537ef23ba1a923347f3456802e4070d0d108015a17ece3d670cbc7bc20cdc801

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2024, 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-27_61981ebe1eb1c57ec7f9e5dfd01fa8f2_ryuk.exe
Size

1.7MB
MD5

61981ebe1eb1c57ec7f9e5dfd01fa8f2
SHA1

ded8233b8ef08365b5c331899075b605f3b3a57c
SHA256

537ef23ba1a923347f3456802e4070d0d108015a17ece3d670cbc7bc20cdc801
SHA512

6961b758f2facb248e751dedad1b5b059a3b2e8b7763d135c9c3a139588c20fb4bd3729fc9e331850bdff6476d78ab7c62aeb8e25027b07d37096dc4f72a99d4
SSDEEP

24576:k6V6gC/AyqGizWCaFbyh6LaRFdGJm0Q3WKVSwdr13Ek0VA:k6cSGizWCaFbQ6KFdi2Ga9x3Ek0V

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4276	alg.exe
3596	elevation_service.exe
1564	elevation_service.exe
1008	maintenanceservice.exe
3772	OSE.EXE
2696	DiagnosticsHub.StandardCollector.Service.exe
548	fxssvc.exe
2316	msdtc.exe
2672	PerceptionSimulationService.exe
1716	perfhost.exe
2692	locator.exe
688	SensorDataService.exe
4568	snmptrap.exe
1404	spectrum.exe
1464	ssh-agent.exe
4824	TieringEngineService.exe
3960	AgentService.exe
3720	vds.exe
1476	vssvc.exe
4808	wbengine.exe
2084	WmiApSrv.exe
2332	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3c776a33a5bf65ce.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-01-27_61981ebe1eb1c57ec7f9e5dfd01fa8f2_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_108796\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_108796\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{BB1DEBA4-2D0E-4BD3-A275-B48259468944}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d736828b7551da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000049604b8b7551da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008a4b958b7551da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000575bc78b7551da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3596	elevation_service.exe
3596	elevation_service.exe
3596	elevation_service.exe
3596	elevation_service.exe
3596	elevation_service.exe
3596	elevation_service.exe
3596	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5072	2024-01-27_61981ebe1eb1c57ec7f9e5dfd01fa8f2_ryuk.exe
Token: SeDebugPrivilege	4276	alg.exe
Token: SeDebugPrivilege	4276	alg.exe
Token: SeDebugPrivilege	4276	alg.exe
Token: SeTakeOwnershipPrivilege	3596	elevation_service.exe
Token: SeAuditPrivilege	548	fxssvc.exe
Token: SeRestorePrivilege	4824	TieringEngineService.exe
Token: SeManageVolumePrivilege	4824	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3960	AgentService.exe
Token: SeBackupPrivilege	1476	vssvc.exe
Token: SeRestorePrivilege	1476	vssvc.exe
Token: SeAuditPrivilege	1476	vssvc.exe
Token: SeBackupPrivilege	4808	wbengine.exe
Token: SeRestorePrivilege	4808	wbengine.exe
Token: SeSecurityPrivilege	4808	wbengine.exe
Token: 33	2332	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeDebugPrivilege	3596	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 4084	2332	SearchIndexer.exe	120
PID 2332 wrote to memory of 4084	2332	SearchIndexer.exe	120
PID 2332 wrote to memory of 4384	2332	SearchIndexer.exe	121
PID 2332 wrote to memory of 4384	2332	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-27_61981ebe1eb1c57ec7f9e5dfd01fa8f2_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-27_61981ebe1eb1c57ec7f9e5dfd01fa8f2_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1564

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1008

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3772

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1776

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2316

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2672

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1716

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2692

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:688

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4568

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1404

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2816

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3720

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2084

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4084
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f5707c04ff0de813df1aaf49bc9e3f08

SHA1
fd837db7e96f3dc396834fb38362efc879700196

SHA256
081de54a03a210ea44ab3e5237dfa003ce02eb0bfa3dd50e49cf5af64b196c82

SHA512
8202bfa07c6f2533f45b3ad5eb01f26263bc156a405f1940a240241be3aabb729f5cedd76a81f5d7e2966961f02cdcf8c47feb8d7eef8f7b7f46263b22fa174e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
bbdb911bc6300061097b2fc973d418d3

SHA1
020af081a8a530782dd2364bfb7f3ad502e97d82

SHA256
119c3e7cd996f029826824e8a1d06721216c4f5f78fe46479691833c28f4177c

SHA512
8fe852f7024bd64368efce68475440c1efa8052eb1c91aa700c9d6cd82193d9795d529e9e750592d6c19594b127d69c20bc85243ac84b5e1a9b5ba90b9efc6e6

