001ef488f9bb21f605f79bb24bbb368b53741ab9e379d064ab00f362c15c9375

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2024, 11:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-21_72e785ea907ee3bd69a8686f92ca244b_ryuk.exe
Size

2.2MB
MD5

72e785ea907ee3bd69a8686f92ca244b
SHA1

5d018a662811ed3e5bf316c9bc35e84994a4dd11
SHA256

001ef488f9bb21f605f79bb24bbb368b53741ab9e379d064ab00f362c15c9375
SHA512

91d4740ab1b4c6092335651380976e5bbb2e8170989da961be06c2265fbf1850afd109090f33009fef34e80675f2c72be2b271b041a7f7b42502dcac763df6a4
SSDEEP

49152:oNl7soq7sQCc1kyG2xHywRfHIO2Ts4bvDEEjhMjSax84:cD2311kaxp9qEQWdO

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5772	alg.exe
5184	elevation_service.exe
4812	elevation_service.exe
3100	maintenanceservice.exe
5816	OSE.EXE
4976	DiagnosticsHub.StandardCollector.Service.exe
5048	fxssvc.exe
1928	msdtc.exe
5820	PerceptionSimulationService.exe
4032	perfhost.exe
4416	locator.exe
3140	SensorDataService.exe
5240	snmptrap.exe
3720	spectrum.exe
1028	ssh-agent.exe
5508	TieringEngineService.exe
3332	AgentService.exe
4664	vds.exe
2520	vssvc.exe
1068	wbengine.exe
1508	WmiApSrv.exe
1220	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-02-21_72e785ea907ee3bd69a8686f92ca244b_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d35cfbf47c1fafa7.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{14476686-4332-4254-AEFA-4A0555D6C96A}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005571251bba64da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000f322d1dba64da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004e29e71dba64da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c0be521bba64da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bea77d1bba64da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e241d81bba64da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000086f7311dba64da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d00b611bba64da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab459a1bba64da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d5c311bba64da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
5184	elevation_service.exe
5184	elevation_service.exe
5184	elevation_service.exe
5184	elevation_service.exe
5184	elevation_service.exe
5184	elevation_service.exe
5184	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5672	2024-02-21_72e785ea907ee3bd69a8686f92ca244b_ryuk.exe
Token: SeDebugPrivilege	5772	alg.exe
Token: SeDebugPrivilege	5772	alg.exe
Token: SeDebugPrivilege	5772	alg.exe
Token: SeTakeOwnershipPrivilege	5184	elevation_service.exe
Token: SeAuditPrivilege	5048	fxssvc.exe
Token: SeRestorePrivilege	5508	TieringEngineService.exe
Token: SeManageVolumePrivilege	5508	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3332	AgentService.exe
Token: SeBackupPrivilege	2520	vssvc.exe
Token: SeRestorePrivilege	2520	vssvc.exe
Token: SeAuditPrivilege	2520	vssvc.exe
Token: SeBackupPrivilege	1068	wbengine.exe
Token: SeRestorePrivilege	1068	wbengine.exe
Token: SeSecurityPrivilege	1068	wbengine.exe
Token: 33	1220	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1220	SearchIndexer.exe
Token: SeDebugPrivilege	5184	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 5432	1220	SearchIndexer.exe	117
PID 1220 wrote to memory of 5432	1220	SearchIndexer.exe	117
PID 1220 wrote to memory of 4388	1220	SearchIndexer.exe	118
PID 1220 wrote to memory of 4388	1220	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-21_72e785ea907ee3bd69a8686f92ca244b_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-21_72e785ea907ee3bd69a8686f92ca244b_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5672

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:5772

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5184

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4812

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3100

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5816

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1736

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1928

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5820

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4032

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4416

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3140

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5240

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3720

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3752

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5508

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3332

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4664

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1508

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5432
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a319915a9bb4fc25a91874ceebf0a56f

SHA1
e79a5839c48076e7b2d74daec7942b312413da46

SHA256
4324706f2eb21c0ac1d200b4f0ac6356a0e34901b302edffb85cd5ecca3dcc04

SHA512
d243ace6453cff9d747788c4ee26916f0518f29fe0f1f7cf707af97afd1c1839674451989d71aa2abf356b5e1297c58dbdce15aa3432e9f78f9a779616fe6e87

