7eca90505a9483bef5f5e71113a4488b53f2e0d11ea9820a7b29fba185c56fda

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23/02/2024, 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-23_cfa98082c50098b1a06489f74c7943b3_ryuk.exe
Size

1.9MB
MD5

cfa98082c50098b1a06489f74c7943b3
SHA1

46a83027aa397ede098fc75b4439a30c21b7c897
SHA256

7eca90505a9483bef5f5e71113a4488b53f2e0d11ea9820a7b29fba185c56fda
SHA512

60d72e3fe0f5af4f5f3b99e032a72dcd102833e048bea72b88a568a23801ed5df1a469bf8e388f9d7afe2bc5de65837ffc2e46cbed76156ce26822488c770868
SSDEEP

24576:KEPxoECLW1RcD92OB3aLXkwcIBIbHoFZbevPPO15qaMbNW2isv/G:9CLW1RcDgOB3aLVcI3ZqW3ORW2iS

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5224	alg.exe
6100	DiagnosticsHub.StandardCollector.Service.exe
4320	elevation_service.exe
4668	elevation_service.exe
4988	maintenanceservice.exe
4132	OSE.EXE
4524	fxssvc.exe
5316	msdtc.exe
3412	PerceptionSimulationService.exe
6048	perfhost.exe
5940	locator.exe
4908	SensorDataService.exe
4008	snmptrap.exe
3548	spectrum.exe
5944	ssh-agent.exe
2392	TieringEngineService.exe
5004	AgentService.exe
5256	vds.exe
4644	vssvc.exe
3628	wbengine.exe
5440	WmiApSrv.exe
4788	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-02-23_cfa98082c50098b1a06489f74c7943b3_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-02-23_cfa98082c50098b1a06489f74c7943b3_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-02-23_cfa98082c50098b1a06489f74c7943b3_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-02-23_cfa98082c50098b1a06489f74c7943b3_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f0de2e68999e850a.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75109\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0d08c6f5866da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f44cad705866da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac7ebc6f5866da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007eb7f56f5866da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f630ae6f5866da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003edd1b705866da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
6100	DiagnosticsHub.StandardCollector.Service.exe
6100	DiagnosticsHub.StandardCollector.Service.exe
6100	DiagnosticsHub.StandardCollector.Service.exe
6100	DiagnosticsHub.StandardCollector.Service.exe
6100	DiagnosticsHub.StandardCollector.Service.exe
6100	DiagnosticsHub.StandardCollector.Service.exe
4320	elevation_service.exe
4320	elevation_service.exe
4320	elevation_service.exe
4320	elevation_service.exe
4320	elevation_service.exe
4320	elevation_service.exe
4320	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5220	2024-02-23_cfa98082c50098b1a06489f74c7943b3_ryuk.exe
Token: SeDebugPrivilege	6100	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	4320	elevation_service.exe
Token: SeAuditPrivilege	4524	fxssvc.exe
Token: SeRestorePrivilege	2392	TieringEngineService.exe
Token: SeManageVolumePrivilege	2392	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5004	AgentService.exe
Token: SeBackupPrivilege	4644	vssvc.exe
Token: SeRestorePrivilege	4644	vssvc.exe
Token: SeAuditPrivilege	4644	vssvc.exe
Token: SeBackupPrivilege	3628	wbengine.exe
Token: SeRestorePrivilege	3628	wbengine.exe
Token: SeSecurityPrivilege	3628	wbengine.exe
Token: 33	4788	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeDebugPrivilege	4320	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 784	4788	SearchIndexer.exe	120
PID 4788 wrote to memory of 784	4788	SearchIndexer.exe	120
PID 4788 wrote to memory of 1584	4788	SearchIndexer.exe	121
PID 4788 wrote to memory of 1584	4788	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-23_cfa98082c50098b1a06489f74c7943b3_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_cfa98082c50098b1a06489f74c7943b3_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5220

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:5224

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6100

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4668

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4988

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2060

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5316

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3412

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:6048

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5940

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4908

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4008

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3548

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1636

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5256

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5440

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:784
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 788
  2⤵
  - Modifies data under HKEY_USERS
  PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
aa9b9b304b70c51fd590f2dad21fc6b0

SHA1
b2fef2bd6cae529f449a7cc07a5e89f15b9496c6

SHA256
e56e25ed547dc8ae55bdc5d2284cd13c2b7d3d59ff6d0639ea6a8efec5f60e6b

SHA512
c78a9ba07dfb83553acc2e5ccf50c4fad7725ebde8444a2f638c845aec5e4b2f58b652d969ddfbcebb2903340e97d147f4b722b9425f3af929d6acf0e7b6d672

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
63d0a401ef7b2ba3513d2b14ca7743ca

SHA1
4f93de6b8be79a06096a561d5c871ae3a0d18024

SHA256
5b78dac8c0d3c48c8c8fdbf646a9f7c820703d2f4d3d2c43ef382785cd6384fa

SHA512
dcc9103ea077366d17e759806c2c7ce83866942c3b2a26929f8a8357c6c43e5ab60588d8b05965ce2bac0504fa1a7f2f1b3c21fb2493975a3f43cbec5c02352a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
f67dfeec9d5a8021dcfff1ece4864442

