fe0e05db73a6d4700e880bd7122c6285ca93f690408514cb9c22b46616161d33

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23/04/2024, 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-23_b103bb1e03ce350843f17b0d5f86eb8a_ryuk.exe
Size

2.1MB
MD5

b103bb1e03ce350843f17b0d5f86eb8a
SHA1

5aa053843a0a1c9f20e56d4496d20002152baeda
SHA256

fe0e05db73a6d4700e880bd7122c6285ca93f690408514cb9c22b46616161d33
SHA512

6a68f50d16eeefa2ab1dfffb343e0b3e34a14836d613e83f1b326c62b8aabea078597cb36055d3c4514eea732a6d39b76453964f38f7e51c4d20432276f7454a
SSDEEP

49152:8a/3xXBSZ4K5MJ1LvTMxbfsYBYSgxu9+fw4Trf9Ckt7c20+9qNxUW:eZ4K5MJabfsYNcfEkKK90

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
180	alg.exe
1940	elevation_service.exe
2104	elevation_service.exe
4900	maintenanceservice.exe
3884	OSE.EXE
3128	DiagnosticsHub.StandardCollector.Service.exe
1552	fxssvc.exe
812	msdtc.exe
4716	PerceptionSimulationService.exe
3148	perfhost.exe
3408	locator.exe
3116	SensorDataService.exe
4604	snmptrap.exe
1340	spectrum.exe
4460	ssh-agent.exe
2772	TieringEngineService.exe
3616	AgentService.exe
5016	vds.exe
2644	vssvc.exe
3728	wbengine.exe
1820	WmiApSrv.exe
4532	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d8930c56fc7bedf8.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-23_b103bb1e03ce350843f17b0d5f86eb8a_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_89187\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e2c11543d095da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cc8f2544d095da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f3b66742d095da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0669742d095da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4d50943d095da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005fd8ea42d095da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c7a6c42d095da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1940	elevation_service.exe
1940	elevation_service.exe
1940	elevation_service.exe
1940	elevation_service.exe
1940	elevation_service.exe
1940	elevation_service.exe
1940	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2652	2024-04-23_b103bb1e03ce350843f17b0d5f86eb8a_ryuk.exe
Token: SeDebugPrivilege	180	alg.exe
Token: SeDebugPrivilege	180	alg.exe
Token: SeDebugPrivilege	180	alg.exe
Token: SeTakeOwnershipPrivilege	1940	elevation_service.exe
Token: SeAuditPrivilege	1552	fxssvc.exe
Token: SeRestorePrivilege	2772	TieringEngineService.exe
Token: SeManageVolumePrivilege	2772	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3616	AgentService.exe
Token: SeBackupPrivilege	2644	vssvc.exe
Token: SeRestorePrivilege	2644	vssvc.exe
Token: SeAuditPrivilege	2644	vssvc.exe
Token: SeBackupPrivilege	3728	wbengine.exe
Token: SeRestorePrivilege	3728	wbengine.exe
Token: SeSecurityPrivilege	3728	wbengine.exe
Token: 33	4532	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeDebugPrivilege	1940	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 4392	4532	SearchIndexer.exe	132
PID 4532 wrote to memory of 4392	4532	SearchIndexer.exe	132
PID 4532 wrote to memory of 1220	4532	SearchIndexer.exe	133
PID 4532 wrote to memory of 1220	4532	SearchIndexer.exe	133

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-23_b103bb1e03ce350843f17b0d5f86eb8a_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-23_b103bb1e03ce350843f17b0d5f86eb8a_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:180

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2104

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4900

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3884

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3128

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3420

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:812

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4716

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3148

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3408

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3116

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4604

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1340

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3696

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3616

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5016

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1820

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4392
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9c2a1bf0c58c221140adaeb39fe6377f

SHA1
a8d20448dc46148b329203644b9522e6af63223a

SHA256
759912192fa0e77935403d785d795aa13ef206aee9fa82fb7a676abb0c9a8f18

SHA512
048e25f91741adeaf8363293e04f3fc230bf776bfb644e2c8f4dc5b255f83180bcc9bcd2f708a69543b425d4271b11f75f07b4b5a28b209ce0b400aeeec56407

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
20dbbe58902b1ab23ff40cb750929d86