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
2KB

MD5
afe6d82c6ae4c73baf0700343760b505

SHA1
2060f4a85e363ae7516886e6bb472fb7018263bb

SHA256
8d52ff02cedc96ffa1e06cb6c9189cf38387ad8317d97fe5c90136d8af79b58f

SHA512
c9178d9b3ed693d7a9e9d317704b1c36d38432ec84ecaecdf70b0704a8e787f8bab1105e5ba0edd6b5796d1e41532b59a3e64ecc152ad0df0fdabe3d855229f6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
5e0cfb0762de6efbd22ff9a29d825ad1

SHA1
869040f405921393b4d104781afb613adc7a43c5

SHA256
79c16b6ac1c8b37374470b67b0e0b8256b7f39dbb77e6e8919ae4e582a6a3f4e

SHA512
2fad16249c6eaf4131fd4940a0014e222cfc1a8a7d53fcd0a3f59eaf33e93ab99e2ddc5bd0c2014ce466a55a95c77c673ee4cda1a5f7be0cd5f8c53c29afa400

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
9def91192df97568a406d41fe52832b4

SHA1
3ed4da4ac6d076288508cd4df72a7bf8908bcae2

SHA256
3400314f893ed98edc1fed5cda9f207561738c9c6d5417ee6484380e532a2007

SHA512
345788d4fe79fe86478f9eac3e42c4e50d8a31bce95ddedfc8e6034414544b48d8584763318662aa456beac92d35df8e9d250b0957cbb78064ba8aa0173f8a98

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9ce3f0bb9870d08910adcc629afadf54

SHA1
811ed01f90af155f461a17e707a667cb71d7dc0f

SHA256
aebc04687ea66a64d484dc210911af3ca75344454318875275bf9eae755fc52b

SHA512
a2167c8eeab84da237eef6f236375200c7966b52896b0a1b342194a6809ded2bdeb15894baf07cd17769523a8c8baa664f3b9764b180286c86b2a6336bb6956a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a83b5e1844e79c4652f294578d4c2cfe

SHA1
a46d27a829af9c87edd9213147a24cb5f5434fef

SHA256
bad6ace2622ab95c98b155178942ca8391ef0524ff703c3194aef8e93ec97ab2

SHA512
b466cce7b824025dc8cfe76477fbd4a9562cfc591f27dffdcbbac45dee92425a57d7f50cf8625bada60f06a45c4c4796c5793f9a5afbfcedbdee98896e66c37a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
cfa072ab8f682643b6c8dfc5e730abf6

SHA1
21fa1b50800a73c341e9d91013a29f6e3f047aa1

SHA256
455db49e8071c5ea3fdccae2d74f4155e8e33ba3211ff83bce499bc72d3e6c47

SHA512
6339ef5105e81e47dbd23932d6b00633a56583a2b21c50e9c603bc851c2f4d89f763b85c649709e04d3582b3ac6f55d520911e4e9dccb270a1688134a7c042a1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
896KB

MD5
ee1d09070e3d8faef9a6d708ecca7d91

SHA1
27668ef2f4866214d5163c43fce79804958fe087

SHA256
17aa8053811f484c081af01f546eaa4211d034e43ae077e1fc0ced6b28e2dda3

SHA512
10a9f84525395e693d124b3ad3062fade75850af929618f65d54d0833ad73218ac1f12edc6d46f16a8ccbe8dd142ef13e11f05e07e991e2358469dd6ef81ea89

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
1.6MB

MD5
f07cf536afe99ece5a0d73b30b114627

SHA1
12a62d908ac8fc45ccf72e130a42aae4e3fdf028

SHA256
42428d256c8a6564582ac8dd922a7506a94c152b405c1be006a66c9260dae4bc

SHA512
d503566043cfeba1e811afca363886ee49c3181180abde9f0a57a91ee93eabe15e8cad055257f92b3a17227f00ce18e07bbffba3f6b9b75769a4fe439a44fa92

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
9d8a5144e70882e5655d648f8a352ffb

SHA1
d1d009a0ac729713eedc73e48fd5669657204b5b

SHA256
05602aa0abb297dc0ca43f3de585e2628fca0cad3381d7159cf65cb80b2de267

SHA512
0480d795df8c7f991c91bfe98f6aa93c161e054e1e575c35e3cc39efdb0fa6ddb3f522b762c0563a10bee6a6d9f30ff1c6183986918c1519774b23cf94dce2fd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
704KB

MD5
fd44f53eed2314e44568de9b81d9124d

SHA1
c2f2700dfad5b111f5c39c2901264547a1e2336c

SHA256
0bc0cd21f0ec6ef3cd3390defc0e0fa7299a55bfb69dee5049d51a07be63c776

SHA512
e66ca17b6302d5c144374a3b3e34551bdfd781a95fcb4efdde1e3bac4c593ff02499c1a11e39a27f420278fa6bf5ae22632084abbe10e96031b12cd97e11bfa3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
928ad2e451c9106beb3932215e1aa0ec