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
64KB

MD5
a41097050f1e6bcd0ee0a0b15baacf51

SHA1
687a22cccaf5a6ccf1c6ed5e7fea2008d8f80bf9

SHA256
829564375c0940a84f6c2ee03c78dc8ea469a54702698a3410780ded4816e116

SHA512
0267d6a13a2519a1771846cb0038961d1bff35c94075881d9d02bea69a8a59501610efd4c5c2dc47526158caab1e4a023413b730a3a6f4a54111eb9353bf1763

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
82084e9cf812e041f920130b28466741

SHA1
3bf5a1f91e8a8d4644f96f01137d0dd84f7aa4a5

SHA256
9c128c56b571ce104a883faaa426ae793fc9eb7abf79f4941140ec46bf23fb4b

SHA512
5d9bda95f8e7024ec1175d67aebd8eb70196dc8795fea86d98e5e8608e46c69e8bfd9b8e69d72da34e46d02ae6f9cbdb20ace718203716ed3398886eec13274f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6834ae753db9e2dccdcebcdb29132b16

SHA1
0e5f25d5f2331f9a60eb54e4a6e85db82372348e

SHA256
04354aee0e7bdd5b642b88a4ad1c3f65aaac3bf1e7aaa857a0aeded7ece861c0

SHA512
851a53ce218fcb99c5ec3ade9151fe46cc113b5a68a996952cc1b5bc63cf8b0217c69fe5f26e3075f957698b5cc717fab9d0f318fdfd44a77497a338b394227c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
d4a000d1a12ce864f41088dad0fde8ed

SHA1
42010d3a6e61d358b2d523c5f0b48ff0e8764ef0

SHA256
fdbd56777712491211421b9dae738a7166c16eee0251343100a36235551ed972

SHA512
3f46cb7a5e36d79923dbb9525e25a427486e9971c8aa739b7f1473691b82c27351b405f888a19d5652f414a713b37b0887c8da1fb6b441c13e52cdb12df69169

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
640KB

MD5
8571409036336d9be13a0adad1cd3468

SHA1
6ee5d4911d254a3602f9ad57c016b038933365e0

SHA256
35db8fc59cb7f92206ef25abfff7fe692c0b2e6fe26b30c11ad4e537e4df0c56

SHA512
9bec75a3666bd7ad5646899f240588ea20781bb7d10ce35ed249206ed0c18064138ca8146fa31713c8ce0ab0e5a23e00d7d3fc083f9e8533029b385c77b86851

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
2.7MB

MD5
23004f548e744c89f2b3bf6abf91f476

SHA1
ea42eacca313d5b809d20bab150ca81dfdd97e8a

SHA256
4850438045a5a61625a96ff0b7b512fe8fbe742ce8ce1e35b159c28e0a792cb4

SHA512
d4203e69fa90a18b8bf485cefebf7773e0072aca97ae4384d9e65dadbe965f421bfff5d4327bd42af66c44794514ce2c85c874b3372e5741d29d68d8518d3027

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
623410d0780cc7506bcbc99a9d8410eb

SHA1
936df1e77c915aa9982d9505dbb47fdd34247fd6

SHA256
589e41d9b33832c77c57a1eef13fc1538024d98202cca5b942273cf4054915a9

SHA512
04ec68dd5228532da9cac7cf3af4ccc833432e2607f9e312737d06815b8edbbb23a41b39e78e7c063d3ebd8937653b99ca9ae70a7b7dee443cd1c99e22ebc37b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
64KB

MD5
d2e8a2f7285710b37efb77dc82f60abf

SHA1
e608af60921cb8e37b9685951231aad8ad00105c

SHA256
a6d857697376ec9590f3dd5612890c1aeb1be5109d6296676baddf068b6319b3

SHA512
a22a73bfaf4270f7bbfafac5109fdaf1a2e21be3002546577e39667bc1e5eac2f65eb31e32028edd92b59d6f040b6fc2291dc799c8f8ad7f475591ddfe5b2527

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
1.6MB

MD5
ddace4863c5ae9c878943b5ca7419559

SHA1
097a7d7db7828cb2b9a84ce589aae91c3fffbfc0

SHA256
a7ff061f4e42476bfe1b8f76798d6513f788703d4244af859ef1ccf04351a991

SHA512
9db52101e0470ba3adc332af51fa3e0d632a16d0d472bc4553ddf5fef36927849f15de865e25aa7983ab5d81452144df7e579d1be22b40b1b19b23b26c11a2c5

