2f7ddcc20b354fc47c24e2c3f70af89199de32dc95c2835ce0c7d9c9a641c63c

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2024, 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-14_ffc4163a05af0929b21c26002fc3ca9b_ryuk.exe
Size

1.8MB
MD5

ffc4163a05af0929b21c26002fc3ca9b
SHA1

b62e39ca67bbbccbbf6fb853d298f563466f2a78
SHA256

2f7ddcc20b354fc47c24e2c3f70af89199de32dc95c2835ce0c7d9c9a641c63c
SHA512

41885bc28f91a9ef51753fdb384bd356982450695f1ea879644b0e9b9729016662746fbb617066528f13ded9cec5fcc2d9a2b6b9cf69cf7ac7b923b2c7eda9ea
SSDEEP

24576:y+6kf0AR3OgoyYm7R7I2ES6d4bUwA3UgxrsqjnhMgeiCl7G0nehbGZpbD:y+PJFOg/YmNIXPd4RA39Dmg27RnWGj

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
536	alg.exe
4596	elevation_service.exe
4376	elevation_service.exe
5080	maintenanceservice.exe
2952	OSE.EXE
5088	DiagnosticsHub.StandardCollector.Service.exe
2372	fxssvc.exe
4472	msdtc.exe
3380	PerceptionSimulationService.exe
4336	perfhost.exe
2772	locator.exe
4836	SensorDataService.exe
456	snmptrap.exe
3804	spectrum.exe
5092	ssh-agent.exe
2636	TieringEngineService.exe
4976	AgentService.exe
2352	vds.exe
432	vssvc.exe
4544	wbengine.exe
1932	WmiApSrv.exe
1940	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-02-14_ffc4163a05af0929b21c26002fc3ca9b_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e97180b4c98e5a49.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{7AF60853-3BF3-4621-8184-C96FC7FB7214}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_106859\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000def447a4575fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009577eca4575fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c5e153a4575fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b64237a4575fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000038ce40a4575fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000581733a6575fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000753b78a6575fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a3024a4575fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4596	elevation_service.exe
4596	elevation_service.exe
4596	elevation_service.exe
4596	elevation_service.exe
4596	elevation_service.exe
4596	elevation_service.exe
4596	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3832	2024-02-14_ffc4163a05af0929b21c26002fc3ca9b_ryuk.exe
Token: SeDebugPrivilege	536	alg.exe
Token: SeDebugPrivilege	536	alg.exe
Token: SeDebugPrivilege	536	alg.exe
Token: SeTakeOwnershipPrivilege	4596	elevation_service.exe
Token: SeAuditPrivilege	2372	fxssvc.exe
Token: SeRestorePrivilege	2636	TieringEngineService.exe
Token: SeManageVolumePrivilege	2636	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4976	AgentService.exe
Token: SeBackupPrivilege	432	vssvc.exe
Token: SeRestorePrivilege	432	vssvc.exe
Token: SeAuditPrivilege	432	vssvc.exe
Token: SeBackupPrivilege	4544	wbengine.exe
Token: SeRestorePrivilege	4544	wbengine.exe
Token: SeSecurityPrivilege	4544	wbengine.exe
Token: 33	1940	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1940	SearchIndexer.exe
Token: SeDebugPrivilege	4596	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 2724	1940	SearchIndexer.exe	116
PID 1940 wrote to memory of 2724	1940	SearchIndexer.exe	116
PID 1940 wrote to memory of 1368	1940	SearchIndexer.exe	117
PID 1940 wrote to memory of 1368	1940	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-14_ffc4163a05af0929b21c26002fc3ca9b_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-14_ffc4163a05af0929b21c26002fc3ca9b_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:536

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4596

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4376

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5080

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2952

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4284

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4472

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3380

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4336

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2772

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4836

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:456

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3804

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1096

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2352

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1932

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2724
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
cb18ae1184913060b8c59e66f0997bd9

SHA1
a0978fa08083f53db11212aa5d11c9bee4a19d23

SHA256
90e7b96f6db3255464665f8411a8483236fc3b5bc7f51d70978512cd1365d3b1

SHA512
84a0a0a3290ba521f02200ed3dab5a980d1fb1e4d42877507f0543907f617b12fcf6022c40fc7473be10e41a0b71dd1fd9e9b9be8a3a51096d0c6fb427d99ffc

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
2180c615dcb6d5444de246b4a1f07042

