe1dcea798714d3c2cf579bb8ef8c8e29165c5edcd909df0726a7fb27fa39e6b4e5fdc820c16eb2f950c1a581d9791321bea

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c0072e1aaf193be5b33389217f68c193

SHA1
1c7397d3dc52a0b71767654bafe500af6a107d57

SHA256
ea9d309e3b2b585a656f2e33307086d814973a4ff65eac89c667e21ea66044d2

SHA512
420b3e37bcf458c8c286578b71186ab43de5d11e0d4b4fe241def0b3e7daa0a5d27afbc90e95ea92168fa0cc396bd65e22807b389ed4382540aec3f7c2696b11

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
27299f154b6f79fa6be61c41f26a1c12

SHA1
032c15c2dbb58b9b10713ab8ca131867c6c9c825

SHA256
ed10f9b8d864277c2a5670d619e3f07a5849b673f09fab536af9ef1e5d81ad64

SHA512
c8bdae4daf2393e9bc6bcf2f5ac8e694eae6403ecf137d32bf9e5bdb94704e780b728db1f8efd8dc2ec1449129e781985ef46d1df4fcdfc405a82406ee9120ff

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
2ce70ca85abd00beb4575645085ee2f7

SHA1
b989d40577b39cda426ee1c569ffe789c920dd1e

SHA256
6c94092e790c00f0cd4da91f6c2e542a55329d0a1f4a825430ce4fce578af718

SHA512
703421271673226076c17145218b72a8f6e54a9fb45ed4930f4dba881942706ee975c50f5827c21d6e4da689a1f1e4425bbcbcd44d529a5b96d9842209be4ff6

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
3d97ac27aaa330a855a739e9a9cf0c88

SHA1
d342bf840f8b89cbdd8b012fc7857e8c4715abe3

SHA256
242326ab0dc2d2f38666c80d90828e2bf5ec73529fc79b3d2ddda34d36f8588f

SHA512
08d905f74bb7157eabf9c7e79ec593de0f1664a6b5cbf86f042cfd61254fb6edf296ac2afc8f91b97d21fcb1a2ff234e58f578a88735755da2e432a765b1a7c7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
58ecb00a3b1f74976cf8acacd13c01b8

SHA1
d9e600e6d1a28c63b99f4e7ec130c5a50488092b

SHA256
6f6d9d5e129f78868f0ce910dc7173cd1d441d03816058cd9323259c6f4f833b

SHA512
158265e6e208b1e8694c8399451e27fa839e26960e130d4629ca7c801bf24f90576388d3ae930757f4a8469aea69a8b9f7847b2b935c2dc0d44184e8872582b9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7a7f7e4726161a16eaa2df3828d37bd4

SHA1
31bd66e0b56602bdf38fbcc6ee4c5eea0233819b

SHA256
efb8d7a3cda32196a49957f8ee9a1f3da8b67ab6a444c2595c103459dac39482

SHA512
3db380cf3871389c46e4ba70e8a2572a5148a1faf614c233cb3ee41f749f484066c27f66c657bdd3c316f792163cc79824b2c1ed8814d8677b5a024c0ff15fbb

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
dbc3aca170bdf5c8f89e32701b435643

SHA1
ae961ed8ae2f18d88da511e7f347f87187e488e7

SHA256
e6f4a6b6a7a66b0b00c8bf8d58aa6ad4940597ce24aacd9f0beae45e370d9261

SHA512
f66a5a836525b79d54cbca1792c6246303866dc379d924c26ae7a68b8b959da3b2c304e20c796a2d5330121bff8b6dd242505ccc7995b55b61e282d0e2082d91

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
0bed975454f7c3d7387c6cbf5ee6fdc7

SHA1
ab190fb85ebfb2591e4a45eed7578a5a7bd92b6d

SHA256
392e21302e56654df1e29a050ed25523c7fbe6e2892851f591f79d51627448b3

SHA512
ab30b9aa2817b299f7a7b4084b7b233b12f8383a725386bfb3798d4209f661724e242344249ff18c3cd115eefe0230acc8b73eae1eb36c5be311f693c1eb6ccb

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
22b268dc6554d88e3b5f8e8bda811672

SHA1
83a1d6fa17fbfa3e7f4fd4d15515a5540bfeb584

SHA256
cb3fed405f509c667856a2349c8765aaea2236587c6d509d339cb33e41d3d9a8

SHA512
a94a90388f11c463d776fb69e3b67cdcdc95266c42d68410c3fd5314ab78686c3b662b39ed4d8b48c66945d9b1a64d748b8f676631af703af0d1bebb0c45c298

