b95e3b47bbdab30c897316b353bf4609783cf2790f947375e14781f8bcbdb3f6

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2024, 00:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_e5c8f8191075df0eb4771ace71d589b5_ryuk.exe
Size

2.1MB
MD5

e5c8f8191075df0eb4771ace71d589b5
SHA1

9c2dd5bc7f9a4e18dd7a398de40d69f7b1cfa7f3
SHA256

b95e3b47bbdab30c897316b353bf4609783cf2790f947375e14781f8bcbdb3f6
SHA512

db8568f2304a4ad59aaabfe2ae3895983b522bf1941034a67b1bf4af2991615c9d8f5251dea70b9d7fb3b4705198dc7185e4df66e60c6724d0bc5f7eb704b02f
SSDEEP

49152:vsOwbb13ntb+g2nxDv1PZ1LTb+hG/1OfMUgAkp8:vI13tb+Z3ihG/2o3p8

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4356	alg.exe
5068	elevation_service.exe
1276	elevation_service.exe
4716	maintenanceservice.exe
2364	OSE.EXE
4680	DiagnosticsHub.StandardCollector.Service.exe
3940	fxssvc.exe
3756	msdtc.exe
1124	PerceptionSimulationService.exe
2164	perfhost.exe
4904	locator.exe
3436	SensorDataService.exe
2408	snmptrap.exe
3488	spectrum.exe
3220	ssh-agent.exe
3296	TieringEngineService.exe
2356	AgentService.exe
2056	vds.exe
4512	vssvc.exe
4088	wbengine.exe
2724	WmiApSrv.exe
5004	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ad3b164c8ed1090.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-05_e5c8f8191075df0eb4771ace71d589b5_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000005568f04bc87da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000013088104bc87da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f1d75205bc87da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c54ae04bc87da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000064a2db04bc87da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000002b89104bc87da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a8b20d05bc87da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000957c9604bc87da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
5068	elevation_service.exe
5068	elevation_service.exe
5068	elevation_service.exe
5068	elevation_service.exe
5068	elevation_service.exe
5068	elevation_service.exe
5068	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	956	2024-04-05_e5c8f8191075df0eb4771ace71d589b5_ryuk.exe
Token: SeDebugPrivilege	4356	alg.exe
Token: SeDebugPrivilege	4356	alg.exe
Token: SeDebugPrivilege	4356	alg.exe
Token: SeTakeOwnershipPrivilege	5068	elevation_service.exe
Token: SeAuditPrivilege	3940	fxssvc.exe
Token: SeRestorePrivilege	3296	TieringEngineService.exe
Token: SeManageVolumePrivilege	3296	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2356	AgentService.exe
Token: SeBackupPrivilege	4512	vssvc.exe
Token: SeRestorePrivilege	4512	vssvc.exe
Token: SeAuditPrivilege	4512	vssvc.exe
Token: SeBackupPrivilege	4088	wbengine.exe
Token: SeRestorePrivilege	4088	wbengine.exe
Token: SeSecurityPrivilege	4088	wbengine.exe
Token: 33	5004	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5004	SearchIndexer.exe
Token: SeDebugPrivilege	5068	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 5000	5004	SearchIndexer.exe	117
PID 5004 wrote to memory of 5000	5004	SearchIndexer.exe	117
PID 5004 wrote to memory of 780	5004	SearchIndexer.exe	118
PID 5004 wrote to memory of 780	5004	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-05_e5c8f8191075df0eb4771ace71d589b5_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_e5c8f8191075df0eb4771ace71d589b5_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1276

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4716

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2364

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1424

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3756

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1124

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2164

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4904

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3436

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2408

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3488

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3356

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2056

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2724

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5000
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 924 928 936 8192 932 908
  2⤵
  - Modifies data under HKEY_USERS
  PID:780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
0e2dd738e9c4b5d435d0acde3ba0215c

SHA1
8927e0eda700db8294a87418cfb53b273eb9105d

SHA256
5e12f03ed5dda8e0ff53f0a1bf4a498c7eee65949556e62606b0ced07dfd0246

SHA512
c1783c505208400ea99bd196f48078a4ac2bb33b2eb308926b00b0a71b20d9bbd15c819ab38f39a36b16aa868861a97b1525d2af7e6dbf16b64401e8d3882487

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
7716edbe847fcb07b10cf077bdeb0f23

