ffe53471e55a5ae9e30cd10548d98b4f328626450a6e091408b31994193877bb

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2024, 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_61337646f247a62eefe24a0e74ce9779_ryuk.exe
Size

2.1MB
MD5

61337646f247a62eefe24a0e74ce9779
SHA1

55e9f18627208647444428de6c1e96605f48fd02
SHA256

ffe53471e55a5ae9e30cd10548d98b4f328626450a6e091408b31994193877bb
SHA512

42b7efe1ce9454188beab34d6ca10ffb46c5dd0f65d4399ea50572c753537108b9ea4ee8819ff5e775ea38e148e02426e64157d438ceabbf9a6e386437bddf2f
SSDEEP

49152:WsOwbb13ntb+g2nxDv1PZ1LTb3vHs3M9sR:WI13tb+Z3zs3/

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
572	alg.exe
3512	elevation_service.exe
3756	elevation_service.exe
112	maintenanceservice.exe
3488	OSE.EXE
5020	DiagnosticsHub.StandardCollector.Service.exe
1980	fxssvc.exe
648	msdtc.exe
4772	PerceptionSimulationService.exe
232	perfhost.exe
4824	locator.exe
1868	SensorDataService.exe
3024	snmptrap.exe
4788	spectrum.exe
4232	ssh-agent.exe
2100	TieringEngineService.exe
4244	AgentService.exe
1244	vds.exe
3620	vssvc.exe
4556	wbengine.exe
4080	WmiApSrv.exe
1796	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-05_61337646f247a62eefe24a0e74ce9779_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a8f4f7a88642d83.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_120515\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_120515\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_120515\javaw.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_120515\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{63A530B2-4AF6-40C9-B231-B4073A76EB72}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000015ba37c35287da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b36db0c45287da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000efc026c65287da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005059bcc45287da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e4185cc55287da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000916986c35287da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3512	elevation_service.exe
3512	elevation_service.exe
3512	elevation_service.exe
3512	elevation_service.exe
3512	elevation_service.exe
3512	elevation_service.exe
3512	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4556	2024-04-05_61337646f247a62eefe24a0e74ce9779_ryuk.exe
Token: SeDebugPrivilege	572	alg.exe
Token: SeDebugPrivilege	572	alg.exe
Token: SeDebugPrivilege	572	alg.exe
Token: SeTakeOwnershipPrivilege	3512	elevation_service.exe
Token: SeAuditPrivilege	1980	fxssvc.exe
Token: SeRestorePrivilege	2100	TieringEngineService.exe
Token: SeManageVolumePrivilege	2100	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4244	AgentService.exe
Token: SeBackupPrivilege	3620	vssvc.exe
Token: SeRestorePrivilege	3620	vssvc.exe
Token: SeAuditPrivilege	3620	vssvc.exe
Token: SeBackupPrivilege	4556	wbengine.exe
Token: SeRestorePrivilege	4556	wbengine.exe
Token: SeSecurityPrivilege	4556	wbengine.exe
Token: 33	1796	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeDebugPrivilege	3512	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 3468	1796	SearchIndexer.exe	129
PID 1796 wrote to memory of 3468	1796	SearchIndexer.exe	129
PID 1796 wrote to memory of 2248	1796	SearchIndexer.exe	130
PID 1796 wrote to memory of 2248	1796	SearchIndexer.exe	130

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-05_61337646f247a62eefe24a0e74ce9779_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_61337646f247a62eefe24a0e74ce9779_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3756

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:112

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4940 --field-trial-handle=2256,i,9172343514068348080,519219714517961765,262144 --variations-seed-version /prefetch:8
1⤵
PID:3384

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1908

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:648

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4772

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:232

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4824

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1868

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3024

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4788

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3624

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1244

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3620

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4080

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3468
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
9b7431ecaeb4a83b25bed3d4df76421f

SHA1
ba25ee320fd9b43385af98059de69cc18c64711f

SHA256
2992867b77ac5b7dca6e68f6c2c313dfff69d299f48170755ac4d85b7b0a8ebb

SHA512
e660ff28e715345171d2e510b87c6222185014f725adf87e468840324934859271e80d8f8b3709a2de2d21d8f45e693dbc665f9a3df435a844066e58a27b2b8d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
28e41a83a2aa08df8938696aeff75cf6

