4edb4c0a186aae981ac3e4772026420dfacfa7bed51dee23f19b4dd2c6eb1685

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23/04/2024, 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-23_cf87bbe4cd8d294342cb43d35b30e25d_ryuk.exe
Size

2.0MB
MD5

cf87bbe4cd8d294342cb43d35b30e25d
SHA1

e235d27b7f08059e3d45d301df76f0527d32cd85
SHA256

4edb4c0a186aae981ac3e4772026420dfacfa7bed51dee23f19b4dd2c6eb1685
SHA512

4db8690bb9bc478f6d228894b0111648c8bb9f4015399f7f8707dd80ebf9564f821effa01b04d398c2c878d55ff6d49da19d9531c00636f23ad5c0e941e43dce
SSDEEP

24576:j6V6yC/AyqGizWCaFbyQsqjnhMgeiCl7G0nehbGZpbD:j6c8GizWCaFbzDmg27RnWGj

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2656	alg.exe
3928	elevation_service.exe
2832	elevation_service.exe
5312	maintenanceservice.exe
3736	OSE.EXE
2352	DiagnosticsHub.StandardCollector.Service.exe
5168	fxssvc.exe
2556	msdtc.exe
4896	PerceptionSimulationService.exe
5136	perfhost.exe
2328	locator.exe
1820	SensorDataService.exe
6096	snmptrap.exe
1348	spectrum.exe
4440	ssh-agent.exe
2164	TieringEngineService.exe
1680	AgentService.exe
4784	vds.exe
5308	vssvc.exe
5224	wbengine.exe
1836	WmiApSrv.exe
1152	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-23_cf87bbe4cd8d294342cb43d35b30e25d_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c81b74812b574d51.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77343\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{6AA169C9-EC13-4792-9A6F-B1B56AF54223}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001f668f576495da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000015c5cf576495da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a74ff576495da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4f15a576495da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4f15a576495da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c216a0576495da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db1781576495da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3928	elevation_service.exe
3928	elevation_service.exe
3928	elevation_service.exe
3928	elevation_service.exe
3928	elevation_service.exe
3928	elevation_service.exe
3928	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3104	2024-04-23_cf87bbe4cd8d294342cb43d35b30e25d_ryuk.exe
Token: SeDebugPrivilege	2656	alg.exe
Token: SeDebugPrivilege	2656	alg.exe
Token: SeDebugPrivilege	2656	alg.exe
Token: SeTakeOwnershipPrivilege	3928	elevation_service.exe
Token: SeAuditPrivilege	5168	fxssvc.exe
Token: SeRestorePrivilege	2164	TieringEngineService.exe
Token: SeManageVolumePrivilege	2164	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1680	AgentService.exe
Token: SeBackupPrivilege	5308	vssvc.exe
Token: SeRestorePrivilege	5308	vssvc.exe
Token: SeAuditPrivilege	5308	vssvc.exe
Token: SeBackupPrivilege	5224	wbengine.exe
Token: SeRestorePrivilege	5224	wbengine.exe
Token: SeSecurityPrivilege	5224	wbengine.exe
Token: 33	1152	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeDebugPrivilege	3928	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 3252	1152	SearchIndexer.exe	135
PID 1152 wrote to memory of 3252	1152	SearchIndexer.exe	135
PID 1152 wrote to memory of 4848	1152	SearchIndexer.exe	136
PID 1152 wrote to memory of 4848	1152	SearchIndexer.exe	136

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-23_cf87bbe4cd8d294342cb43d35b30e25d_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-23_cf87bbe4cd8d294342cb43d35b30e25d_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2832

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5312

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3736

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2352

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3796

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5168

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2556

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4896

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5136

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2328

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1820

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:6096

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1348

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3936

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4784

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5308

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5224

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1836

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3252
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3abe7cc5db77439e1b63ba46d17580ec

SHA1
3ccacc10cc72dc8a040b3501375ee6117e523ef6

SHA256
e68b0aad1268b54fd2c55de28f25b3b85e22374f6f2c4b73d39583cc903338c6

SHA512
ca83cfb5b2b55cda0fe862efb524cbac4db23bf1c291dc471a5b09b93bfbde7dfff6d2e1901b464171e8037a475eaf5ccb9bf7d390ca2b5f11c63ce502787a9b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
70a44fdb25a348102c47d173351cb8b2

SHA1
98202b9592c642d5d98710ddc9157e7cafef8819

SHA256
b2622b7a29caa8876dc4d2d338d5378b4a7029de279bb7cd5ce27b21a185784a

SHA512
624a4daec312805e9e051df6c67ce8a0e73de2f452cae879bace1b0ac437fd6f81c0c1a23377be0d407d27f2d61bd102efaf0243d0cb8ff57092537f3a71afe4