SHA1
d7e34449484077ea9b1b8273309dc258ccd74960

SHA256
2e08f5002c297a42b47c75054edcab3f15f4f66c9cb3bdc5920bed54804c8153

SHA512
312d8a654bc6257adb03b0f3f4a9e9851f677976108714e137071282afef429c7967eac611d137c5ffba4a7e60fcc3de1d8c795e2e622e31cd681fefb65f0248

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
be485f34c837d15156c294ab0a2f8b07

SHA1
d9b9da9fc08151a153160fdc13eaaf7fbce8b68a

SHA256
e990f1b251afbabd3f5d0537179ade9e5943da90a15d31f6be03d3bce4b05e04

SHA512
fe378d8b948f683fd91e71999be41a0819e8407177212f8efa78728fb778a22a0850d682063c1cd90ffb69e0241770b521abca6ea3cfcb70a07ef8e34971a28b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
17216db2ecd5bec6dec20d93c072e2bb

SHA1
4614900efeffe50671bf2fb3dae160c133a1adbd

SHA256
00a9f23c89e85de9462e3303954d6817cbc044c15ac21b107976852762e5ac17

SHA512
6b50534a5c6f01c31e993ad0bf5027bde58200bc857c68252a2f73d262fa4df0b779e0a3998613aa6231f4551255d7e13f523b4db5df3a7463be9a1324cdf503

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
b0ec336738131704cb90b32ce6f18ecd

SHA1
6a7ec02ddf247ab460a949e591131c0bb9e318a4

SHA256
87a6164cb331c8161ee069f6ed94f77f569667448fe4de680750bce173d86ccf

SHA512
435ca9b31f96bc739bc936142422bf456da6bdc106fbe6e0dfd1832a4a0525d01fc0cb2439d5ed7a71ffb0fbaa1ed98559fdb8f73ca21ca45a9415c24d0432dd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.2MB

MD5
827a048298683220027e896d85c3488c

SHA1
ed76c51db2133219aa57903d0b5ce54520d2b1a3

SHA256
7063a4f9f599dc151cb47f097190e37e3c26bdde27423ba506a04b80d8910376

SHA512
6cfaaae05c49ddd304f63d9553cca64262a07cbec26b9b6cd1a6520dc922e0fbd103e729e288debce3b0875b101ce109cbe5a737bc10e27116fe4d38277edeb8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
1.1MB

MD5
f7c00dc035fd4699f3fafaeaf0ef6676

SHA1
c099116a54ccaf52a4deafc87b39fbcb999d94f0

SHA256
1c61a80acc523f11758ab213faed6e92e49abda348ad5b429a47e3b6488f701f

SHA512
b17868811e9d0c778aee2630c8a625fa04de42af3c07cc9ab2afc057868e6b501553beb168987cc35bfab505a23cd10168402686f8c6912d1db26b9807da03a5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.1MB

MD5
c8f5868c633af496ecbb2a3ced82767c

SHA1
31da48f8b3aef864f895f6b6599fef2e78b5ad35

SHA256
8d19d29b111982933fffbdaea664ef2d818ce8d3b645ba79f69088328cfee55a

SHA512
cc39d10b784b019a1ceb21b0100a326b123916de6406025a38773ffc4aa7673e7f123e44677e98b3ee8fdaf28b3fb0141aa7acb14109b7b2ed8e3079c16dcf18

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
1.1MB

MD5
c03129a42e9adc832c5ef5635c43b0a4

SHA1
cce4b63ec49a93bf6688bbab330dbd26573c8760

SHA256
e8ff99f04afed0c0d0db509a5bce6ad83337978b403bfa01e19f420be3351c90

SHA512
c222246a85fb91a1f902c98cde87c31072167e31f868ef57f3d0d15c3b0760fa531e364e8a54d11dcf4d15ecddaf6d52e547e86a95cef0505f532b41d57435fa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
1.6MB

MD5
c56d9e125c66d9c8ad9ce395e609dc52

SHA1
338e8940dbd3b573ad8d752895bd66cffc12f897

SHA256
8a73aa25eeeb348961c51488e1ef870861d29c09d6b612e198a333031e8cfa0e

SHA512
11453442157062789628e2fecb42c74c6d3454f1c31f304f567dfbd62a451b3dad3c58d4b5dc0f2ab41566759c9fed5c7b5946b2284a6be95b71e83d106c5170

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.0MB

MD5
97ec555ad68295d6601b5aab74b61078

SHA1
1f3e5c18b9263ec308f375e0b31f1e7108753912

SHA256
b3ef7f86f6359e1003600257d9c0e650d0765341134a580f0e5d764c77ca3114

SHA512
2bbf8c144a03d22fdc92213aeaa4d295d06f7cb6ae3f83ba2269823e006b8f0b627df6dcb7ad6911c649a9d2f4b337c3d75401846dbdfea8d5e114ac6eb31940