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
754KB

MD5
31dc7a79e6f2faf7825deb5ddccd0de4

SHA1
fb6941f6b4116b2455162f312a349b382ba99382

SHA256
4fe5fb110ebfff05c1d37e96901e7d4bd80471623cbc654b7417bbb7af59ae43

SHA512
614922baf7b3a9be1a9659932641001fd0da8e6e43ffdaf169399891ef072b49a89395f57c3dcc3bebff4bba212b8ce52d337df5b773fbd992f0bb8d50e60cf3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
6e48b3c235259c200b59b72ff677a9fd

SHA1
ef1ceb7064787a09f490a6c0c1835177054ded66

SHA256
61ca0a98045a4bd5d69d49b60268b3ca7a778fbb03c790725fa10e39a3238360

SHA512
96b0a2cddf065a8d7cb0877d3d7a0c009c262b63970646cdcba728d27e3aa8ab9bae59a53d6eb23a78c988c9166b5747ad76844ca2ea584ce6ace77b68e2343b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
687KB

MD5
52bbcdb4bba468d96bff62ea69f3bd0e

SHA1
70e8f11a2e90bde74862b6fb1c1c612265635aa0

SHA256
3b138301c9271d3666845c507311d62823905c5e681e458932a8dde2606f1455

SHA512
2aa678f2172b9cebfb4d84ae30ac9f40f460093f0f30bf7010efcc14a4e774a7da2dc06548cfa12faaf080e1f66d55276abc60664fa5985aeb4e7171d7779a29

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
1.1MB

MD5
4246a68b0acf0cb2585546b548732387

SHA1
12eac8a26a62509a0435f37c742d00592228ae50

SHA256
5e39d4820eca4504377546ce2f77c438c68827c6cd8e09507f383b334ba84c3b

SHA512
e01f07d123f2c47f826834986aaab3e2ca09216e36df6b91990e30e7c681971a9e0937b7b26d64c46f90190c952767424d2d1200c19fbbe96ebb9a4e548b071a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
1.1MB

MD5
b79393430b99fd38dcd25fa46026919b

SHA1
05579f8b7032040f93f2d86f4d4ccb3961cbd259

SHA256
13db8d6ab96f684372f465bc6272b8305784596d111b43d32ae3983279c410a9

SHA512
a4d4adee7d87e8911c019ba78bda435b481e87919f39b884950b651c9dd0b3e563cb2403ceff159af512ea41b65c3035ebce9b0b4be8143c6a228a90f007bb86

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
421KB

MD5
d3eca93887e2180b6e6bf72f5cc47641

SHA1
271df0ba209093627a5f69ef0940829123aff044

SHA256
92226f8043a734df99a1c99dc0284679a71d1535e46b07f490e9da54c202318d

SHA512
ac36eb6f69715125153ec5d971989d1541d27db756794a0068e1af77aeaeda9e9d2f2169c26aab36b0c2378234668784b5001f2cb47f870aa1e5275189172e4a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
06dca49999327884799edb9bc58cd6e4

SHA1
05f95d2f57ca177b114e87ad5532af1214998cf5

SHA256
b9253be3c58b8fe2b4ded44a985fad377e8f15da8f3c331d22bad3408b4e0420

SHA512
4ab424fd31d9df5efdba7482d491ec0ee8614811cd6a84e4012e0244d0d5c8aa70bc4375e6566fcb621a0d7161c59c885cae18034e639cb743e0a7af1b2f6549

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
384KB

MD5
73bd99ad86dd12d47e3ccf325a614835

SHA1
66d40d50df17dea30fa90e552af022cbbb8164c3

SHA256
b666c42a515f01fd0861701f6cf0ea631083767aa10bbddbe433fe39be8aa59f

SHA512
dfaca78923fdd4ffbd2892eda11925f076316dcb72392412cc240035098f8a889ebff336cc3dc94eb8d0e592239b22c455e815246ffadafa5e59a3252dad8524

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.2MB

MD5
9f7a6ef9bd21542eacc031e9afe02951

SHA1
0bdba7375bbce630288b040914403b3412de5717

SHA256
2fc1624fc64142996e99d5aa42b482af70c6767f1b9d6749e4d6f982452f5953

SHA512
36ad2fe57a59ee35bb44ef357e9fac6fa7d9ae928a4215f6891f435fed2eaca687fc0dd3169c40950b83e7633f2dfdd8ec6382929b04180b87d35fba6c460e25