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
8d05096eae7c3dd832356309af6a8d94

SHA1
9b54d1942b7ed8d91413d9b7d6f463268ae3f4ec

SHA256
5de7a6ab33a04d3b14864a9345a4059c01829df0e446b4214499904cebcb885f

SHA512
f5d3be93264500b4bc95b307467bdb0333d3f3ec43561641735c3d7d07526e1f598dd6a8644e11976e71be040de7753c4dc47b537d5a882ef661570ab0235a7e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
622cc6de0b9899161a54167e3a288047

SHA1
d77cd27f09aa421dd86364d98e7038a6cf926e83

SHA256
98915730519afdefd16bc1e821f793b92949baec5108cd0321c38b14558baf53

SHA512
2b01a5e848b284b9e0d9c04bf2c3eafa97e63ddc4701ec5c039590a01db11b8fefb07592a018443fb5bce10deff4288c087b15b2720d801685809e2325fa4aca

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4fac5113c0dad00279d0ded9cfc301c7

SHA1
53f4a4237d75230d4bc79787a3477303e2c43552

SHA256
a1904be9e707712fe6762e25542a24ae31ba4637a352d5789801e9c27b425f3a

SHA512
5d6f82260c9eada29f9a6f38ff3ca6496ea494e3dd9ccd883e0e084c41fe74af3fec926afa4b99a9b1a8c1bf2b92c07eac6c27dfa538428ddbff2710d75afba9

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
e5b3146bac310c99f5db052a7b58e7ff

SHA1
b1c0855d377a14a01bfa1f1c8df220d31697fc5f

SHA256
46700f5c49584ba955de1fe0d97899fe559f1fd9a21001799778efbcd2374d9c

SHA512
11ff9721531c06f1c3c058847893491f780988a7ccf07b9d41cc686ae2019e887dd122cd5e39fc912d37101a3064ea646147d6f7073b67d01777bdfa81f82f4e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.8MB

MD5
44e47f5fd3c6c6b72d41ee189856d04a

SHA1
26e82596f166b1b394b710ba08b8ec9453725751

SHA256
b57875535dadf187fc6ab4ba408f4d8afa76a432963e30fb09e2751949091f45

SHA512
068ef14f4b9775a25519c50605ee3545af326d79bd6ef490427afd7e130fbbe5071bb1531f5018d826ac534dad1f5591b7ac4ecb2d7ee013b4eb1b3e65aee07f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
944172935c4dc01e5c991868ed3215fb

SHA1
b120056e10251be8c4c5356210a61b3659736604

SHA256
bb05c12866045429cac2dd35b135bd8c256dcbd3a95016ccbcefa18458acd038

SHA512
f56fda89dbfe1d86e5361df703483328d61191c6d61e5ec5ba141827c9213627a2ffaa1ca16c431fc777dbd926a1215e8cf5adcdacd11b63560a02b8638602c3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
2b9c53681e1317844db62001ee1b91d3

SHA1
b33c289c140cb9c7db3e875dabf48f594aa163c6

SHA256
3b12f83caf88ac2c7c9e9d961e93d9ed09b6e8ab8cab2819a8ee2be1e1b65477

SHA512
01f69919427b67db25f06ab2e876da9f793036e0e64f3257dc1f3d6ab5bc3802efceb5bffd3d3f9aa8f91985f9fe41db4b63cf0ba99471c6d00348d520d51c1c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
6b94a5e2fbbc5993eb94c51205050749

SHA1
e4a3545e7b32ff722b76126231f7ddc70511e454

SHA256
7ae11db63d9a8c5e20802de5f6342c80cf86325eb1d151667be9c600723f1173

SHA512
9b8833f607c0525fe15fdf0d2c771ef30ff61671e16e664b73c54627d6c9eb22a271118355a3936c4a66bb57ffe016830d0814eef47c1f436a3cce79b1464851

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3723c57b416120d02125f738e85426c2

SHA1
9b1a2ee7a60dea90249a24ecd77233ae51e12882

SHA256
8a7df336b9c9a07168ed619180489f6cd4695b8c80b048284a4b0eab96ac0e7e

SHA512
f9ae4f0e4c2e2cac89d51f1f2939b83622e9fea358616f25bef47155d45136f94d9d416bdbc4178e02f81879930037103adc65196828a9b22173e5dab86e26b7

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
565b092d31745c504612b96d466dfc09

