5cf455ec24dac2b7016c51dcf97f44d6bb6e2ae8da750c95dc563d3199abfd09

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 23:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-02_15847c6b7f71f3212175d6dd496d4888_ryuk.exe
Size

2.2MB
MD5

15847c6b7f71f3212175d6dd496d4888
SHA1

1b36a1712c94c076f5c760a8137b6ab092866cb4
SHA256

5cf455ec24dac2b7016c51dcf97f44d6bb6e2ae8da750c95dc563d3199abfd09
SHA512

c032947337cf6602b7007c230f6f864ad9247c3bd27c89850bac7cd18b250b3204474043504792b0f50407fb73f71cc0f639a449bb38b8893833d9c6a350bf70
SSDEEP

49152:wNl7soq7sQCc1kyG2xHywRfHIO2Ts4bvDD70jIpM3kiSBM29mhNq:kD2311kaxp9qD70uMhSBrkNq

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3508	alg.exe
2020	elevation_service.exe
4148	elevation_service.exe
1636	maintenanceservice.exe
4864	OSE.EXE
2720	DiagnosticsHub.StandardCollector.Service.exe
2040	fxssvc.exe
4200	msdtc.exe
2180	PerceptionSimulationService.exe
4580	perfhost.exe
4736	locator.exe
2160	SensorDataService.exe
4072	snmptrap.exe
3320	spectrum.exe
4460	ssh-agent.exe
3376	TieringEngineService.exe
4008	AgentService.exe
2868	vds.exe
3624	vssvc.exe
1816	wbengine.exe
1456	WmiApSrv.exe
4724	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a38f12b9c3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-02_15847c6b7f71f3212175d6dd496d4888_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004e92713941b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000026b6a3941b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef39963841b5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c0f7353941b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000011007c3841b5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000253c773841b5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000010bd1b3941b5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000003cf4d3941b5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000177e7d3941b5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000994d8a3841b5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea74913841b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ab9783941b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2020	elevation_service.exe
2020	elevation_service.exe
2020	elevation_service.exe
2020	elevation_service.exe
2020	elevation_service.exe
2020	elevation_service.exe
2020	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5036	2024-06-02_15847c6b7f71f3212175d6dd496d4888_ryuk.exe
Token: SeDebugPrivilege	3508	alg.exe
Token: SeDebugPrivilege	3508	alg.exe
Token: SeDebugPrivilege	3508	alg.exe
Token: SeTakeOwnershipPrivilege	2020	elevation_service.exe
Token: SeAuditPrivilege	2040	fxssvc.exe
Token: SeRestorePrivilege	3376	TieringEngineService.exe
Token: SeManageVolumePrivilege	3376	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4008	AgentService.exe
Token: SeBackupPrivilege	3624	vssvc.exe
Token: SeRestorePrivilege	3624	vssvc.exe
Token: SeAuditPrivilege	3624	vssvc.exe
Token: SeBackupPrivilege	1816	wbengine.exe
Token: SeRestorePrivilege	1816	wbengine.exe
Token: SeSecurityPrivilege	1816	wbengine.exe
Token: 33	4724	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeDebugPrivilege	2020	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 4116	4724	SearchIndexer.exe	123
PID 4724 wrote to memory of 4116	4724	SearchIndexer.exe	123
PID 4724 wrote to memory of 3588	4724	SearchIndexer.exe	124
PID 4724 wrote to memory of 3588	4724	SearchIndexer.exe	124

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-02_15847c6b7f71f3212175d6dd496d4888_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-02_15847c6b7f71f3212175d6dd496d4888_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4148

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1636

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4864

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:852

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4200

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2180

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4580

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4736

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2160

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4072

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3320

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3640

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3376

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2868

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1456

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4116
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
db8b4507827ce1385a4a027294b05cf9

SHA1
614bbddd5b859565fc6c67f0c364429f3487aed1

SHA256
4ed951cec93703c4e3131c741a6799b97c1f16f88b37a414d2d9a6f2c9a88c1b

SHA512
521715e7b079c6154e818e659bf5beda679812df7ca80780653498ca3511493e7479e1d0f3284f713a930a0df3dc1aeecdaabc6753274c2fcbcdd08c621fde7a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
b2e6372e5c94251102f653fb933cceb2