SHA1
cd2a9ebf24ac14669a718f52c227215f443505ee

SHA256
0436353ba5b55c6b19d811fb9184b744340a8bcac71a6f312dff6258a9fcd127

SHA512
6cb214657501f453dadf47ff1c46b447f543defa65522da54ab3ff3c725981697e425ce345f3006a428854ffcd69e2678f25d7e1d7a7cf367bad9c909d0ecc92

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
075ba22a2588690a902e6370c971a2b1

SHA1
99a9fd84104d01f671844230f93a2a66a430a7b4

SHA256
37101d3006d3efab12ee6dc7c14da378f9f2c2a52b4623c4839721e0f6d2e819

SHA512
6b723458d55aa31d6d21fb9a0446d07414aaa9aaf70e97b130e52b7f2c3069ae77189933323b1ba927b5c363086b8dd6fd64621ae1c3b5a37b637776be6bbd7d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
36a162b262f1829ed26ff4d77adce2f6

SHA1
52b319519f04515132a3044312212cbe5ea780bd

SHA256
b267cd23d329c7bac877f02bbd79c3550e709a6e85d558576f52c156d84d3508

SHA512
387cfd9dce9dac0eeae07b0f86f9654988cabebf7de1b0bb79330192741344fb8a44be274c56f0780797ca32f02f4adfba0adaace98d0715bce4de3ce7a0403e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
89f9b7df4f61515645daa4ff0ee4dbc2

SHA1
71b058fb9707aad5558e0bee26f59e337b2796c8

SHA256
612a139e484df5374322dfc52b21a3e9675258c7f48146c3377b2f5f3e1d7aec

SHA512
56d0db6b845a83f70c70102664fa07a4d0d315aeec11c404aa8e3c11f3afe65be2a061c32f3000fd394a76a54d282646e97da0e7ad0b4f1d837a3f608b9502dd

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
fc48d290ce9217cf7a6032fb3d209046

SHA1
ec26042722b3f024b5588d9865b2fb8a586f0384

SHA256
8604eebaa275527e8a60819f4098ea7fe3a68067b4deaa6d8d1a70c3aea11d42

SHA512
b974c5f9867c60311bce88789de309a0b731817df2f560531ec9f69e9f278f625bf6b77bf60fde6e98348dbf8677fe294a6e82d484fec9749a2b07f242a2b4d6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.6MB

MD5
8a14dd235f5c402b31735fae01b36808

SHA1
9c2218c387196691120afe6db833c10a51a057dc

SHA256
ffccea9c771de4e07b89f173b72c0bf296d4fec70ac672633042023ffd7ec13c

SHA512
09f8f695eaacbe963d887fef4d91e310e478b93f8c2c3162130ea299086cbcf7429cae422e1a3299f58b3439bcd5aafda38ec0b69c7d19e37192d67c96d43fbf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
fb9e351e316f00bcc49fd981750a798c

SHA1
cceed4e5da83f3a57fbaf9ed09176edcc70125c9

SHA256
b68fccd55cc1961f6c12d5628adefac1332001a0484f7695c15c176ff222da2a

SHA512
463a59f401c4cc3c8bf98040d784705c749b2618ab29962f87e46139c6e9440e6d6ed04f2a255cf263b882a2225fa9761cd7f55bd10730f8aacbf23bc4d55599

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.7MB

MD5
0b58d1ecffaa9b5423d14ebcf989add9

SHA1
2dd642e8e07083e4011f098250a06af9add1ce11

SHA256
07f1fa480f22f31052ddeaf7ed214bdfe1c327f68dc7c058979ce795bd4dfd72

SHA512
7b7188f0764215698784543053f8fb2509c684b71190de1b7f041f33d1a4ce914a79667689f4f076d1f6cff66176abd33be2e15d68d4472f532c446556b620ec

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
f2016e43abf47c165fc90f906f96cb6c

SHA1
7b4c51f1fc7998bad096025aa1b88bb099d80395

SHA256
d49c48208b2b513299d1398c2594f3ece9787cc98f1b394e78e2811fa5a51c7d

SHA512
899771e8a339f81091c87c21a38f8854ebbac1467d3295151a1ef6e50f9c5cc685f0405355004e03ac07dc151a5e300c41a845833071cad0089fc4ec9bf75406

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
79481da929d305f24fb5747041be7eb0

SHA1
026bb81994f97bc8b4327da350d74166fde57699

SHA256
62185f3ff2cdfcdaacd6dba43392f8cda1322bb067158f3988b519eecc0a190b

SHA512
6e155effcc80675557eb1c160b638726db5d162c49e0fb58764697f2ceddcc1b1e12a9823de164ddb83c043efc1e63d9970e14db8966a43159e6703106c30379