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
bba76904aa65b22911d9d252c6c0e6b9

SHA1
2823d4245004e6e9ae42a88392d4e227687664ee

SHA256
d3dfd064464c06cd9dc1761c9ff4b5a4e6c57b20eab86461b7d9ac77363bd454

SHA512
3690c1d17de3a7484df79219983e2d7b5b3d369325850ac9c0aeb86ef83162208d12c3103836f27d2c8cb3cae2f2c540b4b703fce6850a78997b90305ac74b4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
2804ef2c1acb07313f9d9b09a7c6e493

SHA1
ef85bcd897f2614b65477c00aaf0196750b763d7

SHA256
155be3b297af65ccc498eb3df41a9d4344498a328d1e65bf61f0491797c2ce53

SHA512
6d855314619a89b332e8daa4883ec929a12930f01b2184907f3fd09b576629e3745ea74221201166260e7c0e62758b3180e32728ae8562b4617c43439a488927

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
992KB

MD5
c5cd76aee548c5cf1047e3681e235bd0

SHA1
df03e152624ff9a2f583fae68324d46dd8824d73

SHA256
140d6d52d84541faedad6682923dfaaa2531057984c394ddf08d12620ea80be5

SHA512
bcf97f57cef14702c68465442d90833284c2c939744d5d92138844123d54011abcc8136b55e55213098525b5ae2a208e1629c31eb62e5d675d287be94ef7201f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
832KB

MD5
ea7f0a9640c4d6222fba70dc2f85f2aa

SHA1
fdecb2e9e90fc629bd7fc7d46e3d68b596e24435

SHA256
5694a0ead82eda0b556892d758a7f1f328541b2e2ba619ead4ad03a2badc22a5

SHA512
fd16032e284f2a57b2ce9cfd9bc2f397308f5e992f4889a2b941154fd80752278c90e37474c43748651dda3f723f93c42c64487c2269eaa4b4b5040f91c59e10

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
903KB

MD5
8656abba35d53e9095f486bbc236f658

SHA1
564741591552a07c511f6cfe20702d9df381cd75

SHA256
5b38c4a8a9959896b8f69c2f3ed11f4a625ad579ee69ae3655a6d862cf1ff415

SHA512
39f4b335c3e5ea68fbb71333143c38aa18b66ce78e755dc7eef7a70654ff6fb2694b3f54ebf2fb6cca57321c2269000a51abe154745dbc6c5fc1bb67718aeed0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.1MB

MD5
9aca21082e5d48edf5e275f080040224

SHA1
d5dea28a4421a26512590756066815ee749d0a70

SHA256
cd180b465ad41d9c8aafa695a11906b43387869a8c95c679aa1c0612badd5481

SHA512
b6e1cdf49ed630008d47a1201224e33f87a2bbb95d11e45cbd9a2628597143f6c701bee0ffa86fa59d1ee1531b8072e82e3e1ffbc78cfb3c6fb64354e6733080

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
916KB

MD5
ea00a24c5bf81c4ba00717bbca5355ac

SHA1
0360da0308942de06c5541522552bedc614176e8

SHA256
b362eacae77a5ec33f9a930811061e1a858dafbd3482fd22d99115eace4b6635

SHA512
8bed1f9f2314b2899673bab71b93dbf1abefcfd587d5ac587b60be62f5e05d6fbd0cf2bef2f2f636702ef679574510cd79c39478c400b22047d84974ade79a1e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
936KB

MD5
baa0fd1fe6207cee04c30c35310c1d8d

SHA1
53a200aff63d0d8e3ccfdac551240ea6c18ef1c0

SHA256
e47338708a55b5e8552e02fa8544b23f72a6b5205138e17b0ebebedfc643eb3a

SHA512
d113d4d5e7c375dfee6f4fded4f149ade83213bc9a7adc0d1417d09ae4a286192167087374623b51ef73358a70bfdf8f1335b66c1375094d48561e94cadb026f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
960KB

MD5
023c938070f5d12b444bd11bb4233a64

SHA1
c983f57ea6381999a05a29e1447bab5583a6fef9

SHA256
ce6ed3f7ff8c26eb6d10df75ae152bb464c9ce683fae8d18b4a70fa0a53a116a

SHA512
7fa2f41f2efce7245eafb94b689c5be528c9aea2f7f8d144a6c1996ae9c21585c92e3b44b56caa598ddf8377ba059d6e686dce02a4a24ec3957c2b532c0f73cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.0MB