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.8MB

MD5
ad0bde9516e4dcc9322fc51919bf7245

SHA1
55ae4454490b18c0b7bde2f7442a70fe8e9e29a9

SHA256
275468cc6eecbd841ffb1244399b723d5357205fb3ad017728329cb7bd784066

SHA512
2f15218c00e133500cf040201a7d7b5a2b65c7564fcc9251b8c187fe6c139710fa83a215b6ab0242440b2a1a23e3153991809ee107823bc93e9fdb8c7460b848

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1017KB

MD5
f0291d94f9ac6ba2bf070d706487c6fc

SHA1
f626d13086b0fe9ff9ec7919befaf6f04a355574

SHA256
640638b833a52fa1cdf608e142c0a854d3a99bce871251bd5c706a6ccc93be92

SHA512
f7e475759cf0b70164182678e3447aa50027a9f3675196ece3e1f55d73d28c00f1b0ed9ac00fae1652c871a305511b4ed65cc3b162b01dcf025f10b20a330b24

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
1.0MB

MD5
ad8d7fdfb1b11fa8aa5d2f750be75ca6

SHA1
9552e5a49faa82c0dc4ff262b8faca79c4317396

SHA256
c721f333b24ef1ca5d01cdcd38e3a67c6e66abdcc9c502681d4e4f494cf1f26c

SHA512
964e79b53bd8bc6e94452742cd78c38df286d72059bdf947eff59d48e58a445ca08ad34439c5f36dc4e33da99097eb300320cc300ad8587185db472d22e68c19

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
915KB

MD5
8b73bb77e4fa723fcbcd7754feddd891

SHA1
eb565b5fcc45f25dc0e90b1144b95a93bf60c2a0

SHA256
505ee40380a30f421ab0e465013af2a4acf2169f7816749d31b3ae5b33467ced

SHA512
c9d04758b6e24e70ad66678b37cd784eaed3c6972a303cf749409cda313c74f2292a960d2c2391ec862f38165d5b178611ab42012e82161edc28859233a47e87

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
1.0MB

MD5
1c5d5e7dde66c6e88eb66d4e50cc90ab

SHA1
e0095fa48ff57e06c4ade5a177670747ba943002

SHA256
ca99cc6d442dde5422fa5b2508d8fe3c671a067e2ef959227bf39bbba2edbcb0

SHA512
987432a5edac6d201354e9b5f89b81cec18eece7d600630fd13c53c352a672bea9498c3dd347bc942fe2b5c2bde26b45f8534b3ab6cf23c7b9650a472d3f604a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
512KB

MD5
f981e3aabca5abf558bb9c855f662164

SHA1
4abd9824b35cbc21bc994c57e58f63a574322db6

SHA256
0d0002f7131af0db784b2d82bdd5d207d3290c51c75d577c1afd5be78a4afee5

SHA512
5dd9c7cbb76b36516595e217843d94e0eead67e6039932a68d9a29a0cd23e0abe7eb34b3650acc8435f7d72c4df1fab17cb3e120a9bfc2b3d8a250f57cf16d35

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.4MB

MD5
be12de7cd0b78c34572667fc4e39ebbc

SHA1
40629ddc8d172fdf6e321c54c53bdf4bf093a11f

SHA256
4d4db9584fdfc56e3aa52706e742df765699e794a0b6b6f8ac27a4ccee465eb5

SHA512
ae7c2c746e53d3f85fc538655f3c405d159b3bd970cc39649b616d47bce9ae03213d42f663b3980d8a251fd9989f4e18309b4c47156c1c57f807c7fe835e031e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.3MB

MD5
fce1f22b7002f3a3031d30224c6fdd17

SHA1
027c1c7eccdb9c5c1238e77263c31babc7f961fc

SHA256
176b52b54098f63b56340dfb93cba62957d6e3c0b9a1e4b2bfaf135336d128b6

SHA512
a607c7aff9320aa08a9b8edc6e43dd3c65a8331b3abf180ef20ccb04b8fd0e21b3f492bdd87f587294fa69a950d66d3adacb04ae109a379e68f1d2e095282911

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
ec6f90ccc89a840e5e276f1176588dd4

SHA1
99a22553b40df58aa0653dbba9e242fc7562ce24

SHA256
7430f51d9b4b3cb87481b9e222dca22fa685c6f047660ebc8daabf2c6a69be31

SHA512
4057342a89ac4cb7ac081f9aa04d9dd2653c85dee92f2d175f46e2a7b05767068655cebc3211a0d404554d213e5ef8b32892893f268ac9ebe6e7536ac1d13145

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
6016228100087f3e458bb22cb09a72a7

SHA1
c8a646ed672e7ed415cf87e0cca02fe9a2d16613

SHA256
36d9666c4f06281ff9dbec78b83eb80e3e972768fc2cf64616b595ec327d9887

SHA512
ceb626f3c76a5da0412808b47a08f86467236a572b3e753018498faa05f57e7dc0be87bfe34744b5ec8d915f3db3e1aab5a0340cb250ba6d6885c36168a09dba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
0e12ec4d217ba32d11a9c28f7cc3ce4b

