570562eaf843fdb141803a1b2ea75d819a2cc210d049b12a2dfe8df3be9e40bc

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
23/01/2024, 16:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-23_874f5ae47f0e8ce0523e6c869ff6b24d_ryuk.exe
Size

1.7MB
MD5

874f5ae47f0e8ce0523e6c869ff6b24d
SHA1

c20b495c3f525f6baaff51d054106e61a3f59777
SHA256

570562eaf843fdb141803a1b2ea75d819a2cc210d049b12a2dfe8df3be9e40bc
SHA512

9d5074e55060337535d28d0c23978c2d7d33f18f8c20317df9c75a2ee2a5e4aacccdcd9f3de33872514eff2888d6f8c0b99517d318b5c7ad22b2723c87cd2b4b
SSDEEP

12288:NXDvAZzP/w24lhIUMAdB8qr0zw9iXQ40AOzDr5YJjsF/5v3ZkHRik8:NANw243Iatr0zAiX90z/F0jsFB3SQk

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4892	alg.exe
232	elevation_service.exe
3124	elevation_service.exe
3404	maintenanceservice.exe
4412	OSE.EXE
3756	DiagnosticsHub.StandardCollector.Service.exe
4012	SearchIndexer.exe
5100	msdtc.exe
2952	PerceptionSimulationService.exe
4092	perfhost.exe
3032	locator.exe
1056	SensorDataService.exe
3904	snmptrap.exe
4764	spectrum.exe
3324	ssh-agent.exe
4308	TieringEngineService.exe
4084	AgentService.exe
4264	vds.exe
4980	vssvc.exe
5060	wbengine.exe
4088	WmiApSrv.exe
4012	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-01-23_874f5ae47f0e8ce0523e6c869ff6b24d_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\cbc50be8726fd8b7.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f51812b7194eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dbbc1ab8194eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e32de7b6194eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000be031eb7194eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000198e08b7194eda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cd126fb7194eda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b609cb7194eda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000deddf7b6194eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091a11bb7194eda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3afaab7194eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
232	elevation_service.exe
232	elevation_service.exe
232	elevation_service.exe
232	elevation_service.exe
232	elevation_service.exe
232	elevation_service.exe
232	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3220	2024-01-23_874f5ae47f0e8ce0523e6c869ff6b24d_ryuk.exe
Token: SeDebugPrivilege	4892	alg.exe
Token: SeDebugPrivilege	4892	alg.exe
Token: SeDebugPrivilege	4892	alg.exe
Token: SeTakeOwnershipPrivilege	232	elevation_service.exe
Token: SeAuditPrivilege	4012	SearchIndexer.exe
Token: SeRestorePrivilege	4308	TieringEngineService.exe
Token: SeManageVolumePrivilege	4308	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4084	AgentService.exe
Token: SeBackupPrivilege	4980	vssvc.exe
Token: SeRestorePrivilege	4980	vssvc.exe
Token: SeAuditPrivilege	4980	vssvc.exe
Token: SeBackupPrivilege	5060	wbengine.exe
Token: SeRestorePrivilege	5060	wbengine.exe
Token: SeSecurityPrivilege	5060	wbengine.exe
Token: 33	4012	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeDebugPrivilege	232	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4012 wrote to memory of 2480	4012	SearchIndexer.exe	117
PID 4012 wrote to memory of 2480	4012	SearchIndexer.exe	117
PID 4012 wrote to memory of 3464	4012	SearchIndexer.exe	116
PID 4012 wrote to memory of 3464	4012	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-23_874f5ae47f0e8ce0523e6c869ff6b24d_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-23_874f5ae47f0e8ce0523e6c869ff6b24d_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3220

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:232

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3124

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4412

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3404

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:964

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
PID:4012
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3464
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2480

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2952

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4092

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1056

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3032

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5100

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3904

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4764

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4308

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4980

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4088

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4012

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4264

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2916

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
151KB

MD5
8e82ffc04b5f7404e8dc2f862891e6ce

SHA1
ae172af71a2b09403af51f91fb448ddcce5a6d59

SHA256
dbcabd402cd0787eae8691f8839d9dcc12f05526e2d3c575d3eac4c7c3dc548c

SHA512
521ae65610d2d54db3ef9bff0e5f4343d7dafaa048ef64dd2f80d85c61e7c7de55d9310ed57f8684b237d827c2ee69c8a58710d858254e3107a9250f1a614e95

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
68KB

MD5
2c9b0b9861e495bb6e8d785af55d3907

SHA1
f70d642b547bef2e1810313c016b943753084217

SHA256
902938634a7d9771f0861944439b8cd4253b41a0f492f67e188e29677f7d0644

SHA512
5d06703e2566ae7dbb77c00df1a9c5969842a0aba0585a30e18c821abb54f5b47d1c0f89d54e1e5ccb6bf5ff220a4680f5a092f1cdfccaaa856a86c31c68bb66