MD5
3997ef1050f0b696648bfee2dc1cbf6a

SHA1
e9df421ea274e4b498acfa460a5f7e13a74bf583

SHA256
acc3943bd03a2f4c7addf1e7b2538992fbea6ef1667b217b3cef191e9446f104

SHA512
db2cf715106166c0fb70c2283238d7722870296b7458a5d47a11f65511d4714ee822f432ef41079dc22884b8797af10684585ec6b74749768568b23d6ea6748e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
547KB

MD5
37ca7c11147c9d5bed7e8be256a88bb5

SHA1
3ccfe4f7f93311a79e94f5620aa42b7e2ddf1881

SHA256
51786582ce969e9194d94c5539b7c2135d1f6c56317720d21e41cb5223076cea

SHA512
789a93b50b194c17e6fabcdee150402d3446a4efd3a65b947f995b38a9794cc77188cf226641c73234d5351e82ce4fa7164a06da881173bed626773ecffb041b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
384KB

MD5
a5345e168e911e8735ab57debaa2f7d6

SHA1
27dafd82d0959536e865e90d5d3b2b4496662f7c

SHA256
57cfea8bd669f67d4ba81e120701b18dab1d5e5bf8a8ea3efed3c1da228982a3

SHA512
637ab8d9e93b82593cc232a687271eb149e986a9e466149d56df7163e1074a678d56a2958ad6847a0e3fe5c3aaa852ccf69abe7fe2e23c5120e8e4e5c3495198

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
382KB

MD5
7bb8f71a7355bbe3cdc34054d82fa825

SHA1
8cf1ae4b7f288de041ec3afd830331c493b630c0

SHA256
519c7865fc9d3f176e3a312aeaa2710f0969410fc16ef7996ca9f901f1f58c9a

SHA512
9a6c05e01d87cc7b0b569266561327908e978f51ab30246e812148470de75c81e69e78477cb80f49bada7b8fd7d4211c7ffcb7d9a66cca09051c8bcc37e28f42

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
442KB

MD5
831d6bbbe1b7bc3262f7c713dc90c218

SHA1
e90dd48ac21975fbaa203f01dd5115faf4dce358

SHA256
68dda94634f9353a60885635180b54e8d0683aa185cabdf30ca002951ffc335f

SHA512
bd64f7cd12fc914533e29ff2eed1471d5ac19e7e2b9d0d2f531ceb2e84a58d29a8aee285515c06a41b544b414440ffe6bb23b9e2ec1872f43e07d8ed4470541d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
417KB

MD5
48459c6fdd18510384eca1889e9e45d2

SHA1
94888d0740e4863fdd7f4d583cc1f3cced5f883b

SHA256
52947cb3b70217d6bab6c8daaefec08e0c79c82e398d515b86fe7cd18bba8999

SHA512
f46802df3bcdd89d6c037729dfa74ffdf64317edeec5115bf337e8bbe1eb2e7bb73d57e27186093e211041be7c9a183ac1d1cf08507ea89157cf37ca1f459067

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
331KB

MD5
7a69baaf6a66df1c72e95d0bac75b45f

SHA1
f3f3f8109cdbf26eeea49239ad19ef182b03391f

SHA256
22574655356a9e0839d945a05abf2abce6a633faf1628a34a32f62a3bb987018

SHA512
fbb9435dd6410b01d66c6f55120bf28c351b44b1710a41f4ea6675a86823fd7a78ba767db7eccd3a6faf474a2141923565b986a1b6e6441b29ff33814b382055

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
274KB

MD5
8cbd2b6195b10f36aa61ce1756573e26

SHA1
86ca6be8996cad4770c8e77563675b290e5d4c28

SHA256
582d06bc04b522d9b642efbe82a272e74e3a687a80f875a257ad6c284d596462

SHA512
2b6046af39036de7ad27a86bc580b015abfc354119ff994f86078a22bc3b8c396ece78648e7667bdb8eea041fa41c0d365aee5ecd3c75f7e2ccc9e9d07352497

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
374KB

MD5
84a44db67f8e44d3fb2fda24e024a5b9

SHA1
bd51b60af41f111b786e50a90a4a9ebf1bf1f065

SHA256
b450532855bae16ed82fc8bf95df14fc4b2a551baf8076e07a11df880d0ba6a0

SHA512
6e1d5cbdbec7a8ec498ad2fa0cf5921eb2deedc0a9b82692b13dee0019f586b374209e77a499eaf2ea38ce3b759cf73819144aa05ae2719340c4af195eb042ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
308KB