SHA1
1b8a80bc4a66d1b257c7aba95a67a3eafdae6ebd

SHA256
1f0e7206672886c93e98b9068b9c0dc04678b39e7eb9196d3dc2af1e23f89c0b

SHA512
9197117c4f6bd73275002ff2ff06706f055a93fcf066db7660fc52859ab4d496701b474352eedab55e98161458496c239d3ccc6cc5f29fecdb8b4fc9ea4a6309

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
c9c92230e167683f6e83e646cf2defdd

SHA1
34ee73137580c0e44f5e63970c6556a88e5234a0

SHA256
7619d90705a9adcfb4872d69225e35397cdbed8327a5ee3d329e939ccccf05d1

SHA512
857874f4b777e9b73d4c855eca23dd8a2c849cb7c2313230e32ec038e1562a5032ddcb9bf60edf187e9e0c49a34c95176997521fb41ecea31b19ff7e2739b656

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.6MB

MD5
1b20b7f295aaa40864e812c42c41decd

SHA1
e8cae1b9dd7186cdbb5b7dac868cd17884c786a7

SHA256
d146be2b3df458ffe645626a98fdb8d5b430d9a71eebd2429bf48e12de986c2b

SHA512
f68ca46588dd180fade4123bcd4290f890f1ba1824bb65b7c2b3728644e8571d3e7ee91b4a168408ab5712413e46acdd9e7039b809f6bb4f023ef991ded5eef9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
5d6d68f85ad15e239c5b2895a2f98a94

SHA1
77ddc5787a31ba0f52b92f44f34656b11a62899a

SHA256
4df7132f9bef72b0865f297cc09069ebb261b738b0da71e10a8350d79eae31da

SHA512
8415f8ed390cc6c3ea344681566bb25a024253146815f62a9d960903bde4184aa17c31ee3913d170ce8fbb9bee3daf9d367c2e8cc5c77c9aadea24d7c230d430

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
2ff26fd7b661f66742a0f2559f30dcf7

SHA1
9dd4a769ca491ade9a3681ca7183c8b0e0ddeac5

SHA256
850e9f1031f4a5b3fecab6b2a0e8701c1c01c6adc9e26347044ec4cab8609d53

SHA512
7d647bd8880959c63152f41479fa7789dd0c60d52bc17e6a0ac3bfb2331d4d59e9ed7c74d52005da9f782f8093793573a86d28981d2be11810db2b4f1289622e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
746283d9b569e07d76731312fd1d2bfc

SHA1
2a136112e69cbbca40da29c0387a2a809033c11a

SHA256
51a2818d31f97d0548f0250e05ad3f2a6746ebd28951de9e038339d94a74c1bc

SHA512
af222066a31a80323ed8efb5bb14b7a1566bb2f8357eb2d74a6c7132655e3dd9fe2a80f74d0db3727a335287eeece8b1b9b11ea803ab277c0d9ef9fad6ff2560

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
6d19dbff644b7013e1cd7b830da2f32c

SHA1
971b75b515889ec1a618368796805c0a15ff332a

SHA256
503b573058fcf7df1985d7e7cba81e003956a06069c9314097a908483f334c51

SHA512
2aed0c74d03d599648ce2be44cc54940d645bbfac4b4bf4c2e13a4cdca2ce4c903dc960c415cc0db12a850e3262eebe6efb47e210e465bf47f453ea81e869f6b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
eff177283fd20607a28bbd42d6ef1c94

SHA1
1c82cd155125506d39314f9b66c0106b24c7afe1

SHA256
630008990ea8e97d3cdf0aa9dba161ca796f52494ad71f2123ec9f75455e971e

SHA512
b2650e41b81f2abd7a3a05ae82d70ef8d4df8d42f6f708195e81ecefd30f7b0b0767c7cb4c46b7536b1fad7cf4785664fa95ad311d208c5596a6e124ed00a5f6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
8d99b009ac4db145ed494dfed7ffbf82

SHA1
def2bcb5b98395c9feaf13db828fb2f9cdaca480

SHA256
165673d225d9172468695c697605c9ccc886c986f8151d3643047e046c1f590a

SHA512
ea2f7df5043da45ccf0012e0666ab97e61573367f56808c59a9edc0920fa6ecff46d8041b85c6b3603326f7a80c9e39a66d47ec65eee794b0cdc77814a73bc53

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.5MB

MD5
1c86a1efa8333c9ec6512484061406c6

SHA1
5d3d457ffee40b2ebcc8201ded33b7c369c61b17

SHA256
248ccff397bd571a4e3a1a700b4d628330adf38f0785747469b34cf66a6812ba

SHA512
4c5950aa92d89aa6a7102184d1b7985e00956dae41f55a796973b9b1e37f6f7d289620a7590dde82cfbaf53816f0ef28cf88f2d5e683f5deeeff98e22ddf7c39

