2aadd272e825ee956c82131a2a7521c615b9602e2588f41c058384affc7c29d7

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2024, 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_48054a13a8c0a6763aa8e7d9f4d34333_ryuk.exe
Size

2.2MB
MD5

48054a13a8c0a6763aa8e7d9f4d34333
SHA1

a6ea43f9803c1537eed4f1e687b8dc3f75fad347
SHA256

2aadd272e825ee956c82131a2a7521c615b9602e2588f41c058384affc7c29d7
SHA512

ec56314c3a633bfdf0d9dcf9ec9ecf3915ee77dcca6138924f6b060b7c8af8642d8a2cdfd8e55172b443aa31ae270d3ad18856b74f7e10ce7bef4f68a1fccabd
SSDEEP

49152:iWWu1zKeIxNj2bchBluP3GiyBKD2gDUYmvFur31yAipQCtXxc0H:iWBMNj3ZoHU7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4212	alg.exe
3208	elevation_service.exe
4624	elevation_service.exe
3544	maintenanceservice.exe
2720	OSE.EXE
1512	DiagnosticsHub.StandardCollector.Service.exe
3984	fxssvc.exe
1760	msdtc.exe
3148	PerceptionSimulationService.exe
2616	perfhost.exe
4420	locator.exe
4804	SensorDataService.exe
1260	snmptrap.exe
3544	spectrum.exe
3912	ssh-agent.exe
3284	TieringEngineService.exe
4940	AgentService.exe
5072	vds.exe
900	vssvc.exe
3068	wbengine.exe
460	WmiApSrv.exe
3344	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\657180e8205991d4.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-08_48054a13a8c0a6763aa8e7d9f4d34333_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77375\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77375\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000063c53b6bb89da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000078645ab6bb89da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d2aea6b6bb89da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000942a21b6bb89da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000300158b6bb89da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f13891b6bb89da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab98d1b6bb89da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000942a21b6bb89da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ae136bb6bb89da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ae136bb6bb89da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043b168b6bb89da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3208	elevation_service.exe
3208	elevation_service.exe
3208	elevation_service.exe
3208	elevation_service.exe
3208	elevation_service.exe
3208	elevation_service.exe
3208	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1056	2024-04-08_48054a13a8c0a6763aa8e7d9f4d34333_ryuk.exe
Token: SeDebugPrivilege	4212	alg.exe
Token: SeDebugPrivilege	4212	alg.exe
Token: SeDebugPrivilege	4212	alg.exe
Token: SeTakeOwnershipPrivilege	3208	elevation_service.exe
Token: SeAuditPrivilege	3984	fxssvc.exe
Token: SeRestorePrivilege	3284	TieringEngineService.exe
Token: SeManageVolumePrivilege	3284	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4940	AgentService.exe
Token: SeBackupPrivilege	900	vssvc.exe
Token: SeRestorePrivilege	900	vssvc.exe
Token: SeAuditPrivilege	900	vssvc.exe
Token: SeBackupPrivilege	3068	wbengine.exe
Token: SeRestorePrivilege	3068	wbengine.exe
Token: SeSecurityPrivilege	3068	wbengine.exe
Token: 33	3344	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeDebugPrivilege	3208	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3344 wrote to memory of 4500	3344	SearchIndexer.exe	121
PID 3344 wrote to memory of 4500	3344	SearchIndexer.exe	121
PID 3344 wrote to memory of 2804	3344	SearchIndexer.exe	122
PID 3344 wrote to memory of 2804	3344	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-08_48054a13a8c0a6763aa8e7d9f4d34333_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_48054a13a8c0a6763aa8e7d9f4d34333_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4212

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4624

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3544

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2720

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2884

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1760

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3148

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2616

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4420

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4804

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1260

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3544

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1364

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3284

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5072

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:460

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3344
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4500
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3562c03c799d328e739f3ce40adfef44

