fc840efa53afa67534338da2e8ca62f2b8852e58397f1a21ac7b0b176c614593

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2024, 16:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-24_411f8e889f05ed20e67ae7f689947287_ryuk.exe
Size

2.1MB
MD5

411f8e889f05ed20e67ae7f689947287
SHA1

d8a68a22065e20e723fead8bbb7a10cc21a76b26
SHA256

fc840efa53afa67534338da2e8ca62f2b8852e58397f1a21ac7b0b176c614593
SHA512

f9024e59f866d0ebbb287334e93a1b9bf29067582359b09515d452da7938f72e3dd898a06e3d1135846b0d45533a3fc85003e58f38b99fe78c9cdbfd1f18618c
SSDEEP

49152:Sa/3xXBSZ4K5MJ1LvTMxbfsYBYSgxu9+fw4TYgDUYmvFur31yAipQCtXxc0H:8Z4K5MJabfsYNWU7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4552	alg.exe
3928	elevation_service.exe
5104	elevation_service.exe
2680	maintenanceservice.exe
4892	OSE.EXE
4384	DiagnosticsHub.StandardCollector.Service.exe
3500	fxssvc.exe
2896	msdtc.exe
3580	PerceptionSimulationService.exe
1396	perfhost.exe
1200	locator.exe
2028	SensorDataService.exe
4600	snmptrap.exe
2124	spectrum.exe
3472	ssh-agent.exe
4608	TieringEngineService.exe
2692	AgentService.exe
4428	vds.exe
5064	vssvc.exe
696	wbengine.exe
3568	WmiApSrv.exe
3520	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\48564787d34635.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-24_411f8e889f05ed20e67ae7f689947287_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{703E9549-BDC2-4121-B382-D61E8F1A4A8B}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_74000\java.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec8374066896da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000000a551056896da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000492b99056896da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000098d363066896da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f12c7a056896da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b0673056896da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ddcb58056896da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a27ba7056896da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004d5b8c066896da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3928	elevation_service.exe
3928	elevation_service.exe
3928	elevation_service.exe
3928	elevation_service.exe
3928	elevation_service.exe
3928	elevation_service.exe
3928	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4860	2024-04-24_411f8e889f05ed20e67ae7f689947287_ryuk.exe
Token: SeDebugPrivilege	4552	alg.exe
Token: SeDebugPrivilege	4552	alg.exe
Token: SeDebugPrivilege	4552	alg.exe
Token: SeTakeOwnershipPrivilege	3928	elevation_service.exe
Token: SeAuditPrivilege	3500	fxssvc.exe
Token: SeRestorePrivilege	4608	TieringEngineService.exe
Token: SeManageVolumePrivilege	4608	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2692	AgentService.exe
Token: SeBackupPrivilege	5064	vssvc.exe
Token: SeRestorePrivilege	5064	vssvc.exe
Token: SeAuditPrivilege	5064	vssvc.exe
Token: SeBackupPrivilege	696	wbengine.exe
Token: SeRestorePrivilege	696	wbengine.exe
Token: SeSecurityPrivilege	696	wbengine.exe
Token: 33	3520	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3520	SearchIndexer.exe
Token: SeDebugPrivilege	3928	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 4708	3520	SearchIndexer.exe	132
PID 3520 wrote to memory of 4708	3520	SearchIndexer.exe	132
PID 3520 wrote to memory of 1676	3520	SearchIndexer.exe	133
PID 3520 wrote to memory of 1676	3520	SearchIndexer.exe	133

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-24_411f8e889f05ed20e67ae7f689947287_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-24_411f8e889f05ed20e67ae7f689947287_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5104

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2680

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4892

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4384

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1288

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3500

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2896

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3580

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1396

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1200

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2028

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4600

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2124

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4988

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4428

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:696

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3568

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4708
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b5f3f1b31be9b7e12253d869323d0d71

SHA1
e74609c6068941b3dd97cd774bafbebd1d15a0dc

SHA256
a99b88339a9339938c64b50c17cf974af13bddaeb288a5e33063fb17f3ce72b0

SHA512
54b02add515d360c11d226cb72eead39661a9b6c853aedbc250b5720d8987706c6130218f1e5a05b631eaa621390219151b42bc7983fc1d6ca0c7eee9068a8ac

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
6d9d628d1c51ae409369c0c0a569411c