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.5MB

MD5
ede12d8daf8f0a7458834f342f658b71

SHA1
19d29b14bd74c6d50a57149ec8d564d672d873f6

SHA256
a718df575618d984bade55256b7231b894ee24fd9faa1fbfab617c11a4f98b3c

SHA512
633e0e30b73fba26541ec30bbf8812a60af2d0dd4a2406202a8b4b565f412a900e158bfc163ac526f94a8e4ac80117d54feb84827f062fd19f85d350511870ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.5MB

MD5
beff81641a8f6050f94eb433a27201fb

SHA1
8fd649c0fc9475e207f7fffcf1e527372eb84f64

SHA256
6663f7a74aebe75374a4a1e3bb80dc0f04f1d81a3216cf7ce50bf28f35b0e57c

SHA512
c271e4e7f5a4666bddd10fe3a4cf7fe3e792b57c627ff1b4dfa4d2c4a9685e1f3a03588b9a237d4c7c6bc4113a685a95ce348ad4b83233b9d093a625df05edce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
88a1bbe194ad52741c3587bf75e7e25e

SHA1
6ff152ce73c9c19b683d323cae4596d1f75f46e4

SHA256
a21d2aadfd9dfa6198d31a15942852246e88689421b3c66d37e54619344ec0c2

SHA512
5e6227e76372d43be079f7bb3d4862e0e5c7694acc5fba9ab2381dedcaf0490d108d0657f560e25e69947dd47dd781475c9748b45099c728b68205cced38e055

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.5MB

MD5
c66ded1f500943af6a233f5e593ad770

SHA1
b52001776ca9e0f3e8fb30635d1f873862e2d8e6

SHA256
1f45bb75e884e757dadead69eeb82b72548078402c0981515f96d3ee25c805af

SHA512
e109ab3de2a0980d842a10e08e36a3afb2aae450c9c7697beccc4446a93b98af2b2fcbebde2354d8259e6de6532c145071f0e54c5b85bd508f07bb7c404ef264

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.5MB

MD5
06a9c4cf80a17f7bb9f2f90fab28e982

SHA1
4426f62d9b26b6d58a26ed628be77ff1ac01f02f

SHA256
0a54ad917529c3d38ea13793c894afe59ba63262fdcb7467445768194a837b06

SHA512
77b8c97dbbbeeaad8b2e0cfb9f247c0adb21b528242182339f6423b87916bf9002553f625105e1d90259d6fb77db742cbe1b6aaf34ff1e057cffa45590b0aac5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.5MB

MD5
34b6379471f51095e74466680632d2bb

SHA1
0c7920d513d95b0075ee03d418323ef5cdaf1c66

SHA256
0327f1281237421bdf33527d0812fe78154a47f3e18c6c1ced927a122f3ab545

SHA512
2f773086eed0c77e0d41c4355b33e72ba079b2407f9c65dc5ed4f7a628d6d9c31e9ae99fb2787bca4106c4d1679dda16fdb6be3fcf9cefea1d67154d104a1fa0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.8MB

MD5
52f83e7e1f202e34495e6a0b5a16a916

SHA1
b16323cac1aee3bc51fb39756d9cd3bba437e1aa

SHA256
dd764de3860d2dab18cc6edcbd6fb8308dea5038cbbcdcc7dc502a3ed82a3e0c

SHA512
e7dda61b82a67971610a40b90cc469412840314ffec2385992a7710fd67b7358e56c88990d5b334341c7c2a9ac888ecafe97f730c8e75c4979e72428f158ab14

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.5MB

MD5
088bcfa8424f3f222e9b3a1fee7241e6

SHA1
1f702efda37d22932a2f4afc49372086b180256a

SHA256
550ca7f82ea29991c39d081bb3e83e6ece2a66cbc7126ff40629a8837e07fece

SHA512
a25ec549c25be4df0a6984fbd9029d596a9d489c18bb8cf0bf36c038888b5de25beb60ff966eeb37c0fe74fec92488f4b017db02f975e4ee6c1ba4b5707f7144

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.5MB

MD5
44ed75d7a143fac6951bcd49d3fd9194

SHA1
a1ac8a1b684bb49d96fd53b563908fa89d6625d4

SHA256
cef83498285afc5620c195e69ca31671260fb9648dd9afe0405d79a912b9009d

SHA512
25745eb50d3bd3a51f3abf55432ea558f8cfc5563aa00fb689158b086519d1ee7c83fb88bb83ec734919da64f8e1f7c80304c0aea71f1077bad371adda9837c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
6788ad44a9bc3a46ac7e75aef5228d2f