SHA1
72ceca4af1588566d419f4d2e702ecdc679f1143

SHA256
55ee0e2751f3750ed233c283d7d7b624d5eeced51c4458c537a1ee7cf4fcc6b7

SHA512
ca7e5606b3333cc48f35b8df68f9fc918b6c7bdfc596e88252a3f88f5e1a5cf040f46e6f58aca491b0ace8b601a4006069b77942ad26fb991638bb7e793ac101

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b8463d3afd5e93bbb1a9f5e93227d2c9

SHA1
8676cda4ecde4de87e7b84e1e43056968e9da667

SHA256
9dd8e0715823243e1c3a36c1f979b8b278b7cd24075438f49ffce0e61e61e530

SHA512
3b069320bc89f03faa3d8037e292ba5c95aa47c2f781435462919ebf48fc2da7eb0dd76f9111165262c540870ac162c692520fe713090c652797a2931eea45a3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
a5fd3137e27fb09911f52ea49301a6cf

SHA1
3fc35bb06d4a67006aea35c8aef7ceb79d4c3dfe

SHA256
149b84e32f14c67aaefc0d9a6f079a36326b4f3be41ba73a87e0cc7bd7a470ae

SHA512
b1fce14d970b024bf65cf9aeb2c00f9940451f515314ea19c6c07e2c09ea82c653b1b82b39b375910fd707bf45c13af907b7ebd4345351f81767dbc5f44c1f47

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
1b291f0e4880732fd76b275b8848fff3

SHA1
6ff6a0f247df3a7ba891150f2ac51a7a4df6f7ad

SHA256
2f467e0a4324b7f096d2b8ac8e3be65a78296b78e20ffc59933b4334e6bbf05b

SHA512
a55b3c3a3044106d08d7cd65e14a795015ceea2aeda2cce173a025f50810d5bf3588e9e4cd7078f43103f527441436bbf69f31117465d4aa4b3ff611eb39d421

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
2c30ae1c644b23ff1ff88e2d753a6320

SHA1
e4074557aa3638aefc7acb3fac84876d7c916cda

SHA256
c650139d947b8be0483e5990c8111fecc32db7ebcabe7cff06166595614bcf35

SHA512
d9cca5256a42704af30d911b9aaee070f40ba390ffad9544c86fa263cf770d42cb0bb4cf739e6d85101f558b143e70a76a868e46272afd5fdae89be39011a5a0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
39b4db14b2d98d287e1022816f9adae3

SHA1
d27c61ac69961caaa66bc17723a3ffca7168e16e

SHA256
21ed514463cb2b6fd148128710caa1fdd1fc9628f974fc23111fce7f356899d0

SHA512
97175be7d77d6cdb01794a75fbf3505d0f2e74901c24d3a91232842c52520043f766c4b02e2ef69de6e81bd1e51047cd048ee1401f137e797ca850109cb498a1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
8ef08a022e96db8ea45c858956f7aafd

SHA1
a247382c74c890e48375097c2f41bf3e347dddcd

SHA256
e51928f468bf2ca25f19f8150ddcd68e4d93c7259faaa1765d516fab215a5246

SHA512
ba9d47f89fba45ce408b7da6c436f9bb8e70dcdccaeed05e8a2c0fabf8fe276521e5f14c687592a19b61a82c67f7f9dd86a711295195e439b88884f3e8d9f4d0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
2ba05750b298f3821cc3ac1c5d80e02d

SHA1
60c660509c31ae63efa235b85b71fb41baf6d22d

SHA256
17425f5c35f2b0617edccbeb03474917c85d7cc4e47ede5d8114efbe34b7752e

SHA512
ac6479546d1f07e3fe3a6592cc95394e0eee25f8e603881407365196f0f46d66e6791cff0b7142c705b7287d935a2d98fc549318c30b21ae14c638037d29c8fe

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
5137318fa88e24bab87551994b9abba8

SHA1
eacdf6fb7254ace9464eade0db168ce36990b4b2

SHA256
5f028ced494f2b21994bacb588278b25ea48714742ba2b0a74aa0b2ad33bd72e

SHA512
a9bae84aed42e4ef3529c8d5037c86b81555d21929642035bb48728bebde83048fd333fc6177aaf657197c2d0a92652158a7f4a9cc3b9f698e13edc2d56e1cb7

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
9890f2555a2318ce827919ca6e9cf05a

