e85b774546dce3d8ff27729eb29cce67a33b62907a9dc77d45c5649d116dde7d

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23-02-2024 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-23_ed5339622ae209d5cad98e62c677fa56_ryuk.exe
Size

2.1MB
MD5

ed5339622ae209d5cad98e62c677fa56
SHA1

cb93b157d0ace7b8ad7f31c87721b40f436c6ffc
SHA256

e85b774546dce3d8ff27729eb29cce67a33b62907a9dc77d45c5649d116dde7d
SHA512

183f5aea61d688fdc8f38b93cd01e1508bfc110c3dfb8e12fc386ecfb2975dc6142ae7f64c68549291dc8e4dc2090036b39a7cc5ec444385abeadafaa29f2a1e
SSDEEP

49152:La/3xXBSZ4K5MJ1LvTMxbfsYBYSgxu9+fw4TpRVlbnXf9gPTTW7H1GXC:7Z4K5MJabfsYN+RVlbnP9WXW7H6C

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4968	alg.exe
224	elevation_service.exe
4276	elevation_service.exe
1924	maintenanceservice.exe
1372	OSE.EXE
3268	DiagnosticsHub.StandardCollector.Service.exe
5016	fxssvc.exe
2448	msdtc.exe
916	PerceptionSimulationService.exe
3284	perfhost.exe
3084	locator.exe
4048	SensorDataService.exe
4416	snmptrap.exe
4516	spectrum.exe
1948	ssh-agent.exe
4504	TieringEngineService.exe
4664	AgentService.exe
2036	vds.exe
3324	vssvc.exe
8	wbengine.exe
4560	WmiApSrv.exe
5032	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\af5be76cea8238e9.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-02-23_ed5339622ae209d5cad98e62c677fa56_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78500\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F78E1BE0-FF5D-49EB-BE42-30CD3989C2A7}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78500\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a026c1f4966da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000323c861f4966da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004440291f4966da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ee6e3b204966da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004ecf5c204966da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000044da831f4966da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f1a674204966da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
224	elevation_service.exe
224	elevation_service.exe
224	elevation_service.exe
224	elevation_service.exe
224	elevation_service.exe
224	elevation_service.exe
224	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	824	2024-02-23_ed5339622ae209d5cad98e62c677fa56_ryuk.exe
Token: SeDebugPrivilege	4968	alg.exe
Token: SeDebugPrivilege	4968	alg.exe
Token: SeDebugPrivilege	4968	alg.exe
Token: SeTakeOwnershipPrivilege	224	elevation_service.exe
Token: SeAuditPrivilege	5016	fxssvc.exe
Token: SeRestorePrivilege	4504	TieringEngineService.exe
Token: SeManageVolumePrivilege	4504	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4664	AgentService.exe
Token: SeBackupPrivilege	3324	vssvc.exe
Token: SeRestorePrivilege	3324	vssvc.exe
Token: SeAuditPrivilege	3324	vssvc.exe
Token: SeBackupPrivilege	8	wbengine.exe
Token: SeRestorePrivilege	8	wbengine.exe
Token: SeSecurityPrivilege	8	wbengine.exe
Token: 33	5032	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeDebugPrivilege	224	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 2588	5032	SearchIndexer.exe	120
PID 5032 wrote to memory of 2588	5032	SearchIndexer.exe	120
PID 5032 wrote to memory of 3228	5032	SearchIndexer.exe	121
PID 5032 wrote to memory of 3228	5032	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-23_ed5339622ae209d5cad98e62c677fa56_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_ed5339622ae209d5cad98e62c677fa56_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4276

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1924

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1372

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3268

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4740

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5016

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2448

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:916

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3284

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3084

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4048

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4416

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4516

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3576

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2036

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3324

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4560

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2588
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
bbdd524d384293074e17a3b1de60a451

SHA1
908edc6590fc233c540390f53f745429099ea54e

SHA256
ebe9cc31c98f9106def5798358a1037fb8e4f226cf61c6b5691448be0356baad

SHA512
390a66eb9e79569bc1aa04b92781a07287a839684e66b4857282fddb05cee03e1d96a3643d6f2bb051bc6eb1e2c73720bcd50d441c9dc42bb0ef44c8ab5b4a56

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
ceac91bc4458bc038c3cdd9f195368d5