SHA1
ea9134881a6137fba7227512cd6850c3d7741c10

SHA256
e8ae2e5094725ced5d1b815718adac3baf0244361c4ddb0bf0aa6c171733eb51

SHA512
7f971202b9892b8bbbc3c860c148486e98904091c68c01669e0f0cb55da4f05876253a326bf4da864b37535d1b77240012fb38e90631006f7b7111b1d89e03e8

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
f556ad9505118cc3c57fe3d67e264b9d

SHA1
4e272799057e329953e5707ce7e92c0373b8e099

SHA256
1c66d630ca83dc9eba77678408535d792398661d9aaa50eeddecc13be69496ea

SHA512
496c17a5dee193dfbb429d7d2e1ea3df7d087ed21dec53ecd7c0c3a830e510d859b9746ec55638e5c8a50b9e8d232069681f9fa62902ef7fccc07bd0b5c661c0

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d01d804544a20ac7a81cec027464e9e1

SHA1
212733db2b739552f4ff696eed008c0b07e74704

SHA256
ccd8cfd4c7330a63d9f3d832bf68813966275b3c058aa794232e136ab2426530

SHA512
47ae2a01329c32159cb16c6c1132ebd69bd7be38b382999bb84b666cf8fbe3f67ff0c8271c07545eb63d4537e00836315d963ba002bde8d8a546bd8260c12aca

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
9c33deee72bd9667125e4b87af3e3a6d

SHA1
47584060cbef8c545fbb41b9b771148857658645

SHA256
30fb83f6e5f0545be7dbe96ef40af39b9eb25b56d95296e451f0aeb0ff6ef113

SHA512
e15a3290dc8ed40ad33a65f48e0066954b8dba1eb0b74da2c25c6fa9f051dc636a13c02b0812f1ff4e06e8e2b9c39eed2bca7ea1e24acbcc1442c69bf6903ad5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
af22a20032fd9d104cb7f1c666b617e8

SHA1
6ce4541f568cb7d4416b7f6125ee96b638c9e972

SHA256
e7d02415ae49e7815cc9ca102c42507868562e20cb7a9dbc4661b48f61a909a7

SHA512
6275ad38bffe580228fbe41df703291f5761639628c3457231f76f7bb67c6e5757b3bcc4502e4f63fd4945e925397fe2b1842e717085e3de5251dfcf4bfc91bb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
eb251f5b9854197bc97f7e234410d92a

SHA1
d61025aafd6e9262122743116b539b27225624e8

SHA256
51f93b04bfc1c43f21ab143bd8bef3d127ee52d8dd77b2b15b395b10ffd8ad72

SHA512
1cfeb9b86694856d066cb90957d0fe7e86c7dabbb5e9a0ce60f85545b3574cf69f276c035975e7c8e21a58b2d8f0e8c647660991408fdb962354ba9424b1a7da

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9610cf309cc5b1e39cb90de1fbc1a672

SHA1
87d00f510d6f7a83425cfcbb9b58b7de9ce4363f

SHA256
ca113476de4bacefa160c72cd1a885e7495105bb840ccb7efefac547ecd04c7f

SHA512
2ad44b005c9fd6bfbeb9b8ce1a05ed5c8dd98b8f8315ac5ec65cecfa09d85637e8afcd74a618e35616538e72922884b271d56cbe99f793fc578cd0f1c80a5c3f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
e765739089ffe0b6fbc7f1657edbdb9c

SHA1
47d988ef277b764a9f994765040b300fc1a8a946

SHA256
0e6d3a736af4b63c60a9153b72aba4d95fe0e175e88e67ec91f1eab7e65906cb

SHA512
31effea527b238cacc0e15c0d916296e741b1709a3cacee844f442ee7eda2dd157879d00df4279f9e12012b39fc0910a98169c331c300720de9a36ec615cbbe9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
794622f45e6debe444d3697e9461d872

SHA1
c348fd34b9e3bf758937daf1cb74657ed42d7b1e

SHA256
7ffa683e13b8cdb5e3dde9561a42f0cf0e36e93f00ffc4980b783abcfad1172d

SHA512
734e99609c0abe4dd254540d120cb9a094563003dab1e5f9bb65ef4635102717fc84772788041ad75a030f12bd2dcb203b95f8ffc168951de194d62a8592e94b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
74f9e20ca896e016504951b7b42deb78