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
fcca142b49ceefd6ac1c4205a4008f9f

SHA1
c59fe42e5e08af25c3ce4370e938d79907e48969

SHA256
f9847f4a3de7cc8e8e71607e2ccf577dffef34083ace08bde3c36580ed796f77

SHA512
288f5b9c78625bc6dfb235daab7cc998b18c1646412f03eccc544bc93328f0ec22354fb77a81a8299edbaa577eceb3be376ec7460ae5e1d9152b2fe521a5090b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
2692707082b8e5b8ea67a081523b8536

SHA1
a957b6f27cdd4416e9165d247277e4dff02785a4

SHA256
1310f2602a2fba1733bdfa04b5e52f01107d26737c0032b9dc60b85dc5e0737d

SHA512
fd34ca5918ad868b56796bf567494c9da3c34e8d195ee2d913cf63aebe7edbc022249145773968bd8a3c985c56d4a7c74d6e9b1801d01bc67adbf366f338b53d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
48b2c5dc765abe3521882eac263e47f7

SHA1
a189d0b66deed25895937f9e429e52de396a009a

SHA256
78fe0e97ff47604e4b01930dcbf3856ced4b39c45ecfb429f93dc881e2d3d086

SHA512
231193f32986d013308f8136edb75e0d53dcefb10a506787979968d15c2e671b0cc6f11c1c703985278ca5f53d0d60a455a57f2be018a5111cb7c20ffe01d582

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e82529f536024dd64c8da618a477f851

SHA1
af48c3333434df4e888dc0027d0ed38a32c52f8d

SHA256
b96e7189d69dd56949ffdeed424287c19a63d45b59006eabadd80247a8e398db

SHA512
e4fffe4c38f26d8c94e8f43508cd6744e0e26c8193221c4924606b96e3a9d757a56b7f66a3f0ad5e7a9f3d29208e0834ab089c8c040a0bc721fef894b720340f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
5281ee3bbf49aef435147fc63100a4e6

SHA1
4d9a66c00b61ea00f1ceefc4dc55f2a22dcb1203

SHA256
c1cb1e6ca995d1acfd3d91dcec2652b20a800a4830380ec6ce1728028d6542c4

SHA512
9ea045474056cd96791663e02fb58fdfe43dc7eba6f4849db3dc306b659f893cecb0f0e643ad2e9b062e94cec59691f17384b1e61f53505dc169824b50b0946b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
22eff539fad6c92d05b8b8afc218e55a

SHA1
1b6a6e1dacb5ebe818a47a34118d9f6e4347973e

SHA256
7d7fd0282cf12f5ae0953c2f716fa51e07b88c2e6ee95b7bd415061ee3ba045d

SHA512
ee67e2f78f25f8ee450986a61ad64810dfcc1f1e477e061d60298b4f22fabb1aacda1c35bea481c85e40e65b5c58fa1c893f4f894a70a3342134764d3c554d72

Download Submit
memory/436-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/436-255-0x0000000000EE0000-0x0000000000F40000-memory.dmp

Filesize
384KB

Download
memory/436-273-0x0000000000EE0000-0x0000000000F40000-memory.dmp

Filesize
384KB

Download
memory/436-272-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/436-265-0x0000000000EE0000-0x0000000000F40000-memory.dmp

Filesize
384KB

Download
memory/884-373-0x0000000000730000-0x0000000000796000-memory.dmp

Filesize
408KB

Download
memory/884-364-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/884-305-0x0000000000730000-0x0000000000796000-memory.dmp

Filesize
408KB

Download
memory/884-299-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/940-226-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/940-22-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/940-16-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/940-15-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1188-433-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1188-367-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1188-374-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1328-455-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1328-447-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1620-332-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1620-390-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1620-551-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1620-323-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1812-13-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/1812-1-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/1812-11-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/1812-0-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/1812-7-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/2212-386-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2212-379-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2212-446-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2216-420-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2216-350-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2216-358-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/2592-400-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2592-405-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2592-392-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2592-404-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2628-461-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2628-469-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3988-294-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/3988-284-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3988-349-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4000-339-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4000-345-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4000-407-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4252-434-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4252-443-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/4304-234-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4304-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4304-41-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4304-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4468-421-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4468-428-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4536-311-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4536-377-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4536-319-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4580-233-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4580-27-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/4580-29-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4580-35-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/4680-408-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4680-548-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4680-416-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4724-50-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4724-51-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/4724-61-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/4724-65-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4724-57-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/4932-249-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4932-310-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4932-242-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4932-250-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4996-237-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4996-72-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/4996-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4996-64-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/5008-267-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5008-280-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/5008-336-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download