SHA1
dc0323b269a75c46580215f9bd0f5fa972a23e92

SHA256
6113b7b193f17e3d6f3e594ff97c7ecca231cecd5690d86a433e731261cafd09

SHA512
89c8aad5bb5d1fbc127b55c316e8c0560d82825da44dfb6fc68fc9e1ff66526005f37da87ba85cd8595de877ed71353ee8fef7717246b4850ccc550883b8c99a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.1MB

MD5
03a672f7d8227c4f1b95a5730d618a67

SHA1
639d11e4cf52f396b0da1c08f15bb20852ed0433

SHA256
8e7e874f582e9593bb9c57339330ea8a444147b764c2055d8fbd4d5b50fff922

SHA512
e0a0ac1aab6fe2fc589266a41e5a5a364a57f98474b5d81c7099e72787ac34553fccc7ee08d57b01a05df518ca8bc8f0162bf13adfed182710e2da32279503f0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
5ae0ccf42baabb0c2251e3aeb16cacde

SHA1
641976982e8ac1f686078d3d002d9dfa6be19902

SHA256
8c7e5df7d3cc603b90c374dc6a4580c11092c3de292ceabd77b74ed478f23fb1

SHA512
58bc2eb39a5b8268de0488a06993a230fbf5da10f555c8b489feb1d20f890713dfa99f218769149f59a5fefb7c7d99fc2198f4cb3bd4d78bfc45bd161d3fe944

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
0104d1d517bcc531e5920096cb97bab4

SHA1
f228a3f0d3bd5683701a4547efe9c8a47b30dd57

SHA256
a82e43e841331559cb9033533929713fea8630de5f19fd98bab9f900d899523b

SHA512
72afc4f62f60eda8093f6dd98f590eb81fe01a35e2035cdf4de94b3949517cf0c98497aa4920accbe9f02bdd75cfbd86ce72e9525808cff6e3a145d72fc5deee

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
469789cec98070649a25b062881857f6

SHA1
dca18b7c1693961b1ff2a9270bb09f9574c67548

SHA256
655c81c3aee70b4a2ddeefca169d6deb7b1bf4649c1e9924f83905b4bbf8ca60

SHA512
3abda5050f4fd11012f8fd197cfdec02f98d8387c87da50f2c7f8713143b04adfa1e77e5bef46ba98d655214f91cbf5c67175d5741906732bc23173aedca87e1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
f817369a6f5d2b4d9f1d2fa92508a2dc

SHA1
6e8acbe14f72228a5f1f145574f18cf244d89b88

SHA256
563731b8c797070cf273569806e2d67bd7cb326013449b6cb77e59c741cee21b

SHA512
45c721b4372ea72597e647a526b513594fb8393b9c64286db0895aac5962aff4bb4bd8e185effdbf59e5c6184eca58173b2abd75fb27d05f48d0542dc5d05bc9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
448KB

MD5
121c7a867a3b121a6a15bfa69ca61998

SHA1
9f398e21d520d496c124f156c56e38ba938140c8

SHA256
7787bfe5b914b2173b8ae984076abcc667eb3cda72d897488916e2e4f2b5dd4e

SHA512
e75e5da6fa4ae50223d2b2994e540a1996676cca9cc223a455bc7be2febb8fbedb0e1f2bc1f9f02e0fbb23e0e43a65dd3119e847ba6b819e0ed096634edd6f86

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
448KB

MD5
bbd925b2383c704f91a58df05b7b4394

SHA1
4ea9bbeac89f684c7eac9effc4eb920ff4e12e14

SHA256
ee2beaa6646cdc8c236a059f5ef9aea379e8246abdfe21716c0ccf5cb5af76f7

SHA512
232491a79e42a9f5eeffc1a1c0abffeef5f97c55596bf4517efffc6de94f5c9bdd25d1b638d01fd01607ddc9f55fe8a91b92293b565dd477369aeac15ff52dc5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
768KB

MD5
88a83f6dfb16e9f2bd631f90e2ca1bef

SHA1
45f83185cf5108e131ee8765629b759a4839a86e

SHA256
abada25011a043e236ee38821189d9386a0213005d8837f36e8cf2fcf76ed6b6

SHA512
bd5c16b31fdfcf2e9aa8c78a816205283dd4126c4ca7914a64d699fad4147194e61f71d70fc1ea83efd0efa10fa975b79092860e5ca86c163f532cb527dab85c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
384KB

MD5
f0130f9b00ebb708b043257b046c9186

SHA1
a9d055d1b237aacd3e53a1535f57dbaf36e287bb

SHA256
a8901f6407a92dbdb6364f7e673fed0847471890f023b97378accb1e6faf67f5

SHA512
161ad6960fd752835b0c5fd574b542a7270a989bd6f2906120fd1d6b781fe12566d8197eb57b72bc868602956a4099f8f503eec979dcfe5e83b6b5998e5229c2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
fbc27f38086bdca056d0f9a26fb730bc