SHA1
7d914f51aa6b16b6c3eb1d5ca76a3531021cb303

SHA256
d208d603b42d38850cf8b83ccd020c3c0f5ce8ef777428fca8da62a93dd980b3

SHA512
5f7152bd7bd7f805253391b6de97646061968df7afb4329f9d978a07d04080da7f5c60482c2b830dfb05c1b6b4db0bf46d369c9b1cd9ca122527f7aa05bbd7b2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
e5134f31ad10c96b3a4047a7417cfb97

SHA1
0f2f7b2d36f7dab7596f37e8b853da6c1be6aeaa

SHA256
7c83ef442667fa6a59a0a5b8cdd9623b72f5435c6ed75a8ecdd12a5d246dd6e0

SHA512
883bd5507b2fca7243f486dd7d4ce474f81ade96cbb95619ad20f947e8c68e0d42b72da2de728a04f016b2da81717ffd2d8d27d1aceaf806cbfbfd3f36870fd2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a69e74888a677ecd4a6dfb070506eab7

SHA1
bba3abbfb819bf3bc578d105366f0c10060409eb

SHA256
95c73d30f1b8e87a97279208ea4621d94c50bf2de18a6952caeff26e312fce2c

SHA512
33018a70ad09c60a0468fbf6d6d8ffe4373e43b82d32a356cb39ec87b3811295ee38b47ea1691997c3aff662e48e728c1be2372e4cb35e751d4a50f00ea8a322

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e2b9ca763d967a4457d4044e7122575b

SHA1
4425d2980c2e3d218a36b950926cf711548eda01

SHA256
7aad21b8a5f4cd54d6df8d53636b91fc7ccd6d8d61a3c816938c1b0d06d1b072

SHA512
bcb79806f30ade65e8c2f6c1f5b5c92484610d306f2f270febe95a481b0c13c7f3d103ca72107f7c2ebc5a5c1a669c8cf9e8cd9d7c0614075b2e370eb24c5c02

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
d468bd79e555ee31d830c0d8f41c41c9

SHA1
f48d614797e5e34fac0fc30069db456697548cda

SHA256
aee9cb912f30abb602aa95b5ec49679b282e5e931e774335f323e2e85ef35af0

SHA512
1e96059731c654d79cdff442e69e95a537b6e4362c99c9432d2285ccfd9763cb94a7c81078bfeb7d5869d6baa28e97742abcbe16f0262c990593a80d2a8c0185

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
77fec619fa5af447ecadd69fca11a2d6

SHA1
8cedb577aa699e914a6b9922be33a497d7cc823c

SHA256
0ab2fdf54e66c14567d26a6f572421f4bf92fee1fcb05a76c1bc4190dc39c081

SHA512
4aa72f6b0e0e9e71db11e0a2d975fa57949ee7624adcbd1520da8e5e4ca75a855ce3bb481151755aa0790f713ca43f796f4f39b2eeb901f6877df60f88b5b69f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
af2b6ccec6e7a810e06b52339ab20c5c

SHA1
82d5c1f385726acdea3acda95a7288a18fe79f3a

SHA256
fff78767247b688c665c9155c4dc5eee55b8f788873873b48a71ca245fae8e99

SHA512
bc5560b9fd9a2ce3260b13df71c1654f9665f052285f22a2860e479305d83e8d49f1e4510151b1b4594066ca543619666bd6bb45e61201b7dcfb227b903b6ca3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
79d1051922b483823a390eb0532f1b4d

SHA1
475fc2ead5a8985d4ca8678eeda9fbea5d92abe1

SHA256
3bc21df35b05554d6e459072b51a91f19ea545699ec2fbb74b65f6bf793d1167

SHA512
a37d7cdaef419638b22231dfd9ec19ec535bb005318c3bdbdbbffcce0dcf6854f3ebfbbb6043db5a66a8bb0ccb9bf80796c1b6c5079c15fb460a0fe2b109ad43

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
384KB

MD5
2c22fdf5bd2eeb376556444eb1713029

SHA1
8b6afc6fef49ef6b36045299eeeca2df4e95a7bf

SHA256
37ec8b761576d41e487bce3b31fdf05fd7a309786a2126a76849ab5a7e6af503

SHA512
7499dafae2eadc7a7c0949ec4dd1d3d878751ff3452a8e1570c5b6f19fb50d885659e5399dd67523321f8a93aff0d5fdeac9b98cf5854c34f2dca61dffc13e42

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e21ab13ddc51ee39eff71ca2d7e27bbf