SHA1
967f7ce722943de17595fbcf322b33f64334e821

SHA256
a2a882d3813c9d987d02ac15e70d8c50fb6bc0eb15206e23b35800d772b2d27e

SHA512
9c23a1acaec6a04e7da952b1d3903e786bc44a0020a76b11aad9a1e3387fd725b5a0f983ad011af9a82998a1facbcad6e89a691ae171dc294dd0b3c120b0261c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
3c97e48ca03ee6d6208830467bcfe57d

SHA1
a882e7a3d62062aa6a7063fd086300d54394c9f2

SHA256
2e38cf828cf3e9c5f8061fa153807cea45961406a7788c1ddb8f6604380d768c

SHA512
a19a3f298d700e59318f4e879e9b23ea3f395ef925289cc93a8ea3d7dc6a04023f808cb8769891767849e47a9fa69c974a3fba9a08b5e8c6922f4e9e8d3757bc

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
0f73822d4725e293623f81a6c7694e58

SHA1
7e71efd2be22e6fedf624fc351021dd5504470dd

SHA256
da0e80859662367ef4d6a643d461554fbde33b1dccd4f919f2609ce69854f4da

SHA512
896e9819e805b64a2bf586cba8c0c382c29f2deafdd1f00496cb51a425d4597444b56769541c984138f4034553a03cc83a9b63d9e3e98399341c0bb03b5e1c40

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0b8152eb5282c31bb4203326cb50eadf

SHA1
60d2991d6f5096c0a9b68bcce1b3578416d29c90

SHA256
994a0786bb46002c6c47d572a52bdf62ef300c8861512ca024287d96d27c2250

SHA512
6586c2c6645b0d1828298b94f102038e7508461a182371bf15a801e83d6ec1430692f3ebc3e6426902dd944f9f4c93daf4a049d04f50a2b247c1c2f123d9c9a2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
1d345fd7ee47b5fc446620ff1e4080e2

SHA1
ab231a48d322e29ca9149c381c5e3e129a98bb41

SHA256
3280fc95648ae40110bed4bc1a7364125a1796cebca6593e82d79fbc8ff5ca1b

SHA512
173ab30e25f931659aff3e42d550da671fe72b5d6a064d638ee12cf27f9743e4e3eb2739f4ed5f54d4199fe7d1b99e303c15cf869d9d66228f52f7fe603d72a7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
3f0fea278080d5852eefd7e4c53b84d8

SHA1
2f77ac22594cf7b0fb2777b2300579c5955912f1

SHA256
e7b2248b9efe19666f2158a70931c8251af3ea81e76976fb01ddbcff39717c3f

SHA512
f0757e1b1476c27b8405bef5f341f934db82a3206c07ea0686c9ee9314cc26df875fb0f7964a41ea89e9d88755b897ba5cee2537d7fd4ea726cafd201bc51cc4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
01bb0cace8c5e26c6607cb64f0f4649e

SHA1
9c556d8b29e7057cdb5bc197d6cae1bd1bc35cc4

SHA256
78ca405902febe6581e244bcd36e71cca73de67245d7fe96aeadb0960bdb056c

SHA512
e53150da8ddbd8706c59d3f40113c7d2082f4bf2f9350566d4ecd6414790f59332d44692347b5157359b2efa1b6e319feab5ab3139ce9b1bde55637063bbaf2b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
fb0d1eefd8aacb17c8ca9375eeebbaa5

SHA1
8d706c273efda8f8b09ea22b4e9039dd809814be

SHA256
997ac5a085a5066ce167bb79aef306ef9ff4c829ce7329eab9758d283854dbb3

SHA512
8b51ef8abf5178e43521558f7c5f57e3bb71a45e506631fa82c244220a0ac1205d99061ca8518f8f1b991d1a7d3e37124eb09a8717b14fa48e36af1763da2d91

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
f923f73c174bb68d4ca0edf4529c80de

SHA1
9d97b635f57409791bd25f90651811590c9b08c1

SHA256
a20d5f8471c413d0504b8208f0193f7d26e466658b1fe7150832608b068d83dd

SHA512
ddab45ff3c0b1b7ec833f8d4be0fa44e1465a5c45a91be98e49ef9b24d67708b6b81529097a6820227de1114e9d5fc08d7739f4b7750f561a74363e3d8866df8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c3cf7686d9e3bab64acef7cd88503017