SHA1
6cc89d526a1ab5f2109612fc9cb440bc434b1a47

SHA256
157430e0907312ce756fe668d8afa62e2f88bcc6459ebabfbcd84f161334ab3b

SHA512
1597a1aa8464ad2634dd4b2a778f5dab8bbde3d556a0ac9390db6fbf4a52f69af49b521980c6c296e3569e66f2c3782c9767cdce486cf4d6397afb0e1479d15e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
156e0439d33ccca97a9b14d5108bebaa

SHA1
490c5d73c90345d78806632c24428b894c863af2

SHA256
08b4976ec3878743a104b23d07107168868925c66270610512ad610ad75f5b45

SHA512
05b1348071bed53136cb4facb7e9eafbc50d816227e087fc3489ae6acf91e520b9951da6368163fbaa6ec4615f0b7380cb63c3cd7a11130d82f7c4a453801f18

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
a01292e3d0297d54fa1a63f2485a3682

SHA1
50a655c7fb8586f75123950a2bfdf9364ab76397

SHA256
6ab8f702056296f5ba34ebb7744c19df9dbe5a6075bff8237145b5a5d1decde8

SHA512
303992e83f451154834f0f95a9f03f767742c4e9a75af043fb9a776e4c279bbd776cb45ed530bb581580ae3d5aaeb28952479ac6087d47edf0878d9bcebe99cb

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
b64a8e460fc80aca2b07160fea9869e5

SHA1
c61ab0755592f426b2ad4c8633a0013e720259ca

SHA256
4a6eec36537940914fff232dd1e216a15a5d45276c35b195efaaf89f2aa2b6bc

SHA512
cfc7c270bd74935582161892a630dacf577dac572c0fcdfe5e3e19fcf9825637ac0af961864beb1b3bc30e656ee0133f25163c488484b3ffb5ec53478f3d16f6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.6MB

MD5
1c8d28d3980189f2387089955d8f647b

SHA1
c92c467b047cfc56c5e3745c6314dcf6b5579ed1

SHA256
d4ccc28bdcb0be238cee635b6bd231638b03a5000fa2adffad81acd6309a4a09

SHA512
481e6d29a9ef36807c6040cc6752a57072e0f8ed54f607cef8c79fd109990039e04060484703eaf8e11ef5b2d18c37e2cd96fb8bff1bf4314ee4aad170c8ede0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
3.4MB

MD5
1426358b5dbb56d51cdc4d7509e75871

SHA1
9492ba85e4ef12dfc480d1f68f9e5b796e96dd96

SHA256
435ceab513e203f27b075990a94458b6e15d0a49f56791a6030607f42f1e45af

SHA512
11cef9af4e9d6f1f5d4025e39ab22a4d9dd5e31a5041a742c0eb513a457b5400413499123e1765a34e5278c1929bd93723084b39fecaf35a7c005292506f4143

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
c115476b6fb1052232a044db50439dab

SHA1
4c944bb2b8a5c7eaa71287cdd3f86121c76c3fca

SHA256
65e42f87bfc7986304778df15190ac35aa2d28606f991f1f71adbc7b847c7ae6

SHA512
ddc8491b4598d607e7d25f0487bdb1c049214072458f70b1f962b439af2ffefaff17db8b5dfc5cff7076c5b7324a89e8205549fcbb0cf66936f2c0458a0f6ca5

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
17ab7259c66665a45069eb295a95b9f2

SHA1
69cc9a548de5c260f66de6e09575de730a086c00

SHA256
b7a181aa1ca24e3fc21cae1ca49b472f7f4fbe258009daf4984ae920fa0a7af4

SHA512
11d2c3c38164d738cd70c9972702f94a7163ccc579149b47461d2e4be1d89f8798992c5c99db1dd12ec4772b92f44c79b9459e82d3a2bcd1f49df95d1f4d10e0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
f5668c5c821c7c18b0a683a9a9a3a8fd

SHA1
347a8cc78914e9f6fe45db05ee8ec2e84059550a

SHA256
b75ba7327816e430ed9531f434f71fd411002718142d4428052f1d44a4eed13d

SHA512
272b955be20905e5158735065ba6603a7fba96bace79c42d08d6d435f45a41e6bda3da9f86b60a803b115c564853eb744255e6d6f2afee6528d6fbf65b51a75c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
7b48b32cc85764caddc1670e0c5636cf