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
2470d9519c4c5fb6d974dcf6195221b0

SHA1
a007aff6afb162ea414c31cbb0f52c971d906f3b

SHA256
68850878af4a21406cc466c3f805257cb4a2675fb42c92971e3383b212ca64e1

SHA512
600e0a3b015209c1d68dd5c6681b49eb055f4ed53beee2d002ff9d8f44fdeab93f3dee8d5200a46dba9e22e1136c6d4d6dddf7de42e51c6a77a44eefa578da2c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
46b03ec09392608a11db8c063585ad5a

SHA1
ded9cdf4ead282549c5008d4e46d25514c582c5b

SHA256
064d33f1de03df809e7284b3e6fd9a92ab456b3996f615dfc5b33bdfddaa9db6

SHA512
91da9697ee1ecde9122d2ad589b1badf85416817533fe721183e68a3481f7ac927a3aadd3ec863d64e39bad37f164a7593b253bc3c11636a507c9172ff677714

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
f8ab26903ef4660a7edd83e65f17a40e

SHA1
6c68e96a4531637051e7462600d7fe082233cbb4

SHA256
ad53c7f1b31dc80f4a611ca129a3369dbfe1fa03a1f103ef94c8d6283bb48c6e

SHA512
b4d658f35a71f97c513f9a8268f95f957344c4c51bd25f08064148fc4415b57cdf8c56e37f20978781a21468208014048421f18ebc06571c7815392dc8561e2b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
f0b2af14729037d13dc9a9720831192d

SHA1
50124c4375ddb55bcdf1f94be57eab638347bfc5

SHA256
f4a6f0baecde69f4e6cff372c6dade9f302a845403d0dfc7d8e16baf3b1aa95e

SHA512
b3e1bdd209214416670acd79d437e6f3adad67eeb6d8bcc2adb67e9e0293d012b8cf0ccfa047ed0fcf1732b081f1b66ec9475234655f3ab57efc4b8fe9ba174e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
b05df8b341b50051249768e291f12737

SHA1
3a757dfe89170c26c7f8c371bc67e3477f680eeb

SHA256
df0d77ee235894f7d74f38bd9d1d86d5d07d6aff74ac76cac7f4fc04cf65fb94

SHA512
75cfd72c15e5701dce01c5aea197aad783a906e50d924fb6110cc04564322d30e9e789cd1a37ee9e292ea460fa681d5d9f076b521c9459d1a8e954afbacde3b0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
c4d37497dfd0e3e490912d0fa5e78fac

SHA1
ae422471d068d4a41874840d919d16ad26b8a4f8

SHA256
e5f6a79f2853e3ba066d7a374729787326c9d52bc6b9030aeb02a213f46a12c3

SHA512
8d74ca87bd163a8321bc3d76fc65c106f9e87e2371740df5225d653bd2dd9e28a861c09dbca8fdb23c25accc1112bcdcbaa1d2e242518526c11613b8fcb1ada3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
afed7255c5866135c85c6697bca08569

SHA1
f05e162c3acd3ce1b6f04d726e1980c66cfafa31

SHA256
f10a9fd62cefbc73a1bd309326c4db87d536e92fa11535090de06812e77a780b

SHA512
a9d31d0c521b4dd4b8cc9d2d3711c765737a9075401ddce9b59b49d3d0f692731a3f0abd33fb31eca99604a127c586f86bfd3fdef520ebb6c17d76ac3edac06f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
7b3d60acdadc80c102af299a568d17e8

SHA1
b6543a3d3526969641e0bca708b3d309b15dd6b3

SHA256
3d7e22cfc7b6396acc2595be7e90a9b827bfc24f03eebcdb6e149296a0dfc769

SHA512
0d041518bf994819e12c50405cfe3091d49adafd2d28ddb69720c3af78fe06e8a2dd317d4f077a1c86cf252db172a16bd60b07f9c6895c7d2b0143cc10b486f8

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
147131c1ae0f63ed9fd80050f4de262b

SHA1
63c1638daef85d4b21b3c0032b226319b3b51e6f

SHA256
008a0af1dbee85d2f9483b1fd6a6662071af32f108e33d3775d6b7b99d2fac55

SHA512
ce66a0cb66a3c94a5bd27aa3a6070ad82bfc8e5652476ecde0138f291b3f627141e35bc48e46ab88825684896901763bcd7d266f09466962627a97c4bb55bb66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
dfcc273210e3b975e07fb5c2863c094d