SHA1
0bbb156ab30bc634b80ce3a4d9ee13f867d14cee

SHA256
7654e8c84cce2ac4e2f4b52915de4ecde850c4036360136e84e541bb98202641

SHA512
e3a55b252a9adbc214c6bba31e82fd110b26af46365ba42bd517a25b51cc645ffe09112ecefa0e0acf947fd86c3779fe5167af3e0b9023c702e68cbb8c3aca6a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a03740225af304a2ed980bc29432a8b9

SHA1
6a22104cb0bab48ab4cfb273d3b677a2b451ee6b

SHA256
42eca10a82d5716ce6da776c027f8bba52d5bff9b2c482876359305e28360f51

SHA512
005310e65635b98fb8b02f7d846ee226771552451c7d8ecaed35fff6400ef1d1e54d122c6c616cc577d593de34ae63317b21988aa5b3f728003eb73324456b2e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
c83de5a95d0d6c9335929b52cf785c12

SHA1
34503b2f3bb7e1449b73b38b6efb2d578bfc26ef

SHA256
a8fc9b5254f2e4ce44d9f1596ce1e33457e1e0074d908685d5f306ca3994ed72

SHA512
769357df394ef736cc1f541fb1e4c8e5c8688c122ca8b855db69f700a810f541e66758aa0e993a514700acff0bdbd23d577d955c36c61ed4fafa27ef9b59c19b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
df711470ac6dd695c3cf3443bb7b8fd5

SHA1
f6ff8ad963d71d75849ae6e76d7eeb8e0959f298

SHA256
9d4fd49354dfa008719aabe930c4341ebb6892c9f5bb5a13643e9623c533aad2

SHA512
b7af10e0a4da400ff08b5146ac6b6ea60c266af7db0b8d5991b9db2dc6a7a56b8c4d571250b41adbdff88854f8394323f7f4506fdf73038815a42d6a7032e7ce

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
e9eacfb2a72a4def0310dee2847c5c93

SHA1
b458d8b67231f94559015a92b71b8ed0e0befa8c

SHA256
10df5644125602840dcdecc2bfdf8e3895d6b64f5e5280d074982ad51947a3a0

SHA512
0ae492fa36f75561c591395f5ea03754652866ef071734a35c6aca54ae9a86ff8f2e02cd60d3188299dc4b5cfaf199f00159fe1f62f20573fa8151a8959d0c99

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
019abf60bb3740c2613adf5afa7d1060

SHA1
94c82da5ca7673e12c85e66e70f071883681cb51

SHA256
b4de95da2704b65a5d2f2936d2131c80c3bb3d08e21a1d164f6597f8a6387e01

SHA512
48b97d86933216f2340396794cc493bed047e356ef31077297621ea4975d4262cb5376632122deeba084204a57e34e276c49e708f10813287046fb2cc0887715

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
579eca4eedc302ade95f5eccf6889868

SHA1
3a471c7d7aa420c96ec7dba822967f114e8acf15

SHA256
c24f7b7f81a553401eda39b52abfcdd8e208bd499d62b5542a867e6f706b114f

SHA512
06b11d243ffb490c5f5da32daa6422504fba6ff352f12daa3e8ac9e40d33968b015c867078f82c5076dc46a5673957e030acad3b8e2d0b0f3fcb7a1d6c3989aa

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
2a7787c71b80721ed0d5c15b7e9607ee

SHA1
c244c0aa4a8befb5387ca3bcc8e0e0afe7db00bf

SHA256
1ecf3cb07dd4f76a90a1256a526146853d43e6968212ed6c2b5e66818410cf2e

SHA512
b79157372830c8045f00a0679eaf1a55602a7063ef4793a1eb5a0de8dc35b06b278691075c4294392f8958cdb142b72a09cc2e85ee1caca98c52baf8c42b2f94

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
903b7d7c066ba9faefa3caa856c550cf

SHA1
767ceac09e6478dab7ae5b0debebe3ceb04c81e2

SHA256
339b8359e22e5144f9ab618cb6cb9af6a039f99b0d6702cab7881f51c40af7ac

SHA512
795ffb0f29b6cc4daf81f899085487c917586baf454f7f1d5319328d129470a5ccd8f4c7e9587c2622bdf41855bf11809346dfe13320bef02df3595e36e754f0

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
8e3b6e9582bcc9b3244558132ea003a9

SHA1
0c9dfc7a892186c789568837cb105e1280b99e71

SHA256
10f232cb6a4448ffaab33f3bcadf92a0412e6ef82f058da4ad3e7705ab9c1e54

SHA512
8740de79bcf2b99d5193d6e5af379d7ddbbfa92f7087d4bab383a442219ee08449b555bb9f7edafed5497fce7e5257b308f82fddd00257bc2f319678143c96bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
ea81ea5c10c7d353aaba5bbc89436751