MD5
717750506dccab497bb377f9c13f9ab5

SHA1
79d1b97e46af33f170e01abfd0f8fb399c2201f6

SHA256
06cde800579918aa952db89657a5c6c68c324a0d7ff160e7c82308e9b8d834d1

SHA512
89215e53004d701ef4714ab84afc4d79f05ac0775705513163df8b5f80568c13719d86f81967c7e67fa4bebb682c36293921383f3dcf83b16d6aa05d3f57256e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
356KB

MD5
849c82a9b0da52a8533b77802469022f

SHA1
6507c83d781d463d8791e866e2ce56534bf3fb98

SHA256
5b5f60e87f36ad3271077900a4f7429462b94a1a9e6121d8f794e46e687baf92

SHA512
b679217303e44eb8248e1ba7e4afb5c382f567fce8478819d6f59221ab0c2d3d10813e13bac952bb02f8e9b6d024ab5c9ee738df7e82b97695a30371780ddccc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
384KB

MD5
5aebf2c5f3c5922af220e4e47a2621e0

SHA1
1157496834a7e299926fcb8066772046924b81d0

SHA256
1b900e7195245dcec520a418eef6a070f58279a90b4a19fa243882fd2c4d4adb

SHA512
754a9f3ef66ab336bcbec56ae559b8a825b74f72e2b88a42fc2e74d4d2c19ded4058f4d4f946d43af71ccdab5cfd5fba4732da8a2646328c466ca62f88690a27

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
316KB

MD5
a72e0f8538a771cd9860193396aee2f7

SHA1
22564d5bd00e6b952e838f50062c2c241c401069

SHA256
3d1309370f7f5886cc051718f8d7c66961c485827e38301a501daec60c8b103d

SHA512
1c129d5f028825a5e0957230d65473faf1726a3725930c7fa1b673e6c5fd156204e78dcfd662ec4a1624e09d65b5ae1e1fcf8f0a131ee1b1b6f068b8bb1a9dd1

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
42KB

MD5
acc57f7520c33569173f8f4f0b310ad3

SHA1
6f720697f2ed8d75e67f2be2e4991ae49de5eed5

SHA256
79e95e899f1002d969066c77b646cefcf1f8ee0eaafd901be445b9ee9b1dd123

SHA512
1163082960c222b4dbae2edd8c7d74b60778f29ef8bea40904059e4c17793c1e36662f7ce919b11faa9a140df156e3c0657a85e72d913519da0899b0ed8fb07f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
e826b1eeccaa8cb55c8e13454fb45f1f

SHA1
547c4b1df5a3287073684f07488c0d5bd87a2d74

SHA256
1c8e58409da2f3bc8efeab9f04f2fbb20cea6317809efe9e679ae3c0dc37e24c

SHA512
2547685ce51852855e68756a06bc4d74bc58750436bbd7e97c60f0e71996177b454c15abed83c7380be7ea570931c01d260bf5c836686a6cbd2698c200868ff2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c8657bfee3ad3afd138b92f007f5c9a9

SHA1
e87011c4f72f0b671ab456384404ccd27528ddcf

SHA256
ccee0ea097cfc94d89be7ce933d598cd800321aa8321398e58d10c457386db30

SHA512
a84137e0b1a2f566418aeecd381d281f12e0b8d76a65eadc489b8095a0e37964c82782274c7f22671e55eee87a68e2df78a05bdbfb96d390032904c9e042855e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
2d55e530effb97e2c288c2ef8c260392

SHA1
a5ed6334b0cd2836922031f3bb7e5fab6843ea79

SHA256
8a5a66497f9948c4ab5dd3ec9b4c84f1e6cc7566c0c51dfa1b0fa60a375a84c9

SHA512
2880d00ecd938e9c65d2b3d94084ca64e63205293777da71617161f6899e29bb96ab376663d8399f3d6dff0eca9d2d19b85f7eb73eca5fa9cb9571079eb9e5ed

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
edf32da49c4e11831e03c47b15748dbf

SHA1
95043bd4be1c261efc053fc3ea5836723ccccd6d

SHA256
1efa00f3cbe7294d3a5a30933a48bee0cbcd51a514bf24d12930fd0a846bfb42

SHA512
aae46c1c2e3aa4bdc7cdad4592f1243799644359d98178225220f1835a40d2d4ee1626a90d6c2e399788acf329be39375d29dd9fb32c1998248d60efbb63bbbd

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
5d24e31ad716e82a9479615475ae849c