SHA1
366e776bc21d97b344f4369645cb5df9b5c09f04

SHA256
f53f46a11194bafb3603ee3ac255f2fdf6acc3cbaa490897de6899993b5fc475

SHA512
ac0b1f0c562213cce23d5fc20e8a65f49f42bdafb10c53cc72a43a9d3dd45a11abf96143492ff219944cc3854c3319cd210548bde6238cebf0c2bd894f1b6576

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
a6c05024befcc228679f180fef0a91ac

SHA1
77e3faad90c8c8a850aee538c98e8dbc3030ece4

SHA256
d6e756069ee67d489f9916984c86cf932762810bf07bc51a020846cbdc0777eb

SHA512
c40f94c65f920779adc8ff7d669b54f40033d6df23e991bf1d465e3b3b6463b56414e53d509cf0a9043bbd4d9c042de1e1591edf13b8bcc5d2dc1798c6095335

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
d64c5a6ba8edd2c2d110c4d40ecd5f4f

SHA1
4d67746ff325f0b9115bdbbce37cf0426def1005

SHA256
d06a43c112eb266a218328144c9508429d83c8dc8a936fca8b9be3269993d40b

SHA512
0cc9a33a2364b65194c60b6a7154946a652368d7d540eab285410f793e96682ad38cc342bb483d4f10503754a37b6b677463838ff0a54024fd05ccb9f6e6733a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ab68191ff58576025a9babd3829430ad

SHA1
1f7a708c0b54e3855119aa970b2ad731e9c891d1

SHA256
5170d8a6efc9d5afa2d0ae2d1b2c736bb410dee3da7dd39f36f047310f5650c8

SHA512
0bcae8c5e46d5d55371a85077d65154ab631d6a94b42f4c6b3a85070c75f3fd07ce996a23abafaea42a7228c4daf18b14dfc5e1eab8d366d3475464c7fe7d5dc

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
03bb098d7ae95f7f4a40492853e93083

SHA1
921df89bc3cd6c6346f62be72a6d4388c68e5384

SHA256
13b17f84f42679e91ce7ae32d26c40b938aa3e8e719f4dd1c437fa229f95a22a

SHA512
fb8fa7a3c8340eeca39ef9f6cdfe1e3049e23ad1a2f924c4e2af38cb4427aade1263248f0525aad859038e16eb2a61c27b25d4da66870d01f92abb5660af5f1c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
a78626fba5b577e0bed35e26cadec715

SHA1
90bc0ca1d5cdf55e3be7ff43e54f9f5ed4274ba6

SHA256
ec6d1f1b27304009bbe8dbe9fa3295783b829dd7f31a18ffe35f25c790223056

SHA512
5b45a896b240de3c9ca2e25f9c5e9956f40b80a6a7561cea0386330ebf890c5f449a32609bc29b7f62e37f9c609f81bfbc3441b307710b3722f597cfb4489779

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
6f0e2a3c1eaa3d6100a7d7da9778fd7e

SHA1
8410bb82f3773fa2ed402b331dc566f6e27c61c3

SHA256
703935d7c0f7fefcf64346ee2d7713ca5baa05b566672984ac1cf160025696cd

SHA512
99863cb9e78db9ebb5bb7558d9e7341378410854e95ce3c63d081b7cd8dd36fbe52bba4dfa48fac5437309217464f049c42a61b5480f0b9b5c89334072e524b9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
268fb0f3bd7bf66de198122c44455d7d

SHA1
b5a041a4c263ef8a57e9766c6375052bc29e4c67

SHA256
6a5b4c4687be0f965db2be5cf6b580fdd7144bb10d06beeb7c3d92157cdcb21a

SHA512
633c379e148e95b2cfa040cb3d04612db8a8696b24d082ac31bbaf08dd6229678be715dbf4bf6d09c02fcfac7dfc203df78a2296ede4057b3693ee180236b473

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
8941ded82b277b5fa3dacdc001c33da9