SHA1
a60d27709c706bca769d5cb136f54987a9f2fb3c

SHA256
a1174f9cb3ae18a0f1e711251be0c04832f0b9498bc39a0b88d1e6ee17bc5284

SHA512
b548071e7ea6027af03511915dfb20d0afc4bc332b37bece4874bb2f01055289f6ad396cc7653f352708abda0a0ce8f9ac629c062204e6c5543300a902fd9674

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
8cdc716e9fc42e85376eb73ed921d57a

SHA1
8e88b0356c7cee924200e077c86d19c29e86f3d7

SHA256
257d2886f75a61ed5b3929fd24d075b8a33b451cbef3e92c2e41b0f4ab800cbc

SHA512
7f2b2480329c5d0845bb0eeef98d27143ad5c135742e60db474caec2c4e34eee99b4813a65b9a25834f00d295884cc9f6ba725dc56465ebf0cacad173ad5a604

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
caa2e0e802465c51ea81f7b104c6dd10

SHA1
2193d6ef804afcae44b75df8cb35d3a6027199ea

SHA256
2035eaa839cb0f0516cf8ad0aedf14026210aea5a001ecb90d9f172bc0e5ff58

SHA512
9af1db566c15e9f7e2f0a77bc9466253a3cfa290a6aa507fe31aab6af04c1abcd2b86862d55e7c3abd075347de9dc28c61fd3dc83074e84466fc88f488bd88d8

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
054323452be65e76ea9aa4d43056c371

SHA1
52524bf67fbb2455c0a2a32252f713199d9faa7c

SHA256
b21ad9f1e3be33c77eb53f5228f85abdcbaae5792bd398790105ab29ebfc001e

SHA512
bc4392e1e6d4dc2325439afb2f2011097e7ec75862579949614bf2efd4c38fad3612b69a8d15f2ba2d5883926c0c83926529ab2a2f79ecc51d2f11c505a7568b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
7c6cd040bba6abe8ea3d2e1cb0beda3d

SHA1
c40380157618b3468f3f6f5c69a695b6fb24f8de

SHA256
d4387fe034c3ebae7707ce361260f16653a0430fa322fe9d0923a7c8400c61ce

SHA512
5efbc591f21761158f2b2e60ea98aabf962162915d262c5baa6a41130f827f1a90f5dc1ec3ed081e49d9647a4905fc09f83381898b328ab3e71d2f904776705d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e2f778315fb86537bcedd865d1271d6c

SHA1
da59bae577a04963d50fb528fe0b18ffd45eaaa6

SHA256
c40adf33d0ed48c977eeb16996162cf40bf38855b1e769772f539453cfe9d714

SHA512
b4f83af37f495fa82a36dda4dcc161866462b85d3ebb51d5be5c13ddd265c866dc091ac03c563b74e0a0891f92eb98b07d8062831e6dbd61b43a4fd48c96a7be

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
bd18fdc5f763cd7b50a6a60f1e5a7c4f

SHA1
1026932a83cf5c20065d273f128b9d701b14f579

SHA256
8619ccd1fde47b0bf8d4814248c3cfc7719e55b7f6fff200bc88e7eb01055a7c

SHA512
6a8541132ac082103d3a4ab9dc68f82863e1f43eafdb3dd9e3790ac1e41a83631a55dd6b3cb9124d3617186234c8e8410183d844db90d01fb5c9574813b8d927

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
33c82758ceec96ea222d5188b879282e

SHA1
1f1e00505ca738b607e4c73340b458956ded186c

SHA256
560688060e5808dac691617dbb0b5ad8b50c65d6f86c7081ee59d1365bde367d

SHA512
8272272d5f9fd028f228de3d21913f844ce841fab6bc6cce3d622be65a2b0f46fc70ba56e18dd35bbc81e979fed99da228e0cec0f6d5a5b8209efaa891d3ed6a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
5d2f28d3de7d389925a99f477d9837cb

SHA1
e1c711b104ad7ce9564f079a4e1ed2ada6525886

SHA256
53169fe8e3bee42c42fa5ca2a406ac3850730c3c1363f77e0df88e23af361962

SHA512
e37f9ef53432af2d330418f681cf0cd46784e584ced21be1ddb52a32a63c30219df4628c99398ab2b40a17dae1e83370d68d0f4ce13ab861513ac824977e5957

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
b13021c395506f4fbf50f2af93723d79