SHA1
4b2677efe8c87736833f6723249ffdbb618c3676

SHA256
f4f260555b7db194207bde9d318282b7eb30f75c623b9512ec315c227c527e00

SHA512
635e3ed3b349bf572ca2769221c1cb50bcc801b2d5922776b0201971c36fce8a74a4463af484597db70134fa5af943431b11f30f87a35ace79cf596ca18c00c8

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
93742ef1a20e30063896079c2914a046

SHA1
7c7e81c148da143a1224ba0819fddc46395718c8

SHA256
2712c2204898c18983b655bae6b7eb698b4c06cf9d82f098d7958e67c73be6f4

SHA512
e9085bac4a1923dcd0be82e057e58d94ec07527ed15921e22170b233746cba39efcd73095f7a8d73cb78c8ab767c4d595bad2d4fd69744b0f051f200f30ed811

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6dc753565ebfabfb373ef72c9c53678f

SHA1
c06b8b52589224f1059ebd48d79f8743cad9f1ad

SHA256
acc18a7b70a2779a514b3383b917f0b673fc90cee8b57fb73ac9fa54b3a52424

SHA512
85b4081b49445a1e35b62821c9e7cb75d19bd187471589ebc931379dfa13c76d372535ff7c62cd2cffb4b89098c92bd07025ccbcc4ea2329ac06bc49e84c5ec0

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a0c4fa89ba61cebc303a695d45b96403

SHA1
b221782aee187926cd5ff98f1f676ba6c577f668

SHA256
6778ac0ac5f16a08b4e95710809e5082b6d0ede5c40bf90dcab2f620498e12f2

SHA512
21d8e235b6aa27c42525e19b0a9c0b82c869a48191b8c04e7de6732fd36b88b23645940a66447955990762a37d4f02d7489a1e8830793a26804ca6611395a63a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
58c2a32d02794493587cf5c50589352b

SHA1
22226e92a89edbe8e8508c138359c23e18369c69

SHA256
592882f6eb19c94eb3f88daf6dc1d269d77b7e625d498a8ab499f9f084903812

SHA512
369c4d4e520b9f5da0dd640dc166484489d72adda79c7d877fcac5d07deb052ece0e53d0d49ed1105c7509506d0cfef1ffb526ba560de385aa3ef815153e8460

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
da55ea3d08804b19fd9d9f04613f76eb

SHA1
aa1a7ebcdf7e23a138c57713a47bc4af09165440

SHA256
7a0ef6ca5fb905ee472e46ef1586ae220f8565ac522638ac61c9861790907fa3

SHA512
a87dfe06a36726a4bc25cf52329f5e918a5af3e8b1ec97ffe7df0951ffa419c389e1f810a51192d4c2749d503be94c865db30925a03b411f5eef5c6f628c7ee7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
3b91936122707542cbdfcf377b88e01c

SHA1
e6a7c143ea8822eababfc437d05ab181ed75d0e3

SHA256
e4d204d3399e3a7fe16e55b8098ca506c7fb076e1e369ec620f1312a79d4875b

SHA512
1a218b14e1121fcaec18a77a60c0b41f07f5a2f219b29236289d24826ab01f31049de7df717c1274432bc9abc3f810080630ff5f70aeddaf90546b4d3cf4820a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
ad96702c8f954dd5921ab8947e167e4c

SHA1
3b6f623fcfc7eab8406a3dc36f055a54d20e3249

SHA256
4a7da0c4da6580e3459629025ff2f60299a1debc59a7f80ed58ec8b243dcc3c0

SHA512
508c2ceb7fd782677352448227b3e2dbf04e0778d655fca53656b971f8acafba4693e00a6de97a8484648f48465a6e7e9f1ea367b770861d6e06641a4e503eaf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
d9777a129883cac4bc68d1760f258667

SHA1
097254e8ab0c76536394417076cd9f7052cb98ce

SHA256
44ddd6e39072e77e9d90d9f203e225938041ab0be656dc42c26a85cdd21692a3

SHA512
925be7bec71a593a2b02dd985046665e9dd1ed1709929f0763a3f979b5680fc6b450aab47c6c06f34503a9814ebebf75f139bfcc5137204e8ec15617d172fee6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
fa54525d4a8637637446c864da6d171d

SHA1
5332aa712dc38909a0d9f7ae3de59e2fd74910cd

SHA256
94aaed1c84b9cb8c8809679e3aaf08d12c391cf005a351b38e0d124e83afe479

SHA512
cb6c6fa5b7e2497d39dcd393bd4b0c9b4dfb602947e0262d98c56251316f582b950eb0f1d6201b9ff1b2fe55a4855ac518082a88ca04d61d78fd34ab8ee6e425