SHA1
9a53edc79656fb28671819823918ab33fd4def05

SHA256
7ad99759dd562d925a44427b7150fc86b9ee0f860f7654d563a5bf40cf8e034d

SHA512
84a23d044c2b187f1e22b6077cb9acaf37c415bc35415b16d9f3193dd753d32727bc7f88e86511ff5612a412fe2bdb8b5cd28e3f16ffdcfe6b7769428adf3685

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
8a0a1c414fd31a591712be2f281ca1eb

SHA1
65106da16ea14b587708e17ef88c0dbe62201ed9

SHA256
3bbbd4b95f66acadd04edfcf44121fb97058ea694e3470020f1ade8bf6ba8ad1

SHA512
8bf9fdf01df2cdf4e6d940cd46b4c6570d3743339caa15264c454957141600fc8a1d3a1e8434a286c7b17ec5fea475c1fbf671485cf8a99b8df43eaaa4d0abb9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
7675918c1a6dd5f9332048425cc19a73

SHA1
7d5ddf75dbdf74d20937495a949a7715510312c1

SHA256
91a730b3ad8294067845ee0f9d97fe2f8002c38c449feafe90eaf23ff743a00f

SHA512
c8445501a815e252fe14b1a18cb29dcdd90ccec1df9f3902eab6481475f996fbcf6fd8eafc1664a2994b1ede0e7340d9215867c2301739b6bb3f1c7ff1bdd66c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
e9aa999d3be6a50587dc6b5a661e9961

SHA1
52eb4d87c7369d196ebb3c9a0326cd80d16545bb

SHA256
2b8261e1c0e4e7698946e8d2afbb2e110a380aaf07b7a1cf4742bb422a4d558b

SHA512
6e5efe9ca9d699fb5691a870dd33a423134b0f5e2df0b4789c23d6ec0a28cc904aa6f649aa84cb245bab627eccfff35d95c8e330e07c8b2a54c1ef96fe3b7e3d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
1fa2c9553d59e0837c3f149e81ab7a84

SHA1
b22c87a71daac2d37ac7a10000b0ca5f66545a06

SHA256
0c178299fe71f3c6a06cdacfd30cbf4569a7523b4d30fd3f87c0def39cda6c47

SHA512
85878b3bacf4a7348c051fce2dee1fa3129218013dcceb87a34baec7653932bd90845a236ceb1d204128d2f5055e411deb8b7b68202eaf90aa5f07afbe2885f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
896KB

MD5
13fddececb0ec39fd7e2bc4b26e50d90

SHA1
e55063ebdde858ddb9ff8ef0597d5f7617b82fc4

SHA256
73c67b454cc203072c6da3ccf8be40ee6c7cf3c3ac3a63f484b0730bfc93bdee

SHA512
d9e111df70d0dab89bb1ff6350eba4e2d0b9e1c4c3484cebd3fcc060cbe33af55697de8f4eb1d90bb84b52f48680650da900dcfdc8fd828e1c9a57ea71b9aa0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
896KB

MD5
f34bf836e2a60854d66b84bc8e9d8d39

SHA1
de73708a5f51d179d4e510e04816d2cacea2ea15

SHA256
ed0ee2814666f65a58460c6dc2e6f76c0c22396a0b6a67ae104aaa2215107e9f

SHA512
32496fd49a899615bee6b9f34443f11cb36728298dda0c03cbea0075b4eeb7ce2acf416e97dd73d11b192970fc2efc256b51b51cf6ac8372338e5a05f2fff2a3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
832KB

MD5
021974cac123cd308012cc47b6368a4e

SHA1
ccf4c3d93e3a77570d7691a43f8cd05136720ae4

SHA256
fa884ebce432076a9949ce88aad7c6a3392e68933e22f2cf8fc450f22ac9bd8a

SHA512
54d1a8a01857d70d2db1f902c24a28efa9d0471a928acec1e438b37e0042156432f4010e689bba1c49fe17e9b7ec2b66f92a16c1c22e059f1348ce1110adbabe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
832KB

MD5
8f8dd9ab97f28b558f5be14813d18397

SHA1
383d1e25a06e38618283340d53710d99698502c7

SHA256
a352c6ff699679c3ae67155eb712e9c2a1395de558d733d6cd9dd945f844a6f2

SHA512
fdebac472e3d5503eecc3eb43313ea74261029ee6e2772c4b668ff0ae845bc374651b2d2a2e4b705ad48704dba848124397d833c16ad9649a2915b20cee905b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
808KB