SHA1
266b71bf692e47b8182af159b6555acb74025bce

SHA256
363d9b032a32c80e055168a9f7a3f0e0f28b2b9ce33804c3e81ea82c8ab3b611

SHA512
ba4d35b3736adb195e6f337e03f000bb17ebaf0d9e51c1d3b6c71946c81dd1008f9af3519416fb213cb6b5d70fa5cac64518ae4823e4ed515295c339428cf2e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
d9b00f9231e1daac1d64abea7a65811c

SHA1
4fac1892c12c01ad5a4c62a78537e6218befab01

SHA256
88dfc76b91284e41ae3fe06b263a6db1ce0c0e400d404162818dfb552e393d88

SHA512
85b5a6aab8f0f22260216b40647880ee69f7ee9054bd410af0539bebb9a857ac37b6ae1948a94ac247d5466c33ee747a6cf81ea2c96185d761ef5fd96724713d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
fa4db5054bf10fa4b4ffdc7d34814a83

SHA1
bf7662ec43213002b54fa85c8b3f3643259785ab

SHA256
a088d5028019e63438a28c0190294ebc13408d8787d4709bc7d05cef02830d2d

SHA512
80fb167f56793fc5200cb439d172fe833e31d423bb6d872d43d9403fce3d39d62d2bfc66e0e4b6eaf43658b5b18d54779bba8d54a9fe9b6935a82c32b00e7095

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
c7b663e7687e4fee3b0aae108f366fa3

SHA1
349dba367abe733d2b1184eb76d7be40ba0127fb

SHA256
94d2e4ec6349e57a69917a08a3394c023e5f7fdfb872a0c0e8569b5f0718f76c

SHA512
9cddb4803ca78546519dc06ac0e2135337463fd96831ca4ebfc144054080ef3dab9f1659245fb526dfe234972d5507bf3c6b57d8463cac8ca322962cd2986df9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
623116e79f5693c46fa94d4f8feb20cf

SHA1
04d54c34de6e6cf4a800207fcf47d2bf75258c74

SHA256
daf5d6ee4eacd1896d9d9d06d53ae83a7ce5f26e17c86c80c66b795f4f5d7e0e

SHA512
4f0628b999eda25ca15f47d401beca6fd60ee53cf7e5391fcdb21d8477a982f4c690547a2cf701a5b5246e21bdca51bb3a10e92213e169a53b290a69e5412524

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
c943e191a2356abec7c8414417c46152

SHA1
de643988ea4dd5259cae816b5d7cbd41e16bafbb

SHA256
00a62493f50eb7ae6684add3733b3ce4477020819ce7ff1daccd8d885c936a9d

SHA512
27b9e2079221ddf1c5ed0b366bb92ce948a7d02a16ff9c48e1ec346f4cef19ff8c7ec9993192bd3701008dd78282e3352082929d61e6da5266c1ec6232f65689

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
65443963b153d4c2a33006a0f860e595

SHA1
d3cccb61557a0cbfd3b7c9734b24f86a8298daff

SHA256
b3c9cf1864fd8a9c471daf35f16be8f9f4958d0c2fcf98e901df415a6551c2d6

SHA512
c1d287901fde58f381b449e229ff7aa4c2a377e16cb52a2e65b6c2bf904bd661571d3d6a55f63ec53b2eb61da2ba64cde29348a44620165b44a9f126927ceb35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
7bd7cc27ac4c68d7ce0f5ec860c3e78a

SHA1
0bfff065025bf8b2d8a402f8ff2ab56c50374ab4

SHA256
f8e16ccfb6311fbd0423bca5395366d5a75ca1dfe04cbcbbb6aa48bd2599be2e

SHA512
ca8e8998948ecc8fdabba616d27741809e680273d8da99a95401ec313e595020cc7ed66b5f6baa03342759a44e6731ce474a3f33d2e506ff3835a8cbb7ff3cf0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
478c75e4da8f8d0a1818c651e5797b0d

SHA1
497913458e1fb248cf4437c732805f3f25e54302

SHA256
80cf5464dc45daf069a00fc8d475d13128e82b0ddfc8a6c010fcfeb7c43f7fbf

SHA512
e56e37a788ae6e46677ea09ded82eae6cadcda8da3b62878e68aa6485e4cf9eca9493d1eb950bc313cf5c7aed1c0759d27a7f71d3b68d5cb942c13deb57471dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
a18837f80283ddec6eb54d1734b85bcb