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a770827db20d8040a19426eeffabb954

SHA1
d2db7c0ffe4f04041bdd0bb5a401e7eb79621e4d

SHA256
19a3a1e7a91c7981083440e793f6f9846bcea3c5faf8c0f4e39b803000806bdd

SHA512
a231c84075f8c8228d9ba498890aa1777372e3416350380fdbccd950b9348e16ab790d13bb1deb12572cd9e0cee251d9b86829c9576726645917a1475ae394e8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
b46bafe0203add92b2fa73316394aabb

SHA1
6d1c5874583fadb0fe65f8689cbe64455c39efba

SHA256
0220a2f863a0343f3664fc29ab051dd954044feed5165fc67341f5ebe30ea892

SHA512
824c28314582b13cc29c1700eae5b046b433e8d8a5fe5bed62d72437309ab93330600b2f28b7c7f20ce8a11a2ddaf76e4208feede0167e163bad8d33e9d1ed92

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
ab24639461e87a626af276564dd73bfb

SHA1
2bed50532afc054f9c13b67efd6d9529c4d40e06

SHA256
30c80aca29b2cbe210be9e870f5e365cbd59fcd3796dab38d50983ff42ed891e

SHA512
6951a4e3aa26613f059552e2583be7792567722f5a6bd0dac28deb538ef06cc363c9d36881752d06e021b55859aa05e7260986bc2df5333849dc2815c265ab50

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
a08241d226611f12e0d71d426c80a7dc

SHA1
be59091b42219d5367cc23792d43a6531bacbcce

SHA256
8b6b6d2a03b395986a89c227501ecfcb68ee6ac1942095f7b4ac538ba3f9f55b

SHA512
47d3977325ba036c9efd5757850ab55a20aa8084a70c415eb0fceef2bbcacda202aa0fe45aad5f2650b8766ce9c5aad330afb05250676d8ec600afc84a68b6f7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
82a2df437cff0328ff1aec7cc0594b01

SHA1
cbb75538baee1988ef3fdca55559887b3f33d49f

SHA256
e17cca71356b7eb06b24da8a5948efe0436557641f0cd757e920ea22067cc91f

SHA512
80ad7d980da4c8c7ecf8ebaccabfe6eb5ecca86ea2ff91253be91468c018aa4d485cea46735350d7b8b26435f1c8d19dd94b85e5ecbee615ba5b8facd38a2a19

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
b4118a627c7b3328d3926dc2d564564a

SHA1
47bcae03c320d98cc563449df83f6f3278424a71

SHA256
885a36f34bfce37970108b257e2a90456a9975d98fe712d04981e82a265e13f1

SHA512
8e6c02c8b9188b926d0fe4dd0be7a639912a1f11bb9d81ed9356ac303c27f5d8614410bf40fee18d8e4d5eea6f3efd92b151c45f22a6502168757d1d97b0b13f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
95db49f119fad4ddb6c504c36b4dbee8

SHA1
2f018cb6fac613feb4649751d3fca7ceb24cc9d3

SHA256
7887c6911321a305c93a82b822bf5086c2f0aac43290209deb6ce59b03be85a9

SHA512
69f4930c7d269f2355648ea4ebe631dcf85ed31ea5495cf89f467b660f0e023592fddc3bd7e5925a69e6414a98b8b2d49e361900f28c1b3a0c30981c7c06aebf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
93b9414821617ec08f8d80c4f27c72b9

SHA1
87c37dbc7389f8e8021b1236f17a5a3db08690a4

SHA256
4092a62f8cc153b80264cb9965ca4acefd5b71e3027e8a0dc5e2f79065e399eb

SHA512
84c30d52c229200b4e6142b712c52c2e03792b1e8caa36525152f5b0a46dbdce0783c337b2f4a87530e9bd4627429cb4d34673289e7707949aeb76191962a01f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
969b8a1e04b956da78b15aa1911a354b

SHA1
e0c510457754c6e1665f4d6b86612679bd033300

SHA256
1d9d675b013a2c3ab98cb73f35190b5994599d5841f2bfd1434a5cadd68a3000

SHA512
c6174f85c89dfe8e061716691f54e35cb26d13bf39f56f67b487ad604000b62d5483a847790333afba577d42bd9e489111a4bb8f59191275eb635a4664d6412a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
421d60bb38270a11e3cfc6c8040f3e80