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1000KB

MD5
d6bcc8a7b193f7410f1bc1acfadf02f9

SHA1
02e91ef49e3b9866b41f16c071603556abbb3131

SHA256
84e05c42d02d66b3e30786290bc59aeffd2bac2cd2ff971f5b443b24cf141952

SHA512
70d935c902ea4beae616f4f0ca462e5945a61dfb1b0bcae7f2c66160989a22041b74e9ecac9e9d955ae574dffe76c6509240437608d2b39de13d0b0d501c734a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
183KB

MD5
e0386a3386dcd8e0cdc858fff25bedc1

SHA1
e4bca761b40b1f39339d6ea056048b43917be452

SHA256
a60db4e16dadda6a6f0c480d408c571fdf8e789d1696ca6925adc3e4327a975e

SHA512
929eaf9b87aadeec65efd7070342fd9073ad912942e2d1a3af7b6e0c1a07a02d7b8b4de1f4c6cdc99e9e739fa3a6bc6863d6b17c275974fbbcb0b34103d12e06

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
99KB

MD5
fc2eddc5d189590e471c6078f08f623a

SHA1
192e4ac3417b5df4686fc10111f32afbe1496b5d

SHA256
491036e8e4d6abc35b83302f87e9f616135b782911f395d0b97ffa14784f72be

SHA512
867c22f4fce90f81d46524885536c4eb4f242775cd7585b3cd86b44be0083103266888e0bf47000fbf68ed988b990b7dde2d70ff52c710aee19ba62161907e48

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
43KB

MD5
e770464482b94faf66effe4c42fcec54

SHA1
bcb04cb33d93084aaebdf0378b8cdb51d30c4fad

SHA256
2c3b31d0ebcd89aa27d798f8bbffc878dc6c305d0d763faccc32e31bde9a1a39

SHA512
ea5cbf9775421147c091bced1bb25a6238a0f57efd0c081409a4d1b251875e08e786a4abe3548c9c5e49cecf11ee49eb446106b172af576abd858c3efd7f831e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
164KB

MD5
707a4eda080e7097ab8c023a1b30b23b

SHA1
ef04996ec9a1b16aa4dca3b4821622b004c0d39d

SHA256
6aac4a17cbbf17a3171184c3b5c033c1224afc37e044887ff8dd311af52bdb7e

SHA512
d71e86322f737fb2990232d017ddbe018a7c27e1b08907faec79de199118c43733a27308966f39b7cb7bebf37f02b734c669d5e751fc0b233a17a76e9c569383

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
169KB

MD5
d72fc2e6a07eab831f1fe832a6dc8670

SHA1
af6f55aa0ffe7820d741032cf5c1a5ffca6e00d7

SHA256
6bb4ce20373969f3f2355e0b332fef5d887b351f4ed557a3bacbf0f7eab79636

SHA512
1a0055eedc104babfa30b3ee20db74ac3fe1ec19aeecd730b7acf8e7214b5ae45626309a8459cfa41cbbae55419f96a48e3115a113b7023dd58e2814c12a1b2a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
59KB

MD5
290e1b98620617630a470fe6d5706a11

SHA1
7879cfb29c7bf504b05f94e80f4cbd1568e0aa73

SHA256
cde5469eb5001b099f7bc8e2789301a2ffe92981451064b245a2297a335b8e57

SHA512
907f6470ff94eabd727f9dbef32825e9e46d3a3e7c84b3c831694d98b2a00b4456fb92a0bbd2c6ff119a012c2fcbe13abfc5c2e1fe5f95e44ff9a20ebc2c1b53

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
77KB

MD5
719995da212e789e8f015406391b79ba

SHA1
179e3d2625e3a0b8f70f1dae3fd36bb5261121ff

SHA256
1623fcfcd8e6503d2b36d8d2a4a8bd2b1d2d990ad370c578c97caf00b5694bf0

SHA512
957aee8184369de03b6971b6a148a8746c9e8d50f6fd5fc264a40027e036f332184b93c2ecd41da81366ee8a5d67e8c51981ad018e362e5da253eec3922b5430

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
56KB

MD5
aebdc87575936597361c7286d1526be7

SHA1
25fb25be7b7bb77f3d7481127c8bb2a3b556286d

SHA256
7d1015f5be210853dc135bbab549a144bc187e2dd648ea2ebefd8355257d842a

SHA512
b25afcd1d17cd042ef95c5b7158761adecca40dd41e5bb1323a583969108bddf4a325a2a8094af8aebbda404bf67e2bbb9fb0b0ab7d8846255f00fc27a32ff31