SHA1
8f3246f693a59387f08a02faeb80848f76e1f133

SHA256
80d5373223b453554ed956d878c41ca344ea6acf79db2088fed3d25684edbf90

SHA512
4556dd248db6d4ae3775f982448ef98c1271fa00b0bab85a9b932f0ac9ab06f7201e570d8b6b27f0e920e7a5a3ca80335da612a405c3721c24499537d758cbc8

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
6f90981ef5881a096c26ca5d49dac7a4

SHA1
71074c2cadaf807c80b61a0a6f4073bca9d9d4f0

SHA256
84fb281316347446900b3584563332ebe81e69d3d97307cb1c0b4751667bf314

SHA512
62c18a5c91d0b0e97022f98447bb0d099301bad562923a00acc16fe65cef55cc2c653aca4ebdd70672152e9bca8b40ac55b4e36c1ef3065e57a10dd896e336ca

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c90cd330fa849810bddc637e0ca71a62

SHA1
8d912318e23b505da4b1baf37e2a9de155853c5c

SHA256
328288bf73580a4f72e64125704b75f6b361ca60e4257ccdc0fa10def87a207e

SHA512
94ebc11fec7c6d686a5172bf3bfb1a7a9682626a25011e7ee1f68e8d0ea86ddeb35dda3bc9b0cbb87a1787af70688e976854520619b4303a02df417800755dc7

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
45cc534b618909978f767da898f87876

SHA1
52bcdcc6212c4f146f81afb301a6f32caad63d0b

SHA256
17bd1cdc77c1bcd3b891d1ba7e569f4403f9b02c5a42c9cb266ef9973c5d8b94

SHA512
7a5eac06139a74ebad252e688e35b20b5c61b18838eb55f7e1ad570d9ab284ddc6b0eb0367cca391a4cff28fe9f6304a9e54cbc0acdea512000a22827cb5db9d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
ab1a726962dd805e2f2cb0baebda00af

SHA1
9b1a1ef241e9cabf20cc3878f71e5330551ca4cd

SHA256
04e35345df30d565d0e4177870cc99fde55076df92f3e03466d102d388a77fb3

SHA512
3e97f223755b4552d0bf69fe5175b6ba155aabff9817571a9cfb50fe522a786e407e5d537557e77207b5a0a9003a3f3b564cfb5b14032108f8820d00d347f468

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
1452646d9df77150c366461abe163653

SHA1
1b53295a952cd22040bcf8e6e04e5e39d9d158cd

SHA256
af6a97197d814404c89fcd579059af740d6a9b20ef3f2852ec735870926ae792

SHA512
6761514c3d20aa4d045da8d9df68171f8f27d0bd860b8995c0798fdf3c10b6060fc6d2f953dfddf7054135d9c1e2d3cbffeedcef9c688ab241dd1d5982c3b162

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
7abaab2d87e1b28d8991aef5949402b0

SHA1
a3bdd587f5f73d7f274d543dac03fa254356311f

SHA256
f19d3b98c3956b4f49bd3fc94de5948615938a9b6c6a086454b1ac104bc1ee38

SHA512
a57fb5a4b95a1210678fa3917a4c0db09dc942a8af7bb1dd8636a761447f2f58839c1f2185d82c6882593610f9a8d3f4117f92a7612e7aa39f7faa5cf0d54ba7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
de36734314e49f6fe1701845def5192e

SHA1
7486579a83741520ff3f61f66f11feb6731e052d

SHA256
8bb2461f1d1e0f67570ea18d1e51450a18a446591e937538a1727aafe2250bf7

SHA512
25ee3edef39f689ca3cdbe23dde919f091c8028e927c83d82755ba43117623b9f80568056783b44e0b2b479ecef8cbba1fc1071de4006ec8ed5d4d340ea046d8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
260eaaabf692adf31952361500057ec4

SHA1
4d3833b625b37814f2b98ffc139bf9029c13fff1

SHA256
38d3375ea623efa98b948162044aee75e38f264c9736a8161068b8228f107e15

SHA512
3aa10853a5aa7e015a0332cd7daa27829e91921caa3bba1e4daba8591a3c74e1ac8b5f97d06107ee4f7a97cee63569fc991d18bf79588b47629bb7ba52789bf4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6d9e3a11e9e56cc0fd59bf74b64a43e0

SHA1
f01131a87e40b8003de0b35cfe6c51da29f81f37

SHA256
8609a8a2f5f79f7410aafd19fc25d4d3649bc5b6dbd1c2faad120df4fe6dd509

SHA512
5b75d4740dec5420adc09e22ec2b0aec285db57c8200c7bcbda227c806fb48d04c291efebd9cc3b487ba310ac0faae3b5af3a069548e9c165563599c8c77685c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d0deb1e2b7913fbc9b607317172110ff