SHA1
14b523219a907fc12e61df9b5bc4ea6111068d40

SHA256
94b16bb9c1c6cd132348afffda95b5513dc3ea01642bfa0682406b6ff767a728

SHA512
1a1358ac63a728c6eb995301588fcab2792ed73327472661d0e99fda804df13bfed1114fafd73106916a5bcdcc4f7d47749a1923de83ab3f94997d7923e16b43

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
fc051bbdefd29155a1de6e756f0a82f1

SHA1
dac569043669341e3b9f3392f2aeadeb174a856c

SHA256
c3d84258f5a28871c9f12427bce5dbca482d7a8e2d0475b58c7dd12977cac1a1

SHA512
3c5bbd8b907a91c18d8187e84e35a32c69a5537ee7b5cd7bff512e803a0024d62db2be73b3c98db78e56d06a69b4a385ed8771fc631fb1d088f52cbba2184a3b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
cefdd8014ec0d6d3207adc1fbde52760

SHA1
6408a7196082846c7d493c56fc8f61c443ebb7cc

SHA256
4abfa1adbf11e0aa229e6d11f694dae2f92682f204315d861c907b033952743f

SHA512
988adefbc629cf6a23b8f7d4cb983bae8252ad5228bd7e3b147967aa5eb3fe2226d05adf6ade393e740a06ee2deeb930240c2e7ffac657f1aa2d94d1fe34bcaf

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
0927384d1e7510b6b1dc7027602dfdb5

SHA1
a66378cca1100b7b302a90a11ff6563b872abbf3

SHA256
d31b532db1df1791479b7108c5cf1daea82b655c170f097d9c3af0753991f667

SHA512
2c51177b737221fbf6d8c6519814dd083d18dabf52f410fbd6d3d4bdc42437f8772464a18c933e7ea2d230439a4e0cd8b65b3d52758b7d5c202c90e06df1fe24

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
7d23cc0b6bccd19af2eabf717df7bb50

SHA1
f8d79a09f1179dca336786c0de7761035d5ecea5

SHA256
b87a8e6837ddedc53a96749d5f4a8a91052220c1b69248dca3da7d89d516c90c

SHA512
7c36274543e6ab45995646cbf175ffe69265dbacfd7fc770e52cfb4c341dc0de9d80c2ef5e2c07f4a5832e63f3b8b28da7ef1fdabd6900988e9fd9c414ae0dcb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
7c46c2bb5485aec560b37fce64d65813

SHA1
293fcf0677a2209e715b7015d8dcaa356285b417

SHA256
a008448e9f8f1682b20415bab68bb5b079b809c0e57ff3b69d2e0515cddab9de

SHA512
be188be4eace12a8c21c7b97bb91f51ab6b86b9b966c60227278666b1aa0592568a441c2488efb7d5e5c65ba80097cec7e7004200a2aaec73c39b553b25c770c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
9164f2d6344e18d5b488559232a8a81b

SHA1
61a115b99c18419d5e5906eddedc00353143ff1a

SHA256
38ddc061aa666976d37635671432795b94afe56507b29007ddb705f21b5dafb9

SHA512
eeaa8e1b70c41902e60eaf54322389fb964bc9263f50f64a397a57afc8d39deba7cf774f980fa1291c39ec7135d39f75a61b18942a287c75cf3692089a5e6e08

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
4182958d5fcc007b88a84ca2fc934003

SHA1
5e1f33950eb6a5fbf1a032fc492dff2a4dd11dd5

SHA256
014a8153c7106581cc5be5f761ad67d7701aa6486ce1e53f345f36326f741251

SHA512
07e5f22cf83bd2be0c0144a96379da98f1d71de805062689d5e41b864513b8e00c077b2c15b5342cce044bf4aaae5819943b5d2a6cec9d3806e411cbd4a1f395

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
c0f80e81c53c0e62a504aa5e1cda332f

SHA1
775e4b5901b7f95960a6d9f6b11a65979b3edfae

SHA256
ec00bc7cecb23c05ba1e5fdbc0f67f2670b3e2f230c6ad72f3665057a24d79a9

SHA512
7549828a12fc5143410c720f931357b523115b99384e5dab8975cdb679983889da1a94c90ec8660aad782a5027a1618a87b29f98df0d7287b2cba5b1817977ee

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
e4ccf42dd78d13c6019a74547c5965a0