SHA1
75c7d073fa62832a5bb79e6c62bbd7cf50357b8e

SHA256
a999f24e8b118c4f8df7d74c32770b0839759d18418db248263c0fa80f9fecb4

SHA512
cfe2b27ef1a89c1ba507ace384bb08065599c39b50c5f258c8bab41dc6fe766e1fdec13665f07ab6eaf6e2c2bdc7a57f9d3a270edc857c0c34a65cce7c2e3745

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
d58bc6d5c683d96c3b78a1ebec600b42

SHA1
1ef71eb1830e9908c9a521c7e2d0ed1a1197637d

SHA256
65c80ec84e1e44aaaea0280e6ad31e1828a23418b45e01695670418a96654974

SHA512
93098589bb1e2f86ee043884ebe7cf452cd4067e9b8178f22e96464432db7141665bf2deab8042fcf730c34c81a2e16ce6893022dee11ec652cf77b62cedc7bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
600ca42dc2f64750e50299273da85467

SHA1
010965436a495cb22d636940f36ee93e428a0614

SHA256
a1c07470d1ac09a07c9f0a1d470ea1c0113a158401edb6b7b43a54a074c875fd

SHA512
29f87a708b2f3c18729d1a3a9f240b3a9e96624c92ab79e40fd60c86a1b29d580a0787f694505ecb8914994b819dae27e33a4263870d1184875ecee6a98ff057

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
33c5db6e62bb0c1346a20cd975ea3aff

SHA1
220ffd2367588fc289348903df10cd0353d9e2b9

SHA256
27d6a2c6c285438015a2cc4dd6754f6536ba44dc30e5e1ebee59d1a060794f34

SHA512
fe7512102ef3c6ccd22858353bd4b309fd3533fcbfd9ce425430bf052f82724ee32ecc39a89eafa792f4e7d7806f0d72dde87fcde58351d95d1c7d3a784e38de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
38a0531564b0e002c84a48c65189aeb6

SHA1
0b94c57a7ab250217c8f6eefa059a59f5711832b

SHA256
c5788757df00fec63349e00d06c57c691f3c75af5007020456231beb599eb3d6

SHA512
d22eb0f062c972d6acf6ff4edba3b7ea3c0c753c860c72a4d464aa848c7f7f35c71e81e6e49274ace771a6d4e936d24bc8808e2dafa068649df2c9f702ec855c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
b0a222424b3e9c06d2baa6a22719364b

SHA1
27fd43048aaf185acf52d1a49404d13422f39d87

SHA256
a22497f9a4bc3c40398910b4f80e881fec33fbb2fdbbfa5b308c23c4e6ab97f2

SHA512
506b2303c073f39f2c41db80c413834688af6d381657f076e82cf9dab37d81273cb6c4f8e4d4790772724a7f89bf7d4baaca5bda5b54b3752126562d96b1b23b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
028e2f4d0b97593691b2aaff8a7c4cde

SHA1
7a0daf8c48bf9c9550eee8efa1ada83ff0f039f8

SHA256
b31dfd01e77d4ee7a9bae3ca522edaf5e9aeb395bd9622868ae28e40fb7cec33

SHA512
956c6fff2b29f2631204336b8b969b478387d687d8b2583ba7a00e12ac15e9a1e25eb97406d2f44b1244848316a77a68e37056a7461a82855203d6d021953d5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
d2fac3aeefe0cc56d7353e5c57cdf93b

SHA1
088250573b28b780205711e5a58d858b45717607

SHA256
185771d673818ec855ecfec3676e7feb44ed07eaee8cf1811f60a03c74c4d982

SHA512
108e1937224b5c18d17bfd43675135f95a707c3e889402f3af5ad62bf18c0e65501e2471f03a0380dec86f3970551aadb476032d3cd23c97d17055230df8e372

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
f1c877cf69b53e127ecd37c08245c489

SHA1
6207da3908e33db88165fb9cf6785e83408b60b5

SHA256
9b791aeee77456ef0eb9a5094cbc94b6b882d125b421910d39eef9485555c666

SHA512
f9da8aa8e9ee1cca015040f51599f1934df715163151bf5e32bb4f0303b0bd13e48d610e867101da7668c0853b2f2de6dc002ca70b0457b85a5446df21a24b45

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
9a481d6d5579e276968918a8dcd94265