SHA1
2d761d811d76cba9b397062f4ff3e4f2cd036a88

SHA256
7ba0737b00f594686ccff1eef2c0d0fe2d911fa2949158b662eff95c5ec5e193

SHA512
ced3019b426209b2ee6c93d7d50d33b2d09911f5990fca3d241821f4273e60ebe1c35c82cb56c73307b9b1405b8c27aed47693033032126a10c1bf6abadb1862

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
d954faec4b4e5c5f2f73084db5c387bd

SHA1
fe1de4dc83c4e971cf0b0911198950695d6e19ca

SHA256
ea346265c862d4a4af41ff27ae42f6b708ab02d39f8175f9634c7287e3b7b1b6

SHA512
d8c9f8803e2c8cd7cdf91bb8d264f1f9d8df0b41f30fc08b6b2d84ebcc7fd932b8123f0a23ce993518c0f44aebeb37b03e42a589ed14d23255d92f854623fcc1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
cc8497a665dd834b8d7203312c167280

SHA1
a83a87ea8977222e57e2c669f930d0aea2d781f8

SHA256
f83e8285b0dfb7ce04daf5ce9c109fb1ba9f0df8164e86363f2dd26e37efa3d6

SHA512
3bc6f4b3ed7b480a1810b8284c63438bd55b91df94995c897ec0625d169d827812ebb5dcb7d15bce322c7d6b86cbae9b40ab5cee3568e97e50a45969cbb747d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
ac88cb1359035c91d1900008193e6f0b

SHA1
3ce28b6ec44172e1bc5a124a65e8ce229f6b1dfb

SHA256
0f3653a425848bda89ce63965a6f70c7d17f838afa56ff9dbafaf8687e3eba86

SHA512
643f674e11cd500bdd78ceafe2ee10df09160e08c29d0e7b3557cd381bb59fe90728a7ecc5b24dce3c695b3fefd0d7e072f2ad235548f747fd284abbf55c2fcf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
85a5b21dee6a4fa44cd32c056ce6cd09

SHA1
c7494a5be715efe7821431f8c2010a6ad17026fd

SHA256
a542e112b9100aea86ad778f5021c8a4050dfb03b5f4cca8e8cdc54833a53f50

SHA512
cae61ac6c033ba991d2080019d033561decc3130b0efac182492e1119dbc6a7f58467a048dda47df30786ebbf48fa51f921ee78c637c21fff907230154559fbe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
5bc8ad98edc231bd8e35493c6de58206

SHA1
c19fb12ff0bc00c20a001426fdafef106d0e7a55

SHA256
c24b65fdaa0887e88a1888191368b9be36892fe691ad916383894e53c6258421

SHA512
2451f03a4e408239fd228e23b0fdbdea537b5e83bf47aa7987d11faef06a6cc07c0dd514f6223c8fa1c244fa29f8e5374413f26a32c27a882a1d209d1c90527d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
2bd48357f78e8d642854acfdc959710b

SHA1
5193521dfc37863c4f4257a3906bf6ab46919c6d

SHA256
a9329e6ec77223372557e71e57a6c17a23b63d942a527290ff3c00de0f47d323

SHA512
12b6c1f87105151a6e5bd247966a3c23e0a81ab3c0bf57f1dc40748c4150789a4cbdb4ae35d8ccc09552b5233c63d2f67dc1754a98939d1760542fc6f041184f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
c2f2711a29657733e9e60c7aa877aa8d

SHA1
02ec120f091b8f52cfb5bb5e42370a09791924a4

SHA256
19301dd62f08cecbb4a95051e73f5f3bd3fe8f565a40b7b5e8c885bd72e35b15

SHA512
2ff1464af727bcb42d22859b1bf7978c1802aef8307c5cd1c3e346059bc04037940b27889deda067eb1da38a7eb3fb705b2aa6bcd212a4326f8dd76ed18a705e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
832KB

MD5
a7c81ea67d5ec1bc6cce0b27a53f08a0

SHA1
73fd3e2f9853087a7b707572e380f278269fe605

SHA256
e243b0c4150602d01fe5a8dc6be7d32c5902d79a0d49a2d65af4b4935ccca95a

SHA512
cf5b40193a9962e251a38d6b939afc0b1d8db88c0bb1e943d19d679c836198a85bc2f950a13a429184ead521c79e836ea363e1bdb9e1f3328cd8175dcd87c541