SHA1
7870aa30e0f385b0f224318e766615238a35c484

SHA256
f075cce1aad4d6ed5e10583a77a1e5a0350fae3bb31a4f37429428c844bac6d2

SHA512
3ea895443b259063aff448036c66c06b11fc52b60af289eccd63583fc641a26413508bb97414bcb8e2a8fada287dec2d9b6fb5c4b1aec19672d96a805084b02a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
7359a7356da853746db9fbe50487331d

SHA1
433671794037875666c2e67fbbc2665707a814c4

SHA256
5ef384d39339e238597ed46822f9063ca571f2293f035b5a82420f88dc709852

SHA512
70e1db50c0b57cbf222f1ef1c57a8389f27f770c3283c3daa1fff54897e891057ad93a9c4d2448f6434a1716ab370323f98e2632dfd2bea3648f4e08349bd049

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
c345a2618214b5975fc1a706f05b7ed4

SHA1
ec968cfb6e5687ce4fee25d2e2a80a1cb28f2a59

SHA256
4a6db730a2f557a703742ec870ed8029bf8b31ddc45a974f5941e6ea93da94bb

SHA512
ef3ef5d302ff27fe75e56c308ed7478c943cbdf35b984fdf7e527449251f4d73d2c7d40debc8bdd74199a422c52bd6fa08e1b6aa079001b94f49be239b819075

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.4MB

MD5
6a88dd72754c5f99dd59b3d5945eb826

SHA1
05a135981e541d26bd08b5b3a0d133215e840652

SHA256
8101430f6e986fe143b2f5ad29f8c6a25e6cb62bc4d4384adcfd8035fdce2302

SHA512
447027dae554ec095ce68d31406a83a8678da5aeca4ea11d9546f2b35a429eb69aeb9ac8bfed086938d41a18c2ab26ab2569466a5583c18b9e4efc9000b94def

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
32e7a8e0079d2766d12f1e7a0e943a41

SHA1
613a9d0f033335911a01de33140de52ee678b3f4

SHA256
63a5679ab2ecee22ca50b529e77695240e94bb7321ef75bd3c87a5b7ccc2fa5d

SHA512
5650a4f5fa4199271cb82943313826a49b2f34271c04f8de3c991f32cdc449bb5395d4ff8d7cfbf0ed203b97f83a1240d4e6f434308a6c01411e8d1f529ee458

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
72e299c0085a58d6566b093e33ab1709

SHA1
84ed6f2c69d8d37480f029bba6e2b037ce53ff9f

SHA256
718d1e3d7821e7536e84ae7296c327383b828f1a7a03f66dcf9caea346ff4503

SHA512
a60ff65c0c64f6ac4a5ebdb54f9463afcdb48c141df71416859c81969f59f0312c0bf07ee12e748dc73b051627cf751275db17acdc38ce1a36b35430cf41832b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
c9a349f6df492a82af168b06ea40d8b3

SHA1
9fa0c29b55cbedf976bf9aed0b90329385e00533

SHA256
066142675928a86828568debfd5da4a00e269b27a0f6d0be7e65c6cf29a064b8

SHA512
45f8185af266f11b717a63fa03d0d0e9e599ea35dd5a317e093e7bd7b42f82601495b9f1c8a1a62c19d9f4cab915fc8a82c2295f8d5eba96f4174e19b626b6c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.6MB

MD5
ff28b43a616671fca93d7b681ece953b

SHA1
81a1baebf9797b447b2f455b69fc45df75b955a0

SHA256
9cf8ea28b17120f3c57a6f8d8c16ee5fb1356aef62b023c0c27f2a72854ddc4a

SHA512
8c2b59dcd79060b88be1bec31f8939255caeb30ee21883708f2974ad09800f0e03c91f7f9f238430c84c63a2cd1b046b425623b41750641dd2bae29368ef9298

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
c3bf497b93942560a6230028c4a39512

SHA1
620dfe5c3e7ae6a3692604fa54ae23e38968d285

SHA256
b7aa28fdf6da76e803ca72f9a57b8346e01de245b6e945ff8994831af753edd8

SHA512
128941a7bf4a3f764eedf530c38b8f1cce90dede5bb5cb685a4b60b5e0d009cc9f1d60d2babbf85183b8dbc9b2e8b1cb27f163f2691fe9ba307bd95fb0aa1472

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
825b744e9e6820b4bf2e7d51d54ac68d