SHA1
966d96b50489adfb189c2b24d0e05ba2e24f2ec8

SHA256
19f202717dfff41f2fc7b175c47ce8bb31f9fa6b5d9a9d844a66599a91fc2b94

SHA512
3ad7e0e57346686a28302aa2ad8daee5dc9b325130c5a188b9e896be0c8c8a565197a9bdba55533f05cbe4e22b3a0941b6cab8861ecdcd3524a1717c74ec8386

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.0MB

MD5
d20c74b396c676d305262c0199c0166a

SHA1
a79d3f5405b13f964e4362195fb7ee9a7c5348be

SHA256
660d64d99e1e0a4dc2150397624568db1fa5a8b44d749f64197651cc10f68a74

SHA512
e425d5112e23bf2aecb1d36fad4cfbeb180901e45476f2094f6e629f6eea65c2d9699d3ef9325b214a5ca39539688d1058229432eec0d36e1a23a1bb023dc49c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
edec3528aa7416b7da107cacfa623153

SHA1
1e653499ade45467dabe3239f55949ae4101b773

SHA256
bd00fde8d69eafd154fe9c8900c3d1b23f01d7ffe2060d614bf045a7f01e6b5c

SHA512
be86d6d19572a7741453ac62c68314ce49b3d7e95f584ad66dce48f3984d32945b055017f25cb1678ce3cd8ec857bca217a32ce46d68c89e59a4e6babf803d89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.0MB

MD5
70d567366b962823c1d4f14c65fb522e

SHA1
09b996e19f83438cddf1ee3bcd958309281fb7df

SHA256
c93882b3811b13500abd05cb123207da4015d540ecc4f8f66926c7259fdbb434

SHA512
badcf73207fd4a7419d3305cc4b47924f9db32c8d1d8101017c9364e96d4848e0496a4d3cbc8519d67d10092815117f3d2ef56794671dcd9f949472345002723

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.1MB

MD5
81538125aeb90075f027690067d231bc

SHA1
ddb393d798e38da1db73ba912779b3acc5790dda

SHA256
add23c969efee896a0ab0e8fc8ec6464684cb20171b0a39f026fb5624aca7790

SHA512
b023bb79c4f480821855d35f98dd0103c2f78af1ba18670082e6ff074e0b3c94eae0c30d613973a1ec0ca43835007705955ce905e464072dd770f2848b92ca76

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.1MB

MD5
bc021de22b86e4dcdcc7e37a378600df

SHA1
50d1b35f7735deddd7d777ffd9020027ed455170

SHA256
97af2bab83b194c53aaf2e58027ed4f98cc5394454f0fdac8eac333ff286fab7

SHA512
0a2d60a841f14c9f20733bb737686db4d7e35418b2e3da09e04b785b3e817c73f0509e3669713ef8fa23644963bceba19e5f4e4e046d9163dd9a2f410dfc0e85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1007KB

MD5
ec3de61fadfff5a430b0e1d69eb14290

SHA1
49f449572e08cda16b052d20e43c8a0bf55a6989

SHA256
3fcc7aaa8ead40b4ecfdda8a967c212e2df5c3347e2eed8f520637be36dcc5f7

SHA512
4fb04b9c0d061215e422e0ce28217e60d1055ab1f99398e9862b68f41782847d09aeee205e812147229a3f92aad034a2f8ca18c190f556461441cc86d2636050

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
802KB

MD5
7d1e20f236c14cef5745905c6b5f67ab

SHA1
59eb21f477cd0982eb510ebe4c36117df1443bd2

SHA256
9b5100375bab34f7cccfae75b6dfa69f70435b9c984747eaf0200c67db2010b7

SHA512
98b1b114f2bbd947a7e19203b1ad80899176d6e786102a1e6cc13f925b036d1df44d22bf0a62aa2843a05aa104250c6ff0e92ceac6e7cb3761aa7e05faea3b85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
925KB

MD5
b266cbc2c7dff9330ecba8a96745416c

SHA1
060ed89c83eb31c2c180552bdcdf44e6addf5425

SHA256
950959e059b0419d882f324d9ba3b2f2d54ad2350e40a09ffc04cb32bbb89aad

SHA512
166c4a760f4d151e25851e152af2895eb76379325d043368765f5547ee2b1556479a4d6de34abbb5e45c05e1f137528047cbff436cc3fb95c298327b27bdc67a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
925KB

MD5
0e930d80e703ee90ba97bbe16d094da3

SHA1
0eb099c8c0a98e35c9493c223f9e5bdb0ba9107a

SHA256
420911da35e5201f631e016a8af377f7dad4e28f68f91abd4c33b748e95ed066

SHA512
cad936843740ff7375e0d0d1499bc7506e268bf1d8c4d94ec20dc6bf565d2882ef447bc13f8739922fef0838b40586a78185da7eef22ab09f902705c3e7ac269