SHA1
bb564a2dfc085c8bd167f96c4db59ef074c38ff3

SHA256
2a1cb09fda60d65b5babbeb756fc30ce5dc269d9b1ab5dd0c05444cb0f623fcd

SHA512
e0ac8304279f0efaa49a742d443fde8294bcc8f9f84979a7c2d7d1bbb2868a2c0010d6a5dd5795c3d54906c33a4a37e134357800508c7e5eda0ae793ba6fcd5e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
2f22cc33d03ad0dc584ed0b4f897917f

SHA1
5d9be0331b9424160695296cd2d6026cb57474ae

SHA256
382f03b5a52b0fbc944ea3caeac7650102493682e2e50167edf81719c1427ae0

SHA512
3e067f616b52ffda777adb603cd0fe248952893aff92e09c2d603d1bccfe3a5d79c2dadd8bb15647c1dbdf52b98690a677410ae9dea46f0d4fd98e63bfee8a4b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
c7cc843c8bbe3555617b5746b87079e9

SHA1
9f819e2c9e32a859d9b1babc25e322b0b5a2e0d1

SHA256
390944a7ded2eb5afeb3672fb3193e002855a012c1ed2831c78f7bcc17258561

SHA512
9233579c8255e65329c5042a3b105cdf17c9682e5e5d1f57312623ff2893068a16eaf0ffffd1a5060e1e7cbc7e469719bb343ed8183976b84b821e974a2b31ee

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
c8dfdc263cf0d5da708b5688654c2b37

SHA1
d0d5ae483ddb3c31aa23ffa0afa16d33fb51a11e

SHA256
b02df460a6d3a32a7abb288c0b7961826aeaac106de4554ecff0c2978cb067a9

SHA512
6d14733e7f59558f6717edeb11793da8142b32c166054155fee5bc6ec3a97f1309eae243fd5241a280d266aac5a77772624235ac23dbca76327a3ac66a652753

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
8b3b3c5acc017983fc63be3cd73659df

SHA1
44d5f55ba1bfec1cd4698348d8fa3f0285e2d9de

SHA256
278d56aa914bb97c4a814dff70b81cf70400ec792cc64dfa2a05bd4307d0513e

SHA512
6ccfb5370b928449d22f837b5870b3b8414e994d36558c058f4c02110cd7cdf3ff52688f513e83348b68bb55a4ae0ea6715e9d91a9249f842a7a230a94f51020

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
0e5c89583e14b56ab6cd696b86cf971e

SHA1
0e6b1b79095491a87b54d059436d47ebf028383c

SHA256
fb517a3307d407ec2d57d2719661b9579f356d427e7e580a6a3bfc47bf824a88

SHA512
bac6834bf4e18d315031b81ac4957bbf37cffde516fdfb02052b71e0676f914f50b5ffcda24f7e8c468e15b480456d7da9ca924093769403f3af02be5fab1f8b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
f600a4967471d2b73257a62786c1bd58

SHA1
3e7d56b43d35e69c37868aa2a89ad09a37c918b4

SHA256
3c4bd7c066b02a5836364e954a1e1af52728e64f76dcee837131574b83e858ae

SHA512
8dd8263e1e3d55122d88ff7dab06d57130132e66d6e5f40594f0d2d1cb1a798dd6a2664bfc2d70b95cb663151687616460d48f1a3169e2fa774b46e83e31828d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
927aec667549fbcc8fc2b9c8c0a521fe

SHA1
b3118e3ab91740626c666bbe8803c4d3edfb7eb5

SHA256
14df76d23079a7f6157cd7af32ef6299efed8761ee113cccdceafe073b48bbae

SHA512
72d40f167b51b65280289ccabae45d75a5cc119912cb1ae7fc18958327196625768e779624a8b97a9d650e3fdfdb5c2abf7fb4463858052281f39163748f2098

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
3b38f3fd0e238d940b0aefa5b18430eb

SHA1
90797ba1cf34c2434189a74daf71c1eb1cf36d11

SHA256
fcf420dfd806cb7e1a0e057279b558d2ee891f17fc809d6fe9d1b36897f09aff

SHA512
fe859392fa70e1c24e4df4671e66749be2c5642f2f8d4eb2dcba68b67c434379a396a3e72a4640a89bca2fe41da093f3ab55d4733cbe777341f493d0e0096b17