SHA1
b515512abcccd292fd7f3f1bcf41086889fd924d

SHA256
300744134f5d4aa2713ddf732a4d752df5e6b29c3fe97f7c7235d3d18f6480d1

SHA512
a5fbb357e7dd8ddaf5237a16aa84ebbf733772492e72be5b68ee52c012b0ace907421ca3f79918d0e5d384ae44d21a04a675d0aad5a4dbb9294d112134f6a214

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.5MB

MD5
213a1fdcfd55aed020404aa3bd47b662

SHA1
e480b86bcae19ca74b95fe03475578d59b795d99

SHA256
955af38382681db655fe08a2c5d09586ca2e42a203bb62c945aecd6410a8e718

SHA512
7becff14ab6be2dca152dda3e77df74e60816ac7065872c04bc9fa4fb9e3ea1c753144ebd35b3a2a50770443316a23dc562d2986b9978beb4ddc8883be6b14f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.5MB

MD5
92e1666b453f98adb799e9a426c474a2

SHA1
41562d49c4dc51b09f19565e3f43588f8162f1d4

SHA256
9a34bc678ae228ac47c7ba33b2c4ebf5688ef6507b7becefe51dd055ab35a7c0

SHA512
e1cc08157dcaad44ede7d04c77caebf6cca1be809d0b9ee58ed23ecaba29ee434ec3214afe1b2a51c2bf23d6c8b5bec98bcb5736a8079c84a1bc889b732196c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
51ff9a08814d04cb982b772d9a28a542

SHA1
5f4deaf6df3981c17faccf4619ae0d5390e70fa9

SHA256
0190dad8cac6bda96ed1476b88a03479131654fe96123d3c3487fdd322621ae5

SHA512
a0ba0a59cc42beb713b3bd6d3b0eaa80e303d13817eb25918f06dd285ff39481b20c239b8674b6d70d8565e48e1a946f0c8ad74d274e2ece72157a95e378ed0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.8MB

MD5
99f200ac37dbc6a55d5d3c3362566a25

SHA1
91382d5f16445edc9975a8c6e2726a5c2e7e6503

SHA256
4257c8b8dd699e21f89d06cd8c8c0ca8140f700adb3e8fe00a7b0d9e40e26ac1

SHA512
ce761f976011b41d393f550efdfb141917a7253f41b4cb0bcedd73df1b9ab58643e644cb9571932657ecfeca5592785451b844668eadd333a1eda6a9536be7a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
aae3a1735e16798da4371c67aa30f644

SHA1
8f4c8a64a4069ac024e138443d41bf3fcc89aea6

SHA256
3bf4e9e7d324c54a5ecf1aebc96affe143839991af295718e1236ff9147a183e

SHA512
f9cf6587f7ca36da7f3c91687008682485525be7f1724c93e01743f53549b029b568a42894af462f2ca58ed3526792a61113db885fa2b9531fe9a6319d9ad3c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.5MB

MD5
e5f769886a68a688576062f2a72b6838

SHA1
618e41066632017eb10a84695f22e52e550250c7

SHA256
c44ddb4dead91bf8f322cec531bfb14023f468864a3c07949c6a4665fe1ba250

SHA512
ea1d4f5d6a26a95f74ffe16f65e33c43a88e02ac2ee31e4c1a1fa4674454da5846279001a5e5ccd634326f873e59a2e1e0559e991f98593df98b8ba6db67dcef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.5MB

MD5
e9522ed7009e3f461db701cbeac18d2e

SHA1
9a4c17ae82e6fc6194f2b7fbf3b309dbfd649b78

SHA256
e31648a67ec3193287ff7129490f0e732c21ec9f2c709c4ab2cc7f4c4331a43a

SHA512
729aa1d5648efceeb94e9d23eacce56c9007aa4dcd9176a7dc4ff07b4bccb845c2ddc9ebf891a4ce989ddaa8b0a0917e6feab2a47aa4bcee1f5012a3ad39a270

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.5MB

MD5
ed7eb1f1df2a4069812a468e0e1f9fe9

SHA1
cff96bf2c7608d1b08946ad07ce552362c8b920e

SHA256
492ee35bc36c46e9d210d798513abc4a72bdc7725be39967840398eb02080b5b

SHA512
a5be019a81e8e4245a18c11207b9377febb45c2123580d3710db041a2e49111ad565b176031ea6f180517972a3ee324b3171843dcd83b44cd83db6e6a9929851