SHA1
fb266e4c82ebbb0a1f4529eac2b5e6fb28d5ef27

SHA256
e34a7a5e5dc53e7b190925c1fcec7bcfd3f2cd8b4b4dd54e74dafdee6cfb88e6

SHA512
1913238626d6de87cbfced2fd5945fba79552c53efb71d011d7d5aa2ced7c608c322ce82f223595ae988f54b68b6dd34e7f9b78da76293f3a680dac035bdd063

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
7ff89c478c141e01d09608f36b0159f2

SHA1
d268038ab8587ffb122cb33e3d81579da586d650

SHA256
5b7ef861095b39e5e78d2c2e1297a083852a4ce8973befb3abe1bb77af3ecd8f

SHA512
b8ac88a957e7982400323944a35c1abc28750b6d740fef77d33549a072827bd82c5b91c566798817f4aa55a353a0338a9c203f7861ebf841c56e23f591d96699

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
9b16a496b64b97fbb09614654bed3593

SHA1
9dfc3d8a4771503688dd6478bdee84b564d5d3bb

SHA256
04a863b099265e2dc7996c1d770d7dc432860b8f34f368295d94d7e63604a903

SHA512
af3b05b218fd997f2777db9bf1c8ca2d469648c12b571feb4acfe409ec52bc4d1b83cca2b91c154474c82f72dcbb60ec9716d029d6fbc7cc2a279a477497391a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
9f335c5433f3d9b2a94176eb620bcbde

SHA1
909225a3aeeabf4310537358e767621b78450cfe

SHA256
e8a9673c9bcdbb20bb2ecd1efcf72067a60aa2b8c8b59bb545e8a320ef143a06

SHA512
031bff09e4c9b8d338fe8569328fe2ae9139d619e9624259a279778bfd02f3480f0e1cbb88f5de479aa75b97e1ef7cfe9178f0958dc131d91ceccec75a6cc374

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
9e1251875b1dd0ba20df9ace72e06488

SHA1
e1eca3372f63c4ab4c2d1102d04e808e045f0f3d

SHA256
480f990e33731ce49a8f10f0d727992ae3515852ee9e5f2761598961a0cc1d2a

SHA512
cea76bc79565183748273e4bff840187dccdfa737fecf443b1c0c5743cdc1d5cd2fe49772ab2054f8b12ce59f55c7c5ebac8bbd840941e142e7f2018314798b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
256KB

MD5
49a5ae533a3c5910bf78bc9b95cb6f2d

SHA1
5037f6329912e5340d03d57f4bbc69ffbe84458b

SHA256
cdcf9c96827c7bc632da362e5d073a691d14fa905cbf7251e59db7dad6c5676b

SHA512
ddea4be07c74d1cb810e3146e717ff136a770f5b500091d1bd9b1713cd85188c0c337ec498cd429bde28779cd8fdc6dc124c6b954f4923dcb02e216acedd08f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
256KB

MD5
66e0094be78e259d95b353caa1a45710

SHA1
03b0ce865bb25afc142861d2a5a3a4ce78644063

SHA256
abb58894c7ba85ab8933da59a8cb745a753b8a5e18c5fb582b5e9376f8f07dc2

SHA512
a55b3bf0a07f5faff65250da22066b415efbfbb642b2a818657c78e4a5e00f56ac8a9b2eddd55ccf7b19694bbb6f207235fd034bf1c7cc90b124674cb187704f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
256KB

MD5
102050fb1541ed28d154db8ab23be297

SHA1
e9fda44f452ca639cf13d7f1d6786e881b21821f

SHA256
69027e8bf498af54acf5189410fad7c67beab002d222a023ddb8b79e2bd567c0

SHA512
cc93cc6f9070c24d6b7affcf9d132fe9b8ba3640b7039bef7b1c3a7bec494fa11f9ccf736cd8f9757edd9441d19e790bf4c6d3a570145a87d4318adeae999e17

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
256KB

MD5
3da91f0ed514f93937f2f6bc344b5d7a

SHA1
1a2f9848af2dfa080d31bb0e642896f9925037fd

SHA256
14b5e5e747e5aa7d5c3e11da351cd3e339fc387608bae16823d47fd1ae3a0027

SHA512
d394664d6c32454b93dbb6eefbb8e02109bb3944072bd86234e5939e758739d3e927c5bf1a2a1c6e171a21b51f6f278bf941c8ccb0285879be71e6040858eff3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
256KB