SHA1
201c88a672edf4ba7b35da6e926b20064fd0e18c

SHA256
461bd906045ddf5a88f0ffd5b9b089b755a9a6a05a7ab2f292acf3f1a0c84435

SHA512
e845ad3ca453cdad9c6e9d75974369a43ab546d23af8e65f5c4bfd57214217b70bb9554a6561804291dc25cd9cff9af2c11923cb694a74a195dd14ad9e0ecaaf

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
896KB

MD5
c88554969371d33aff7b4de506cc3292

SHA1
d004d078d05800b2eb76eeca46c7662d53c4e5fe

SHA256
26f57f1e439fdbfdfa91f620e9c07dc6a22fa8a4c9606f60d9352bd6e3273e4b

SHA512
fcf04258dccab17da6ef7efdd0fa2ac342e6b5c90c0a97c10cebc4c0fc23ec97fa05303109c7dc60bef879f63ebf01a9be96beb246dd28f9e6e5e7249a4d574f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
796KB

MD5
4388a8494a2183900bb3274331d19eaa

SHA1
80fb5c023c39975066a283a23a50c5db7531b088

SHA256
ac46af50dd7261af744189fc7f7a061b1f1fba85d8371841430b2c590eb20cfd

SHA512
96c0897849b846a6bc5df9d9965957328f41a1838b5a829cee4610fbd496d2ec03fdd5b0ad161849d994aca760cc04ba1d7dd89fa576a623f83662e8b70eb1c7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
e5183b5a33fa7b9e52bfa0e1730fe958

SHA1
33c216d24e8bfe43b754c9c70c185bab74c1643e

SHA256
800c79c27fa101d5ce66641fdfdcddd4fae336899d29cccea45c99c79919eeff

SHA512
48d4f5fcffacf8370c1d13c23b232ae6b4469a5182af4a6f17e8e90fbdfd434b90ff676e77300864f06974bd642f758d04b4386b6690bed7d9e41dcc4ffba81e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
bb9f55fcb3f66372fdd8a4bae2dea4e2

SHA1
d080db292892a754d7df51b5417a653d0ce62de6

SHA256
80cb7998fe5860d18c09dbabf4114f6523828e11d3170e03db684b630344b976

SHA512
6e37a9edb8756874c370e61f0418928df26bf2b3a68ff5158bbe718ae2c787f0cfada89d1b7cafb01eb688771baf5dfccb9dcd67efda7c92f0c19e6993ca6c54

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
256KB

MD5
e104dec5bec0700698fa2cf888256708

SHA1
0d720cb40eb2857f5f3fccc82338d0fb69beba1b

SHA256
83819dc2003cdbe5b0dd03e599c76a41e33e7c3537384f95036e0a2139047523

SHA512
472198d3ff84f8915d6748c55da5e494ac490924d696a2ab9f96417323267b35f7049238961f89fe0ac200b00314a34557f43647feab8800735c69570f23f0d8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1843b7ae6304e4de324a51eabd220839

SHA1
0ebf59873f808db050b9c4bf1344ba0a514fe118

SHA256
003e6322c7ccda1f2ad047f5c9764381caadc912043478d0fa2075e9639bebf6

SHA512
3c57075141bed310f581443aa8ac04bc1069fc605940104b5df0ab30600a6925f063b3ee84e2ae5e23896629812b3d2faf5262c1e0e8614ada5d3b0030536ad0

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
e02bb5f59eda912ef0bfc85c9573f9f5

SHA1
5f7b27e91dddfabc87181b6104661fbeddb88e51

SHA256
ee3289495c99cf43e8a438a5dabb00ed82b0ce41d5f35d56f50c9b6ae65ce33b

SHA512
cb597e44f92985138b29874dde7d7e71bdf60f2343ee993ebbf700908b819e0f39a8be31b2e3bcff425945f4109f847289f123c84a50e466d2482858d0d49a1f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5ecc886b1c9c60a8e5e36689732676ef

SHA1
1bfd9bc0e8433e2382e8df10233492571d3bcbc1

SHA256
cda576d399cfd1baedf9ce141ee07d5c4ae929f188f0ca12911459011ecbf023

SHA512
7de528d06b78c64c8d34ce59768c481c321bbc3e7566987386fe49a322e1314723d02f690fc6f037f004ccf1701a988fc04ab18e2d00a14148c7601fe9e8ee5d

Download Submit
C:\Windows\System32\alg.exe

Filesize
832KB

MD5
7a05f39af8c67ab448941022167493dc

SHA1
cdd9c58f6f0c32ac47c9649a2dab20c5a5ee5285

SHA256
c19bea7ba34af35dbb8616e4f841d69cde3e3a66672995c931a80eceaa46fb7c

SHA512
a24bb398c12fb2af5489e79be0e7bdd47ca868291c7876112aa0e779738bb1b990affa8a10b4c28b06df7ddb34871c3269d52a6cf51391fe6fe1129e42bebf1f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
92047257927fbbf50b396ea28544794e