SHA1
836dcca479bf326f7313e3afac81a79a80bdedc5

SHA256
b2c538b8df795a38393957ed4b068851caa476112982c9ec69b86b1a999a72ef

SHA512
abdefc4c91ef706bd9c36142cca4a8b5e988b397ebadd0fc23c07ad67e352881b7acd2acc15e44ee2987d5e785bb6ff84b349f16b32fedf49f50c91efdb21eb1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.5MB

MD5
8bcd3e87e6b058ae87ed56b434dc488d

SHA1
4caf5df5bdec06de8fe8e95d7083b6f6ce4914d7

SHA256
0aaf754116a15dd987fd355157fa298a1d40a45c5fa315815f1fcb104af409e4

SHA512
e4e41722f306833ebe82bffdb79ff35162bbd312247986f5d025a77e217f3dff020e7080b48f7b3c38b976b2625e3568d596c81b0c5eebc98e30d96aea791454

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
ebc413fec56dc52996851e3b9e881303

SHA1
30c2d825b97a5aed396e0b13f231c24283681842

SHA256
742fde29fae5854d5f26b5f66405c8ba9e36b37f1ec9ad11b611adeba2a136fe

SHA512
9a995f6fe730fa37450ac1ea3ad34cada9b6b829b55b93ab14f9dda62aee4c9dc1585f0bb5f1a4c825a054c0ed9361fbf4824ab8761be92d3e1859c4cb9f91c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
f3128ade3a7b0cd3def264cf506c8735

SHA1
8b532d7d0ef353c9a0412454ee35c584ab01fe3a

SHA256
e05976062462e95712f83265a511aab2167830e9e4f1e9babf4b20a173a7553f

SHA512
550d997994ca4b0e0dec3f9a43f1823ede668f3a1d62d6fb0a3aa9dec8b365597779195e868e3f136451ce5a544350e9a0277a3735ed84091417750a02241a36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.5MB

MD5
047d57b179b376e96982647380c32b87

SHA1
487724516631d7059d2c24c4db84b75de68056e0

SHA256
b15bc26876f94e40dedf7bf05f88070365748c9ddd29f427ec9d35330bb61e77

SHA512
057794f01ce550343da512b1d241543f2c8746cb3833e06e5b144de0aef799b61dadec27c96661d879a75de250368d1479f780005f50bf4c8a36096037186685

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.6MB

MD5
b36681cdd4d864a1e969773ccb4c4a44

SHA1
75ee520220e518688ad82110d0f612c63bbfc89c

SHA256
c6108843c50ab7f31489583e023738a9fe9cd0aae03f7eb6b69b8fe00c2bf0ed

SHA512
84a22a73e63a872ad9b1e8a8d1107b00cf848ac9e5dfb9cd0b899e44334b9478cd132dab7467bd4c4cc455d37ea441a349e19e80db3a92b460bb2c87c4c90e04

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.8MB

MD5
823f3db92bf890489f2f21646a2fe183

SHA1
2c653bf38940d188e2ca83239e192cad0b30951f

SHA256
72d86f0a3e1d426f70fd5b8ba42bdd383dedfcb4726dc4bc4b911a18bf103d19

SHA512
d9de8168ab11178ee1e2c1efc19763f3918f7a40757103e2dafdd1962578b1bd7944d6effd6445162b5e379eb5fef083698125f5061d590e401e5f5b310b2704

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
45345d18bdad7fa787d97ea28227d940

SHA1
7372f2914b8d50f784f052b16e23969efe9f8f16

SHA256
9c043496fa8363a664227a1a7250ec3879d86fddc4313609080fc2d762ebbeae

SHA512
06a049c6c0da69149f1e3019be8eba04be83a10ea217512e24e04d8b4d529021cb5a7f09411e5309eb4b81088b012902f90cbaa3dfde5cafb08142e77d40204c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
71122fdfe35feb9c8719dc23b231490c

SHA1
a1be31a4aee85da378ea51e9f192b12ba1812017

SHA256
a77a16c485c9615080cc5a60a1bc59a853f87c7ac5a746b0adfbd333d2a73b7a

SHA512
37fe50581334bec32697dbf391f60a92aeac530732c430223293f69e36e1e924a9b3dc4d046eda825719ac4d65192e6ec3050be65bdc9c3eb265a74bf07770d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
96711a688988be43900b633ba8fbdf7c