SHA1
0e7a986970c6897ae86324b6a45cb4d526a365e8

SHA256
f9f896cdccf1e806b2eaaf413c3501adbfde4a61be2e622ea8562cc9f7ac5644

SHA512
427f97701e05d6703f3a1cba49c400f924aa9f49d7350511ee4225b1b16d4d1920bb8cbe557a36a7d735afdae4a7de2826d5fac0959e11520631c00a55e4c829

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
78093eb396c683c4b6a9295c90b1e2cd

SHA1
74c264cd1ca75902a5bc25b1c5225f2482987774

SHA256
815d4e2191bacd699941e9f71becdff0811cea86f6d5366d8ff4a273bbd4d4a8

SHA512
09ceb2b41da14d5c7222204cf2b5f05c7de33bd3f94cfa89080e922071342cbf57516adb8819ca7b6b6c9079be9bc40adc5824e39b865e7c390492b92b7dee11

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
3f55c934d41069a5f0df3245fd9c1c5f

SHA1
0b3cbdcfc127ac702f2e4de5632d0f3c6d56bcac

SHA256
e296d7af1867fbba6c3c875002686f403dd2b73a063751ad16a084585ceb69ea

SHA512
e6ee9a8f43f7d5fb31550526082f26389107ddf517a0f10e13f171f620eb4953f228c8769d73ac12a68893a5a02524eac12b2db5f31a8e101f8a9e39b3837f71

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
4f7529e0cb6376e8d0c164df3bb005ef

SHA1
bb97a6a1c0d9c0abd5292d56366f5674af11fba0

SHA256
0b7768ca80030b67d185e52216337a1ce46248cd754fea1f2a22c0bd5deab3ac

SHA512
7c86112dd09160ae0b59f22143fad51c3b6651da68ee03220fdc821a673c3d658630e112bc22fe9ea4ba73410cc9d7b762b7a0dff999b6f2742205092f6c9a57

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
34a2f6b647a5a7157ce7dc05edb8c5c5

SHA1
154e2d50ce4ec4306f4e06f10161c7e16643fb12

SHA256
3569f7c2e30c7468fe11631db9dca7402ea3b2b384ec558a997b0f66191aa461

SHA512
018cc3119148dbfba35d24e854b37d3b2b5ce3d4b3f47e69dfd65957a917d674233cede12f7270992eded1b27866d95b4e00f72f9d6f36d59ebcc96dd5e283d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
bf772b6b05a90bb7a64ceab22e9bd522

SHA1
55421a7e4048771cdd9d997830d8d5458cd5a6a9

SHA256
cd665991a9a9e5c2a406aa79c45ce1cc82e71938d39efa6d64b89d68a269b96a

SHA512
617a58f38d012f50b08c3ba6d5cf6043b8d2eff1d6fd5561b60229a9c90dd9ebc87cdb102119105595e448929fc5e88182ef8274c1280eb6173ec277d0615401

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
4422c56aae2995658f43e9a7130173a5

SHA1
00d15e4b1d405c752c9944f1271a0a1e32ea74c1

SHA256
29ecca5cfefaea751f538a9a2816569c701303afb65ee6f238a9732efd5cad26

SHA512
8b4a66f73d80713bd7f67c268d831917cb2d98266015a9f236f4c839d84da49c7d6c2d440c0d62f29781014c7cfeb813b6f740b93d98e18aadfcbe2459cfe955

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
8bc137d08234834d0f27728ced1ab886

SHA1
56ab423fed54ea68d5b450a3e8e7964c5584aac2

SHA256
2cdc112e178712fda699856bf85a51f1c0ba026c920205189106d17f6638a3ca

SHA512
1a202638f5afdd2827b5e3b34729f9c77ad7373ca2fde483e82fa1d1342777bbbc09b5ed95de3c8248b75c7aad28bccc50972f4bfa2665fc0bfa1b48d00969db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
7ad04faa8ab50176a4d14a3e027ececd

SHA1
7511004fabfffad57b9fa00acca8c8a41fa5925f

SHA256
05c5ee0285ea541f2596e0760fa4723b2506c5fc6d077515e87111354f9f637d

SHA512
8327f14351493394db3bde50e3d5a0b82e7aa40defc8d33409c42450a905e093e0413417c402d02292954f49d824f7f56ddb856da93a7697da8e4b5ab9219e82