SHA1
80835b6704660f2ae04f50b979d59cf730ed9b15

SHA256
1a73afafadd55751fd26b09fc7720d8cab7d19b94ad5eb0e6d3efa4baaafe7d8

SHA512
2be5a903c414d7689498d9d641ae5d4a505a34c7c31c2f3fa63effc796cf19d510253667c4c433497ba5b6461a46e93dcd0b48282bf65deff26a887b9fd4baf9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
40fb7ce02557e96fe17ff5218ab72436

SHA1
2163d7cdf0b4a588428e093a29cdf404921c6b0b

SHA256
3379685792625eed8b92b5bfd8806214fb6d8589ef58c03d0c29b7308738fd9c

SHA512
2bf289f09fc88321b71a0500b68a575dc32d1220ada9d34c9c888d5b085f44d927b680a4485da0d877956601a794cfb6a2c77faa20dd66f197a281e1f81acf3e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
15f170b93f515d7c4844a82b3e6e6b49

SHA1
b15fe6fa1a4a2292d865de427390c2d33ee1018a

SHA256
25bdb076d2bc90b416cc640af8b1c31bc324badb77be309e4921e3c483520dbe

SHA512
f64bbbac8e0fa1383d3bc5beeb395d729df4aaf0fa9528708d95519b98d386a5eb22d35b7157a3eececce22ccb0617795db87ad92b9fd93c67491c45b8b1f1b8

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e47df0f3b39b1a8270b78e78f98188f8

SHA1
1bad8cb09140430cd3bb0606c9eef5cc1bde60d5

SHA256
33ce4a17baca704b65caae67db66df69404161e48b5e248f7425d92bc26b8d94

SHA512
e083ee1bcfa01fe371cac19f60f89ff08ed9d3474fea2994e5a7b1d4f25bed745b59d1837a3e736ee917eccaefe733364dc7786c94c53a9589fae4c222439331

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
082afeb4eca894cc637555ae09d52f0b

SHA1
36406ade8c3bc7bb0d29cc8106934f0ef7a48f60

SHA256
dc716be20e064874611d89fa27215889eda57f6fb08fcf3bac2b5b4b3a71bf3b

SHA512
34771217f9beb31b4fa0ba585a5a4631670a17ea2be4243e03c373cbcf38785652e251f49a322656a4c3fdd4f858c9d38e1daa7b6d5ff01e55c29f1e0cceca08

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
18e7a0d6117f02423aec83a921d33a0f

SHA1
34bae4cdc16cbea9d32ba1081bfdf89844eac796

SHA256
18dfaccb9dbf9dd8a946546cfd41387736d1fae8d2be23fadb3b33b0eb9a98a6

SHA512
1fef973557bb696706a01192ac5d122445ebbeb12787f5e83c705e36ea7eb9fef6166e49be7876b58282b54cbb3824eac63b5dec0b5de5694e02295acb65bfdd

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
e113ab5f15e348701abde228bc1468cc

SHA1
a883b64c27b64ecd20e2dd266cca57e9909292e5

SHA256
24f649cfb72e0f7ab7b1559c9095b9d1473037e553d3ef88e2efec0df033b67b

SHA512
246a32c03045d42eae00b8579adbd8c42fd0703cc96cdf01e11b9f29ff073447b26fda10058f77f3197155e9394f475490edc5e39852949204d7bece1f1cd1d0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
13ad5acb05bdcfc31017dc8f6cb3e4bb

SHA1
785cbe5b64b9f1519e673635cd346a6bc90ac256

SHA256
93fd1fcf9a190d92bc115dd372b2300bd629371a06fb1eec2b09381e626a325c

SHA512
49f21f3d7305066c671131ba1086e3a349f7c03186b8501bd855e31e7e58f94381acd74c4a542bca15ee5640441ce42efd0191608b3b6ab600c6d5a324785032

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
3b2818144e46d65b26710c90081b9197

SHA1
b9458efed9a02a14f318eb433c00deb143ef7261

SHA256
f0a3e99e837b4c98068f631f11e7b9356abcd3e38a08fd89912bc26e1104245b

SHA512
9845bfa71b530104f4c9a36f7b9f506a45a1ec5bfcb028dd31abdd14a66ab2c0150443cfcad4c7f58064c4a4b511abfb13f95c97975161b414c0254cf6b8fb72