SHA1
a5953e4c6c1168eb3c921544b4ba00be6a09c26b

SHA256
66dfc786578a17bc636fa23b7258ac2924528ec3f2d24613aa8decf3329ed99c

SHA512
13929a6d770ef8ab81cdbeaf75cc44088dda5f2db000b2366ad00a72a5eb2c258ee54b14e062a78215a82f73636bef26de4aa075027be83e08ef61430f634342

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
e58a89e93d2af911b38ad9e36db299d4

SHA1
7b333a2d5b2a14a26f6b3521562d6d20ccedacd4

SHA256
fa6eb464f959bf71c631ea110903755d07de4c9816c2643c90aa37bc0e375b32

SHA512
4ef483cf5ecc0d553aab0cfbf92071806e4e269edd2da6a0a0a57d04d238b1eca23e5f254b0b49af08956b71d7078df828acea14bbecb3808516455f4688bc4c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.4MB

MD5
0f985a666f0eefd2346322f4b289e47b

SHA1
5b85618a4fef25d0930c3ae000b41c5fe58bfd15

SHA256
b0f0775404bc58f327202f9e98655a96123a123ede4b3b1d693e5606f3258f53

SHA512
0fc2495bff5381c64df861662a0c643a3fbe6806343c8e5a1fd9b234ea786e71926c572375cae27c924bc393fb881c49f78f3d67c45e5ae1f586a1eaa1b91115

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.4MB

MD5
fa78f2d1c894768d083469828ee99988

SHA1
4ed4d3237967784cfb116fa7d039fbf6047b2c48

SHA256
31fba07266bc38388ea2e1f6602b1b8c0a7d65228ac49499968f59577313b141

SHA512
3748071cb9a482eef96d16df28b5b7852bd21030ee72efa4e8d08d2503b4b1f4370312b0e31a26fee41058440b66fb6833b01c035005ae7e584c44948cabfd81

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.5MB

MD5
d2032fbbcd6561391eec274a349c01e4

SHA1
972f43b6249fbd6f509d304e10d7e0d2727c3e93

SHA256
2eb34f2fbe4e5ebdf17a18c5156403b9eb550c4f7dab5286665553706ee67acc

SHA512
cc184114a451e008f502ce534f682df9ded522c6e14bdbff90b74cd0142d37606c981e8cf2037d7c9d69cbc6a3c6b590d1f18c540c3271cf0e18c9727f24875f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
05c002183d6ccc89b8f42f50a2239b5f

SHA1
7848b829344d87b7e06d35fe18a83cd20adc33be

SHA256
9567f7047c051230dfa5bf34c5b0bcd1d340fb4d25e7f5e093a4879fb8c917e7

SHA512
ea1d99297b2ec66924722af4d47587e949ec9744bd6d8afe65870bb89c072007a577184f77ce09698c2b3d523f0f08d599a7f0a3cc1ad289f30cb0d653ae8a38

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a71a00e624b88da29de4df32a0d64aed

SHA1
291ac48637ee4e393f49eb63c120a2c816d41fc8

SHA256
62d1f3267b45b607979b0ea699400615aaa30b1371f2035268e36d7ab64bf113

SHA512
5bce8e13f19da8234bcf7b3071bd9524891b40a16c26047e9ef549921e90ce49901ca9e89e5b4ec1dba47c67ec9b1f89a1f229c05915239cd30f0e2dab530b11

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
1a63479d3002541b5fdfcae101d8ed79

SHA1
e310fc0e9434fc5c84ea09dd047d4b8a42258ac2

SHA256
aa768c454ae74dd3cab2aea9142e2fe46d532ff4fcab50d0aa9f564b8ab730c2

SHA512
030ee62b9e3810321e90e1126f6fc69102805f33b1f5eac7a168716ed21eb3d4a118c0f7d5f3db3084de55dee393c62af1e6f4100f3cd0e20be938ab1f1256b3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9e3d70c51289aea09eb9b4d250502007

SHA1
3065a5276129252dd787fef75d9884d78662399c

SHA256
d5b625288e0d97270fe199fa78901166249b9177ce28e5d40d133b2824551395

SHA512
40f2dbd00b03c0243e99eaf9a4668c8d9ed3841e9e9f902bd16f04471d6fbe02ad8ed6c48dbee3ace68cfa9d4a8a090502a1262b1480ca1a822c3e29f91f2ff4

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
b9f52245ba07fefcc3f0de7a599c7c5e