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
764d6d3566c8dca86cbdae94a604d3c7

SHA1
6258f76134844a00b27415646b7353c25e153b03

SHA256
af27f17ea4f9c9c913fb9dd4533e98d1c10b2a4065cdf068e926c119682ebbfb

SHA512
dddecf6baf0c43c7ae7989e99a592e62830a05d7d5e60044382c640672554c83cb01189f4aa6ee3c2e9b3944f3f5afc5fe029fd60a76ee3fb00c7835b11e6d79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
c0b794dff14bd22575ddfc6466010854

SHA1
43263607b99a650c7b4674b707a39890f3db19b9

SHA256
f08a5aa9aa678e9eb3cb06ce9a20e9180f09e0ede80c89f97efe22a1a7f269a8

SHA512
dd042bc25ff1fa0995d5d93a6afc27f8122edd27b15ba09de8a67d4de9c9c25e840de9160cb3a5766fe223a2da0d7c90b8d6adc1bc0456ce2a332039a93fbc00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
1d589badf86081ce72bdaa1866e46dcd

SHA1
74eb0ae4a8c621114b5994044dbf822bff042bc8

SHA256
538fb3e45a968f00994d8df714ec1c501183aefdb6d4721ec525d67d4817a74f

SHA512
2be3c72463bf037cc83d6d1ca5ef1534a1a6d9190f8e73bc32705feec9b2cf0b05d951aad93916507ec09d2fea95fd8ae71f46950c06feaef18f7f8ca4be725a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
96ee6dfb4826b8ebb5c5080a64eefad4

SHA1
dcee8d6d421add542fe0ddcf6610bc3ea5969a45

SHA256
7f63a9393c43f8fdd008dbfd592860f0f28aa650a3c0e726e71e5ab39286b9ee

SHA512
f3274fdc7e5e198014cb32425cb44abd62b578041f915791171dbb101f53d7a99b208a6e73ed427dc555edcc3d3a818e0199300780ce7d7a89a8f175a0bc16ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
d150c4c1e2845da8525e0ebd79082fc9

SHA1
b9d08795c11d9f2be7a43a4183d706b5010d68f6

SHA256
0833bad1cb08dc557b23ddbe92b2fd14cfb3c23be6cd4d01ddff06f75daf97e6

SHA512
ebd901d7036d98839b5c6e0d4f69ced8c121ee7fa7a6684e2907b190602d6876113cbdc3a4d00ff8213e477e909d6d19c109fe2446f2d32f2a6c4d7c16e68b84

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
c28e42a275190cd4da9ec96a992f1c4c

SHA1
1a1d7a828d37eb26f673205ef83dd9c25bdd0bab

SHA256
67dd3fca3898b8e3e6a8369cc144c97429de6c1064e5ab6e544471a8b90fdd3e

SHA512
415e18cded04b01d2f4680a55e6e9c4162c987e6232ca8a884f111ba63a20228f9cebd690384e145c0d9d20c4520dbcda319956506b1e394abb8c4dec24eb270

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
861d7e12cbe14a6b6b28345c760e6a44

SHA1
af12e8060802cae9876fd56e20ad7d2684d3c771

SHA256
c69ab3ee584680d91574e7414153d3f63629b916784640be021ee06d21d40ea5

SHA512
82f0d22ca33ddfbccbf405fe36f8514f580d9fbd4fc60bfec50528184b4a5f43fe35d16fa59da65f7343167560f29aec3393ed4bcca5bae68b7ca2118fdecd38

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
a59943c38fd1ca7bc627f94b7078f556

SHA1
eb03a42c816bf6df322d5d11ad401161e9822d2d

SHA256
86ac21663781ef31413f70ec07ea19b015a72b0987525684285b51ecee7af69a

SHA512
d764f91e5336d7ded17cd72a0cf079b3b8af1f55fcec0d91c588c3d1db0b7428d93464504ca76706377a4f50f1cfb65f7be75ca5c7a2dbcb57b11742e0df0413

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
104e08aceac0d6e501a4ee2f421a3912