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
210baf4df6fc88be6fc2e8f95b956f18

SHA1
a9cd0c1de3f298d82e6da6560ebaa83a2173eb2f

SHA256
0128cfaf30bfc3e62fe9986e72f3e2bb07fd4c0af7620d7f7955856f8b8abb4b

SHA512
18b9b6f01ba5e8f2e6bc80181af5847d88b06b6558c791b4fd7bdabffd349c0ed1f3f368abae2ac52a558f34618cdae1af1889238739f7353264d70d1808cc41

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
0a68b56a496f65473d96901769898d00

SHA1
526d17b587939469127b6380561978e21f350d35

SHA256
5f71b3c3dabf019c74f83fa78e1c260b72de281044ad8c2f758c80e1c26d450f

SHA512
ac76cd2ecbb91d989c3e1494b91ca12e44e7b7a84d49bac9edc13bb8fc7542968d4b0c36dcdfbd234265a21682c56e5f3bc5fc7fe8c4d37fa25ae48f3411c958

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
ab2257012cdeece91a72a5a377a984f8

SHA1
4eae1cd0469cf94e2f7743da1d65a060d18cf544

SHA256
7b51cd98da859832fd58c4560bd2a1a16fab05461d32630aa81072752d5c8383

SHA512
1d43a8568fbad3f5677276816b518d5e1b97cebe388b8577136b54da916dca4b7711a6cb002ca602c95d701d83e867c9a6c643189a857ea0e1d27cb977c76362

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
c3a0c0ca39ab252234a3dbd5156321dc

SHA1
9406d0e1f9fdce81de0a9472a440acb4ba6e8d41

SHA256
b2b60f4fdc8a456b8f4820d7fb9798ed52cbe0ec4bf4f4175a49975f5b31281e

SHA512
1c76f727940d968ff19800a6a435b4009beabd6f3c7a7a73aaf7376428c9b54b81ba5ac96681759f135e59c40a12b4ba327f1439b722b7c5a96d2845d74b9eb0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
ce37093b3f49f766fba961a3351fb9a6

SHA1
bf3e1499b951c328f72d818db2692a0fe2402543

SHA256
55e5cbff741a7b30ba10163f653c04f37de135b9622c64ba7af8cebdb9796858

SHA512
e834b8cb8f27c50b1373e21707febe9f37b62ba81f4ad1d9e38a9a8d464c6ee307a4890a43934f9088d65732ea08710617c7885dc2e1e35f1b2aa01218f3d54a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
3d88091365cba6120dcef9a3de55986b

SHA1
6384b0c9a4a29f3af6a3f49b1dafc4723fb9a4d1

SHA256
30325687463011d6ffc7c59993e960b0ad718c0fe38a54d05bc16e04cdffd28f

SHA512
df33af9753e60033b8e041f5553c004aff2634ef5b3df6cf77e19f98727431504f8b15e1de891339b4f34769d12dd7e6b4741819f07d5e849f8bda464d722834

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
12c27b96f55e82d2d318e9d6986d7cdb

SHA1
b61f74cb5b1d89f9f9e2dea4d5188220b39131d3

SHA256
5488054a4a0603e9fd70e8ab1d2f222485a45486f6b804233346e80a75f309a6

SHA512
bad40773a61c8139975cfc35934f6c20f498361b7bb7878b158b9c2c1b74c8d8eddbbd39d6080097b04bcb3e2d9e04de60c5d3b218c7329864b50284804e913c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
f1db53d7848b7518a7445856e73d4dd3

SHA1
85b335b290142b19943979c15d6bec334ade612d

SHA256
db05cd425134444a5e06f188b017ab58253db0a0698aecd0cfbd18fc1724c382

SHA512
9da53ba04cd5243d1ad42226368e889c3408923bd86c704c8190e20052af6e1fa007cf5547720ca7a6cfe20d191816f61a355a6efa892dbae1c2bc3607cd9fac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
0c6a4a608f8db461fb315a68d954fad7