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.0MB

MD5
13ebfeebeeb492eb53fd3c12575cfac9

SHA1
efa4572cdbdf9b8e83ea1b640f90f6eb59643a86

SHA256
0974a0697cea70f9478dbbffc0e0d1d2f64b3a0c68b3a8f101034eafd443e755

SHA512
549b902eb73cb83e9f25ace824f2b0d6794c25fe1327e7c6cacb107e138da85ca2c6815539f3d4379c3a9da16acab6d47f8a005a8d9ccd4b069499129ff02deb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
840KB

MD5
273d19b48278f0654d5766607af9b97d

SHA1
07f6b8b3e023c0936da5ed459824f47311814b21

SHA256
d474da5ccd661265ccd754451eeeeff08fa30227773486c00daadc7653a49aaa

SHA512
53908edadc3bddad6f6cc508a8bcd1feafbdd88b2a6a31d92ad3d59196c0f588989b8fc47de342b6252400fbca82e6a5998cdab1350c0e94149b0c92df257657

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.1MB

MD5
9edb87fceb0937f9badc9f94f351f381

SHA1
282249c8b03fad131c8d9d469ea4754c807d9fa2

SHA256
970adb2772a2ebaf14b344fd8f375653c056ac5202216111bef9b4113e4e29ef

SHA512
c25c9de0bf875b74793e5a14d279113997eb0a27c215a2d507c31cf1715ee825472995ed5a1f93eb6029a9c1c94f53b2ea6e2ebf97bb8fe8e8b21e5493bb0e01

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
881KB

MD5
7622f854c2d5da136e4ffaa021b84812

SHA1
803248775d351edc0ae899631f5ef34107d45cbe

SHA256
f3891291271194719a1d50a2c735ffa19c3b3af86a5b4ce3b5c1a0d7c0e590f9

SHA512
4e93c3274d8e6fda9ea51241dc8370a3367c96bc0badff3d363e4df835ffa282e10aacf9d02152c7e4a98c824de0099d06f492a7ed8395dd6f0d7d65245d8e15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
806KB

MD5
2f4ea2ef6e564ab50628462772c0b490

SHA1
da393a8179430e85265ca42467a7df9b4d7c908b

SHA256
4b771fd987e8f8f7abd8476f7fb950879b88a2417eb50e7146fabc5e4e9537e3

SHA512
c2d42102cfbf2fefbff08467adf41d4138ac0eae96cc774da78e0b37d528c793f12b92ca481039f01b000f95590e13b1f87585823549e901ad76218763a8b255

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
727KB

MD5
6f37f3f0199e87aad636ac387672b3ce

SHA1
6c34e6b0dbb1f703f2bd30f90bb25cbbb289cd54

SHA256
f525e4941b9e5368506f62f24539219b816b747e286e6a0c01d8d39de7af92e6

SHA512
7a7907409d06d224a07af76cbfbcc8f31a729861e18efbd2044466bb16fb1fae11a4980eab248feae11987565a67fc0fb65fc0451263e0089be36b36dab42e03

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
888KB

MD5
29ca7009ff72fb38ebe77321ba87def8

SHA1
fe60c8fed43ae9236cf53db8a6cbb60de141bd8f

SHA256
e3ff9750ee66e4fe93af2050aa8bee40419d401de326c4876f662f5f4adbf965

SHA512
42fdcb49718a30ad0f7fecf8a5f67855cb8d6d58e30f71c1cac48c549f5143a5576355f9e68b5aa93050227d3692eb6a4841080eb777e0623b5df0a6e0e44645

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
808KB

MD5
67c3738480e379cbeabc4206b22c0b8a

SHA1
16c1fad10a99f7626b9474ba5f4215207c5f96cb

SHA256
0f0ed8fa1ae2bb1669081c80a10e21a1eed8a9a389337ffe58d6c2f4e82b59a5

SHA512
27857c598538a1f8796c63a1bfd41a4ee85e9ee248dd0a0599f12b89b39924afd62ee8f563a22da00e14ece7f15977441b5f35ca6ffe8e631856d0804d2e93ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
773KB

MD5
d6c2474bbd7ff8ab02669023060c5c12

SHA1
8cfc5ab3bb9627b3083930d011ba41cbbf40e764

SHA256
432347c9aac4a86d608a57bd92f9ec0833d3fcc72758edfc25f91f81cf8a0f6a

SHA512
d08b13674c8d802d1357b6a69ac5758ffc375d2149102f52124542f7041b55b03c333169c007b198a12c6545530f675b2f92b77518886f57dd54b5e38733795a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.0MB

MD5
837cbcd4b293da5e790eb51f4555db55

SHA1
78942f4ae38b87f265d043e28544050350012dd1

SHA256
14ecfd30b706b4366a7a95e15b51b51796808c5307e6b99e34f5b33b71adaabe

SHA512
eb179c37de15d039beaf658dfa1724ebec104e35ffbde502c079b82d016fd918030426c957af48178cc326beee9ef2c5f4f7e6fac44125a0493cb03f5dbe7feb