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
163KB

MD5
6156aeeee1deb60c6b269d86a6cde634

SHA1
ecf2a738d594be6aefa5756f8e7da281084bb907

SHA256
db4d2a52e1047abc80f9c4772a25e2eb13f99602595ac5f4ca81d20193768d1e

SHA512
4c7fca6aecf9507bebecd66992e4f1a14ec31bafcaaa7df1eb7b0b76f48cef5f31dcc0d2385253561b6bbcc19baabdbb02d6f2fa084cf5cf0a38be0c8cc6ebc8

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
117KB

MD5
61d3351d217641d68310f8c5587f696a

SHA1
3d8544955d6eb896d0b1763d2eb3aa4fbfbc9e7c

SHA256
73f65d38acb69e654131cf7bf6cf8e92081c0395e70984258be2f3f8e72dd8bf

SHA512
7af4eaa45ea127da60b02e8d7f9e9b985b0e9adc540baa33c2d038e1e7f1240c7d59683f3757dfbef23ef83dee1cbba6a11c8ff0395f81d4eae02719f5eee51d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
598KB

MD5
bf22f37ee7ad2aa1c6deeb4ce890f46f

SHA1
eb9458321273714df180c3da59f18bdde998ba16

SHA256
babe68eff0d1fa391aff65b77a0da48a446d5d572e23bd60b0187804871f9fd5

SHA512
fefd761ae86257590cd5b5dee58424a565f2a3837f4e5554f8869f965986dba394b4e40bbadcddf53c894c8f9fdc8d094f7e9ef4b38116081cab0fa78cfa9dfd

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
38KB

MD5
a450fd7a570df6f7c7a54eb7ca894adc

SHA1
869de49d0112bd6cdb4c0384666edd510072363f

SHA256
544babb402ba96df00e6b272e9027bd6707408072fdc8fab817466812d18bb22

SHA512
124c8af055923cad0343714b0ea8238943d149f6f3394a16bb331c340a05277884e96017225d6966f640260b6de611a0ccd257d58f19b12f9891382eab4b4f07

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
42KB

MD5
ebbde5e197340520fe34994239fba942

SHA1
8c5db307d7dce63a34175254a3d32a409667500d

SHA256
cf88471e6fdeb78cdc5b832df14dbbad0cc97698b65b67862d07bb0877c7c001

SHA512
fd1eaf8961a6d635d757b0ff509532a8ea34e74ccd9661d761bc47c8b3b2ffca0b602963202e24ea67b972650d70b0d1e8f58e9f34b85f21722c3adef44a7046

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
19KB

MD5
00d21d69ea43dbd77762fe79a3648bf0

SHA1
d9be37ae280f621bb73c9a97a9a9c4f3487883a8

SHA256
d846af8aa4a7d1ad63ba217ded49db18513ec1c9884caba9dc3314aef1833d41

SHA512
f2fdee7d4241df9f2772f3eaf6321141a36cb90d9b8272a6a856b838942cfc559821052b950dfab459e45bf2128a84caa6a5c675cc536ec337de7de3ab6eccca

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
135KB

MD5
de4e01147795b62d4cc2a51b16c2ca0a

SHA1
2375984de3243dbb07358737a168b97d5c8fb5c0

SHA256
e0515945b4e56c9a59f33a095b3fc2007495206de17acfabab0272d08f0c99e2

SHA512
af04786300448e550b9f55f24854fb0312b24183ab4b8c74495665ba2b8a521c0bee5bf2b8a27a1afb82c5f8eb4869443a5dfe754be8e995f9a92382308c8492

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
127KB

MD5
ba39356e914dda65fdbddb9f3baf2d1a

SHA1
873dff24504b9c09de7a43a0455e8bf36307232e

SHA256
ceae24dc76aeff3828607cf8092356ed5f7471b132bdeec2709b8b0ff1c55bfc

SHA512
380c416fb39e5946b33d2101097fed8291c053afbce9ab4d1a6ced738596c5f456acf7a87ea1336573add45c8c383e982ea30d0cb6286a5d77de9acdae4f9681

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
36KB

MD5
ccf3c0e489f02fe510263eec0041c4ae

SHA1
2e7b93b43c65242b704ace455adf57409e6832ed

SHA256
8bc3f2db97ead7a04843b5bee57f6b5c28c622aab1750efd9d92fe71b2492a1e

SHA512
fb06d761b4fef19001472e7cfd83db9d1083d3c14b684730fdb00dee29a5de21af2b5ab0d323d8d13ee9ed212514f45825170ca64bcdc67701c95ba4e6eed244

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
74KB

MD5
b4aa6ce76ab87b001bdaea66f04e9e55

SHA1
bc12047bf2275226ecdc7b4dcd6fd7e1e7051787

SHA256
04d8ef4c86f317ff5792a7cf7eea3a6c7d34128df4f787f1e5fbb02b477ceca6

SHA512
b2744c4dc0bf4867df0bca02249ba0ebab21df2c20c9f6d2193c2bf2316d3e2f45b2630279bfb6921c9f4c96d14e00f3c63844efdbdb09d32821cfb44bd45d85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
79KB