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
768KB

MD5
60647d95f57538514fc90212bed2e613

SHA1
d8d874b32638165567efa6aee6dc76745f31f98f

SHA256
780f54ff41b4fc1da6dd51e7ffd3a051ad7ad7d56bf93de7c4c99e197fc14b8a

SHA512
d60c415696439002fe4da3bf3ebf542df7374412f3749bbff1b137a9df01bdc19b142e5a9e438c35bc0d981373a32e6611ae57d335a29b5903805add96bc0a0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
768KB

MD5
62e84680240c18426b2b3feabc193a5a

SHA1
a121263fb118d942299db290f0aa09d1e82d01ea

SHA256
819f0655c57d547d9be3fc8550d8d8e4960cc3ceab7c97cb7dcf4ef535c9d041

SHA512
8dff3a341fc6b83ca0b8a6fb945a8b77baaf38efef5241c60c12099cf3b6dfc82acb6959944dc5365e2b977cf5b0b5e38e185a3e2fce03f0cd6d4ea48ecead5e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
768KB

MD5
1a7508999190bda296d851b634d9b4f1

SHA1
64ad35fc9e748ed8e2ee5074241e42ea63f9b867

SHA256
04af77e9e9671d57ff23c2024b63f7e4bc5d1ccc7975162ee65fdde30244af0d

SHA512
e1a0aea75d903182c325fda56da926609ad2c2de990d0e815a8beeff8e0a00931540f41a726b4e3119a6746d3e87070189bf2d8c0b7b1c5163a410142a1067ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
768KB

MD5
874b382615ba76b7d2ffd25eddea1dc6

SHA1
9405d1932b8b61e164bbc7b8167fabe9dbbb0a81

SHA256
846ed8a17a400de87cbe2fd2b9f9e42300da574513b42a3d0bae850408b92402

SHA512
a55dc11c951ddbd9d377614e4eb82bae78f8c914d3c228f564d47b1dcd7a057b757112f9d7f4558b65bc8ce32a6194869757b4aa78171585bf8481b5eff628d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
768KB

MD5
a2640141c349f5ae135c34ea2647416a

SHA1
2f4291f7ffc2f80d5b71a38b5baa212cc497ab29

SHA256
71e3643784d03beb04698f5efeada38dc5615c0e54cd906251f43f1ed22e66ad

SHA512
b55364d82c0dbc7b068555234dbd84e21c14ccd7111db3def9ffd32a834fe8a56e60aae3009be9b6187bad63da1dbd88b62431584153cba6285c97a7e441e1a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
768KB

MD5
14914d3de28e7036babe6ffac1c980c9

SHA1
28fe16d6012a68b692d5c49c047f90898fcf03ed

SHA256
c6657efb93bde1908ef795f0d55aec6fbec2eee20098e3f8da78f9b95b32881d

SHA512
2989ca6ce2a50c0a2571c7ce01f5dcf514edfcb8c0fb5ff3806e925df0820837fd5128c7ccf32efb7fa679f13357daf01552060d339b940c22cc4025536b3070

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
704KB

MD5
09fce274ee78ab228b99edcd4700c5d8

SHA1
0094716b034fb13b0f9ffd1a9414b5f7b312d65b

SHA256
97d818ce4aeb20a0e650812ab114604d14a2750ea4b0d4a87b468b9c377a1243

SHA512
131ce1fa21cdbb4417f07dfd578024c49f5f118bc4591747b7cd476de5c6f3e956cda64c5170811fc01ebb4f2bdf5aab97083459d79b19c8ef5e77ef0738cda7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
704KB

MD5
edb57abdb387a1535add40f691f9eba9

SHA1
cc5d27ddb8bc8b32cbda28e16258d1efb5851682

SHA256
66c5eab6eac8d564b3a3cce174c7c5466b2491258926165075bb1265b2576ac2

SHA512
750e24311afa05ea0f9d0f4984ddbfbe13d79b9347b6a1089eb96eaee2c564f6739aebe9d0a8d41f5880bf968446b3c02519d46628c57dd77c7579e1cb58a887

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
704KB

MD5
cab4742762cde5518379bcc93e868379

SHA1
d94e779164cd91724de806675c457a15ab748e6d

SHA256
8ce2446c41a060e835fd8d87fe7d833f2b9a2e67d925e95fcaec02198ddc3b13

SHA512
c0fc390822722da9c1745e0a7e1290e618be318dea79ba5358429336a633afd447a094987e7f3600029a02edffbce87939a7d92dc8c50b5ef48048a75244d4b7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
704KB

MD5
032a5e2cdd413b82899a6a28f0726937

SHA1
e36be4e03aee5f7146c578fd97fafd0995185d3d

SHA256
71e025f9156ee560a6a3424cd9a6c3945c4197d258c92830fef8dad6866a8456

SHA512
725524fc3734789e7c8de13a53e13d9b06bb723f628563099bcab3f502d12061ac6176493011e68a9543b236f3e8618cef827ce7921aa833ffd050dd1d9daa07