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.5MB

MD5
85f14cefdd4c5bb45554be6e3c0ccda9

SHA1
de80ca4438cc9d4e573c4812476418fb4bd7b1b0

SHA256
536c62b19e1c713705e7e6759dabce520b469f37ccc7731f6f1d030afe3a96f5

SHA512
f592700475b841883ba19428e005905a19d178708b074bb2c8177f4a0f35f0fc27107989981305727aeb9ee2abeae4f6f66e69cfb233544a34f822d8c2c53b0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.5MB

MD5
2e142673d25d21741059a6f36c83aac5

SHA1
88cc50f8153536fc8b2f3138f0ccbeb84d461562

SHA256
542e3fb5b668c6ac7be85dc9f9471aa84c66a40fa6184cf74b88d14be3cd6d0b

SHA512
9ce95301a428b032b3ada57e303c12ae4e12728cd6972d9e2ab0d540fb74cddb547c8b34d6bd4e50634f7ce850217393ebade4a6fcfb3aa872964fadff8c1b92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.5MB

MD5
57c07f54d351680dc2c94ea2e4e40987

SHA1
9498ec4931ff9e69f8fcf62482135f730950dd76

SHA256
3b22c0e928d8e2fe4af87809a3ba442e98fa196291d18d133455b0939ab0292f

SHA512
721522a34db37c9cc60510c5419f24b3a5995bfa5ad91e24b64bce31654c41ef2d2cb1f411f86458ba56ee28cb54d515602fec16de814d2f042af809be3d287f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.5MB

MD5
4bcaa972b26e9c26283e2f9c3fb24a38

SHA1
8eb07f86c9d58a838b4b7d774651ece4dd2eada3

SHA256
a55aa74998ebd308181a113bd69274ba25c2ef7d7bd4d83fe44683fa4cb82e14

SHA512
2257f79e7511ae697c862009ac1a185071d691c02107c139fc12e70d9bea511b373dee03ffc0e05b36369a1e501ac9ef31119c26647dbe1c35f2378eb4e4232c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
b55d9892e8c893a3541740c8cf95e61f

SHA1
65ee27b6e9b5ae4ab3262dc3de1f822ae61d8063

SHA256
0bb42ab985d969028bdce70084db7b87456b24cf6b5f09a7c350722cd46fe767

SHA512
a26ccf121cef688f9cc7543e4b9b431bd4e8566be8c6aa628367d5b36ff27e19358d316c73deebd9a1baea4d6cf4f998db4c8317fb7f5c758bf0e33ffa3e8c13

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
efc8fbb6f7bd02f36ce0ae5d08a3dba7

SHA1
428494cf5ce0b76703fa67c22c52f7ab3b9eea2a

SHA256
531b939aa415a629aefc998dd9cc7bbacb3f4cd05c5b60ab394a1de6c84d8ce4

SHA512
6952312944dfe2f68a8d8d2586cc7f227ab33325e4136b14f2bc9c7b6f5daa60bf9310ca04785c5c885b921efba6901340bda0797ea9686ddf794977f1ad7e31

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e6bf34bdcd338d394d0e500761ab0860

SHA1
4d33657160f725ff030a4c9baaa18af8b67803b5

SHA256
99b700a4c4f045f257b75e52bd5b2606d44b1329a876a533f1ffac3c64750977

SHA512
41dd3dfac8e3c7539770440e5186f7285dd1abdc3bfc5b9178cfb4aa34252500e17214f987fb664b6fe8741c6f25863526a0eb46fae87ca8d81004264036100c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.6MB

MD5
da61df96c9ab75495c5120404dceb70f

SHA1
48fb21951dabd27c19261248f2fdab44cbc21851

SHA256
24affb2a1991a4d382597f661872149a0b40136178f78ab38ce67900096ad0c6

SHA512
044da0b5ed86fcd549945bf889e8baa11d5114d159ac664ed2bc6ea884aadf42db5aad9ebb89a30c8fc882fa7dea5a544c5efc95cd7c2c86bc0f75a461c7dd17

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
fdbc6b4ab8aff5a8af7b9571c28f9496

SHA1
759ea3d106a98d28c8d9f32401e6deb13ec79993

SHA256
0a672b190fd1db3caed84d4accffb43f6dc3edd14240b38d0222031849c60de9

SHA512
af6ec1bbf748e3e1adc2f1bf7b8b4ac894f6cd920f1b6071c1926dd8f077a9eaf96382f9275f864ac20255c139e7b0ec549b28fc06a7e5c1f08c232c0a3916d9