MD5
915c0db48f35458b264f5b411d0635e6

SHA1
da86599f4e97c35097148cc2d06f36a4028b3558

SHA256
2b2e4e69c89fab3a40fcf062f68b1adacaebd3a7a737d7ea0128a54479e59033

SHA512
5ce2fd90f75b5432669517ac11b208e0604d574044e84b6f37acf2c3ee1bf11b2aa4c1eb349fd07421252976823ff2e7a00b3887c85bd3e96e213c3a4182173d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
787KB

MD5
6e9e84fc0a56539d1eba4dbb30f05763

SHA1
3d9b78c36c1b3d85b3bf925c5e56b8deea796eb8

SHA256
36de5469a1745e8415c1fb1f962bdaffc0aed630acf6f1950bd51157547a4aab

SHA512
dd61f18db2610b735784a1d1ad2d52189660538906d2aec87bd611cd300d98044ee4a95f04e7ac64a8f90ee3e647323875de1b17812b5b75647d4c5d2dabaf29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
768KB

MD5
27abc30e488d653ac0e8d138d5be2681

SHA1
8c750dcff533fa2d65fde6427876231208e89325

SHA256
820bec2f6ae037a1659b84314f3528d97ce3eb74e894dbe27a7ec83dd77275cb

SHA512
b94f2bdf4bc45a6bff48e898b9c49fc2f7513a12b776b66750cab233f974459955318f518a392c477f8a6fb4147d5fac698d7f3e2195c3aa0cd7ac8f5b6617e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
768KB

MD5
cc94f3a81e57e836d10bc87ac8aa0949

SHA1
a9ebafbbe21bf21708206154ff255c423859405e

SHA256
9a830f471a2884ca344be1d668bb18b7530a2cc88da39424826b53cfab8a8a11

SHA512
77c1334ea4c402232c2704a2731a98307bcbbf03b300f808ebe7b3bf73cc7a4ff95eaaa4050cb51d462b64fda5050c4aac44413f0483ea6a77fb912727d7ad9b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
705KB

MD5
02c61c99ffb1b4dd09efcb40edaa1b61

SHA1
24501cdb683d8f7bebcd34cc08671ec1e18bc1d9

SHA256
1e0f76ed5498487e6e78fb55e090e46a80a4a6bccd2d8fd4ab143a5efce319c6

SHA512
cbc18b9d82316e6b37fdd1c04d938cfbd06839d79b75fb2568d3d919fa8733d8da035a5aef7ef21b36e45150ec7791c0e7b98e68590acc80b9f3eb5469e4f716

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
704KB

MD5
6667b2ec797bc074b3d17a1cccae8c9b

SHA1
ea1f6d41ec614c0f90a23623221a48602349b01f

SHA256
6b2fe4eeb8c0b9012d505e0b48b2e57828b6336bb0ffddb34924081201339fc7

SHA512
64cd1bdbfe8cf250a4220f721d08ecfc81812f07e23c49d58f7cedee0514063a5a64ec1f87a6388ac24eb61dc1cd677cda4b01f91673d1053c83296db162403e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
704KB

MD5
6f5a991a20a913cc1505a2adfa7cd320

SHA1
812ce91a38c281c2c4e07c4fb8c6ab0b298dd57c

SHA256
1353db720a5cf403888ccd0570e21063eb416623018c14f64a7156ff76bebd7c

SHA512
f1aff0d809245ed9622751a779ee1e20dd7067b91e488a164c786514b73eab6f9aff69998a4b9df657330f2fd518f7bb99d895d0e8e65fcde9855cdd4cf9afbb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
704KB

MD5
31d33fe95697d8c26de147261c6a10de

SHA1
8046706128f81a432fb808d58249d8c002700609

SHA256
8cb5f717adceacaaebd9e036dfc8b9d7aac92b0262e97350b6a46cad6b29ec41

SHA512
4343eb52226573f2a44d81034b7b26e8b1fd20ce381a0e127ea354bd1db8df6d54bc825a8d73c8a959191ed16baef9b2f1386f825c8e888401d8ab9631921594

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
640KB

MD5
19ea9bfa12d1444b2655031460e6134d

SHA1
13342f0e0726c5409532f3238a9c79641805169a

SHA256
601e53294164f5baf656343acd7df7f83574823fb69642439f8e372cebfc98f6

SHA512
f8fb156fd8ad959d02765e63635770d450f732f97ae8c3172c5b0e980cf334ee78138d500f2ff72640c2b89d7946c300e92bcfa5504520ab31f8af7632e4ffe7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
640KB