MD5
788d57fc9958858fcb80071a63f33298

SHA1
c5ac8cdd1b6ac4663e5fb4fd79a7886cdbe1cc5d

SHA256
bdd68f831a19445325408f0e8f5cb277c90f11bb420ce41b2820b34db7aeecce

SHA512
eaf0a23ddd78bc4665eb1915d26ca86be26e996b85daf4a11021fb04644c2878f1b9cdb47a893e46818e89cbcbd08f2e4fcc6a8262edacff5a10ce5241814996

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
256KB

MD5
559041c82c3c022e53cd65c2003e4731

SHA1
46db86032d63da1e090994ab2d7d4569d4d73789

SHA256
a3102d27bfbf83effa1a16921f46ac1bf7bac95072b53633be890c44ac6baf95

SHA512
1b34448f82a2035f901f03e14b28a0f056e5aaf88a6406b83ff2f2acd75787dc1f7635f463151391a2aee5c8f30e6a474876413771d101bd0a3890eb67ce3833

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
256KB

MD5
299386574fb48c1a9e12f671b8bac749

SHA1
e142a08b5409bc3e49896cc160b27a6475e3f59c

SHA256
0452c3bb1c9f2d3c8031e8ba43bdb1fbac9e75f98e468be8cc45e9b18e09a3d6

SHA512
15f132724219a57e651fe4ffc98fda049d8658b0846240c5a26c634bfc1ce7d2f2ac50d8383bdecc2edfceb09f20f70d9712ef5503061bbbc66478f893b1c663

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
8ef3bfe0022dc4e5188237f5ae1194b6

SHA1
8d6b002c3fae8efc8621cf3f3f33d8289f9f6b28

SHA256
dead2ee6ccf06d968f1382779e07a44234001209dbcf44fa3fc25928bb7125ed

SHA512
818f5e1407f7ecb2b479f3296c68e1a97efb12df0dfbe545a0cc9b95289ef721fcf26c22aca2680aae0d1435dff5e222d21fe4957247509ec2724b69adfab19f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
710eb237acbffe6bba1d4d3f323be968

SHA1
e31da5bb09b7d7b0f9ceda59c749b1156a9d1871

SHA256
d2eac36b08eba1ede89c8a4d87890f32fda0db30fbae530f4447336804fdf60c

SHA512
0e46448f768608ba274415e822de664fdeab52b2c98f0081732ab7204160af625d77800b91efe86f88dfec061f5b0c6caacd97014edf0070fa8e43ad44351eb8

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7197b62175053b72a618b3e451653dc4

SHA1
7b01b8c7cf74e6ff7c9063fdfea50447ba0f5779

SHA256
fa72325218588d1afbbcf64a5f75b59da09a73d9e84c1f7f39bdaedbadb5c522

SHA512
0a72ffee198a8381baf4b675ab0c2b77b35bf0ffacb2af1becc6096e68f231d67c7243358671027fb51efe007fd2cbeff976cd6e086409fb79b709319a28eb22

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
528f35a0e423403f8c6ffe79c87a32b6

SHA1
22c4a5b5d24e19e97e7490d6960ce8584dc30d78

SHA256
8f3f04dd10d0306759e40e2307d98451d18251752f7093bb8cbb01e91d970111

SHA512
0c75f4d5e407a73bba78edc93a38b12af383100eefacbdeeb95f0d7bb5b93434fe7592dac4ea3c64bd3636722358178d337b9e01bb3f8a6485fb4e7e3015f593

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2f2a9e6bf783b7ea7c7f4d292d3dcb9e

SHA1
e590d25625e2a2279eaad8c48cde105bd00c08fe

SHA256
aface79a044ab5f2595da6806db4b67c22a747f7f3184aabb544b430f3a0210e

SHA512
a6f1b9a54c46dbcb6a4f621b723cf8ff17e577637141a8d12518a748bcbdab19bb934f584434558f53d1ce852b48d26e9fd46ba6a2db67c8e995646fc4d67a5a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
a1e5ad86b815457e9dc19032535f794f

SHA1
065bc8d3162409f0947ff805082a7882f6085dd0

SHA256
aaf462b0c351a8fdffeb1662348a24b4488f27f74c99ea802ce462041a960562

SHA512
65db61d798e244bde5785cbb7ee45395992ce82d32adaa06d0ff38744fba6291a577202ffe852a7251203c9e7e9a47b813b2a2b3da87d4c329f851ff8c59e51a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
f661478a60fc624fa34bde4f96472508