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
1eb8529af588ab4ed36fd30da3048ad7

SHA1
96360fe047e7b34010c730bdeb2562d3fa9de9fb

SHA256
a8cdaa970c2dd6b3c4ed419549597cb44c715f0a43eff39d85746c26b29dc095

SHA512
5f3458fed2569906f62f3446d4a8bf90d52d26c3b6715ad24b2bcddb02cb09a119d451b1698915ec4dbf22d32505b941b6cbc3980cfea4b0cade2f0bd7a5a652

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
ecfb442b123c9cd441267ce2c1b44234

SHA1
8dfd29627455e9c2b88a847b0d092ebdc6c4558c

SHA256
0514bb1ef7cde17ebb22dff32a857425cd0bd388e6533ee5262f5322fac9966e

SHA512
f03c7b2fa1e3a3c52b49fd6f6c1e590eaf20dd179e8ecdbda7fe2f8cd9b137115d770a303d473415e9314b3ccb512234290e7f1d394688b68fa097ac13c30cbc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
535464484ccc92a09350a949e147125b

SHA1
36aaab148327acdce44c005f254f0cf1ae806f47

SHA256
60c4ec2f6185448eafd6b6fff81a89acdb041f01a43edd9743f9d963be4df843

SHA512
a72587c2c4c5292d394b5028f90f52ac834e3707403927c9286f273f5cdb09f2da217aca32edddba6d0c75a04cd6bd0b9b654cf83c95c20d19b691dc9284a3cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
828606062f22951367776d64d893b3ec

SHA1
ed8c29f90dd6b0ac8affa56b3450534ae8b61823

SHA256
aac01cb8b3be603c1059d22f99c07cc1b3c8ed8cb7a8fca2ebf6f6bcff61b50f

SHA512
e2b696c726e21dc917c0cb9c50ae87cb824ccbb373a81022f74ee240881dc3de74c5084a4fc774e67e11a3067bb003239c4cec3df4982a9f7470ad1511742202

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
699c2723e96bb5ab0594e6b698d52812

SHA1
d93771963b30b49feb5f6d12bc0a7e7902aeed9b

SHA256
49d7a26fa8e07969a69b3ffacca6141cd544ec2333eed29fd024a539a3b97d8f

SHA512
0fa8f4acadc16aa8d907fba3bbaa21c9e75cb563d99fc1e740ac591ded2709cfbf165b665edba47363d1084b5427d041682e924dd6c9acd5768598d20ad5ba4b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
cf5f0759ff1d2519ad27a8814088e6c7

SHA1
82d7aeaf81a2c9e3efc536653af7582fbf3bdb17

SHA256
326d08126f40f497309b4abf6ab54b3e17047c7ab4bbdffd6739b0294c0edb90

SHA512
c2b639e93acf2e7bc493ae6b65aafd4a70a3b3b28e8aa0c9b159e41fe0b2de541fad7fe2ad4c85f19ffed0a0f26d37762ad27e89fab2442f90f43f10d5f75966

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
711dfc9e5d9b51bf3b5b042eebe952ef

SHA1
2170bdac33904d6a2db83983b76ed42ac270ae1c

SHA256
2e61edf977a77c1a6ecd2814810f8bd755ab5accfc05e52280ee2e0ee2c012ca

SHA512
37c7f27f6c94981a1a4acc7e5cdea2aa68bf5ef8782484f78ecc81ddd40d6e5d3643cd1a91b8bc7ae6fbe54d1de005f3cf7266c12ee874377d016695cb7a59b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
82d3dc542b1f0bdac0e3f61bd87ba820

SHA1
b81017c602bd5129f1e1b420968d187902074f2b

SHA256
6ecbd88a9f6468dfeae5cbc76ca83bdcafbebcb939f6a71b0ca30d376dedd36a

SHA512
a7dcba2ceaaf7b63194a5a91c596ca5a1b1833cf6aede6f441006d3ec7ac6077029975f5e7fc5ab7cd5e74125f9a7f227fcae61eb7ce60d1e354ac09c9df52a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
85dc9a63cd40f5b8d2e876ce25dcc47b