SHA1
fd555665bd822701dd41a5dc5a5f6507fc321fcd

SHA256
808ca4c4520bf48397bd670e9aa2a7e8f9ff5a0642ca6cec329a403613e58713

SHA512
10c19969053919d52c66aaebe337b69793b0cc347abf0dd7792681b49f4d032d9cfdf2620d60b87718e47fe44aade24f19093995e1d820f7ea856311ed204929

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
0f9dd88a794f2454378c3c644728a658

SHA1
2bdc314d2fd941ef1d12829bc81cc93d0352928f

SHA256
60dce9515ee26b908f25f12641372dca8371b9e4471cbd6823f19e330336fa57

SHA512
22fb8815c0f4855149cae81f0f9db78e1ca7c8b7bb00889ec74492377177cebbb529601a73133e51a826702df4651b82ce65c2e2d6e188bc4b22491b8813e5f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
6da9ed7a8b5cd7259262c1287d0ca24f

SHA1
6bfc3f9efa77ccd9b8bc3108a461fc8e499c7de8

SHA256
db1adfd537e6cc07c3f0629db13260fea1ff7ad9f96baad7f21b50b233c8388a

SHA512
dc41116150ac0623d10ed241f924216aa1d279468b53227f94dd4a4e25ed2238d9f53d52c681b29d9a762350962bece6dcd06d9bf3367cfd37e2d1c214bae568

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
3f40bdc8e29bcd7d2abfde545183faa4

SHA1
7299d2c3e79d185e7e7f1de27c4c48f42b5fa344

SHA256
5a453c1dcf107ea7457185cf03d1f5435f9cdffc01c011ccb3a493ad0a5f5ff4

SHA512
3d2c142fa336befbbf7931d2ac106fb5755f18c77fe7c70e4510fd069f51dad63ff8800357363e9d5e5545b706d8c95efc7c6317a325cbb19147d97edd7dc889

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
3f838f84c577c409031307b4a361e678

SHA1
3cc1490e77591e7afe6372e1712f66e5ef52b72b

SHA256
521730ba29248c2e6b25eafafbf745bb24d547adfcf15d366b10105d7301b535

SHA512
697f6d3318dc0d4891bd2cffa2faa49b1813ef4e13291d76def77a20de996a9b1fb8c7e7d4d27b758eefaf955c081f86125d4637913dd003fcd5cdd0fbb69c9a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
b070e12b14da4df345f2db809194e7a9

SHA1
403120854d876c8be045ad3736c679f7defeea84

SHA256
3f889f952b14c268ea998b5fd6d2eb768479544a86dd79e69da172b9a1339bc3

SHA512
5787e4ef34b3d4e42272e3ae245c5c1a759d11876b76f397e3ca8f5ef3b033575dc365017f2204918137fef77b0ddb994fd63362ff41d72eaf97b18e627c35c1

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
0ee7ef91ade4e705adfac1e6c777e375

SHA1
b1137fcdc95c185e64692596efc509972e9dedcd

SHA256
a17cb11ebda59ac3c60f6744db08affa4dff02431afa6d7d53cfabf126244ee6

SHA512
88bf33bed4f8c8f362c92e1d317f118d073ae05b4655b2260057bf0c30a07b33d94fa9c3336f923bb061bfe9dccb89dbb4b1f20251902106294f75032d716172

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
79716f9e30e9c9119418c340ee75a9c2

SHA1
7ff60246900f29510128bd1873156f588173ee97

SHA256
2dff788a45e70599c09af4e253baa1c6c11225bcc559cd45529cff0b0d1295d5

SHA512
40f236c0d0a8cc181557ffe3aad8925cc9f4e2ddead2a6b77bd5c9299f07c104e1847cafe354b2ef12cccb0060d574cd538cf3f614bf580ac071ff8896bb00fa

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
74b678b0a1971ac14036d5a323765b5c

SHA1
9d773a51bb820b90547ef5aaea1e6073ea4bc879

SHA256
afd246ee3e2b3e5973b8f11f1db766c3abf2ddbec924963c46cfc4fc5a16e085

SHA512
e89cf70cc0698ddb401df541ea7b330ee5fea22947b7e44a092cd9420dd398afdea679c804170f2b5d5afe012612ac38b0f9eb3637f217df639a7ba406306a57

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
b6322cbc1545877e6d834b50a0d1143e