SHA1
a88121ed500ca15c0f855a80256827735cf95a42

SHA256
d7103a62f1d5357f5eabbf1595524a56d53332d5a861696bb346d6aa3e2657a0

SHA512
a4f6d9c6412722ad6395758e86a357d330f643b7df656ae137d1f0b53b43827a9df06ef6744ddc81d80eed0ceb27937b5d8504788d192f94368b327b7cf79a3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
cd6badb9dbb01b57eb327f1468e7e54a

SHA1
69a93a8f0d5bcd718e4479b446f85638526ad3be

SHA256
e5c44f7deae38771f82de02b3f26f2c79ba624e85f66cbbb33841b3933c55db3

SHA512
02ea2e3fbbd5c813fa644653ea5fab093771ad897840396dfab4549efb461c080affe590d8f84186591820a2aae341b59b4f66871309b9229e413b3ef8247d6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
83575460eb852992fca59927f9c4afc2

SHA1
4e28b3fbf23ff203ba981295b254ca4d8b5cee4b

SHA256
1aedd4e6b1c2bbd6638a4652aabd0532517b0d309df40cee616bbc87ab507477

SHA512
e26d484fee28d9d3e6bc5eafc308e95f64e94878829cbd41534cd184aa03cc71a11310d71e0d82fac05cc66f612bcb9c250a27d664cbff8aa00c666a480c2708

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
14bf5b2a0238bd371956aac1af398ffc

SHA1
f005e343e4ce564725cbd1586639ccde88dbd2bd

SHA256
1ef5229cc1512fd8e102ee7bb494cf0116b646482453a3c38430904618f87693

SHA512
ad7f380614758fb0f37448dca71038730eaf2adb131a88c2517e7b0a90e8619508cc9d7e3032ecae29048522d96e58bf051356a23707cb824cdbeff4ec275663

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
b919b692c26ed6aec18389c6e48614f1

SHA1
0475db72c421fef09626fc0a2ffd9f0c48a78616

SHA256
203e91e92bc4aaef43daec38f9e9ab9198f604b3f393782a21e5a73290f4dd62

SHA512
cc8cc232e1d1425c1de7b7b0f0553f5f9577cc2ed294c628a8aeefd087ed6a2390ca279d610c0284ac748443e3b64afdbc2295d95d06d33db3f6bec99934f5ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
4cb98c39995212386a1b01356dcffbee

SHA1
3f3a04a0d3a1d06006de936d04e9e40838f11266

SHA256
a9565a736307736b3863aef57a4f14197ab14602eaf47a0a7990499fbd80f6dd

SHA512
0e5e4bf9cab332df68943397eaf49d44472e5cff977e512a5cd2d02b9a241bc36e70ff1848cc779b63cdaf3436273694da49292b5cb4ab3141331c00ce2e6c33

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
643892d8de53f68f66741a8ae955eb86

SHA1
452111126fcf9383c3d736cae47baa3ffd3d30a5

SHA256
63b2c497359ebea81985314b1210288a70897f219d7e672c758faf9f8cb39788

SHA512
b744289329542c76424728cfc8f88698340e4cf9fa8c8d5f84a08dc9a088b9a473f86efb0dfac6769871cc689cccb6c1b39aa8d4b83066fed9513b951c026d45

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
e71c4ee090eac4aebe8049634ddb5e01

SHA1
d7d62d5706f153bebfbaad4b94cafd4a10dbc016

SHA256
866f3078cb55bd7650ab6d852dd39236e5534aa209198ca757cb94a7e7bc1e5c

SHA512
a21d73945ca39bbc7c370c1356fc42f06df01d3a6848935ed9331111e431ca740568ebaa6151a0c352db294917dadcbecbb0826fadb6c31a759db2c887d056af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
23974ce6b6557e917fb01918417a00c8

SHA1
173bb81e3d74b563a908f05932e6d42b1766fb15

SHA256
c7c2af1f667ba275f61a6efac3baaa901f60d8a6dd12b5b8c1d682836137d9d5

SHA512
9c2e60435c6eefcf0e824d43d4adc5ea947c6cfc35b8c5614d3056c6ce4b8f3c9a8eab69b0e95ddfca0098df887850cb2238a2d8f12779eb527268b36e6f8911

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
b6fa7070642b3bec3c27471ea942e77c