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
704KB

MD5
4c3940af29ae4f0c840e281ecba208f1

SHA1
0ba4317c7db7d4d7677b1485c81d816782ac4bd6

SHA256
96f7d026add687dade81858ec5e5ee6071fd0a1a8aa02eb37a66b5e7c6e63bc1

SHA512
44b7a163a58fedcfe4b9bc60a360f44d65fb91ba8560253d5807bfb4ac409c8aeb5cbd6edca75d7c0d95628521c756fed6745f9daf75331d76bd650a92100cb6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
704KB

MD5
efdc0d9ab4fd435d157eba20dd1c3125

SHA1
0a96b4cde307b50956d30129bef58352d10e5af1

SHA256
9a68f5cfd5825736d50ce9db8bc5795ac7da5cde9cb679e222537a0ff8342302

SHA512
70344ae86d78e7b208ae20f0c06b0c29d04a06b10f25d78519b64736a2a3c3443082d87d9f00edc3bd0c4081ef86870c5859b6adb41645e96fb6c7cdb81f9499

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
14KB

MD5
90538718fd3cec6eb5cee5c7cc109a3c

SHA1
0dae0953f4fa4a9a04b075a9384dc18fee945b7b

SHA256
f1c51de401e0a39eba39122a3740d47eba0b9840c6b97cf6fbffe4a925e2a148

SHA512
c1277cafa1fec3b4a9cba29e67d5708c6b75fbe539f2ba61169731c00278b23b6693612198c0ea8adf16955feb7e911963d505f16efd2957e7121e525938f334

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
14KB

MD5
80f7dc3202acb2f1e5adea5aac0dce5b

SHA1
cfe5563d6372b1e96807b044e8fea5723d9e0899

SHA256
99d5a8fb71eaadf9e441076252d5354de65d837af6959d025efd18d2f62f111a

SHA512
7d6d0515d347bdd1aeb7dd11f4c5b4c9c9fe36c151f01bdc474da85ed83d932571dbffa0dca9dd33bd477614c0c8fd8515441a004679019fd84910c760920fe5

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
76KB

MD5
1777989fdad5681aaa94c820aac9ef81

SHA1
22df3adbfca7c61ab35e9d7e496b24c097e2332a

SHA256
fdae355af84ab3f15982e9eacf7f755c73eb2e33a51f1f010fcb86f86cdd0025

SHA512
8f44af3d72ac8927663ab7e4e0f7aafb39528679c4fbe35ad183e1484668e1960d15f5223705e2ea1f1f43fc12b7289db4e1b580bcd10aca3201bf3edc6e22cc

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
2bf1ebb33542e28c505f4f461bc8abe9

SHA1
7fc3430a8c91d85279d52d6cd7415121c73508cd

SHA256
4528acd4ee5542c8bdc86d1df57f16843e3ad5aaebd386964c2b9de0b3814337

SHA512
aefe1ab1bda104403b6eecf2176c9b82f51dce2bfc3bcb6d9463089c0be815954ad79996beead6fdd6433158ac544192758993aea850ddcf666dff9344058478

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
320KB

MD5
64bde60a7573a21061877ade868567f8

SHA1
218f5c8e14b22886c4a2d69a1c084b4bfe99ccc2

SHA256
2b22c19da6728847914480ee382eb9c2a373f0ac22c3be2cf988c2704e8b26a5

SHA512
db7d39f5ab8f143f75f43b43c2479a7f6d666330ce8abc8406fde38ed8955c8b4a885c1bdc737942f9faac2f55021db1fc6173a0572ac630e1acb90a73f74d20

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
49739ebf2a506663ad3fc5ba1a4b0414

SHA1
a06a8e9b4abeaa3e3c1141fce2064c0fe16512f3

SHA256
1b0ea97d26b21f7cea11ad59826122dc4888dd36e512ed786872d380297ec8ce

SHA512
9403bcdc9ba8d6255e18bfb50a055ed3ca8c62ff06b7f90c63f39e03c0ca6cf32780b8896415c3216ace2f46876ab2135391af541e841574c180c709195c033e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
be4b0b59b8489d347b6ed74d826b299e

SHA1
1dff92b8aa80c3cea0558a17e57ecf708a17a578

SHA256
e7c63fae64f6d80ca50a676ec643c7738e1a2b894fc7f5d4ad61755bd33481b3

SHA512
0d460652da73c490e7985dc4216b95f96da558da923a3ef1abe9f19ba2b6cbb058194f2af7a3bcc2409eec38d45b29b4b3e17bfc3a8ffb9c45fadaff48fe4a90