MD5
c12b9834742fc2733bf936cd9437da63

SHA1
affb73b4353842c049f102bd522c9df577bc0039

SHA256
e3fc3079a10eeaf4d71b14d90088886d2b29d638791df2c74961ff0b871ffc55

SHA512
01a85ed9e47de9853b3d435ab09977eb6d540fe2eb5b54267c965ab9fa8997b1af42405df9d13695d4a3237af558cfaeb66546584d590213b70f69f1eadef857

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
29KB

MD5
3aa48903e6d39afb953f838a8f463aab

SHA1
1a584e7dbf021a74f09555e322d8c9f6f2a9f414

SHA256
59b1b51bdcdd3c04d11f07590f1bbe50d5884a64cfbb7ddfe660bd397f19e743

SHA512
f898d6f44b41311ff00c5f32359c554c137cd685cd29b7487f9b55a30ccc320e0a5dfd6d87888a16d62eca847fd169aad979076a3641874ee8498a4c64e37d3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
41KB

MD5
45b7d00b459f3d0f85257405884b06b9

SHA1
5291e5157f4d2ae12a350437a1f712eb6645f16f

SHA256
e4c27ec3377f19b44a3595ede9cb58445fe5ecdb5878025c4e50907ca054b83c

SHA512
5ae91be51afb2580dff3d432afab7bfb6e5142e2dc78c440c771c75cc7c91e32fce9000beef6e04c6c6d296b5a81fc3da31ebb0655138796ff2402185c510399

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
72KB

MD5
2908338c4871211858a0d27998fc872b

SHA1
d5f86cc88328eff03e1eb315865a9ee7652f56f7

SHA256
74e374a7117a594f5626cb4f87a7620121c0e5df71f765e472547824aba1dd6b

SHA512
9311ad48bdb49ded1d9038799c8dd9f16e61e4f7a485758658b16e335983993b53477b2e9dbc16eba99c0d076c266f1467fd2722cb42919844f415e1b78701dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
107KB

MD5
215b6364553879311f13f91e49eb9f9d

SHA1
c248a671b1db852126a3f1232c34ef1d0c85ffc3

SHA256
f6331267558bcbfd24e57dce23e8fd2379e178f367bad60776cf3e167de21fa7

SHA512
75b1ab549ec653aed966af38e12e7b50c9420514f1843f61c1cdfc4d63e211ed5311cf76235957df45f89c077f8f1ea4a3b8b549e2a6e6ee3e9697b0cc16e172

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
90KB

MD5
422dd4a0e1290c0693bf4edd592d309d

SHA1
0fcb280923f184e84493c8184eb8108942c63f46

SHA256
43a7d6995f7aaa053015d3fd13e36194b14ba6a8d0e251c5b327f79a09d1bd7f

SHA512
1527dbacc69d65e63b3a4a03d3fa61300e36db3c8755bf1690d2ce9e119f9f99b9dd9560228bda3f7ba8351ebcf51e125a890577a42f6d7020c802753e685496

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
63KB

MD5
d1bd9978000c4644ed68d0ecb78db1e8

SHA1
f4e84f8ce81e3ca1ebcb414fca0b1183ac60999d

SHA256
9149445102948e7cfd65e1199cdc87dbf12fc091641d0d79cdcfc7f94bf062f7

SHA512
197944d4923948817c42fc574fb5178e02260862d324c51ae5a1e18aaeb3685e3d5a0064afa65a4c89d8f8699e5d1975faddf55198fc658a4fd7888753c36902

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
83KB

MD5
71942c67e4c504e92d68bdba2bb2c306

SHA1
5f6e22f4c498f22a5810c31b77ad63daf6ddf07d

SHA256
04cb14df4d51afb57983427e7d72356c6bbb21b6d0766a2b90e696af7e4c02e0

SHA512
b5976c53eda504aacd702efe61f0eedd29059e842bf2c386a4c2bd16de9b82b08c20f65af4ba06ef9fd5d1f68567a25145322f95660d8e487616958103595d31

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
82KB

MD5
158c426798b188c9c7e473da493b11e3

SHA1
53f1d1a77283701a9173e72179fcd7deb067f1c7

SHA256
20fec49f48403fa39a8c1af070cea147b726278aaa9de67d18d397be6506e15d

SHA512
1ccc617d06b1722cd9118940d87a5997ff0199bd06171dc3a0895c87aed88ddedc733684ad4043bf7bba269363625017cce7bf4ea4b5215b1bc1142f08608c1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
69KB

MD5
794bc78718e4676bc449c19bdd17c4f9

SHA1
e3162a17d7815a6f89bbb6f28843336d3a2b4069

SHA256
859c9fe05c0e2eda2c066ca1a6e50a2671b872de3370c4cb848e80a054803741

SHA512
9ad27e67e2861d59c4804103bc7dc56fcf3e014bb3f5c7bc4ace61f2dc90586d730652bdaa04286cbbbe65c289792335c40595193ea21426a4a5aa278a763ad5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
34KB