SHA1
a6cacdf7bdef5fc5653fe2bd091c4f601f1b68bd

SHA256
ab97b3d47d649965db33700a0ee9b98eea4fac5590242a722d35320e25b17ffd

SHA512
d93b777b97bb4d1a5f0fd6654809e553da5e5e2dc96902536309580b6360d523ed473d2f4a1d54724eb009a42ba460cdad8e4632b4d2a421ff92c7b1dede5e13

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
574442ee15894de53870d26ea13e4547

SHA1
f2de56aef66a6ea10c0eaa4e11c633742813500f

SHA256
c0b7d35bdcec407aaa61d1236670cb7c2d98005c88b6ced1dc7c15bda5580ddf

SHA512
3a45428f2e8f8bda49f99908e440013fb8b93c710787871501fbc434550c2d572b514095c3a4580e1a946b933cba80816bdbe419706c5d4d7a1d0743ef5c9079

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
bdca0599516592e1128c583f1ca0c7a1

SHA1
6b4fb34b53f5da0a44db7e7e5a3b5334611900dc

SHA256
0568cd6368c9846ea1be65687c3b6cf1b586341ff9f5bc8561150d6e0953944b

SHA512
65f6204c454cb11d787db5086dcd317e1c0dda9d7effadca71dcf039d4c5f0247daef4825edfad39fde0e9d737f0e92487ffb30916e85e5be17db26075ef834e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
bd2fdb9d57492aaaeb7ceb2e0bc926f7

SHA1
f9b4c4e552b77d1f05070585834f4e2ce820eb92

SHA256
376fafe31133683a0cf0d9b96d0cb5991038d07b470b52df3ab2c4f305890a4e

SHA512
61f701ef586f3869b12ec1cc9c79f14d653ac10e29094f0c4b6f62f47c22f9cd153019c622b4a0261954934f5d6fc8ea41cac1661c85d34ece8d2be969d25704

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
9025fd1577da42e487c636396fa58ad8

SHA1
0a9445def147cb8416d1965578b4fe03d49b792c

SHA256
e80b130b3d8c1fe6a973d7a20baaed43ec26c5f231b205a9d47f51d196f232f1

SHA512
41fc012e3c8e3f2128972f999e5756b1385ac0071eeb8139c040692b1fb876a2d131c26bbb63e94806fa1c7d3f287bb3578822823868214af50a8d3b4319894a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
100c44b515d395b9e26afca1a170d9e5

SHA1
ed0e747f22600a04c449e98b371f59d449fc9055

SHA256
e7453e5414a5a5edeb961dc11910d65df3c770f9b01e6a2325a173ae58a2fe07

SHA512
053ef1a941ecb2f33ed657b7b5fe18cc2f78e27e6ae2f2003b952059bbeab8bc71ad7431327ff4dac5d970f6e021d1794af844a665e8093c39774f852ccd8132

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
677477da3e4acbb006956aeeb7238dd4

SHA1
c68351dc2d95197a674278e1e30d91bb057de6d6

SHA256
18b2e64ffff4a4d458e6ca9ab30a6609e30cc8749a0c9bbf189f5d8d34ebd62c

SHA512
1b3e05c0df7e6ad00197999a29fb73b9327f99835e63e8b3de04cdd19fcbdf3f4c3326c23f2e4d390298b17afdb7909e53c9d726366bbc72b62e7b56af06ff88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
b63c4385bdd99f2dd25432b7f1696b07

SHA1
6a09f8078d0d7a7bf36cbf23962ad23acedfe9e5

SHA256
bf685d405c50194bfbb141a586f15726ed7f1992abf63c058b5d92b5a2757bab

SHA512
c60e8c52dfeaa7326944f89eea57e18bb8f8c7b04affbc733e46668ca269b4fae87c019027d780848fcd5db50fea066d17b8c3648282c8e7051f8acafd9f8fd3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
925629a477854ac8d1acf9574bf8ec49

SHA1
2e03de3bc681ae6a8bb382a9bd3f566e5a0042e1

SHA256
f45651f22f8c6ce12be1f297c3af259af2677659179579913261d9df4c2ef57a

SHA512
a1baeeca5250f9e206f6b4e924109e262a3d214ea88adddf5b3010b83a14f430fa353615e71352f4cd4654ee04fda163269fa03e9ea2d3f9b60b7935800f8a3b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
d0269457a0b7fb16ca5d3363a243e713