SHA1
32bfec583ff9e457a4eaaef55b95f8f9fe09e60b

SHA256
514518059ef5328fdb6edc6ea7e90c04ed92046c513b814d1065a2f150dc87d1

SHA512
fad1073fb3d68bb95555d158072ad5fbaf73105aa27faab982376116adda598b05afa204b937073422c91b24856a7adbe7ac961202df4b1e596c55a36fe31bf2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
cc1c465d7b351cc9691f808ac3133bfa

SHA1
6f8b36a34895fcf5eb44241830bda0b0c6f6d368

SHA256
423259deeeb7d6671bc90e679122c30b41c705af51a8a5cb0a0fad21905a5e07

SHA512
c7400d2432bdfbe29553d2efd14cd19dddf7996917f3580bd80d31014c380abd9ff872273b09946401c628605f0f0a671a1530decc3221ed458385d025459589

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
482d1b764a38cb812dd828fb454a04f3

SHA1
b0746826e1ef51ad25e1a47e6ba13a7ef5979b0c

SHA256
fb1e67e46667d18a9ef19536e0fc8b17bdc266dbc146976ae7e2dc88113bab5a

SHA512
5d91e2c21f04f53eb7969efc5ad431aab9043820afd5d2f90f347f1396c47cb6591a66435815f8aa582e2cd354aa8ba375604baa98e6757ef5df4a5c27583b3a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
6d040a038be2b0490c9d746eb5d27c4d

SHA1
2126b0c7d9a04ac4ef64605d826054d56a41aa6c

SHA256
eed7e172e800ffaa39ddfde52924a8edad5e4b50421d09a9802974db4a1c65a2

SHA512
36a5ce0d7f3f244ff69a121e1b9a250e68d3b1a0cabf9d5df481d9aa98551ba510444fab0819877f58f7265b339f66e12031482210cb1f808f2e246a01d2ed0b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
6709a8ccdc290551bb45c857f54770e2

SHA1
433ecd90ccfa158841eaf2217555b00c1fa109a9

SHA256
b452a980a29e38cc6aba95a65e38053a1cad9ddc9663b071d571447073979de5

SHA512
2932898778b1e79b16d67a0fa01ba3cfb13aace1cfc6c7c10d4233292aedbf7379544e10a600259690c21716470760030ab6bf65fd784a23716158f580be0342

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
2aa6e6cbefaad1589de16b1fcd37837e

SHA1
7cc2dba6ba3c28d8782117bb58583d4b888d6a61

SHA256
ca4b9ff8e69cf52c8267a537fcf174477132e77ff680b9d22292d58593666f0e

SHA512
97b24f97854a4b85bceaeb7e83f3464d53e7697bcf0f8fc719036475073a1230152aa16f4481f344116d2c30dcd36aae4691d694c26523741ba2ed04f292f59d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
aaa74d6dc0551d179905837e8967b8ad

SHA1
0a2f3e74f9d02c61f8b2353a2995d364a879a25f

SHA256
b56a81fde33fd50997dbd00e87be9912d7719d3cca28e966ceb31d5825bcac67

SHA512
e94e29eb105b9bfc64c52ed956255ef8fc102454c4807c3e5ef78831a8cd61b2d6227e7aea6c22732c3da696eef6efa0e2b54581b21df246e76beb6bbfb62c99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
16db760a6074159f801b862085abc5ab

SHA1
432881e6b3141d518be2c9f2615d5a2fd6335ccf

SHA256
7c252c6f0d1153023ea69f4c3d16f8f6a42e39d6f6af582f7693c796df255b93

SHA512
e52f8709babe3c36275e80679eae87789c0f7be08ee06122ca4257d2550d016edd28893aa3381ef3e6fc310266c3c73f2d78ba049a9ff65b92964582b48ac425

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
9f00833d6ebe798c6d16486926b4091f

SHA1
df7ebe58b34a09cac5d4353fd4a6eb575e13d0d9

SHA256
b8fcda6b0d15498c854106b9194585526a98aa6d73312df2fc6f574f7266c0c3

SHA512
9b6c94895fed40e6f36ee4ee3230c81bb4110b121e89b9a8e9abff903a149edcac03876d68989cffa5901544c5a1c7a6c36ff6983e56e110643034226a7ab5d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
f13aa9fb4771ed08ee7f6191b67a3251

SHA1
092ece036af76237a080539baed8abc5f0b909cf

SHA256
4a9884ab582e39b7cfb5fe3fa1e4f080aadde7bdef4395a00708adfc459b852e

SHA512
34e0fb88868fefc3f54fbbfb9b7737edb0b7c6dba37014e467005e70e21677f3c24e993f7ce0bbe2e554a4aa1914710b6617e5773cfb4e1441936f9efc22dd50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
0df8228ddec2d96338fdf43a525328fe