MD5
0921ecaa1c90d13fb095eec6e1b7f1fe

SHA1
5e0d978c8ad796b5642432e8f142895a2d845fcc

SHA256
3507a06be680bfb0d7e248099085bfd3ec1e07419a3e027efa7adc3b9bf4ef4e

SHA512
56ee90c0df76d129f8ccad91600a36e66e2f42b96585cfa10e97c44f4edc256f0992b29ce843026ad364fd6b2876e6cdb4d1d9e91bfa5eee77aafcfb3fd45dd6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
92KB

MD5
79642a38071dcd56858404275ba2f97c

SHA1
fbeaae488f2c391906cee9f6912e90366a1d391b

SHA256
d7daac20908d407c40d46d6ae97c8f5b0056c2445bc788d22aca76626d010924

SHA512
e2918bc78a39046eb3c9263ffee4847109684c11bc200ae1a41d01433ef2addb09c295be245532e2174fbbd5c56113f4ebcfd2187163bb9ac2cec41d3a2aaa4a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
22KB

MD5
ff653ca245570e9b4486fbfd97f99ef8

SHA1
c61a7eee7b8fbc2173ec39cb84d4ac163b3bb098

SHA256
cdbb80350bd1021e06a3d47b74736c254a3ff6e3efdfd7d9b29b6c4ca04d42cc

SHA512
a3fa0ea7e30c94acc02c43645bc4cd0561c21511e07d8d0857435c92ed6e0e59f682ff4b2300b49b2237bc916c48181e86676b6b31edc4c6193c59441c533e3b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
52KB

MD5
9ca4d053d42b27b365dbe23d819d54b6

SHA1
69dbbd5638179a783157a01f505fca7cb18a009d

SHA256
5cbee37cb8d9e2bc1bbd8ba0e688b411e0a4193884e6ea51b3c10d3375cf5884

SHA512
4f55144c16d660c06b6dc8e3958958e15fe191a69747e3977c796810f0509e0dae85ec7eb589f4f7f6718c3a509d465efce201e7c6ff5037e8587122e268c536

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
88KB

MD5
d2f64550bd23dca4162b0e88f92e2f74

SHA1
e9a34a3ba8e9f972164c128ea49f7dd83d390175

SHA256
19a7c559081998fafd017264153dde4db50bdb8bced54a3b9068f46065966789

SHA512
857249174a3741b49cc4ccf14b0aa0a6656e5c6c626bbfac5d4e3e163a01b64dd4d07da72a3e8fb40117f698d01dc0a98394085ed83e7b5b007f883f9d88d6e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
18KB

MD5
69ef37eeb5d52c094b9aa4154d4ea378

SHA1
cf15b948e955dcd8e635ac926ee54250e2eca31c

SHA256
f5b3000a6b3537ea9d0c4dd71e0645ce4858e4173a4e4afb300ff2e0d0e6a378

SHA512
6d414745e1cc8b1fdee610ca1ce1d16529d1e8f10f7f53dc28c67dd48632563d1b4ffe3beb17355671e21102a471d0b9490d67da09237c4a739573e5b6b49b85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
41KB

MD5
838e968520ff5833286ac74d207a4ca4

SHA1
2290d64aa371cf2220bc63e909993695c71ac1e4

SHA256
326a47a48a66bc7b307a3d99a6d54354f29bee853c65844eeebaa219199b9ad6

SHA512
4200a80dd586757389ddeb19c7d162e1c0b16935f2917ef4c45b98f31f773a28d9a31a7ddcae5ab52ea9ab2fe9e63d5aed452d269e7ce3357d6384cfef945998

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
21KB

MD5
6cfe54e961ab7d771911a979f18545c3

SHA1
52f1f89fc36d31604798116686f5f33c66b028d3

SHA256
19db7d6053b2679d791a17d85bfa5e4c551da3983d652e709b422b45524ec9f8

SHA512
a57c7aa16baf1574f9d4210251982fef78be1e7cb210c81056377d03491db5d607c2ebbcfbbbd4bc2c47fe9aeb05af845cf4190d76091ef0bbbd2e7ad2d16542

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
25KB

MD5
a6f76c9eafca01067c77dedf5692849d

SHA1
2e593f4f5b18752e6996fe1a549c8147f61566c7

SHA256
5d4e336d98a11198051eea6af9e1c0b2faf8e2e5b87f962448c82c16d445b81a

SHA512
265928f154e557781691ee999cd1540924ce07d55943f63c91ffcde1353be810725ad10a20f32b25e41d62e022356de0eb0ed1d2116128d72a12fa47d135c1a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
42KB