SHA1
4ebe609d5d5064962278716d411ad648ca51bb14

SHA256
261e285da6fa37a769f5b7e62eed8ce42072fad3e8839a8189e825fef006594d

SHA512
09972ec06b58f98621f737743fd80e33cdf5ca314c597f1122cb96195a6b5f02dde79164a894a419395eea622a8ddaf8ce3b1308fc9f43e24ea12cb70ab4b96c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
f570ae5e4cafae448cf8a4a3384444f0

SHA1
7d504199ac16d7fe4178e39ab1e8ff29ddd094a4

SHA256
3881b459a852d2da4962f5b17e7de6e2070a4a95d1330e00c766a54a65423b9b

SHA512
993bcd741106ce2383d394e710ff5fec729dd2ebdcbe72a9bfd3cb4f7a204ea175fb48730a1420bdd208b26cc06fe4c4b142c0a92116602dd20d98a32617785e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
bba28d5b54ea268452ff24fbcb54cbf5

SHA1
b32bbdbf7df2bee7e22881e15c3f1a4930062dc1

SHA256
41a7c3c0ce4a4683f6d38255e1bf5fc4b8af03db900b8ff94b6d79fb5490465b

SHA512
1f43b98c740ea1c0edeb0be91406986db5caff45711a7f4c6d0452d11d44f0d8a71c8d4e85d34f221f6bfff86777116d954781f99f9cdaa2e6aab3656229d78f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cddd2b36f9378aa58ca10b2976715563

SHA1
9897baa2159d2d275b7d81cd3d3a35046c430056

SHA256
95deb70c434b238732be0639c9c42a817568e51a8dbb92699c7d8e849c9b6ad3

SHA512
57e770445ee43d6866bd9bf5e574501b38392b9c530d95082c57bd6c0262216430c48d9185c1196fa04a7b0705d07b8877cc7f99a5618b1183f148c2e23ac4e9

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e575e5b8fa577d69f8e3b38231507d53

SHA1
1d84735da545ac6626210d877d7e1a0fadb47033

SHA256
8f968683e13b64c70f84f90c3927d98b8206b75bab8329c21b279e5a7234b742

SHA512
c6572900969c29e33135b92bd078e003e160b6645ff754518aebd07859109bf752cad4efbe81cca59e0471427dbf9a6071e95ac3cc2bf7f2d4f8dbbd5097a04d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
a0e434fd96b5f9ab95f89638044f8961

SHA1
7c9ddd0093e138e295255bc66671cd4be1769841

SHA256
7a80a9d3862343fad2451497003abf139895ca2042bae3dc8126182d061c0d5e

SHA512
ca58d3750e74ba0b73058773b32d3375f2c3ca74424c18e3450e9bd8cf8a27c70664279c1bacfd0d75b571b06a002c781679344308144dfbfca8af4033f91db2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d96b2b9c4ba7b565122eb052a7327bae

SHA1
04c35df77f22877b50a23ea6cb452cb6327a1e74

SHA256
db476d14cd67272f1ad9a75f667fba54ef48c2fb80ad3792b03aacd08b17b42c

SHA512
9cf09e2d33a51cb62f9cf79d662df392b35ebe9c213626f0a5b8d6d6eaafc2dd1696dcb74e6faf2d24b82a7d04ebf186c6b50bc3d1dd93a53c552be38df2a1c1

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
a736538981678aee3129b00baa4a0f21

SHA1
bfa42c7cf4ef22b5d62812c3d483b0f5e8988ab0

SHA256
a77c5b2bd1ad4a7174d4333011f4efd025e5658a385a9ee64de1a573604ca52d

SHA512
7e9391152b4195efc068585825a4041bc4a411d203c97d4602a11864f11134dc1a9c5e495b9ec726a9fbd74e055a1adc6e9fbfb8d4945aea7fade285733ed3ec

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
5ae123d390979406d79bf9d1f724796a

SHA1
6cca502648a48bfea3bbbd1379f1f9daa1e925e8

SHA256
c3147876351a4096b9aabde07946f585b89034f63dd0870bec66c58b5ee66831

SHA512
1c0734aae864f724546455351910a978400b960d7b0a3af961cf71a05733742fe6217cf9b0dd13287609b064e2bae1c8d069e8e7ec3c46ef777cd9dee31a7309