MD5
4b45725ba20aad5ff377ed481d0dd8e4

SHA1
742126884dc33032803ff86d616855ecaa91338c

SHA256
f10a86513c3b122338a3e17a5b1a5b6bf6009b367f3a851a752f4a345aab99b2

SHA512
6ae77f0ba430d59d0965c762186ca0cb3e7b71fe29b203bf301ed464a1effaba31dddf5e2d3d956f3d4acb79f58749fe575d131655e7eac453fdf05628356eae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
640KB

MD5
e2632013ea1e82a145555d23a595f773

SHA1
78e2d5041a3fa6e5195ddd7d3e416c4ac7ad7166

SHA256
8c5409a9aac48bc95ff3c17a4f017efe61d3514f38ea145a903fa7a09dddb3a0

SHA512
e6e020d79b0028073e7a4455a93793bc7bc3fff4381f2e6566f6356d466affde9b7cbb5b29b011db3b82b04e26ff309dce1c21f6deea68cfe9877d0836ab56e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
576KB

MD5
8e6bdbc8d3e37dce17c261d29ca35ef2

SHA1
4ebdce3c557d5c67d317f595e9de3e8c54f62c42

SHA256
b29b6401d46dc825561abbfa8234ce8414f643ea513846f400d18014ac1b4388

SHA512
1ae59166f01432a6238dce45356909a5834aa14f11102b31fcbd04cfcd61d3fdb814625f6dbd9e68a8fe2bb401f4ba071854fe295b01b36e930293f0f304e6af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
576KB

MD5
c9b1fb50f00ab824f0705370ec1eed26

SHA1
6d010d4f359dccd25ffbd46ec891cc4407d265b4

SHA256
05043f14088bc8ed186a6f8e03871e793f3255c87e18a789bb7eb8ee0cd925f7

SHA512
04cb0befe9d630892fa83c22f19ac50b618ef29e733b37c07590e0d2d39e7b731919fe3bc2f1af30efbd27a6145bc483987cf5f171d579f4fcd6cf39321c637d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
576KB

MD5
d99d38bf652e9fd2b9526f74b3b90264

SHA1
12e95943fc123abf42b8b86828f38db3a2d76518

SHA256
e444875495f0bb5fdb9df10331809b048d73c80465286d0567229d07f33bc03c

SHA512
33c157aedb29c7bf162bb3f2a402af52e500f2a36c9a3ee4f2bf705bd4ffa4d553829b3ed59cab097f0c8f614a22cea1579d2c32bc975a7603df9f8ad7bc4b11

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
818dd356c9fdc48bbabde023dd249528

SHA1
3ce2cacd58d28845d156b5d2c8d1f591b87fca07

SHA256
bb9dce935030e6b1a0a943fa514bacc0d2801672bba57b7a67572cd978d5fa56

SHA512
2ca9c428dd3d834543225486bfc8bdec7e5627ff1d3bd91c3ce2b8c53e102899c8d0ad88de2fd186226c2f84076bd238f53c7e86fb8ab63ff3901b6130d3ef5b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
fe74503405f090c711320ab94ab7fdbe

SHA1
2edb75d8f58fef81dac79ee60352fd661d7f2e22

SHA256
0c062268a26a85c24cffc23af941323d8e61464d7d0255984fd6d29b4940f713

SHA512
0a87ca4d610e4ba6797569883520b905450b2c380be09d815ab02ba3c289ded4913d24ec0be815421caa84550b7ebbb13eacbf949163966172c7fd8e324422ed

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
38dc90084500c58cd6d2a1a243b0e4b6

SHA1
cd20eb6cfae8e5f0399db299d189f30ad8b68941

SHA256
4b9b4d31f1badb1579d9de9405d58fce443229ffd88bf3edb078366dbc041923

SHA512
8847a314e21ff3ac1afa78321ab27755b7bb30f3ccac576254b9feaddf2a0369946a88b44f2992077c833075246a4adb985e5ac78bcdd62ba49222f0396f276b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
843c70ab4ca6ac5d75d720d1db61ff25

SHA1
f0314d12d302f0c4c2ebd293e7ecccea9049d086

SHA256
1ad281a8acef5a101272f1d0df957679fcdb569f907d512a81fd73637e74c6ab

SHA512
d9c8ce51c4f31dddc1d323a560b8940d4f42c189943ef4b2b8101fc4dbaf26ea828540097ad2154c94438b707c30f324a14dc2f4de5352ce101c3c7a1d94986c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
07f75c064c3d9865fd0226ebab18620b

SHA1
61b3c535f2a605a305357c5691875611581f9a11

SHA256
7f2fb610339cac4870a8b9731bbb8c7feec96b7df6b5579a6a7a1bfdc3501675

SHA512
df87d06bb29fb53f91e7c12a05347f6cf8086352cf4d93dfa4abbd013e3bcc859d52b50822220ad4845c6467ccc4475da2ef68e5f3aec737394406b0b12d2eb9