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
41eda7b81d91855a77d8232625f6a4ea

SHA1
ebe17b2a36fb90c602b42f8e4e232ea78e92e76e

SHA256
9511847e9e45b79c1082bb2d50061769c0e2dab77c0918b00c6268de31a07edb

SHA512
8412aacdd959f2024688f1682b6b169744651cd5c0591ada6d8c4b2f7f20d698b589eba49b0138d2cea169b9eb3d946c72ae69821b5746c09696e7fe3f3852bc

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
1f777e0a3b135b1f39a9ad4c10f35d9a

SHA1
0846096b0764685079f56f7330a7e975bc500ca3

SHA256
9cabd4d58cc901ad9a6e866b222b3cd270491ed9e9e221218283d5daad19fc6c

SHA512
954c0569370b37da5cb2dd0469ee9018f4f1a6de898f320b0006ea48eb0a4c75675549b447a95c42ee1d071780e48c4f44fd56cd02d0a099a66818dac51dcac0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
6bd389e354aa0ad6fc8829690f3772cf

SHA1
de7d66350b6fef462a3063edb5cbaf6b51f3c36f

SHA256
a8e7e90e5318f1cf214f0eb33665a2b403185a3f0f56200ee12f280ba27fa66e

SHA512
0ceaf6582b05e1d052c3f2368710dbbfb74131a2981c0e98ce7fef740b0c89ce0f98451b0351b71507f15d31832528ad2078c14fc1204529c93d99edf4a51470

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
89687d860fa76348e596c8b95a15153d

SHA1
208b39f4cedf590d860767a7217d6648f2904ab1

SHA256
017774ef68522ae5219b0bada6e82982a6a0ec963cd83ae8acc205a35f838836

SHA512
464672984619ee4d5278f9abf06e1e8dce66a768cd991f151b9f0c5b8c3884d1324e903c33701946b14123a9ba52f8c090d639b551358c23b8dbdc23635b95fd

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
fd3ce4603982e65d76349b17e0fe5c8a

SHA1
484318c74bac5f5b1060f26cf6ae55ff0a258d84

SHA256
c06ca8bf11f420e362b84067c4fecd46a527f88a2b160adc2b1bd18f8151931d

SHA512
2e7deceee0d724b2497c2201adc10a0147571445c1541d4696c5f27401523821b33f44fbefcd59cc856be50802e46c1884fa26b72528bf2474585afba176cf5d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.1MB

MD5
3b6cca928b0c2c512e2ea38198658c11

SHA1
ad1b5540a88cf719b866c370be129fd52d04db3c

SHA256
e318143784adb5843f6e9bd26000c5dc681b37ec0b0e689d1476f38c3acae97f

SHA512
903466badc18fdd438a07395e951616182ab4599b5187639d172b8a30ca33580cc083411e24b617ef3e73f8e063966357f535f9336b0999abd8558fc80b69be4

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
1ad013d4d21dbbbe9caefcc111e88e19

SHA1
d5ec1d6d66144f5c70adf0bb9f49fecf47f106e5

SHA256
d869d577ebd80cf7098f0c839eb7073d61a6ec36d3e39266ac09ba249d8cbccf

SHA512
aad7235b82faec4561a32e9cca36b876dbf856972950b6a18a0c36825b1eeb575f5dab845e0ac4741f4951a323c161444409c01d908304685ba0467dbb8e83cf

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5f306950126c168583a0c6010e43ea2d

SHA1
6ea72079b5af809bdb8363b298c889447aac3b8d

SHA256
3b720fd84095092dd2afcff78418f2558653fd824ec5f1db1c48175bb08eb1bc

SHA512
1c87b5959278a2fc47fd805e416d816a5eda39a177a95e14e3848b3f2f51832a83902f7eea587eb58886f3323f66430ab94eb348409e6630463e330c6ee191d2

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
6ad19747f93789113e195aa3167f4d4d

SHA1
c444b5040a40bc21589a65c79666a0060030644a

SHA256
93475f50fb0a8f8ca90108485ee1c3f9e609fa33c73fcbe36e8d9c6cbc07a231

SHA512
1f693ddb2dca90eb58439316fd32ce7de3bacf1f00d47e203f82e97dd6f3c2c2dc681805faba586cb2ef378ef3a76e35c8e2237798de5b769b703f17a69e29d6

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
a6accf58647b75ead0de8916161fe4f8