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
896KB

MD5
cc85c0b2ed0586e571b75a6baf8d8093

SHA1
6a0a8ef37d6192d1567a350fe92b53082a835dc7

SHA256
6e1b10396a8c23c5008716c4ae5ca4c77806ba4b18b60bfc0924ee216ec453ba

SHA512
b3341c9df3a764261b5a5a3569d3570a090ee5db64289acf3eadfa9f830175777ba194a077c4528d9a466104eac280a0afc364d781bba37cb2361f83d8cb18ee

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
d55faa9777f9fb77b7fc451fc3d44e48

SHA1
f4a32da6be9294c8cd83dd70c0d07d3f5dcfab96

SHA256
a4a1fdac3b985fba1d641609411e5824e44b2fae35bdc4da95dab987b55fb743

SHA512
05047e3de8831c103ff24ddf5eec14455f40462542cc065b22db09e0dab099ca015df425a278ba03e9723dca2a0ad7a0a00f76a358debf05f4738bc697b7b836

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
281a2f0d1c99eb9390de1180941d3073

SHA1
b340aa9809c2c951f7c6af48afac47c2f386271f

SHA256
d915837bdf5c2feb5c73d4aea0e419aef8ca7c9f60ca26b55313a0475a6b08c2

SHA512
d2c8e3145889875def431af057d44415907580c6334809411214633b3e38ce43f8b77f985ee8dcf5c64f00f23bd1a5350d34cdf87b3a9f999f85203184a3cae9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
2188b224fafa8dba737e4b2ad0123606

SHA1
8aa2ff61d1b527c6d5bfc347995810e1e559b202

SHA256
85e4f1b13db34f1d2ec9c045762b7250195acefaf7ffa9143f144285e1b60096

SHA512
c99c63e6d6008d3517a1b60edd2febe3a05dc2512e15cd6393554c1af7402fd8059e676456c9fd5bf2c7f1d201c53b2d209f18d353565698396ff1da6003f0db

Download Submit
C:\odt\office2016setup.exe

Filesize
1.3MB

MD5
e8ac41c2c22d9a173ff182ca158b77b9

SHA1
3d181a74bf8158d5eabba321e87357a8514fb4c3

SHA256
d14e6d969ee4554c5bc0cdf7d4f622ae5706917523945b62e7be6add222fae8a

SHA512
0bc42e6a8b47abaf57141721cc3776513f0b193bb78e09557bed69777251b99cc4b2f4dee2a9b2f9e388d53d8252a67fc21cc6c6db566b9f91919622be99d51a

Download Submit
memory/8-436-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/8-444-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/224-236-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/224-29-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/224-36-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/224-28-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/824-8-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/824-12-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/824-0-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/824-2-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/824-7-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/824-18-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/916-298-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/916-351-0x0000000140000000-0x00000001401FE000-memory.dmp

Filesize
2.0MB

Download
memory/916-287-0x0000000140000000-0x00000001401FE000-memory.dmp

Filesize
2.0MB

Download
memory/1372-68-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1372-67-0x0000000140000000-0x0000000140222000-memory.dmp

Filesize
2.1MB

Download
memory/1372-74-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1372-240-0x0000000140000000-0x0000000140222000-memory.dmp

Filesize
2.1MB

Download
memory/1924-64-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1924-52-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1924-59-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1924-65-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1924-53-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1948-367-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/1948-435-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/1948-375-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/2036-417-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2036-550-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2036-412-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2448-273-0x0000000140000000-0x000000014020C000-memory.dmp

Filesize
2.0MB

Download
memory/2448-281-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2448-338-0x0000000140000000-0x000000014020C000-memory.dmp

Filesize
2.0MB

Download
memory/3084-388-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3084-378-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3084-320-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3084-314-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3268-312-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3268-245-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3268-252-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3268-246-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3284-309-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/3284-301-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/3284-365-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/3324-432-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/3324-423-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4048-392-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4048-326-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4048-333-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4276-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4276-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4276-237-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4276-41-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4276-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4416-410-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4416-348-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4416-341-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4504-389-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/4504-448-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/4504-380-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/4516-422-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4516-352-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4516-360-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4560-451-0x0000000140000000-0x0000000140219000-memory.dmp

Filesize
2.1MB

Download
memory/4560-457-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4664-393-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4664-402-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/4664-407-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/4664-406-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4968-23-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4968-231-0x0000000140000000-0x00000001401FD000-memory.dmp

Filesize
2.0MB

Download
memory/4968-16-0x0000000140000000-0x00000001401FD000-memory.dmp

Filesize
2.0MB

Download
memory/4968-14-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/5016-264-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/5016-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5016-257-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/5016-270-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5016-271-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/5032-471-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/5032-462-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download