SHA1
9d45891eef3bffa8dfcf18c76f5a5fbcabb873d4

SHA256
0271a3c8ce6742adefaeba57a2a4bbccdb454e1bb8aea0716c3fe1405e3dc3c3

SHA512
c2d68502c2eb41829b6e64af1c5fca3ca0505491f8e47769194ce544817e53d8a1bfb3961c4aea6f88fcc30f140f04f86d1bfa603dd35a6ca6ad3b63c235edab

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.7MB

MD5
caac5955c3cd1684ee1f0d313c0686e2

SHA1
4a28f88610051179cc3ff54525df4db701e6ace2

SHA256
1de0875464e84db42671745e6978272a4df2b0a369b894398d90b762df480dee

SHA512
88a8ca2667297b6fb0118e9cc21153f372d6ddcb918b60cde5b7aad658fdc832e187d2a4140c5392b1343cb5cad941bb30c5f5289c830f59b0f5b267f4236bd7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
a5fbcd53787225200b6f3cc79ed011ea

SHA1
e0649814139e0678739453fa60ddf17df97b5622

SHA256
1d42a759601d5eddffe4d0c444abf8de558f41495868e13e0979e595355de0c4

SHA512
b14bcaca90118b359d22a4799699a4544d40122696c2542caeaf93dc823219f89d2e5a864d02ce7d10fe2c35907b06de53840a6863b0ce4fcdb08a305dc4e2e4

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a57b374e30964d55c939bc9f215dfb8f

SHA1
7f9cec2b5e09fd4680fb98c248293725f7429f28

SHA256
10252db852274b773635182e13ac497f2ee15e2c105434c90ff45982db031398

SHA512
da2134e8fab11f62d03370fa4d88358a89ea49fba6f2f57383f12f2cc3a425f6b7ef05cb23fb74fabd3723ad73c8effa778de540b8baa4bafa23ee9ae9f486dc

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a32cb4afe8b6b2aede7decf5dc468472

SHA1
14834d6cea12eb6424d74f49d3eef5152575ab35

SHA256
2c66043ce451979e3ffbc23297e2976d5b21d24a6f1c4ddc505882b37f7bd66c

SHA512
92c41cd5737cc8d121fe95df6ef4d85512870fbd897ae2f9d77d2b7b73752e778e0d9b39f745b288c29ac8084cf3b973932d2be7948c2aa6fc587864ab3beaf6

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
edef0cb8c45f0a645870d6bb7e85a137

SHA1
2ecedddb056569fd431ab06bd0912856178b10a4

SHA256
4f7d7b0b3f5d5fa2ed039fd05d1678a0b71e9091b67c4cae29a0cd68993b563d

SHA512
7873dede3e7210faea4291b16444e84d1afc9fa4531efa23373234808191e68b6a6628d87b4463f141a9d85aedb1911c0fa4691aa8642d7f2c02a180e208e612

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
0eff6690ed9d218eba4340e99e9f78bf

SHA1
32cdb5aca0ae200d942a4f33f84a60dbcdb232cb

SHA256
a94735ae748c001dba20b294660d221390221ca185b7bb92e417849f623d44ae

SHA512
3dddcf2a80a48b2ed3d34b589633a73949069111cf32aabbab2d782307c2bc915d06454c02369031d93378f1595d11eef36c6b429eb783d9507d2c3ab5561d48

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9a42f000975705111736a084b3f994f9

SHA1
cd9c64e540b6f1970e8c3974a7d94024608c248e

SHA256
2f2ba9cf4784bf12874943b48c6cb666acdda770d610b46d63314185717e744d

SHA512
d4ccf58ca9e9dc1739a2589c2a5fcca63529a5ede4552c6d4d125161fcb32e7d40bb68fe062f82e952794bf937d0f00404486db94d81c6fd7ae6fea4fc31ea7e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
18b616c5839c27e4be1dcb55ac848032

SHA1
c440ddd678fb8bfd0cb074d34515bee4acf8aaac

SHA256
74056c5b1055eeb1e6d4d446bb2c0bbfc1c805a355a2aa0066c0b09a1cc7dfe6

SHA512
50960b4f1f96195190a2cf932a63b8c0c79f9e8ae5f1ff44fb932d2468c3da8abd38eadd21588031d0331e0bb15ac62f80bf12106b4c11519be58dc52bcd28be

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
bf76c3899c2bf2b8b95692308ae4b78e

SHA1
1f2fc75a6f59a54358b5104e05a1e1ff00c47cfb

SHA256
a39483307ad0fa73e233b785f1aa273c8c7b8a73e0cc9268d30f8b114af2e21a

SHA512
bb6b2ccb7f8d01e36be977d278ea8a0ffea3b72c4ab0f13cd1bd482daecab13e5519fc81c5bde34f91993f5e8d1be40e117d760b25ebc805e25c6a894f4f2521