SHA1
e044f28b18aba3a1a6146e5d7fe37dd17ec9f5a7

SHA256
35b1e43e89a00ab6d504d39389f8a06cf82003a06ad0724d8008e31dea9f40ac

SHA512
f951e51c3d21d4c2b9f92e6a2b2970de1742a7b1e803844a9bf99916bf7b48eaae98aceb290abad300a563e8267d01a90ff73593405368ad704bc1694527281c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
7c3acdc07a006849d3479f47d0671458

SHA1
f5dd97f820a39fc29c2e15197db53463c077d10d

SHA256
4d977a7599b1f7bf328bfe3e5c4ded2bb62641ba05e1edc65c8f94abbb91d165

SHA512
7320c1083aeb6482f5c7330d7dff21373996d2b5433a87caef00c958dc7d1569fcc7cd39d77de1606a0e4c6a4e031b90979fae391056c1589bf723843385e30c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
dbff42a50ae67d216547baa892e2455d

SHA1
192198d710633fd489db48a2fb1b49a0861e351f

SHA256
ca63808a9ec5e3ba22a939ead7b24de61c22a87c0302113e0fd0020495bb1b34

SHA512
f7a52df80b24c96f2b0901ef99911c9af4f1a83e892805d50ca87f7903867a922162d671bf33ad08223547b3124dd6d185c58cb2c61521b71cb3e6a234c688b7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
340c9672374015ee7586817edf54f5a3

SHA1
b8fa746f04cbd5c82d047cb6566593da9ec8484e

SHA256
d35636564ac7c706dd026982056fa39645eea74aa95967e7f227e0ca3c4e6614

SHA512
6b59f421ad3452a889bd5181bf35862ed0362d0524ebdf387b3ef8ca76c0d52382f19182f625d4c2c7d8d3931fef5ee5720f382a9460ea81c67e127b61e59d0b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
2ae3a9a7d7b222c3f11b875aec292efe

SHA1
9a4412368f6847701eabd6683253973e8a6f5897

SHA256
5be320831dcf6ab0b19ca874a8613b755b8ad0782950d489751c44a51c508524

SHA512
05fcccc45967e6e0474376e5d4b4a8218b109c6025200457195ece16649a289360418fedaf4c7f3b7097dafe572c3289427c6f135d53b88befdc77834e0b41e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
5990718a99332c70f8a64bfd224da3c6

SHA1
de8f20e287ef2cbf76a0162cf497a0f41142b1e2

SHA256
8e4350bda9700f2dc3b17c49bc3d89e6873d47373bba40ab8f3eecc857434b94

SHA512
c84866ef5b83f2a9024c6819903a6dd99a58702545f5ee011809bcb660a6a3eec2b1689edfbd1745b321a8025b00e33457fe23a9c02a3164825b90570216fdd7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
155d29401a0de9403062a8829ec2a256

SHA1
4114ee543435b4c02105655aab1b3b8e70ccbe60

SHA256
0aeae1ff8185b29ad6e43643718ece112c9fd52ffd88ebb3b2311992038e6b0b

SHA512
8a31286e1389da93d2054143d4e433e88266d200719b96cc8eeec518696ed5239737181130808dcc7d3e462f5a052598d57be61781e2ac9db18b988f5b853036

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
532296c826ff2fe820db7d1b82676180

SHA1
7190f7c1d25cf0a446bafc5c51955b9144550487

SHA256
d8e8421354787cefcea1d194a97e35e689cf92e8adac8799b7f2b2814407bcf3

SHA512
f517866ab5a07edb6bf6c3095e4ec83e1452bdd7fc8bf8371d695ad7a51152d6067e0b1107b25b1bda9cd7a428bab68db89fe8765c8fbeb76d6ff8069921ccb7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
1d74cb03c2bebe846fec3819f246d48d

SHA1
84406f93c91d87a771821a6a87aa08655ee42be8

SHA256
29bbd79840d1af0a803f3079a742513f629cd040528ad77a80499a4d5b687353

SHA512
ab11dfc69531459e51c8e78c79e29f1fb094326e4c03f70cb1db9c9de357c2d13678adcd034a6fc8b2a60be422b64c1872b5d217d4f89a65ca2a9d1718ced6d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
8b5686d61cda09ddda9a9e1ab0adee99

SHA1
bef32877618e5131585665525632a32d369ba6ee

SHA256
5b4bb64265fe270a0e1ec387f5030ecfc34a17d170e254ba31d4045d5ad031f5

SHA512
4bddbae21f6d92956c99957c87f286a0279c8ec3b9cc9062d65d09e64af824ab7b1e812f076e167f7a8d4b9a86ab56268d51ba804cb7d4c92bcc373ecdf95ca1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
9c6a70a7d5ca8450b43b38ad5e10a2f9