SHA1
a0d8ffb22a7b3bd76dd8969fd0f2ec54a61b7205

SHA256
28627963e3bc7fd0120e84150ea22058be4cfacd46dc41fa9bfd6e0deb67e95f

SHA512
1fc77f13d6eef950233257adbe3881fb8f18399680d8386e0c76dc6f6bc1ad70f133ce4695a429ceecb314d87bf0429782eebb78fc342ce0aa9958ea0932185a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
30241dcb6bd3650b6c12dce23b36ced9

SHA1
7b3f154deb885cafa5198c1121ca25485a132db0

SHA256
f85c83dcfe624a4a00a384d6e86c395acbea8cacd0c3b2dd9c7a4af6dc5bdede

SHA512
1448463f7c05a9fb7d784b8b7e887e068080dad173105b168100c90b303c597cc0761cf364dcb026dc8e9182dee2ee8476827a11360e2136647cd3a55f3dfafb

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
35e2754f94e55182abc8d76fcb274d0a

SHA1
a7d524b14157708ffb4818d316e0a2a514d69a4a

SHA256
c1c94ac8a4116464c399cac06baa3653380c4ec9411eac747b627ce5e830e30a

SHA512
0575595f5a6cbe0203a735a8c9e65bbbcd3020da0e9291d8bc953d195782e8b358322a9d1e993a10965a6099cb4798cea90c2a8da1b11fbf3f8042b4d431a645

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
3fdc28496fbd4c9074d722a7ae8fe16c

SHA1
071a0c55e2fdef80f01e629435955e3fcf37e804

SHA256
df37a985b95124aefe60e06c4b261be79f3245255c04d8abcb8768a003889f8f

SHA512
c0654ed4bbe621fc0627771a35ae7556c4c230fc51e232a088090650b6151138e318d1b492931069e2ed343dfcfe991f416870fcc5fa66d1de4199fa06facd2f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0f46e02225947c40317cca681a680874

SHA1
768d6181f8568f8439afe9df325d78c3b53ad1f6

SHA256
320916fa9f25627491154980f0f2222c352360d9dd5892702c273e118387a147

SHA512
9d32c3076fc513787416773824dab3fddc55990aa2ac5ff1949ee0a3dda926ed5b5f3d8ecade7373391c691cf0282dfec2cc6978e2ea10ae35212943cfab6270

Download Submit
C:\odt\office2016setup.exe

Filesize
512KB

MD5
3105e9e12a2b07d93d49c89c84f190f3

SHA1
621dd488b030dcc322743196cddc8a255cbaed03

SHA256
bb9f2327093837a7732c30bfc148b2df805c22186140aa6e5b6ed72a55408fbc

SHA512
5eda41021f04534332f3e4a63d216cac4af16b139acc321c5de02c004d990a54fac80e126934c4683e1f67175179c346dd8550ac6b5845000f87647faa980c8a

Download Submit
memory/548-258-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/548-257-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/548-267-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/548-276-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/548-274-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/688-318-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/688-325-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/688-396-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/688-386-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1008-64-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1008-61-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/1008-58-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/1008-52-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/1008-51-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1404-355-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/1404-346-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1404-417-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1464-361-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1464-430-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1464-370-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1476-418-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1476-426-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/1564-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1564-41-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1564-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1564-237-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1716-302-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1716-369-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2084-452-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2084-445-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2316-344-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/2316-281-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/2316-340-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2316-273-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2332-457-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2672-359-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2672-291-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2672-297-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2672-354-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2692-315-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2692-373-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2692-305-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2696-313-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2696-245-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2696-252-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2696-253-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2696-246-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3596-232-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3596-36-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3596-28-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3596-29-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3720-405-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3720-413-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3772-68-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3772-74-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3772-240-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3772-66-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3960-404-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/3960-388-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3960-403-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3960-397-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4276-16-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4276-174-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4276-23-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4276-22-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4276-15-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4568-333-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4568-402-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4568-341-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4808-431-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4808-440-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/4824-382-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/4824-375-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4824-443-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/5072-0-0x0000000140000000-0x000000014024D000-memory.dmp

Filesize
2.3MB

Download
memory/5072-13-0x0000000140000000-0x000000014024D000-memory.dmp

Filesize
2.3MB

Download
memory/5072-11-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/5072-7-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/5072-1-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download