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.6MB

MD5
84361925f72ac974add75565803dbd83

SHA1
215fbc7df9bfcf5a3f09e42ad16fa04801adbcbb

SHA256
b9b846fa3cfac1d8e520b16663184f34f188b08dc3d91c76bd09f81a18362387

SHA512
c52d64aa55dda27aaaada78cf5a20894eaaec3e0dad50f2b3488d094e2b4df6d591af922d7cc7da55a0558b67fdf82c2d0a47155f6af98ef9287f35eae38c24e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1229251bd9010d56e3b33359a949f34f

SHA1
46e70f17970c4f86e279486d673099a17d940b07

SHA256
bae3ce63c80914dd196f8429306e86cdba5a1053366dc133779138bade11c09a

SHA512
bf59d2de2176cdc20dd2680e2ee43f75c3b41bbb029cb2573004a7107ac72fdebc0f08de2f89a9282989808bdabbaf42b748d2b7867e2d5be5e6adb4a01f8be4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.6MB

MD5
f9a72c146e2cbbc9ec7a153ef7fb5cb4

SHA1
cff3632faf36ea561a79c581fadbe3631277caf1

SHA256
a578fdbb946607df726cbd69e63e23829bca87e0c6307cff9222813a0e4e4967

SHA512
0d7cd5fadb63b5d03a6a281b3c1bfb849ca061b3903b6a2bafec7fd0144e9b434da066ac0d08f0fa47545d05ca96295e1f9a95d194d9c71720f610fcae359b28

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
36749ad484935c2f7e76ac79144a72aa

SHA1
dab0977b9a928bbf4d1704b43b69ad596b738550

SHA256
cd14db179692bf8e4f4c55d11041aa5c36bdf91d3bbcabc3f53d8fbf69a6cd85

SHA512
7476f885062f599d4316183873fdfe3e344031eb1978789abcbb96618a9682d810c795d27c4e5e1ed2b5f3708310353f4230448867324687ea650fe022bd3960

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
783cde39ebd85de348f86ce06baa438b

SHA1
3610e8e4a364b0400ca035c2b9349bc40a3391f6

SHA256
b74779e498d51d3605ec9fa2f5e18382485d2df8c69b952e4d2dc5c979f58f6a

SHA512
4ea5ff520cf8ac0f5b7feb08baf52dac1d6efd3d57839db122aea4ea0cf639aaeeaec0869688ee1f6a97ad1ffadb2c69c1228c4cda3932f9a2ba96a369762920

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.9MB

MD5
874075b67481e70c3d42ce8c5bc9e46c

SHA1
20b37980f42bfc651329b238fad40dac7b2049e2

SHA256
f7468120bef3a754af6eb06234c1f4c130be514714ac49b84b0ae16e24fa8f03

SHA512
b6ebbb33216fa33afa7f361c86d1f96c9cb8187ebd15a75ca2c5a2965f40218a23f6a384c0da109ca7d2b425cce0adc12633f6a54bb9443118263d934668080d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
cd83e3e72569b1f7abe90035c53a65bb

SHA1
c47ca78489fda79864a2ee77a07ff49444d87bd9

SHA256
3d3c4049314453ca625e8e33ed75439c846b667e7343f75844a109ecd7a65d19

SHA512
1b47e1f9d08c798e04558de7928159b95551fba0c613f242300e3ac670aebe3818af39df4357d156745569ba5d381c8c72f37500bfa9ee299cc9f55c8a48dc79

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
512KB

MD5
bd9a0a77d1f98fc99395150aa622abb7

SHA1
c5bc7609765382a6a8bf2ed07a339678f8be5c4d

SHA256
0c62658db05e8322a3e76836cfce02358195d8346d70ff4332fc702f26417fbb

SHA512
f5411c437c50a9690d85b9043d9857365679bfc50bb4f46c3686e3451c27a30216f4feb12cc8de202217253e60389bffc1b6a98e114eafce2c53fae1cf3f00af

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0fcb053cc8b2065459addc6e6498f073

SHA1
11aeba1b907ae84ef640931251daef6551e6fe31

SHA256
f3be750b38bf429f9599841e5d97dac42b05d56090dc3d24ad34f1285445508f

SHA512
4a48dc900ea5572a24eb4e3e23284930255caa6cc7070ea4e4d652c07d0c8d9a3f006f2198d7ab18a52e9308c1ba8690d994034abb1d153f8a314a532c9ce756

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b8871768634ad102cdddb2cc62f3a89d

SHA1
d811404cd5ae2b024814a3abec62acb9c3c6c223

SHA256
cfbcac769bd5664414949fb1df4bdc3f71eb42a24f1198700fa245e7e7ef3ead

SHA512
df53f2b11bd59f2ac2c0f3058dd46108e1dbc6d0e977d95705a7e3b6ad55a601a01e32266a0a38521c4805cdb42def0420035f28e993c3e87614ba4f553b850b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
0a6c8fa0a5b2d3dab55457eaf7daaa87

SHA1
968b1e206108e0f6771ca2a64a32b1f1efc23efc

SHA256
68a2ef11e0bb370cc1d986b94be190b9e705932ea8e146ce0845dbd09abbe9b8

SHA512
cc2b8aee12426a097e11374f4afb23c17ebe646916847f89abcb470f3c5311cd3f47c930cb2cb4d3b823f11fdb83f72cda507646ae958bbe29eee7a12c476c6a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a4c7d2b147d33408b93bb4792be31c1e