MD5
61254243b15c7c733dc7ddf412f1130f

SHA1
b6a53e73e3e26e92032004730c4315422ead5f8c

SHA256
fcc659e63a733b2e36312e86cced9021541eae477e0845e117607ac87ffb75de

SHA512
41dd5c572df706eb5b124761e1726be83702c8139e04ca1df91ee8ce861c38e2bf15273ead4ade977aa10c8cb58c20ba6d7020e1dbdd0586425b9d34151867be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
138KB

MD5
805bd14add4e85ff9af1af038161f25b

SHA1
d52610b8aa88323e76361656679a1f11c41d85b7

SHA256
884dfc1de5ae167b08b077c0d2ec5ecce6486969548240b64f4c818e2cc8d273

SHA512
39a883313eebcdb8dffc6acc8df3adcadf3cd1df0948477a09e95dc2cafea3848109c2e5451171a853f6a7e0173883f51cd4ea4d8102e103f32e3c197a294825

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
64KB

MD5
a06209ea76fc28e0bb04716414461741

SHA1
9f48467b897ffca690164bea69ff9fbc9886554c

SHA256
173d11d82b712c6062befaef4d496023f2429da53e6971955616b9bc6b989947

SHA512
76df787068a882f5492dc84c4ec8533b876511a36656acc4f619fafe155933fc21b6aab36b62db05448bc7c5f0eb126331e68093ec9a9865be55a4ffc0bf61ce

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
57KB

MD5
c0a161b6c501a277248b6a7eca5054b3

SHA1
6d886e4288c53a4a93ea6c1dbd5d4ccb3987ec05

SHA256
bc884855669fe621405e39309b6178ea1d41b3ee30132eb0de5ee66f54d4c76c

SHA512
942aa3aafe4664fee0c8cbbf85c915c3df40188f3618f75b4315c4280181cf44666f8f1139ed6fa333411a4827788f42c0ff9cd16f1299a44927b3f8761f8b36

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
172KB

MD5
945f6b502b1345dbadb70bd6f5e33381

SHA1
33da05cb02e85598a88636787d351b2dc8a8ce9f

SHA256
b99c73649c9ce4a3a5d2c3c70f1d23d9e5bdb14428c8aaf84fdb020a08e4d262

SHA512
f39628715bf96724388861a88201a9156622748a54e5ff4960fb1acfc6575c1646c14ab94e80ffe6a7a257e33705c151f1b1364d1e87ce09510cc9ecaa599c47

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
63KB

MD5
67c0081e6bca93d4122f010cabe95729

SHA1
2b280893a274afab45c2458efe34121192174aa6

SHA256
e7460193666a9c2f2ec145f94451fb5156af95a876c44db1b6d2ba28bcbd5853

SHA512
50e5d020cac0c2dae390384a4b9e36b8f54c9c8b5cc9655c82d870dd84548f84cb3d077eeedbc75e9d3ec435f1d7d1403078616d02e485fe72ea1edc0fd82882

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
867KB

MD5
8937e61e535fcfde6a8d1097050d963e

SHA1
36f56f41fa57a3f80055b573d002bd93741e4ff1

SHA256
d17c43e2d5001345f6dae15a10013b3a4b83bad66ea2adc1981c77607b5c9afb

SHA512
44734655f5d632bea4b3b5dbf8ef5cfa2d04f9dccacddc19009aaf38fd8994d1ce122817beea435b8aefd8ca91e607875b9023ba5d727cc9a5c8325af5948bc8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
196KB

MD5
aacaf159d388ebf55cd598952208620f

SHA1
f0d94b8261e19c67b4dd4e4dcc6fa351f0cf2f8a

SHA256
6acc424e533251929e300a745c20db9b0fa64d7bb1c33e4a23694d283ac3cbd7

SHA512
b6bf4f6485db65bc8482537fada8ea0d5a71430c0729ff9cb98269bdaaac434f975c6ffe05d19907d5f013589d7d94baf5a5f8f2f018bb50dc05aa8ac070f064

Download Submit
C:\Windows\System32\Locator.exe

Filesize
68KB

MD5
431cd8d2a1341d27f0df2b921207e02a

SHA1
a00baa7f80b5a4d0bb91551fe48179aeb2ef213a

SHA256
22f23b851be0e43140d0d086fac581ee27578e61a4f17d6bc354d7a361fd2677

SHA512
2d598c0be9deabd8bfa989747cf81528c70a9d85fca1ec014fbf0d11dc2c277142492a9a67205e4cbe0d518c9ea677998afd5ced24d8c6a50959ed27fc34df31

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
170KB

MD5
7b82543c5f91070701a347179db29b5f

SHA1
adf038894c2e2202e395d7247469aaee4a3ff2d8

SHA256
1c91c23d986605946e23b18bd65fc99ef51b0fece6b37abd2bd0323d72cc65cc

SHA512
4f79bfba650fb33ef3aeceb82d7f1c0de4c4b2815d289505e6b198e6a5e4a02e1b22c5396a724768866b1dce7aef6485956d146813ace0290c3a00a700f12850