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
6f5223ba2095be2c55481f373536763d

SHA1
5f09d7355d2cbe479a234ffa5d27ae06799326f6

SHA256
534306f88e5aa2d38ef1a364c9f15a4969e0baca1ab4240bc731ea07687ea856

SHA512
7c3d857fef9d97d80a68caaa8a35320da692116677eb586cf02ec6f3feaa8e0faef5762418996e5ac1eb75bf2178bc5d37d377d3b3c226456beda195725cd6af

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
02724b32a56ebc5187d294e3489cfb55

SHA1
99d38f6c6b199264cfc53fd63953853a015d3b20

SHA256
695d40d0c0ba8d0187e64ee9d12e2b404ac0ac490f1d36fcc6e8950b232a93ff

SHA512
8662d35f6d3ce33f8e67e0af6cf2e9a02c56e518d3ad4020714382ac6c1ef9994b94b066350a6f2595ab4f6e2145b92df734290e9d6712d75e8ec92b77f59197

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
caa322f28e7862f11cdfdd1ed043674f

SHA1
3e3c3905dc7a05efe2951db8de8c65e4f0d66db9

SHA256
20f6854abd8e9dcc3126aa5959606831b6062168dcea0018d7dfba82f3fb47e4

SHA512
fa8d48c0748f25f7c9576c581b14d465b04c1299ccec6fbc22c0aea3c2503c3a1ef2a769de7b64aca6d88c38673794320631d6b34d8614bf324ca9cb15145f1a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f92728b9be1539b1fb57e14b89953a91

SHA1
36c1a23a0d4165ce9181a6dae088b99848fccdae

SHA256
1f996e7e8a706a97043911848c442600bed678dfaee9f88011f4f9d0f4bfd2e1

SHA512
229364c452cafe676e87293ee4634a0a16d98d69fb74701e1ba944875f3ae1d096981707f5bb831fc008b80b1c96ee806f63048ae1cdeed83637b5608a9e8df0

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
39155693728ba6130b2d7003755baf8e

SHA1
be9a5d6334297b065ede73f2e9929cd95d7b867f

SHA256
f46454d43d3406401bc187f7b8e8a13a6a08f44b767bf9dd1d6acf46cc6fd5ab

SHA512
b1ca6bcb0a5be0a655f7df9f0522e0bb745b269addd45cde4f0ed38f4be32e152aa74156f283eaa2eae359cd2322e3f0fcfba09f5af1d2cb871caf9c686f7636

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
0a2b68e8b36f0cddeb23f60620633f45

SHA1
b44abb6e477be6ec76192182b83f3a374daade87

SHA256
607905d84110236cd720fce9525b32684fec4b02b6daecb415101046837af24e

SHA512
38f3dd398d26ef1776381dc777dfbeb024b1e1e835e26cca28e00ab865da6ee9faf14df10ba593be85c572ac1b1819c5f175472c3a516c60e46bdf1ca01f8786

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
b05215dea4c002574da1539122dbaa89

SHA1
dadb8de2a9d4c9c859f0cf81ec87f107b8602647

SHA256
5351541cea405bc8ec2b8c3d45cd939ff78a34682cf336d846ef57de0ca2399d

SHA512
ac5d7944bbf50918ec3f73346f7ad3b8e4f900006bd799515068c5a419343216a7bbebbfd2fb078d8ecbc707ea89f721566394198155578504029988493c51c7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
712d6b9ee3864f30f66bc96d6604aca4

SHA1
2295f3e249e147b8a8e77a7cd4c6a9ef7f9241d6

SHA256
8282ec5cef907f60f796c9be534358ccf4dcb44978fbaf3eae1cd736dc45875d

SHA512
e80cc3d801cb6b966afa4c941e56fc0421bd96593eb439d057c48a1f83a1d99b597c23e720c4d2c0ba3facb582b4b1535aa65daf668ebf1b21c0fd1f7d85fb0c

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.6MB

MD5
020b086b1b775e33b1933b4fda1b2d5c

SHA1
07adfa6fe2070cdf019921846a4c852398ac62c1

SHA256
90c5113a35aa4951e7b6a0dc622c253ef6c29428d6b028c39a9d68b8b971ff5b

SHA512
3bea4f7c0746301816edad201b36cab5dd5250cda932f209a9332d29e3646b817fcbebbe906abece786413e20aaea8d4888a4a115e0375bdb100a0b1f0972b85

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
85290395bb53af776e1bf66a0e4f4f59