SHA1
3e4e69521cc8a42e52566ff00adfbd1a5fe707c3

SHA256
bae7a9617ae4f75b2dc19ea5492783808b25c5573270583a08827b8191a05720

SHA512
9c8fa93644ba5227824aabc7d66dbb49fe39676e367d9dd21d6af0a24e910dc3aab0b4e032d4be3d3049ca0ccb80ba40585a8496f3a94f093fccb4a9e412afa3

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.6MB

MD5
f54918814d0b0ddc539f78c761d98af9

SHA1
2fc5e52040d3767f74d9732d6b90193fde78dc8c

SHA256
cbcf73518b1e1ab115e7f8745e6494ca9aa97e632fee42abc3f7f08d92f07a12

SHA512
ccc5a88b79352540813e4ffaea3a9dd4ce84796ef68e753377170e8baa2600946a22a05f3c674cca3dc56aa0c98b86a598216a9dc06f768acec909697625867a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.7MB

MD5
dc0622897160bdee816fee6094337b32

SHA1
9fc399381045339409f37d9084070de29dbff5a6

SHA256
a581f5b60a41d7ff43014a5ef6c31e61bd05dc0f57cde975b59d2be7a4d347ce

SHA512
f1e55ab5498c8dbed4b8ae9bfb973c14b8925fa2f8ae329b7a7cb57d108c0d7c8939fa58572a6c48279ca360142215b24eca29c309a7be2cf806bbfdd9393888

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
0563d72279aca5d054f184a7eb031db2

SHA1
95c5fd7f490c09e4eb6695fc882a637bda716f17

SHA256
7498401b58bef2cd646a6d50bfbd962a50058e0924db1c2660a37dd4af43999d

SHA512
4fd9cba223be3edc4ab42cc19553938031af2b76d4c37e7985b60a5c0b7455103cfe9e1c8b370c9d59ea748d92d624fa89796d02ca79430bc58987ee1b8106e1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4560eac37e02619d655a0c3055a0aeb0

SHA1
4dd8023f1fe3d96c712a13f5d3748bea8a218820

SHA256
60424f5a2d7d1ea1157725341300380397284f7f9466c29042ce351cb5d8794b

SHA512
fa8aca1f9debb31a381a4621bb1b85380807a0def95591cf5fa2c60ef0cd9749a2ac73c3d6d49bd0b0a610bf225443a375a12e2eccf760eb98fe123451f813b1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.2MB

MD5
0b636616913f7d414051f47d5578f18b

SHA1
92632fd7f8391f02bdcd9cff501a394e6a83deb1

SHA256
4766da49e76eb84039894635da528b0700816b311d59f2d9eb6b8f790b04b17f

SHA512
99dc95d7c872c254b487a3446742af76ab27c68447085ce2a5557a0ac2c01f25ef7036983e4fdda92219b247d5e03cc2ed4e5a99a872a49ca681b5c0c37d0176

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
1.4MB

MD5
3a3b57ce99d62222ec1e59b39215c709

SHA1
db8e6a350b06d9f6616aafd643d7959665f31cff

SHA256
5d666f1c25fbb6f389ea4a8dd59a2f353031b8ee9d345d3d6b3822768b3c6496

SHA512
e0b8c57e444aa7ea6492021d7d1c1904d007b42e7c54d456e6b5e7fde2e292863153d4e6cc437b3ce66b5df8bf4f11131a94fa6648ba6ff1f3e7619215fd25db

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
768KB

MD5
877e1af62e6f49f59c48928456a5684f

SHA1
ef0d7a6bc47e9cb6de0fe406fe9d9a83324bec0d

SHA256
c1f411519f4bd7cad936fb6c8ed8ab027601fb28ebf6bffb3ebf4eb741806dc9

SHA512
16612012dd017813f1059517ec634fca399066f24d593c6e1fb0d7133c13078759fbbb61abd657a4a81c6f66c406779332944d0f4c2583d2fff851ad34468136

Download Submit
C:\odt\office2016setup.exe

Filesize
1.7MB

MD5
ae399de360476d68a11ebf948c68900f

SHA1
fa0864d15213030257e904e9911c3123d9ffc7c6

SHA256
0cb8916977fa11b8dc98305b6d335e8ac857bac7ba6d2c98b88c34c8b6360c5d

SHA512
9bb7ac495a81dc9c58e06de54049bb3690e03565b07a8af6b58152454f38f197d84df0d8b85a44b6e0fe12bd4c12c90605220dfd248a8bcc4174cd00279d1b3f