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
102KB

MD5
ca26a9a336bf104373ff7873fefe0a09

SHA1
5d76c61241b9d6129f6df949005873ef36df6b13

SHA256
21bbf60445ff7cd38d80e2d7d0ba6509074f75eda4f08b7535985b00f9984c0c

SHA512
ab65f9793a4000b9b524805ffe045668268d03d268622885643e5e60f6ab07bab8ffbc74e36780b729a7ea0c801c83019668ef899cc681b88f3a7abe06f66b66

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
113KB

MD5
f58d1b85c85affe9b003cabad69dd05c

SHA1
9c5888c889656f2e87a1173644fc772b19099f61

SHA256
1361cf5a1cfefb0dcb3fbd64a6d6bfb153481ed872d4e412b2c501ff62d40cd5

SHA512
bcbe0eead757a4fa7ab9c68d06cdd80693fbb2b2e62301fd3920a4818f6f18cc62e55ad783bb624046c9e3259ab0eadc57a58355ed5eb1672ab17afa9ff8bdb5

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
64KB

MD5
28126fec66d23d95219b3b3f3d194c16

SHA1
5e15eddc848576125a5f7cfb9228af7b546a2d15

SHA256
9b1be822db5ed7e1e01ec0cc2e16a77519b9281311fb7e3c071e2a0fdfcd1af3

SHA512
2a46362da6dd57cdd1d8eb7467273ea16adcf9ee6337253b0113610206b1e98eb88b7f64c0c5286cdb9c12945bd2ecc91fe5d09573185e717fee491278dc4093

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
72KB

MD5
22997d1a0eb76a3c375913ee7a52d25e

SHA1
8cc8ce8d22b7ae5e58313abc401a46549c5396e9

SHA256
d86a8cde841a535142aa371b5ee9abb3be2fba5fbabac2c1352da4e5a7b4fe3c

SHA512
ec1ce1df118b8a96126cc369041441dd42db62d918ae87782187cd905d7ca156bf659aeb9bf006d04a2b98ebd10630f8b24f90c04fcc5fab5317b5abe8595ccf

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
12KB

MD5
e0fc190f2b43d70d926068c1e2ee9d55

SHA1
ab870d55b44f18cce7672bab51677af011aef488

SHA256
7bfe2fa669fb7149c4d85ea051e8fa980571f12bd25e4cdd8169c55832a28849

SHA512
07027f91f79727d0935592c600863ecfd5da20e2157cadcc787b57c750670388018fe92a2eeb567991608aaacc3450793a49ae6bc3e7f35702017a6575e3a0d3

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
51KB

MD5
442c0fa39d31aa33621bce8a96e7062c

SHA1
cae559e7f8cf0f4a10cf2b47a749f6380c03d626

SHA256
5a9bd4dac0ce9abd92421b9e833d61991311e9327d0b9c7b5e32d06ed28ad664

SHA512
be492f77cfcf8bdec86c143f004f7a309a015e70e3546f82cc3c9a7295758391180319ecc5543c99855be177aa8431664e569dd36c0ff0c89389bd74a7ae3b17

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
1KB

MD5
e48eabcd98a99c9a3ccbd642ba92fd54

SHA1
11f66a1a30abab3ae14dbc45c455882e2a1ea398

SHA256
fb0c82bedc7f520be61273c041096bdc1bd0a59988ee847a1aee0bf8bf39bde5

SHA512
845f7efee21a544e583368267d24b468bfb20a8c9d3ce0d29aa4d27f5dbd12b7d907e6e87ed0bdcf12338820b010060beadec570d170e8c1be43e8d2c34b9eab

Download Submit
C:\Windows\System32\alg.exe

Filesize
346KB

MD5
59dbe5888dba2de767ee238841977bd8

SHA1
9fc4308e41f4d4eb21e168920b0bc02c11e6567a

SHA256
a3d374954f507cc35e3bb11f201b10850f3596188f462da5396e6b5ca03ca95f

SHA512
e31a88c3a10687e06007166158cbc7ef5cb31d2cbdde9b7f5480f8e9dddf8d590d66fc6469dff02f6821b01a4dded5d0101f65d31e43f137349fdb5daf43dcaf

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
201KB

MD5
bf71869211810dff97ca9b39af76e214

SHA1
d310b1d029c1bd93a480ae4d418f5185c146228d

SHA256
72f851e774a0b7cba2eeac1e7786dab92ebe4b671d6fd4155ce95fc3a99b4ba1

SHA512
114d62e6ed4feddbecbccdc275bc07d080a6d28430c50f808fc0e2555c7e71d9c8c13262d63a41d4c530133c4c1453988da1efd47327ec254308d812549890a2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
36KB