SHA1
114138642e179e85d00aab2ebb10d8f552e083d6

SHA256
705121bae1983a300a868c0d1d5afc6fb7f44f72317379bac6bdf3633f804fa8

SHA512
622f43f2a1784b6d8ee04647a5d03e85ad2e288258bac9785cb5294967c4fe9820c32f2f339cfd7c2fdc002d71eefb6a883ab55337f308759d5a3a281ef6c275

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
99c5dbdf1445b6d34b06175f2a77da9d

SHA1
1d0fa4f2415c109b829e7013e86815d8ee1d0ab6

SHA256
2bb5bb3ae6739c1672fa8b16595419b80cd34eab4b1d8ee05cda497a7d80f53a

SHA512
56d858e1b3f5afbd101aaece9aecf63142828ef64feefee177ff1f7af9aec4e37f7ad360d34f96c18f688a61a83a74ea391649b724601e8b38d5f061c22b505e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b6c441984337a2d40693a78821ada324

SHA1
0143d2883c72d48b09a70a90fb944c7aabb923e0

SHA256
c0eba579df78b747fc1224a32e8d6fda222566047e59dca04373da453ec9fd8c

SHA512
d94d3b44d9299729653bc8c038ab80386c60ec7af4099d22ed911aaabae508b6227893aa3a0c7340deb96a9540707121d1d0e4fc6b3d3467c067d4f79efdc8cc

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
0e85058a1d5384fa25d30ed5b691011b

SHA1
389a1d57c6814fa489f74ab4e2210f74dc1a9832

SHA256
3e76b0a0d9cf1ff2f2a744796b4c3914d3532a81d82c38df3d0237811c977383

SHA512
c29533ffbe22c484d0a20c860ff2120d862208792ae3583a3a3dcbe93bdbc1286d35b53420e9351edde84c5a32da03a5a1de49e80ccb27d9016d68ec9602a3e2

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8e0523cc4c301174225763de3e5e29c2

SHA1
ca81adfb967b710e7f11aa6c3e5e9044f09dbcb9

SHA256
3b97e3daa674e5ae35e37772374dde54ba13d3bb48b59be2c5e3afd9281cc32f

SHA512
98d41ed75fcec30ebba7ea1317204777b6af4a36af4726297826bb02226c0f96c048717ae07b19eabca410b50e7ff24d0799ee9843f91fb81afe9f9b2383aa3b

Download Submit
memory/1152-459-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1152-452-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1348-411-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1348-341-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1348-351-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/1680-396-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1680-383-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1680-390-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1680-395-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1820-324-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/1820-316-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1820-381-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1836-446-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1836-439-0x0000000140000000-0x00000001401B3000-memory.dmp

Filesize
1.7MB

Download
memory/2164-371-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/2164-378-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2164-437-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/2328-368-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/2328-302-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/2328-313-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/2352-312-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/2352-244-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2352-245-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/2352-251-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2556-337-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2556-272-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2556-280-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/2656-23-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2656-228-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/2656-22-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2656-16-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/2656-15-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2832-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2832-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2832-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2832-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2832-42-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3104-13-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3104-1-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/3104-0-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3104-11-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/3104-7-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/3736-67-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3736-74-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3736-69-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3736-239-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3928-35-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/3928-29-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3928-28-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/3928-235-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4440-424-0x0000000140000000-0x00000001401F0000-memory.dmp

Filesize
1.9MB

Download
memory/4440-365-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/4440-355-0x0000000140000000-0x00000001401F0000-memory.dmp

Filesize
1.9MB

Download
memory/4784-544-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4784-407-0x0000000000B10000-0x0000000000B70000-memory.dmp

Filesize
384KB

Download
memory/4784-400-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4848-545-0x0000012AA17E0000-0x0000012AA17F0000-memory.dmp

Filesize
64KB

Download
memory/4848-547-0x0000012AA1810000-0x0000012AA1820000-memory.dmp

Filesize
64KB

Download
memory/4848-546-0x0000012AA17F0000-0x0000012AA1800000-memory.dmp

Filesize
64KB

Download
memory/4896-350-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/4896-286-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/4896-296-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/5136-299-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/5136-363-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/5168-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5168-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5168-268-0x00000000009F0000-0x0000000000A50000-memory.dmp

Filesize
384KB

Download
memory/5168-256-0x00000000009F0000-0x0000000000A50000-memory.dmp

Filesize
384KB

Download
memory/5224-434-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/5224-426-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5308-412-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5308-422-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/5312-62-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/5312-58-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/5312-51-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/5312-59-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/5312-52-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/5312-66-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/6096-339-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/6096-329-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/6096-398-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download