SHA1
0b22caa847a21b386e207e8fcdf900e7fec564f7

SHA256
56774eb860e02190b82c222bdd304ba3b8d0f152b93c2f2e49c1a474a3250b74

SHA512
354f40393e42ad3f18f967a3a8cff5f7418fb101907e871293cab53d873510c12c57bd5d1daefb912b684c9f85dd61885656ce19eb54d3a9d96f4699c016d17d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
6feb946fc1fe7ae5cd5beb0035f79953

SHA1
33237bfdc098d2428bd6e43dbed3c85dd716f3a5

SHA256
71fd2310e2d7b36cd19167985b9f81ed8358c7fe6f6ba7604cdfbab56d6ca6bd

SHA512
0ee6e28bcb06af84d7ac2f375e9c0f48767a20daa436e99db3c1d795b4f265bdad732b3f86c5c820480d92b16b9e71f49c9b7797719387f06f687aa7b376bd00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
2c194cddde40a5c0135e6294d486e33c

SHA1
b1ac197ba79bf3b4e3690400f374eb6868395681

SHA256
315a7937a1bd5661da5fe9f2bf5d00c6b7f55b434d99c51e7271c89da109a9a8

SHA512
d29dfec4d649932606b195fce0dada0dac93ae80692e3312df133355cee8c277ee5a2ea7491d063caca5f8aabd7d3759dcc9e1d877335940215b305a0febdc7a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
27e483b35a9a6d40918bcca657f4a055

SHA1
78e0b670cc2f8325dad428136619006fdbe53d57

SHA256
22f6ad2e821e62b69ce4c7f7ba58269834aca298ca0464c7dc37ed6a4834e9b7

SHA512
56bf074c31a0a543ce0ba76564d26b9609dd369f392ecece398290a6b4dff5c5ab7b175ed13917041df3d8ef0a107cc0a3ee1b3dd39749de403cf3ca2c278699

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
15d2733ba646baec311357936216a57d

SHA1
86c8937b049a33787d2deb6e6833c62858f79e99

SHA256
c6d8c1acca87c7e21b945ff87f36b9907181db4a57bf707dd65f00b994fb3af2

SHA512
077a873e3eddc50b25ab73c2590984c3ea389ebd8b06390aa47aae0150979ea8d88d9dade540ad5657d316ff489406bbdf67887e307b942dde9eaa17dd26c349

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
d616a0662d8c677051b02d74199f10fb

SHA1
8ccd7043f471199a5dd3fe6660934f590fb6d73b

SHA256
aeacf12acf32ada602be18dc33518c4ccbb1c186f03f0efbead1861d4f11f669

SHA512
6d027f718b697a273ad8d1d11c50ff697ecb78fc17b636fc310d735adf878c2d23805a13c4e70be9206b81644d849b9d5b2c03c1cf5ad62e7a80b3992710a08a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9f475ec17b8b5cae42b5ba0a98d84689

SHA1
1d7d31b57fb303cd2b0e2b4297d82923d4e0e587

SHA256
eca0f33d56294997bd4c96ae5afb2e47901e0a1ba97f232ab58ea595ae164b96

SHA512
b56d3d63b0b3196556eb046490aeb7572c7941cc66787c43350d03f904fc47eba514a5ad82f0547f8c7f77ff6a2fc5bb90e41d8ba3a89dfa6cb8f169f3a76d05

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
3ab86dfaa0d15232948cb5d0b05265dc

SHA1
a17e8224e1c86bab7b3fca6fb366a35b0f20e074

SHA256
a1527cc644ef64e73a8e73db198dacc216627cb4973330d3dd1750be42c1f697

SHA512
cb72f72d9f3fda6f8eec1368308d9d41cfbdf14d123022d989a8e69ef461628981e1e7ba29e001c7ac49cbb9184d7fde725cda0914bd33e3b27eefc549585cd5

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1f07c8e7f01cb66f4f6c885185d8e6d5

SHA1
8f5c8f348daa464caaab5f7dd423a92c91bfcdb8

SHA256
092fd8260e46d84e1f8852a61dbc6e43f85a7573a6c28e412931edc6861e590c

SHA512
42772dac4b6f741e9b3498c859e35a909242de878d5599e3b255557458d9aab9de14719f6d4c709f13a9415dbea71335824319b2563e9b20306ee7566550c188