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
0300805d63a2048faa305a38125f9dbf

SHA1
983a454e00fe864abbd1ee175d65f33afa3f9032

SHA256
cf12e13d7637c5f57873fc8c8a869e189720325204fe8c5a8e04652de62faf06

SHA512
3887366f4987aedaac841121deeeb58af8a42018a57415116160065a68dcf7a3a397414a1f8b6dbb76ea9f3b3ce29cd61988ac71cbe55eeea62a02389ab3c26a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
56836e8ef72a87b6d9094f43b8364398

SHA1
5900e06cd7891c08a5d0c5ccb129fbc2d687e3f0

SHA256
01f49542f55bd45d1482dff50b496ba958410a2ecebb04d134ad13a3ccc0d3ab

SHA512
6827631da3a31f367ea65d88bc3cf0237165a9536f8c055671c28bd67219b3b84c6a216aef33100ba3359972c3a953036a66479d778482f9a4c3da8dd2f1fb7c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
43aa0aa3c2e5137ac13c9bed547a4b12

SHA1
dcb2a765772507d4ee40d8a56e47b4bc6c798878

SHA256
6cf9ff8b6eb0ba89be78e56b607b066fa031c2f9953b6c53415c87b3a6def175

SHA512
98b22b162f71906ceb6345f450f0982e2cf585a1bfc0f3e2ef5674631f6cc07fa31e20dff077af0bd417797810daadc041bba70bfd442cf54b14dc9a5755718c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
bd735c51328ef467f23e6c863a645ec5

SHA1
b87a8debd9a6c524db8105532fc13d49fa5b1887

SHA256
4c7e3126e2fda34f8f2be0eba892e710228718867f2beb060bfec9aa3dc51580

SHA512
66a265c319f8c28bf19809d1c977d2da74082b71b66c862a311aaf7b8dccb4c4781a05f4007a3784c512b685249a15bd13b80ee1199cd26d2feecd45ae51afe3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c4f92c0b37fb37981eec240fd6ee988a

SHA1
09ef5208aed839cdd35edd31ed89930ff88305c8

SHA256
69cf988d34e65932f66d412548ef7c6c6ac477df55e683e94261d26257f262b0

SHA512
ed77a2dbe30a4e6fad01c539f545636f0e78b39260b2c29caaf739cb0bc4cf11fe03cb680965202412f81237966308c1769475dcbb2f4730db5f3c3e9316603a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.3MB

MD5
8e891af026fd74ddb490a8ba1827c7f7

SHA1
710a04228eccfe04452a673688a439171c8143ff

SHA256
adb8569b6c5c373f96adaf84d055ba5c7573f7fa68cffaccb9451d915102a5ca

SHA512
db8b07d815e1cea670eca53947fa2440bcdfe28ccd09bd480b137be631aa1bb2fddaa4ead9a5d50c4e906ce6dba583f4cce3c3b069635ad9e77dad2101447c8b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
0f94a9bd4b10bc86a412d97d4b7b7dd4

SHA1
15a2763a0c95f627edd96fa6a0424a3fece64805

SHA256
cfaf99d027405ddac4a63f97d9e004041e78b5be918bc94a3fafa88b4d8f685c

SHA512
9c2703be7147a7b051865a34c8eddd34194f0b8fa8e578a480ae1f85ba5a38dd676ba1b4445c657c59b7b71fa1a6be17efadf246b1ecd5cabac89fcee3114010

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9fa4cb9c4e1356395898889960f529fc

SHA1
b06f0c3f86c9cfc3ea14544c1a476b0793f0d358

SHA256
76e2a7c605ef2d886de601b82f27e405559217f9ba2f2233949f559d42899a9d

SHA512
39488d8112684c032234ba4db341f12bbcda2a64294bf4aa7efc5a82649b6a11e3692de342054af20422ce4e72a58e914dab8778462022bc0b61b762ea4514d6

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
f218de9b929aad7e39696c771e2a1b40

SHA1
6e5a634ef4403a15ad36af62c6fa7d1358e50f6a

SHA256
2e9905f0c71600fecd1e44ef2ae0769febea3bbcc64c4764087748b0893135fa

SHA512
474cc2d67781a5ab41e4fd4e71e3d4d7ae635ad9b2e2ee39e8d12407cfabd762faa5e6ee43615d38665db8135fb1014248bcf8dd9406152561cfd9288896f3fe

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
a2fd57b1af2ffd87a7b3015296a13698