SHA1
9636f5004c98c684efd24a316c6efdd1febf4d21

SHA256
521615f66462e9aa3e483aca2aa4832bb2631c2e0cc2e0faa8b52ced44cd1a08

SHA512
dc9aadc616fabd7da11d427d658fb87aeb4649d6eb656d6b48eb6ebe806b1afeb6e62ccbf78aa3e0fd17e9c0c1d85770316b173aa7761098912725cde7d3ae0a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
aa4d1ad2ffdc551193de4ab4facd5e7e

SHA1
efd9f04f9e7d1b022fb84c33c264a19b5b13bfe4

SHA256
47b04fb48582c63cee3327d50af8762f9b0c5eefd7748d7fe98980572009e626

SHA512
083cd07c7d7a85cdc398ecd38fc699f0cd32f94534fb61181c3900d181c924c86367cf04328a0269c6b6e74cf0578dc04d5f3ecb989b306db93306324e1a8cc8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
032b92cdaba407e6f845c96efb54eb3d

SHA1
064b2191371606e2fe3dee38f903e9e9913e16c3

SHA256
0cca8bb3b73d1a5d409825dac5d844d239af7a39c86ccc7d85cfb8475ba852ee

SHA512
1043bd91812b2400ac4c9a15b986bc3c1711a08173d3e90982db7f6125cd2a871d3b56ab38d67a853d4aed9ede2c2505c71f92b3a01fb889236a8187206394a7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
ee59ce112dce9d123c7ed2e99bbbbc0e

SHA1
128b5fc4c84211c2a9d1d009136f269e663ff531

SHA256
4732fcf2ebc305cb4172838836aa0af47a25fb6ace76ca284e53c1abebb669f9

SHA512
3f68396503a2dd2cd372b537d5f73dcec51452dad17fab64a66dc8bb96ead2747767b6333d5ed0b26e4624773f404505b017f65a8d6c962d7a2479cdc3deb542

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
5ebaab7ba5a1056f91a79daa4bbc9d8a

SHA1
33363176cf8e4ff3ffcdb22549a73d308974df8c

SHA256
1be5f6cf081da104352bc088f2d0308467dcf31832288331aadb8d72428d29a9

SHA512
853a2bd28df78265f4c08508c9469294b7faf3653c02e8f476b37c45727baaef9be5d7d3a2cb05fc57a638481b385dce087ddf501004d92733932267a2de43e6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0e59d882a8622b9de37ec6edc3cbae64

SHA1
3bd53b657fb15c4bab80c2708451aea2836557a3

SHA256
8f043b8f0c870f35e6889d5ad02d7a993e0a9c5c2a60a6259e8db1fc7ca0cab6

SHA512
8956d7e0da05a781dba48d05958f0de9da495c8442cdad4427863c594b6836df727e90cc0e22f7d6d5b41c78dcef3f2a0848d41adfa5450749a307bc12918d6a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e2b4c3ee2b576f12aee2f5e230108796

SHA1
ed5e88ec46293d63927708ea2664c034638e6741

SHA256
6102df544a2893fd4c2aab1d9ee4b1901f41ea1ba1b364de38ce5e0075a09a7f

SHA512
97c6ad69dbc9d1a02881b5f2a81022e50ead50816ab321a04dcce7c3c1143e18ec2cf61ccf8b317811d184d94225c72a8e353d8ba658248759298e7f2474a40f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
fb986b549fec3cae93704d818bd746e0

SHA1
9d43edb3bb4b01cdd7e5ae5596ee318b7f104eda

SHA256
3b351cc565373c02f31b7baafc4c2b50e894bed497c73d5377467d4efc714e26

SHA512
7e0e05fe5e6f6d2c8e42f334e3cc8d507244272e95f866b7a5ec046ce7a5ef8fa7834f72883b991488cb34ff0a4e254d83663f3fe91205633717df5fb8f631dd

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
5b0abcf15e3f619b90045ec432ceb62a

SHA1
5248bb9a6d2e338c9f2ef94493f4289f6d4c8325

SHA256
5dc874c1a35d2f5bfb6ed9071416cd7739c56006bc9c3955635ca71b404db4c5

SHA512
abc2183e2244f758d92ef373432853d0afda6c685589f4ed5534f89d7662732fa149fd664aab083b068fe60657a72e1603e9bcc7ea36979aec435d7ca0fc5481

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
640297a904ad7402194f9e83293b6515