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
91e03727d9705cdf2eb0cb8afe749ed0

SHA1
464ef9681160d40b750f86c844b2cdf777a2dc22

SHA256
69c26a85637a379ef85a94186c225ab508c56d4a3ec78ab68600539c2fb9d4ee

SHA512
b7d0c70b295fe4bb55e7bac85a795960d3f5ec224159ab39b0b3ca7e224302736b107e8c4d9bb92104969c4fa243c4bed8a073de2db23493511fe2d055aae265

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
d4b38ae8d60b8f11d09922a3003417cd

SHA1
dedd734e1874a571ea1b982013657699874fbe53

SHA256
bb3cb580f45541d6eebe3a6c0533e701199e75c1483deca790819049ddc314e4

SHA512
25f0422078ab9816c382038e10f57a93a7df1cbae5282ac891538eed80cc3d03ff98e0a293bc7323574dbb71308211a7cf904700f042c22cfc2b814cbd517fa4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
45abfa4e677d758800cc01b2afb572f9

SHA1
fb060c646349b11fa95c7e442bf5062fa411004c

SHA256
39bcce6421b5112503b177247c91fcaa0f1b2d1d8183f76babeedc06af627c6b

SHA512
f3074934a925c289b14a0b56f54a85cf1dc2a53ac95b2bf9dbdf66e74758b6c45f3cc439f342dd96fda5ac1445c269e14362f62a3fd6b1533174290f48df9092

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
88f91f79dc277c300670af1fb106e45f

SHA1
7ff7703130765ab455164ff6738de4d0fc085d4b

SHA256
d2d5e5eec2e6f47f17decb93d73cf409e69207ea4c373398acd743c1327e4d58

SHA512
265693d58b849d3ba29ab15ab9d1ea046e1487b7400ee0eab7ddd73c129f37c70c613ca53d448fe32db0d467b44b67e7e37fd28874053143cafe3942117ea6b6

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a638c8c43ec83feb1ef9b8a14a6fe9bf

SHA1
d86fa66c903e42dfb9470de06064ae73e4acc56b

SHA256
3b45d0ec837ed83be99980ab624ffd7a7b567dd9a79d57c6478418adfd40c028

SHA512
db3b1453cfefd8e402c345cc6cc0dc78f4ddc2d2ef51f4aa95960d307b9ea8eb649e54fdb8a351d3820f336c091864447c2e592b748b4b6ad3597a3aafacf176

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
20480dbae00c71f2cc99f5687c21112d

SHA1
b45a12532b1985043560967947070395fb008291

SHA256
5671945c437f326463c6cc4433b9e0a8f50b27f9e378104c20998a9c9b560738

SHA512
105a93ec4d85596e599f6933e407be38907ee43d99bb721938e983978382472d4b709bec8deb0b4fa0686fe2f648856a2bf606771f0fc4ce8d9b76e2af0de755

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
07be13b84484ce8e0c118fd776a16359

SHA1
f2c5154b74ade9f64866bcd8f4aafb55718d59b4

SHA256
5462d1e7bc1e95aa34fa0491d2abb79c866a1f7cc749b1e95cbc9ca92013daa4

SHA512
c8ca8e06d9d4cb68cab49b6638a55cddb89fcb7ad861d75e88dcdfa895830dabe0beebb4f835119da201778b9d4111464160cb8dd475bca1922deeac8cee0406

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
001f5e1c3ee9c8bdef8f779f675e53ca

SHA1
9ea7d6f722b83b0a424aac6603c6b78bc152f00b

SHA256
e602d7de940ab672a0b0a40b8580a0e9b47e68943936e10977240a58c28c4a29

SHA512
cd3689d3b4be5395b71bb0159b7b98a74101c9785a92015393e58270d123c0acc886b7da70d98442fa231432f27cf1f98d8c05b76316746e281437611228203e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
d360922dd6409bb678562ea0c61c0fca

SHA1
8b29dc661c56ceebfb017892ae3d74154d8bfcf0

SHA256
1773e704e3c7763796a124044588f3260eb3176acdb5d4db45569219cea589b2

SHA512
d6dc812d6e3bc55084f878aa41f5a1b46c0fc2e90efd9a3558ddbd82f38a97ffb0646cfec764a1c618d3f6dd08e1a158b3383019ece46eaef190ba8f621cf494