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
cc44ec536e684cbaeb284db3aa315252

SHA1
3fd1001ee6a977ebd3975f86b3d5c88ec8a25511

SHA256
ceb67f861f0bf4c7ecc62a89e0809732a9b4c998b09503c4e3a6f4a7177959d9

SHA512
64e39f6d839e1f8d53ad3eaf553649984a6c8e46426212c26ddbc375978ffc06bf202acf1373c8a52c78f440202fa6839784b567af732c56499b4758c9a50683

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
16cfcd0c6dcbca6f4ea0947e49387d0f

SHA1
1a7652db23291fe022ece753b28187fa3c829e89

SHA256
3b256980dfef27f07a13f26a37dc5d92007f959bdf046769b6fe6012e316f3ec

SHA512
58a6abb32ba17f34bb071ad0753d809989bb837c01deeaace045a327cc73a51e921d845ed6027bc1e223f586425eb4aab2a7bee3dd469ef8871e0e6ea0c26979

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
12e0fdab6399e1e2bf20d97485ea2b03

SHA1
277051a0fca6d7431305aea11e2e32529bf59885

SHA256
c4c8325325a29b9ca0c5c3526746ca4b96398be82da2dbf935fba21092624644

SHA512
fedcb614939b85a196c82e41e9dcbdc0913b6905cbb5c868a23db5cdc4e674d72843fa603571533c6ade47b7cddd7e0365dda9b1be288ba45ec76a8ce9f8fa27

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e999def9d457743ab80bfcb1a6cce5ed

SHA1
70f41c00d1258a01645ceae76d440d974b82fba4

SHA256
6a0173dfedf6e84e19bbe0ae728f4fbe8863784b4f1d498f02881e58ce7f9032

SHA512
828b75b15de8cee178107e5f5df5ed8c78f63b73c1170754058b6621b02d91569a63bbc13873c4e48fe7501e3cf4cdb1b40d6d703550372ba70db5c2a1bc1a6f

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
14dc09d4ec769dfc7c705cbfe6202fca

SHA1
6151f0b0f760ba9759b5a6b469aff6b5c1e182b0

SHA256
10a01f2335c035a61eb04900789a8bd94ceb5e92ae123e785624f8b4c4920c60

SHA512
027a28cad236add5ad7e783c7c282a3f46b8e8bbbf82c2de8c2c035befbc6ba9d4f16daf62bc53ab0a14777b9c098bd010d2a4dccdf275cb39ea20fae047a69a

Download Submit
memory/956-0-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/956-2-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/956-7-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/956-10-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/956-12-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/1124-350-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/1124-297-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/1124-288-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/1276-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1276-38-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1276-37-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1276-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2056-418-0x0000000000B10000-0x0000000000B70000-memory.dmp

Filesize
384KB

Download
memory/2056-409-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2164-306-0x00000000008D0000-0x0000000000937000-memory.dmp

Filesize
412KB

Download
memory/2164-364-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/2164-300-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/2164-373-0x00000000008D0000-0x0000000000937000-memory.dmp

Filesize
412KB

Download
memory/2356-406-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2356-405-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2356-401-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2356-393-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2364-72-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2364-238-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/2364-64-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2364-65-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/2408-347-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2408-408-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/2408-340-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/2724-458-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2724-452-0x0000000140000000-0x0000000140265000-memory.dmp

Filesize
2.4MB

Download
memory/3220-375-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3220-367-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/3220-435-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/3296-448-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/3296-388-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3296-380-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/3436-325-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3436-333-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/3436-391-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3488-431-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3488-351-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3488-359-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3488-421-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3756-281-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3756-338-0x0000000140000000-0x0000000140258000-memory.dmp

Filesize
2.3MB

Download
memory/3756-272-0x0000000140000000-0x0000000140258000-memory.dmp

Filesize
2.3MB

Download
memory/3940-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3940-256-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/3940-265-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/3940-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3940-270-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/4088-445-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4088-437-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4356-227-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/4356-21-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4356-15-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/4356-14-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4512-433-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4512-422-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4680-251-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4680-311-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/4680-250-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4680-243-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/4680-244-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4716-62-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/4716-59-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4716-56-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4716-49-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4716-50-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/4904-378-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4904-313-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4904-321-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/5004-471-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/5004-462-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5068-234-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/5068-33-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/5068-27-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/5068-26-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download