SHA1
0924fd569971926fb35153e115933bb7c6e6bc63

SHA256
cee079b4e7480d3ecc2e22481850349c2ce0c20d650e11d73fc79073baba54a0

SHA512
ada797fabba1cf0f81ce7229f1507133518772a835cd3eae905c15cb06eb2ca25e39421c19e854e8319abf552c7096dc0e38ce0318f17ccc82f8ce6898778cf4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
24e67ab9e8946167d6ebb73ae7e55509

SHA1
2267d41fdacf59d8973d3d4cfe2171f7564edb33

SHA256
96c5c9c1536c2cc5f066e6d7ef7f4ad07fa8156ce7305471184c77ded250fa95

SHA512
9f61752f75864b233037d9cf01ec20cec4e3d4b2fb59b047aea2ea83b1acad832c88f02cb25535a1fa41148ae235653728b90fc46345ce597920f7e0f6146940

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
79c73fe5b6e2f0aa13913d6d68f57067

SHA1
15abab577dcbf93a64d741ab97a9599855a64fd7

SHA256
6a86f1ffc366b9fd397889b5d3fba82af1580a0d2732991db20d3dbf52319bfc

SHA512
53277ff96c25a1702a12b35a2743ec13d5ed8d52b73e2292501453d244216b7d7172edaea8aca8fab0fd2548bbbac936330fb31a58449cd634ceb0e0565fed41

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
f2260ad03bc5d6c356bac8cb355229a3

SHA1
21c4fb5fc8fafd7c3342ac287a6c3c7cb6f2f7d2

SHA256
e52b49e7d57b6b422270b655154c4e6243f8955c7f717169efbf1cbb35442e73

SHA512
9c5d51a4e1a8fc9b4484b245bb7452e6a90d762224ca1802f68f7ab3b32037949e1a3bd29a26d91918faad25457a043625581f9450732401a74b9e69f214382e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
9607b87a83deba1520f991a2bf05538b

SHA1
007a632e36b5b6b6dc2a81b9c8a1721ef899aed5

SHA256
8a457e27000b4e85c8dacf66bcb400a533a81e7030603b997fd847ce972c1d7b

SHA512
70119d6705e6507a15df5e57c2b59a06ebb95e2beec0e21b05f3a59a217887f2c74f819f58fad3210815a83f609ddf428c0a48f91acce04de5dc69b0c96b97a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
8c94459958c0d213c709837aaacb1b03

SHA1
02400374a1e4ee19fc28e98524d0f2e12c362073

SHA256
cb813dfedef25413197051a48c24aa5242b443c36f62fd8908aed66b7a9cbd93

SHA512
b82c1537c73b14e07302f93ddfefd25ff1bdd630be6785ce1f1d4d4745faf18ccea526b37ebdfc89ecc619337ea9d959b8ccce1158a8b685e6170d70f68db2db

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
b1dc42f794af0d459cf79d2acdfad9fd

SHA1
30887a276032f24abaf5ac4d2ecd3beacc6410cc

SHA256
6179a278f6457f39a8eacb03005566f74cec0a2280bae3d4ace462fede12ffac

SHA512
0619cde6e782cc12b9b8d1012dd3e256081a0563eba5f3aaffff876210d90fd8ec76a4c160cee4cc6d60d5bec10b2cdefec47908df186969c0378ab04d1effda

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
e38f8474aadc6a4b737bce21b46e05b1

SHA1
081aa6212ef9716acb7f6e86ad43400b1e08d969

SHA256
cd9b8703ffb6649946c9a08656aafaa76ef78f1069f41ef0f81d9f1f69bd7c93

SHA512
f6552f33788908ec573cd3326b0eb14ae57041ef7df1caf322285f32f6c866e0f6a4522719fd41398fe1f9a85bc65676122c7e8d810e47adb6b89f575d915156

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
44e3b49cabd57247603f78f38fb95d70

SHA1
27baf4bd7199058a208c8dea3ae318323ce4b28e

SHA256
a0f7ba50e1b00e6994e2de19df6ca68a4989908b7fe502b2b7a4af30b7a076d0

SHA512
d655f1a11426ec45782e834de371c1e12cd3647fe0f323857cc547745963fc7ec15370da396428a6eaf56491de8be741d5efc4e7cc9587abb827a9256f13fd17

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
f0b86e8b990fff0392ba328b3938aac7

SHA1
6378a2b60963be3e5fa2c4dd45003b18c6d52883

SHA256
2d22bff6d918393ba298960f1c41df73168834503674b8070a83797456f0a99f

SHA512
bb429ce4700bf9b2af8c36f7a47b8828cfc4801aa4c4859a312c432e5ec47b49eb6f2d00a7cad2066f278ab3ab9c043854d23fb856bfadc5e59867b7156354d5