SHA1
c240d76737c654f2bb708b6978751c220ee2af6b

SHA256
35e2dd364cc11341593b14bce2bd93cbeb02692fde2fb29cd3a79d3be74f97fb

SHA512
81d960d8d670be00594ec7b8f4ebaa6e4969f5c99d4e7336499f5517d013658dc1fa3fb26b8f01d2ac30b298614631ebb8cba54033565463e16d83c6d0b96906

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
5383cc133a8ae4153df0dbbb646c81bf

SHA1
8f82d2eb40bf88270a7dc838eb8d761a5158bd0e

SHA256
7d79c78efa848a7677528430227aff70666a2e09fa7e9c16170102164f9d26bb

SHA512
ac27dcae9a0d7b89898462656426d2678373be4b1162d76cf3c3c94264f9d7e53d573fb9dbbc9ea4cb384abcd168b8b23401354542dc16976c5122ca06d92e19

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3b7a9a5e9e88ec3ce3bb71747c982cf1

SHA1
d0897b9cf44ffe4882657b1efb718a1c4e1780c8

SHA256
6c5d74f6622212bad091858551fcba5cfa2e3552e94c2f3e2140e00be2e80c17

SHA512
3ec1da3941d55580702e51a03ad76d7ed15ef4684b998eb5b5bc17aa568b7d9e66c26e08222828397211739ad52c69a8f6a93d06dfc723739266d66cf4514189

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
ea20281ca792b3e523746857b42aec0f

SHA1
a4f4ad3bb0109c91ea20a4992e940d2f16b40a74

SHA256
c9eadd010c61610bb775f96b350c809dae0d0bd20aa8dac922f7cdc5b9c6ecb1

SHA512
a9e75fdcd9023465efc4cd50cc5560e7354d1d542144d2450bcff08390b7cc55eacb26036239b193d24786fa118ab46eb34742807318de295f58899bbd636e6e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f627ef6bab107bb8a67bb83cb00fc26a

SHA1
40318147c26d6740bf9b00ea31eb459f640e84b8

SHA256
681fb4bf469111b1485aa7811b4e5b22e76ca91d25b93ab6bad632398a61e7ae

SHA512
b68b1f0dd81027bfbf6185935635ca5cf71724a79d3ec1ee8d56d7d47749b576981bcb2c2463a2131e19481f41d6a478738f924e8387b4dbd53536513abd9218

Download Submit
C:\odt\office2016setup.exe

Filesize
3.9MB

MD5
62c7dfe97305c6baa0752f2ff70c35ef

SHA1
7ce03016a6d807564c8059e540c8cdf701faca05

SHA256
af0ffd34bcdb7de33d47c3d7dadb160ca63c971f42174f634772edf8b2bda382

SHA512
e37b08f165f3c64c724d4a515d657f683cb739175fd291943b1f11732aabccc57d3d65e42070074b61f2977cded75f78cd4d2e2ea506006dd0f0b8f6a1f76f7c

Download Submit
memory/1028-360-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1028-369-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1028-430-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1068-432-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1068-440-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/1220-457-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1508-453-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1508-446-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1928-341-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1928-274-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1928-282-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/1928-345-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2520-426-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2520-418-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3100-59-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3100-52-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/3100-65-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/3100-62-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3100-53-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3140-327-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3140-386-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3140-319-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3140-396-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3332-404-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3332-397-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3332-403-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3332-388-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3720-346-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3720-356-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3720-417-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4032-367-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4032-303-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4416-373-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4416-307-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4416-315-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4664-414-0x0000000000B10000-0x0000000000B70000-memory.dmp

Filesize
384KB

Download
memory/4664-405-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4812-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4812-41-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4812-238-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4812-42-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4976-246-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4976-254-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4976-314-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4976-247-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/5048-259-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/5048-276-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5048-258-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5048-267-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/5048-278-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/5184-37-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/5184-29-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/5184-237-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/5184-36-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/5184-30-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/5240-402-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/5240-332-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/5240-343-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/5508-443-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/5508-376-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/5508-382-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/5672-8-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/5672-1-0x0000000140000000-0x0000000140247000-memory.dmp

Filesize
2.3MB

Download
memory/5672-0-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/5672-14-0x0000000140000000-0x0000000140247000-memory.dmp

Filesize
2.3MB

Download
memory/5672-12-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/5672-7-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/5772-24-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/5772-16-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/5772-17-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/5772-227-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/5816-69-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/5816-67-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/5816-74-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/5816-75-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/5816-241-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/5820-293-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/5820-299-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/5820-355-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download