SHA1
5216ee9c626990de68d64077c67c7ecefb2db670

SHA256
367e998b8a6d1cb20be8fa86af1e6851f337197063f46609a4cba11cd67803e6

SHA512
056c042f467e15c4893984c2a58c85d703436ddb90e156e63c18c769a2c8b9c6ba0c95da81cb0f2f9ee216d2f0e166e2f49697ca45496bf8a98102b69bd984e6

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
916b9ab587839ac47edb810d71e3a862

SHA1
2c62ac51a206d1d9005f58bda119e7eb811055b6

SHA256
e27845256eefbceddd050559e905b730845ea34e0e55bd9096eb645c62e9f3d1

SHA512
80190ccbea8ce39de655b356416e5a2f80c10dd7faee977466544934f2ccaf907fa049212c242c27853cf2ce950234a40e1202b5bf88b80bb9e23e68e03436e2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
d70dd1d7b794088a1b19373a2014debf

SHA1
1ac24ae66c3a829b7aee1dc5207a7c16137ae3c2

SHA256
15b17aea016d69a33617a57887827cb308da1c3d71c24194f14a89bcc393d3df

SHA512
2bdb2ec88ed61832d63f9491b8c3aacb2f49026784299def531a2c776920b06e7c96a847f3e418ea5aca03edbef612120a77cb01a526a82f0c5991f8eb3214c6

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
f0f444c207be1744b37d22ac6d57deb6

SHA1
c8e09040cd816c320c3d108a1c691a5c5a539633

SHA256
8c2b1294e85c0e0fe70f9e581fa6c20ddea9939303ae83146c373e4d9869773e

SHA512
6399315acc26c9d7329534988c15d4365eda214cb79fb979d042cf6ccd546ef04d2fa680ab52f85fc8fd461e636230663c340c1bbf2f32a08df409fb356f275f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
77be21b4551b116b67d6f2431ba6cc6f

SHA1
d8674b5babfd7205aeb3028716b1e487c6833915

SHA256
56ba72019015a9e6931643e4fa6ca24af5830c47be7a2cad090ffe8bf5b51a80

SHA512
1ff8d95f64b97cbeb24717854d7b032c8619677080630677c7e1683a9d0a483ae13b98da7c658f345c27ef9a2413f6e77c94e4c42cbf09b2f31a3b7a371698f1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
0fbd1f589f7962a92800060bc52d6fcb

SHA1
167260e7d0048ca06be249225d56ca87bb2ccddd

SHA256
dcf8acc45be2967f1528b6a76a965785af38e2fbf56fe66996a1f3b49376333f

SHA512
d374e13914007a335857efc05609c80abb2a5e4238a7e423b2e5be9d428a9121fd14a67dd8ad6ed67c301370daa828e3466e66fd6511256977db9cf1cace6d42

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7efb61daf8c826700fbddbe67069efdd

SHA1
a472512eb9fe934cf550d13daf0d07f6522cecaf

SHA256
8dd23848d7e341bb2a18b8ef2a38a6dcadf5a0bd51275b209d27d0e3b971c704

SHA512
c92464aad88a3d2c7486f1fed29319e7cc5fed50c916530c85b0d97cc5504710649384e83478971549ff1bb048d8585394864ca18842118bbb6e77d6bcf4a4f5

Download Submit
memory/1456-418-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1456-576-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1636-59-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1636-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1636-53-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1636-52-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1636-62-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1816-412-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1816-575-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2020-36-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2020-235-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2020-28-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2020-37-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2040-256-0x0000000000DE0000-0x0000000000E40000-memory.dmp

Filesize
384KB

Download
memory/2040-270-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2040-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2160-430-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2160-568-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2160-318-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2180-393-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2180-290-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2720-252-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2720-250-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2720-244-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2868-573-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2868-382-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3320-565-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3320-333-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3376-356-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3376-570-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3508-234-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3508-24-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/3508-15-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3508-16-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/3624-574-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3624-394-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4008-379-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4008-367-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4072-564-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4072-322-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4148-48-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4148-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4148-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4148-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4200-381-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4200-267-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4460-569-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4460-345-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4580-405-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4580-293-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4724-431-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4724-577-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4736-307-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4736-417-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4864-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4864-73-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4864-67-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4864-239-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5036-0-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/5036-13-0x0000000140000000-0x0000000140247000-memory.dmp

Filesize
2.3MB

Download
memory/5036-11-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/5036-9-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/5036-8-0x0000000140000000-0x0000000140247000-memory.dmp

Filesize
2.3MB

Download