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5f690f0d31e556a4d8cba5ee77a092a2

SHA1
896d5b993fcfb3ea7bd4eb24f02a9ddb47261672

SHA256
ec37a7b3d26aa56c31bd07680b781f140dc1a8dc77e22292df13d4d759b492f2

SHA512
fe78943a3bfea226144b3044ad558ab6a2d011d5ae812389f6955f1ee483c72e52d18e2a8dcc3dc979516c03846467c12d76beeb2b1051ea2537fc0e12c8023f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
bf8688ae5bbf1f6df058962efdfcaa5b

SHA1
35f8d87c30a088f3f731973b505c87985ab0018b

SHA256
771b8ba65c7beefa9c514fa2d01a2f2fc81d992349bbb9a8ecb228224f48dd80

SHA512
bb5b6b43ee20179546c172cda29f594a077686a51307aef75b5fc767e9102d6a589f3b13944a8ab3bef04f6bbdc980bfa2540bd7f5b2ffa63f552b8d09e84e1f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
75e353b0110236f5f909e16d9579ee68

SHA1
08842c65c973e6174ad82f097d300b03b16e3f25

SHA256
79c2a5f6e6c298b73f364ef887d8cc3a58d77f195fa9c3ec4ed86bc003392705

SHA512
48e313315626508f6a709b01b29dcb6aec1d878d57e1bac1e9ff9e9f592d0958449ab7ad08216483d8d43247b5519b209ef85fe5a402d9f226024c12b7b09597

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
ee7c51a848892426b788b30b9bc4a273

SHA1
cd2e5a25d12ad06e30862116df034e71d3c9c797

SHA256
d7f2a178c1c4f6bced80396c776c1d3ee3db9f1eb9adc415c5b8c6655f44903e

SHA512
8bc754049c5fb9bc5e98af195ed2b3b70f20bbc1ca7a1661df30819828413e1902a68da3d47f6cff26bf837391296ae740dca244cd50bf0f1222901c3e4800a1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
bb606a0e2feb0141308747912ce82791

SHA1
72df6842cb35aa73cf020c8637a1549f30a331fb

SHA256
6083bdce68df552d03c2f77f46d582573cfe7e295906d51a0bae50dd22a56223

SHA512
45473d5acf1ba46ceebe5c6a0382acd94091ed4ba3c1cb1b1891e212b2a64ae6219e0357002be94b982f63dc041e89c73043b56e7223465b7aa1b509b505acc2

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7454ac960d55a387ca1bbb481bf19240

SHA1
90d5ef4a7c433607fdf8572799b5f67775da8c0c

SHA256
e9ddac4736d29233ddf458bf30cb083fe728dd86d602988bdd7ecd0b9577accf

SHA512
c345c9d722f4a8a48b87bf9cd2a97a6ae9b977cf5d9c6fc9b6b6bd9ae44ac9b0f26114bbde15a6aff840a6432b8dd1fd3ff59b4493d9109abb543a00caed235f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d292f17efc934f3aed4148c7cfd4ad49

SHA1
6eacbb702616f216140a08ce52a0c1cbd089c12e

SHA256
9c004159cb39f2989eaec70c87cc8a5eb8593c959cb6ec625b62c8a3197219a6

SHA512
bb9514940dfebd3d5ecf4302c5fff89427e2eccfe100deec6701111961e77b883e9416d56ec293182ba26b38dd2a1196ea07234fb687f5a786c2d4fcf74de227

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
f86957e1258059c42e38fc94a60bbaba

SHA1
32576237640fd6fe3af2b8cb81f0a864d6735360

SHA256
07efdf68a083da7628a1aeb52825fe4cdff7cda08220e66a8f38ec77e9f4a162

SHA512
086c3729f34eac9e379f41feac439d3638bd2981fa07bafe6bc91388e2761865afad9edc16a1181b6b454aaec989257bc64540fdaa377263dad0f373cd1134dd

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8837e1c29ae53ab454a79edeebb71d17

SHA1
b1522029825b155cb53ec5562fa2713da427605b

SHA256
edf7925d42b0da4cea6d1d66cc7e2a415f1d9104948085e56721f656f49d5d7f

SHA512
73b5ec9d6d5de3055b26d1e375be83b97ec9751ebb5a83735d382ee211383ad6f04337ce31036f0d71bd3868d35b6f4f18f1bae1fff556941c9a988cfe202d92