SHA1
40eb3fd0261c1283990630f36bb9b17bf7936fab

SHA256
c69490661de907e20b18530c4130434bb4f935aa0abb503c222fe5219195c23a

SHA512
5365f8f1892344f7a47f930646635ecaaa5fb0fadbc1fc508539099831f730660ca746ec20a65f400054e9a46bc2612fef20d81b7a7154d970daaca3dbdb5280

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
565296f79b1d3f9f4623b9dbced3f0ad

SHA1
ee881a6289be1cbf03556389225aa06d957d386f

SHA256
88f39e4a765d14487ef2e6da78bd40c7cdb573459a7eb3e9bfda59607889f07a

SHA512
cffbdfc6caa802efc0e0cf42d2e0b6d179c1660c5c5d05d4bc0b559996c60c67fd7c778e78190ed4a00cbee654a8e6f8c24f0cc63ddbd2f29c769cb66fc81702

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
cb3743494a93621c2c1d691035af9f80

SHA1
29408565c6604bb9a535a065dd2c45b3268df81a

SHA256
99e202c3a8b22f6cc407481f1c4817cc9e1a3eb8bffbdbdfc9e26a2584214fd0

SHA512
d15b5b0ca0c53c5f18c1a29e910e5089a089634197477a00c7b3b3bf1836bafa6bd8d85ec57c7000b2a592e0e33ce22e9c743c3304cdc81c11407e7ae44d5764

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
7f5cccbeba2c1c95828a1e0f36691ce1

SHA1
bba309f3739deab785c627d8e0a1c9786021ae7e

SHA256
841138262173e5fbb32c9d48607ed21cbf4cb8b367c4e4a8d5713b0a3ba3b338

SHA512
a40695d87727d8683b697f96e139915eef63818a966bd2cd820e904c9c95628edc15dcbcb6f10772164152f7d2ae601bdf71393882ed1eaa5496e85bdd2c96bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
e726553b5d173e443b7d90cbaa12cfa9

SHA1
0e53769ddb2f7ddd9d7d58c805dc6697844c43a7

SHA256
863af70995247957317015e4e0c153daa364c464b37e3896be576400960a1fd3

SHA512
92a4088805025285f822a4098bb546aff55371a0d6636f6c56b539062a839718636e03667d808e8af57fa15c13db403bb626c11e2e09ccf8285e2a27af908dc6

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
9bff3aab8d8cc37df663a31deba30f2b

SHA1
a5a788ae0384ea2dc9400c0adc7a7c9b89008db8

SHA256
84a836bb354fbddd3053527ce4444e1c0f0150e0ab214276752e643660721d3b

SHA512
1c5277554412338055b4756e7f1c7cff69a2c0fd5e5661e2d173b54956d0d7cd7d199e853c71f77095bd33c83c6c5227dc5b7dca3a443ad45e283792fd346db6

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
39fd32009d6f3d42ee9715815886e9d2

SHA1
70a208656288d8c75a6685c6a88b48032bde84dd

SHA256
8f7b9b78423a6e31be9ae77910e1bd0f8853c0f6411923d1fe6dc1315bc239f2

SHA512
e1d4d2e11b93df0d9fb6543b700c33e9ae84512b1e3398fb8ec660f067c6f5a0ce3390f7206bff045f71d514f0b18bff05e256203c1dd1e8eacc30d2fc6cb356

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0f267271916f7521652977bf09f138b3

SHA1
059fd5189b0062504078c7232c2e76f80e5762a3

SHA256
abbd6047d05ba903e199a5d12aa32022103a4588dd46846c41aec272cb9bd526

SHA512
9476acf6f3c5b4c8f428c45893e6cfb8ae6e31faa221629b253069e9e524ffffab3515ab7f88ceff1e1683fcb4918d6d927028b8574d5bbe4ed053abc22c28b1

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
477ed4b12b96edb435e950d28de3f4d0

SHA1
d209ad035736f57c74dd9a481b3821609d7fd480

SHA256
a5388a6ec838d622274db86b04244de0ac4bfc218dfb5e2d0d22651c21f7d95e

SHA512
96ea0d25773413167aa3331b7012b4d438abe993017fc93dad605d8301bd30823e6092adbe690c92b1ac0d530e1db1d97d55592936d719be7fa88f6c48235621