SHA1
9caf087bb3ca09b9a2f6acffa72a20e1f1840de1

SHA256
aa20bfa0603ec9e976d863d7474b6ae89fde1596695f8cff3c4190829381b0f9

SHA512
421c2a7e8153dadbbc56193f978787220cc4720ac4cb7ebe5ea5791599099f33c3585cdcf4289a4d4dc9ff14984be51dd675d004f527644d73b7fc9afe651054

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
cf27f2538a66768158baca3aa8b2ace5

SHA1
ac1c36adfde7b971ff710f1c2e55fed005146672

SHA256
5aa423e36bda919a6f0b3285529d5b2e60e213828b411e3931b72cd45da43644

SHA512
578f3c1ab6602745453795f9ca8a22fc4d6cf1e3035049b0b3a7da248dbfa030de12081aed1dd84c742e60ca2b13f63ddfa9ddb19adcf55732c4f86de8319902

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
be7d6a10ecd29c40a7ac7e02658deebc

SHA1
b83b1b1887006642e3000caf0b7e2c09604b014a

SHA256
0991ef37f3f532a48df3ff3aea33c5c04df6855395627017ebca84fb9cfbb0b1

SHA512
0c455b7ae91f3792cfbae703a662d7ecd3ff04202cb7b40b831f07726bc09632287f77019955c590f7d55aeba00fd0ccfb4c819798bfa869e04bfa34174fa3b8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
36bb3b1cf32e87f6c454c11bbfdf8484

SHA1
f557f6b062524bbb3a09a9058349e08739d078df

SHA256
374d4cd1935da440a19e1081d6cc3cde9c0317cd9f08dcbff6c87d5172eccce4

SHA512
20efc5b14038668d64de40315e957ab7c6278e41c96169ef68c51515e08e1637febd89130070fdb3f8785adc70c386745248a9f61f1ce0fe0b50a384b56a7216

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
576KB

MD5
c7185d66299fb821dfd1bf48f4158183

SHA1
37ca8ddd843d42d8ff81a41a49f817d5f7792a85

SHA256
ee9e9f3b08187fca2af8baf82c0800d71f0f574b5390e8fb9ec9720463050ae6

SHA512
95a5c4096f43b0e6b64bbc46a1ad4a585b1365dc87744b0fad6fb38b22a6714e72a147e7df4e8f343c0d72ef9672f61b3ad889d3b76e65e074f8ae4277f75389

Download Submit
C:\odt\office2016setup.exe

Filesize
640KB

MD5
e253e9d3dd381bf5199d064ef2ccb4d7

SHA1
448dd9078a85b770f235e3dd4292368afcfdd9db

SHA256
ee1cd5953d22296a82f3f00dd670afd2f34531d41355b8b0b53a4b9a2410a8c8

SHA512
484d179ebb3bbb9424397579427fd0a205c92f7db28165f2d9dbaf14c80cf73c7cd3013cdb79718135aff43d8498f1b7249b756bf0bdc656c7e17d840fae2559

Download Submit
memory/432-424-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/432-416-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/456-332-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/456-341-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/456-402-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/536-23-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/536-169-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/536-15-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/536-16-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1932-450-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1932-442-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1940-456-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1940-463-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2352-411-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/2352-403-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2372-272-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2372-258-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2372-265-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2372-257-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2372-274-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2636-380-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2636-372-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/2636-441-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/2772-371-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2772-315-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2772-305-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2952-238-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/2952-66-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/2952-74-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2952-65-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3380-353-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/3380-296-0x0000000000B90000-0x0000000000BF0000-memory.dmp

Filesize
384KB

Download
memory/3380-287-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/3804-415-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3804-344-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3804-354-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/3832-17-0x0000000140000000-0x00000001401E5000-memory.dmp

Filesize
1.9MB

Download
memory/3832-7-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/3832-12-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/3832-0-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/3832-8-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/3832-1-0x0000000140000000-0x00000001401E5000-memory.dmp

Filesize
1.9MB

Download
memory/4336-367-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/4336-302-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/4376-234-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4376-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4376-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4376-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4472-339-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/4472-273-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/4472-283-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/4544-429-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4544-437-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/4596-35-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4596-230-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4596-28-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4596-29-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4836-541-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4836-319-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4836-384-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4836-325-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/4836-392-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/4976-386-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4976-400-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4976-399-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4976-394-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/5080-51-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5080-67-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/5080-62-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5080-58-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5080-52-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/5088-252-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/5088-246-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/5088-245-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/5088-253-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/5088-314-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/5092-357-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/5092-368-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/5092-428-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download