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
1fb5c9079e63a9c1317f97fde766d456

SHA1
f80e81c317878afbbd9a3a2c865cf111dd551668

SHA256
53beeee82928deb0af5afe081aea6b808ad5e39109f0ebe0f78e49324414cc86

SHA512
aa1d902f4099b55ad99a3a99d63751c6554bbc53918cf7c12a2e4874623a41a201f3873222afd44f25bff5cc9d3b69fe0dd1e00890783ff79e5676e85b060a2e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
789c9aab4d4697748d97915d44607e2a

SHA1
d2acf8a2e60b33da258abb1ff55deb2867803cf4

SHA256
d79a6b3697f2301a2dc1223ac67d6bca23dcec43922b72666770c8dc795e1369

SHA512
08eb5d02f5a91c36369caba41c141143e6d59732c317e2033328e1a87cbd028c86911522f390d4aaca813de5164f8848846fbb87bc6f58be322372e29a529ff4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
14b12957be9f7ed879a3076edd3e80e7

SHA1
fe840832f9dc9c95766fb612349c2af5252fdb2c

SHA256
5206a4c172506a1fb2c381e941e4a4080effe19ebc0f43f87cba9d7ae20968e5

SHA512
00712119a520c270c6677bebf5c016bdec85ce50ffc7518cad4f774b2d6f48ee6ebb21f626aab151f3a88fcb4365981bee223a03da05623a2ffbbe471896eb6e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b51bdb704b2d3f297fe7e2555e047614

SHA1
97ea630241629e7a870177c10dd87974e73d5c01

SHA256
35d9bbbfff029fac8c690fafcc3960a2d6a98cf6e49f7d706c33ab7629c8d863

SHA512
ba269cbffc1e7171ca383bd8b1baeefb0638a2e3d6901e04a0964ec0aa5d0e4ca4d1ffa02e867cef08b62567e54b97098796df23c8fb5328003468061441eb05

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
755cba33a8f917f82be76c826931e24c

SHA1
e72e5e9f4e5116bb3b743e71276ff0f98c7fac66

SHA256
28dea2c493f4f04fb345d15815e29966b182a2b84a2592562ab05159b781215e

SHA512
a07a4a5afcc8844391ee098196028bc972c25d1bab1b18316eb83d1a338d2034441900dd16bf9d03daa77b1c9dd2af92eb59e465c7d85e3f5d2202af0ac56de5

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
bb53efd2621f90914c57ca8018f30486

SHA1
a64d3fd843d3bcdb56ed1614006cdb786acf1546

SHA256
d45dc54a933f4eef429790ad549bccff147862e84f5548887c2dd5caedb3fcb8

SHA512
90e0d2ecd0626c6587a0a5dabb7636e447fddb7fdbf5eadb0c491e025a7a4d77c3bf6b0a3f0e5ca9afcc08594229a8885b9e289b8bf45fb46e7ac4903c76d1c5

Download Submit
memory/180-16-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/180-15-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/180-226-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/180-23-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/812-336-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/812-271-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/812-279-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/1220-545-0x0000024E436E0000-0x0000024E436F0000-memory.dmp

Filesize
64KB

Download
memory/1340-351-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1340-341-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1340-411-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1552-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1552-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1552-270-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/1552-255-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/1552-263-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/1820-439-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1820-446-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1940-35-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/1940-28-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1940-29-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/1940-233-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2104-41-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2104-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2104-234-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2104-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2644-412-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2644-421-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2652-11-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/2652-14-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2652-8-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/2652-1-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2652-0-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/2772-437-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2772-371-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2772-378-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3116-541-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3116-542-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3116-381-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3116-324-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3116-316-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3128-311-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3128-243-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3128-250-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3128-242-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3148-299-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3148-363-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3408-303-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3408-312-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/3408-368-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3616-384-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3616-396-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/3616-395-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3616-390-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/3728-433-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/3728-427-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3884-72-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3884-65-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3884-66-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3884-237-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4460-356-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4460-424-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4460-364-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/4532-460-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4532-451-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4604-398-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4604-329-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4604-337-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4716-295-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/4716-350-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4716-284-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4900-57-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4900-62-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4900-63-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4900-52-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4900-50-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5016-407-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/5016-399-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download