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
518adeb8bb2164f0b4c0ddb4b0da97b9

SHA1
cecf70376ee956bfb1c95787dd70bc32eb8d630c

SHA256
30d3b6f64f466fd85545c4623d3daee2918e114b611a01f28f05242b004ce8a5

SHA512
7ad629aa8cdb30c6cb5f6a8aa48421e4b38117b242e80db5dda95c63cde40c1644979617b93e71769ec29e4d7deda18a7ee52c50b3521527a3a595a17220dc85

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
098cd6548733676bd478ca729b3a0ea5

SHA1
859e5e09c87b044e8efbd40ff3abbf9876eb839c

SHA256
008a4e85b33e2c76d61e0a1b7b65a3fcee553ffc99387d7d6e3b91a1a294e076

SHA512
8f5a5b205a034d01a3713581c57c6eaa0dd390d3c07ce8c11fca48db7c693eaf7ff224b1e39b6cde190890c1c5f680bbece8907b9f9d1c36fd4fc40389258c62

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
873dc4882d4ec43b1ea4c222c0758afc

SHA1
7e55597045da81bf97fadb2451006514a9de489e

SHA256
99b8fbb407f08be4bebdc26290c3489b7fd894591c50d046d8982254006ea6e1

SHA512
f4d1ac130dd8ce9008d7112deea15a9ed9a408a22bf6f9f021a62389d5cbf76e8de3c9267413793b275a4689dc3f89267ab2e894625dbc811e79bfd80e2fdd5e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
2895c39315f3959bcaf5c6deb5aba391

SHA1
dfd970818b3e5d7192085b2304945d316597aadb

SHA256
aaaebbdf38188cb0ce43ed517cf06a80862cbf460ea7f781c717b9f7f6eb4fa1

SHA512
d3b8f7dee25489d7c8d6eaf4053c8ae96cd0599bb9d61c93f5fe75bed2449a05928043d95785fd1257f4d86c44505a620be4d5edbb6294bb305d6c02132ce3dd

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9743766cf822b14a470e8e25c038faa7

SHA1
55e901f6abddd0ee8ac08d56584058c226ef528e

SHA256
c7cac62bc50f1ea15086b804f849ff198611e4ccc54248fe5abe690048c4e5eb

SHA512
245f571198be3834c0ce83df7429418b571da3498ba4375305e0c0246cb9cf8f3a6e7888b4c09dccc7ba35a7244e87f356597e0b525746944649840758a83c4d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
79b4cac0258af17e07e1f8551c7d1dbe

SHA1
b957377b891e35090daf172e219808e29b39a4ef

SHA256
adb8797fb0f11d8f90b9e27c236e13fcd3018771cf91148f301006aad58a1caf

SHA512
5588f656ac5e5ee1b2bc59e3874b437cfcb5338341db134cf69bbd78555f0da85db1a0c91ce1f3ec2352e1d71e17b2fed845f66b3f0c4da748c9ee0f7a03ec82

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
816ebc4ee8c9472b793924557a60de87

SHA1
52b3be7d5994f96997436746c83fcc89eea11fa5

SHA256
f451715eec674083518a3690ebf790e46f1a1bb4e8d46376bc3aad64636b85a4

SHA512
f631887e76a3ddc0f1183d125f559b151e01029159822dd0f510308daa4521c0a23151ce30e306937cd66bbaf7805f226806017c1f91a3d74bd942ddf94b5bb2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
7bd5abb6e2848236a555b94f0e411395

SHA1
7ee2062422aa5b817becf5e867e344c914f762eb

SHA256
30ae1969d5c1f78bb919788816ac3e8f8b3121b90e5f57ba937c48eb71933232

SHA512
fbd567e68ef02330b78e4fecb4801f81976765ae5ea29c3954c73aa30f3fd19b45aff9f1c0b1494fe03fe838c34e61c25e274350fb465cd1b424893765fcbcac

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
955224f67628de6fe289d4ba967099d5

SHA1
b9f7582da1df398e108957d51b52f77f2bc67c66

SHA256
327a72fd7ef70eaa6482d3f98801c171fa5f1350eb6b5ac1b2b5de1b09d175b1

SHA512
aa1baf73b304cf4261d2a722152d14e0ea5d9250bbb58c6d8cd99340ed34607a6285d2b398477f5f015d22824b289b0ec410ec45b932068979edb9aa067829f1