MD5
4735259c277b2f0ded88582f28ffa27e

SHA1
86620b69ab1304003b721a0749f02ab2b4c8de6b

SHA256
76f06e84f9e3aa1c2418eac9e51959143e94d2ee9774bfd62e0d338ddb804f7f

SHA512
1d6e337471435c689dbabd4337234d6165798c0010dd190b5eb72bb9948498ad9fabb1238a27dd1fbde273356cb9f69373b526fd077e0876840ee156b112b2e9

Download Submit
C:\Windows\System32\vds.exe

Filesize
22KB

MD5
9011f57eebe19c31c66ab40e1b829674

SHA1
79dadcf645c1802162a5f16b310d966f748604d4

SHA256
e0318d72e2e11878d2b19dcf6be601ec0eaba8334c95c844230922394b9ce6d6

SHA512
45cba5bae2d9d13acf744bde173c20f06275c9746ab00d9d603705c1bc15578216126cb2a0f8130e8cdfa62ebff80c5f7b269ca63998b8d1841aa32dd09fa459

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
4KB

MD5
720562df5f2bd1af31fba394aa20b221

SHA1
02a4c2afd04b554c6d924ac2358a0360c610c453

SHA256
c322e83eca448f532a6c3e7d7df66cbd4910e3e2a1834d246724a31a543eae16

SHA512
ab559bb373e22e0ff9c2a012e1a5d3fee70e49a50ad03243d9cf632bafef9bf3f2e8566d1cfd6e7d2bc32d80388d1c3d6d828cff23e3c57ec9f90f20904aea23

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
53KB

MD5
88188075aec18eda519a965fe6b64c97

SHA1
3310397c27f8450ad08789cd7cb54a9b1a7e5681

SHA256
e7eb6a482c40ef153e1fd9207884ba65c2c4cc441a4b3c29b654ced67559d46d

SHA512
21ba0eccbab6dbaa86a0dc423fb8835522971aa8a44f1aed95915d66090b059dc2d8c3397bbbc34d08c293f7667dfad53848082cf3ccca8a38385556b76a2eaa

Download Submit
C:\odt\office2016setup.exe

Filesize
243KB

MD5
2c6edeac48065d38bf788def1b78aacb

SHA1
b7b6ec55eb2498e585962c5e2eec82173b0b7051

SHA256
cd7e157d95c966d1ddfdc4d4b018875b28ebf4cbfdb4d1674f2e1b7cc1d2a99e

SHA512
a6ab81b875507c1ae8fda43945fcb475888439ac7921522ee28c1511e9e3286cf31e3d372160235d9a20cb0f9feafcbfca43640e39ecc994970292f08b6097d8

Download Submit
memory/232-233-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/232-34-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/232-28-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/232-27-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1056-380-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1056-323-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/1056-315-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2952-349-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2952-283-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2952-294-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/3032-367-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/3032-310-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3032-302-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/3124-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3124-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3124-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3124-234-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3220-13-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3220-0-0x00000000034D0000-0x0000000003530000-memory.dmp

Filesize
384KB

Download
memory/3220-7-0x00000000034D0000-0x0000000003530000-memory.dmp

Filesize
384KB

Download
memory/3220-11-0x00000000034D0000-0x0000000003530000-memory.dmp

Filesize
384KB

Download
memory/3220-1-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3324-365-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/3324-355-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3324-424-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3404-61-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/3404-51-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/3404-56-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/3404-49-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/3404-63-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/3464-546-0x0000017FD9B40000-0x0000017FD9B50000-memory.dmp

Filesize
64KB

Download
memory/3464-547-0x0000017FD9B50000-0x0000017FD9B51000-memory.dmp

Filesize
4KB

Download
memory/3464-558-0x0000017FD9B30000-0x0000017FD9B40000-memory.dmp

Filesize
64KB

Download
memory/3464-545-0x0000017FD9B30000-0x0000017FD9B40000-memory.dmp

Filesize
64KB

Download
memory/3756-249-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3756-309-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/3756-243-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3756-242-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/3904-397-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/3904-328-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/3904-338-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4012-262-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/4012-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4012-267-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4012-451-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4012-459-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/4012-269-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/4012-254-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/4084-395-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4084-382-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4084-389-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4084-394-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4088-446-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/4088-440-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/4092-298-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/4092-363-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/4264-398-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4264-544-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4264-407-0x0000000000AF0000-0x0000000000B50000-memory.dmp

Filesize
384KB

Download
memory/4308-377-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4308-437-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/4308-370-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/4412-65-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/4412-64-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4412-237-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/4412-71-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4764-341-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4764-410-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4764-350-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4892-15-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4892-16-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/4892-22-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4892-210-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/4980-411-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4980-419-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/5060-426-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5060-433-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/5100-280-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/5100-270-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/5100-336-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download