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
553d94496ada93cf954ebe6c4eafebca

SHA1
ac170c743400daaa27523a731c91a45632d509d2

SHA256
c089e54ca963206f53ef0345026ec1d377aeedd076bb0d4bac853f87874aa201

SHA512
b65a28a26900dde302ba37340856be780acdc4edb779c8968f75112d8d1b2bc3483310b5b5997b086f3aee71a8f529360c8d16863fdf774fa5b03ca70ed65615

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
8f09649d6188dcc693595128ccbe433f

SHA1
057668e20b1fd16bbc8d12b8827924e3d49ca143

SHA256
57e954454f49b818ae8f17b9c7f3b107e04b38d1ad223bc697ece63da934082b

SHA512
2a1aa54879e711b29550c828d50733944a17a0bbd7a544c4fcea9f5d97949865cd2e3cf6c93104501b3e73fb568d0814a9529e7f3f6f93abd54acee32aef2606

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
96bc0bdd8aefbac6c36edf0f0a6022d7

SHA1
84336b1703cd9c837494e60d4a98cbbbf8c34304

SHA256
dbd1203b3ccae17389a67b814ac74f79cd693bd67c459a6e7d2a201f0b696402

SHA512
90c2ca95a0af7344e6f6ad55ba318fd22f394c2d636271d870008d01eae568c89df0c1de122075a48e384e09cb18eb7d8a2f40e27cf1840421b2db9763a15d40

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
d80f3cbca5c521c08fb30901111064e6

SHA1
96e086e47e185ec78603e8e428d58b0172088b45

SHA256
0333beda778a4c5a1d2dcd6a675f8d96ecaa270c7d532f2dcac20d86f8e381f1

SHA512
5b32d51c3a8a10dad24554201c568558f27da34661d4e00952347c3e8aa32a4b1719ea8c5370b88fef0f978b875a174921481edc32a59ad6b56e83ab242fa5f1

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ca79ddc68648dd1d094b7864bd11cdc9

SHA1
21e93b629ad290666ef9ffb4fc26c3b354ec81d4

SHA256
a37f685f59fc872310d76cf0632e046a252ac9b17d0b76fd6bffa2cf321916bb

SHA512
aeaf77f9c76e335b7229b1ee01ed918160eeffc5163b08dea99300adafa9b83e0183cae96a09a20c26ae48b2debf44960d806549a1c87ef3892e79ab0e907ca0

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
c35f5b7ec24dac2ed712b8d4b5caa696

SHA1
cd7d49f6f566b0b32622536cce38cd32dace5741

SHA256
ce29902f1e5a9e370dadf60661fad632a08a8f30afd4ea027c3f629b5dba1265

SHA512
6f77b5e3f9a36c65e1b818ebb0d863d376efa364ed1258815e7483718848a9857ec806be8e9ef4ecbdfe71d59473e86ae29ac6a24a1beb6f0932727569501966

Download Submit
memory/112-51-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/112-65-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/112-52-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/112-59-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/112-62-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/232-302-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/232-359-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/572-177-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/572-23-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/572-16-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/572-15-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/648-342-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/648-270-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/648-281-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/648-340-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1244-460-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1244-416-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/1244-406-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1868-319-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1868-373-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1868-326-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1868-381-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1868-379-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1980-257-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1980-277-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1980-258-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1980-266-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1980-275-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2100-386-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2100-447-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2100-374-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3024-390-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3024-331-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3024-341-0x0000000000650000-0x00000000006B0000-memory.dmp

Filesize
384KB

Download
memory/3488-239-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3488-67-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3488-68-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3488-74-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3488-75-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3512-29-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3512-35-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3512-28-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3512-233-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3620-420-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3620-430-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3756-238-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/3756-47-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3756-41-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/3756-39-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4080-455-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4080-449-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4232-370-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/4232-360-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4232-429-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4244-400-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/4244-392-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4244-410-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/4244-407-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4556-1-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/4556-442-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4556-0-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/4556-7-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/4556-433-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4556-8-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/4556-18-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/4556-13-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/4772-287-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4772-299-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4772-345-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4788-346-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4788-354-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4788-415-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4824-307-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4824-315-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4824-368-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/5020-313-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/5020-253-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/5020-247-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/5020-246-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download