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
34864a0da88efbdac7cf7aab903ea16c

SHA1
7731c6b3eefca62d6f6a497976751b7c4f782820

SHA256
acc6149ce661b5ca38b82a7980161e400e44b8484e7f39ed279ce8f8c303bf6c

SHA512
b85899c50892faa6f5ce3c7e6c7defe850e0586c68b8d8fc6498f3cae9ad93030a183d3744868b4bd437204a55acaf38e3c274707d74da9e1ad14edd74dbf7db

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
9fc0cf3772e5e0b1e115e2d7935ea2ff

SHA1
e3805438106d42578b19e1f36aa5ea7768f915c0

SHA256
1de31050616ed5af3fe9404dda49d4e837bbded8c8cfe1d050d955b651afc142

SHA512
a78cc02fa241c7b4fa45590d4bf710a99a99ab715bf2af14816c15c400a4af6df226231c7b4537463a8c43fd6c450fc05c017b1e8970baa672d8dd271e9772ef

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
2e07d6004a193dd0d43cb32928615a90

SHA1
a24882b5c4b969b5a36529b202c397b33e2cf960

SHA256
02be8db4e81f49c56bb607e83a25b875626e0812284e0b9b11281b9b2f9b3991

SHA512
ba57687356db59ba657c18ccf3dff5de6bade93109bc77b67956c8d9f27f6a009d018299bd1e2f40649d38b23ef392ad1a76507a321df6b9b7548fa484ae2396

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
93cfffdc7898fccd796551afe5f7c97e

SHA1
2088c2886d3cb98e67ee5a40e0277bd21853ae89

SHA256
da2444cd506d938375bb0350e7d4100cb7a49608f28dedab2cd293f7054f0587

SHA512
338c3181e97cafaef5ac1f9ba84808d654bae672fea83cafb56a7cf763982258c64a70177526a06102c6b3b08d7a194860b8c20b0723babae9c21ffba04e6184

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
ca2e9511fbeb9a4dc17529075a0de32b

SHA1
b5679c0a51e09d7c0c15d3dafc1d2bdce34da455

SHA256
64a4ef9b40cc868227d097e74d3e54039b163ea02bd7c72e810727368fb69c5f

SHA512
9367c1cd4847bf750417a1304e8278f72cbd4479fd632d492cf1a1812df56dee4f3b81f728e4d601b78d8ceae27ebefc58fccdb5d41d62ac275f393a3382a889

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
81f4f68d693513111fb846e78100ebaa

SHA1
ee02c83e613b8d7b5daef4bf3ff677db68e346e8

SHA256
6309d791b1974f3095d1d37bf74a7eaba00e8b8b64cd04ff6aa8a6108d5cff5c

SHA512
fd9fa1eef74ad4d402f0a6de02fdbbe9c32fc8ac21ee4ec89f3b54cd66c1bb7906ec867a90f07c29f411952ac3787a57bece2da1e388efab55bc88504c4f8b81

Download Submit
memory/696-442-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/696-434-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1200-311-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1200-318-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1200-376-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1396-297-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1396-363-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1396-305-0x00000000005A0000-0x0000000000607000-memory.dmp

Filesize
412KB

Download
memory/1676-548-0x000001D1B2860000-0x000001D1B2870000-memory.dmp

Filesize
64KB

Download
memory/2028-330-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2028-321-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2028-389-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2124-349-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2124-359-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/2124-419-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2680-60-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/2680-49-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/2680-50-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2680-56-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/2680-65-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2692-392-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2692-404-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/2692-403-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2692-398-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/2896-267-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2896-277-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/2896-336-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2896-343-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/3472-364-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3472-372-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/3472-432-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3500-252-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3500-253-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/3500-262-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/3500-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3500-271-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/3520-459-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3520-468-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/3568-455-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3568-448-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3580-293-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/3580-358-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/3580-348-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3580-282-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3928-232-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3928-29-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3928-27-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/3928-34-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/4384-241-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4384-308-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4384-248-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4384-242-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4428-545-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4428-416-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/4428-407-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4552-15-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4552-22-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4552-21-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4552-14-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4552-229-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4600-337-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4600-344-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4600-406-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4608-379-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4608-385-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4608-445-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4860-12-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4860-0-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/4860-7-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/4860-1-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4860-10-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/4892-64-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/4892-71-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/4892-236-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4892-63-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5064-429-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/5064-420-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5104-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5104-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5104-233-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5104-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download