Download Submit
memory/1584-433-0x0000017EE9A90000-0x0000017EE9AA0000-memory.dmp

Filesize
64KB

Download
memory/1584-436-0x0000017EE9AD0000-0x0000017EE9AD1000-memory.dmp

Filesize
4KB

Download
memory/1584-435-0x0000017EE9A70000-0x0000017EE9A80000-memory.dmp

Filesize
64KB

Download
memory/1584-470-0x0000017EE9A70000-0x0000017EE9A80000-memory.dmp

Filesize
64KB

Download
memory/1584-471-0x0000017EE9B00000-0x0000017EE9B10000-memory.dmp

Filesize
64KB

Download
memory/1584-472-0x0000017EE9B00000-0x0000017EE9B10000-memory.dmp

Filesize
64KB

Download
memory/1584-458-0x0000017EE9B00000-0x0000017EE9B10000-memory.dmp

Filesize
64KB

Download
memory/1584-457-0x0000017EE9A70000-0x0000017EE9A80000-memory.dmp

Filesize
64KB

Download
memory/1584-432-0x0000017EE9A70000-0x0000017EE9A80000-memory.dmp

Filesize
64KB

Download
memory/1584-453-0x0000017EE9A70000-0x0000017EE9A80000-memory.dmp

Filesize
64KB

Download
memory/1584-449-0x0000017EE9AF0000-0x0000017EE9B00000-memory.dmp

Filesize
64KB

Download
memory/1584-448-0x0000017EE9A70000-0x0000017EE9A80000-memory.dmp

Filesize
64KB

Download
memory/2392-323-0x0000000140000000-0x00000001402D5000-memory.dmp

Filesize
2.8MB

Download
memory/2392-447-0x0000000140000000-0x00000001402D5000-memory.dmp

Filesize
2.8MB

Download
memory/3412-318-0x0000000140000000-0x000000014029E000-memory.dmp

Filesize
2.6MB

Download
memory/3412-260-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3412-259-0x0000000140000000-0x000000014029E000-memory.dmp

Filesize
2.6MB

Download
memory/3412-267-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3548-295-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3548-303-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3548-346-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3628-340-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4008-342-0x0000000140000000-0x0000000140289000-memory.dmp

Filesize
2.5MB

Download
memory/4008-292-0x0000000140000000-0x0000000140289000-memory.dmp

Filesize
2.5MB

Download
memory/4132-71-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4132-72-0x0000000140000000-0x00000001402C2000-memory.dmp

Filesize
2.8MB

Download
memory/4132-78-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4132-245-0x0000000140000000-0x00000001402C2000-memory.dmp

Filesize
2.8MB

Download
memory/4320-241-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4320-34-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4320-33-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4320-40-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4524-250-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4524-252-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4644-335-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4644-473-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4668-242-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4668-52-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4668-45-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4668-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4788-347-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4788-476-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4908-290-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4908-337-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4908-475-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4988-57-0x0000000140000000-0x00000001402BD000-memory.dmp

Filesize
2.7MB

Download
memory/4988-63-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4988-67-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4988-69-0x0000000140000000-0x00000001402BD000-memory.dmp

Filesize
2.7MB

Download
memory/4988-56-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5004-326-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5004-328-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5220-1-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/5220-20-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/5220-24-0x0000000140000000-0x00000001402FF000-memory.dmp

Filesize
3.0MB

Download
memory/5220-8-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/5220-0-0x0000000140000000-0x00000001402FF000-memory.dmp

Filesize
3.0MB

Download
memory/5224-15-0x0000000140000000-0x000000014029D000-memory.dmp

Filesize
2.6MB

Download
memory/5224-80-0x0000000140000000-0x000000014029D000-memory.dmp

Filesize
2.6MB

Download
memory/5256-469-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5256-330-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5316-255-0x0000000140000000-0x00000001402AC000-memory.dmp

Filesize
2.7MB

Download
memory/5316-309-0x0000000140000000-0x00000001402AC000-memory.dmp

Filesize
2.7MB

Download
memory/5440-474-0x0000000140000000-0x00000001402B9000-memory.dmp

Filesize
2.7MB

Download
memory/5440-344-0x0000000140000000-0x00000001402B9000-memory.dmp

Filesize
2.7MB

Download
memory/5940-333-0x0000000140000000-0x0000000140288000-memory.dmp

Filesize
2.5MB

Download
memory/5940-285-0x0000000140000000-0x0000000140288000-memory.dmp

Filesize
2.5MB

Download
memory/5944-434-0x0000000140000000-0x00000001402F5000-memory.dmp

Filesize
3.0MB

Download
memory/5944-319-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5944-311-0x0000000140000000-0x00000001402F5000-memory.dmp

Filesize
3.0MB

Download
memory/6048-282-0x0000000000830000-0x0000000000896000-memory.dmp

Filesize
408KB

Download
memory/6048-275-0x0000000000830000-0x0000000000896000-memory.dmp

Filesize
408KB

Download
memory/6048-274-0x0000000000400000-0x000000000068A000-memory.dmp

Filesize
2.5MB

Download
memory/6048-325-0x0000000000400000-0x000000000068A000-memory.dmp

Filesize
2.5MB

Download
memory/6100-17-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/6100-18-0x0000000140000000-0x000000014029C000-memory.dmp

Filesize
2.6MB

Download
memory/6100-27-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/6100-215-0x0000000140000000-0x000000014029C000-memory.dmp

Filesize
2.6MB

Download