SHA1
84c99ecff6620fc0f3408b34dddfaa395da471c5

SHA256
fb456097cee64ff3dba2c54a4b03aeb5bd2cbef782c869391b813ead17cf047a

SHA512
6bed97d1d6861eae15b7b45d11098db905d20b709634eae0d0c76ebb04e1400522907f24e73418e773e55554a7b92cfae9fa3c8e0fac82a60c53af234a60b10b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
7ee62d161a3b4ab7cfd1783e2a887f8b

SHA1
c12b9e71d1f5951d8f51aea414d6cd7c7ccae45a

SHA256
3d90551996e15de8bb73efeb6e43ea90701372dcd47e058b5af9dcd7aff4e3f7

SHA512
53168d321269052143bc5894ba04fe6dccfc6bf36050de9504028712fcb06bf3c9706c838b5ad15ec3ed8cce74adc836929390168bfa71dde7e7201b69cec060

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
1c761b648737cbbadb54530c2bfa56a7

SHA1
4de50b08cf4403b92fc8696cb3a77e3e99eac4db

SHA256
e959a5f01e81e044c72152823527fb9101cb08117bb8ff4e9bad645de295eba3

SHA512
5ed37092a94028be900b3e74472830eedb1eda249eea559f0cfa5ddf44edfa292b77b78635eccc901eda36cdab1f37f66d96f1bd5cd77f2b09d71cb2952e9a7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
1ce5e1333d779162816212ce35f74a15

SHA1
342c74a8247cd9991a97a42e0dcf36e3ad8ac5ed

SHA256
fd30421550cc4a016732944b1110d668633d46e9165170dc281735deb7f84063

SHA512
4c6578add01f061a8b999f39b4891801dfc554124f80e1fbdbbf1085e9557037601cc8bdc565b6d88bdd448a03c3ac3b13123c421e9ef8fc6deb69e9413b7102

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
7b9f9fbf686eec37ec98e139c4a02f13

SHA1
54356ebfce6d08cc1882fa83baf895057428db88

SHA256
8f98fb05294899d7ffb0a2e0c60be18d0e56a92af2ca3a20561e57d532e24b2e

SHA512
0bf12d28df8d1081c90119838671aadcb994ab3fae2e917caf61872807641a4c7b9e0e5966fd9f4a2fc67420152393651d87e436c7576f6c26dd8046b36de12f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
8b2ba1529acc79f68c10673818b502f8

SHA1
96734213814e4725b1bdc6b2dacc3fb0a6095431

SHA256
eb2d3faa575b4dd3fe300f188c5913892eeb3e6cbdaf42d09cfeecc9a764cdd0

SHA512
73c567c433d82bb0838219159f96d6f3408ffc24af845dace363b0bb1e9f62a8425701a4b3c5fd7c29e4a059cde9ac055440a553e5abd91d9ce7a6ec82f15dc1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
f97a3fa021f517ba7ebfd26a1401829e

SHA1
d621bb62aee4dd4c44223a20249a625df5c80f84

SHA256
66d357573677546f53a129d1f4696747bfdc8fd30dc71e0d3f1514dc51ae2f58

SHA512
a776fc2818749c12be4512de24193b9f2d72ba57b8761f3f5c0948a9af3472ba545487bcb215f0beaba5069d8945b597becc52f4e9a23ec7a49f5e6aa17f6343

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
c52d5d7a6eef7a4d2c49e013f4a26e7a

SHA1
09154ea8157f49b936bcfb8a93b9c8a3a44d5fe8

SHA256
23f7facfcae30f68e9a78c14f64446524c475942fed5d4570a0f90ad3de4c370

SHA512
14e8a6fd6b38058d6259d456915d1861a115dece70827c09e2dfaee2ec82f3382c3b6b92c3a6b33a11b05e77ef320442c78aa7240ff4a73d196128e97093ce9b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
153784e2d26998c1a99ed039b25b00fa

SHA1
c5a509808c9375e1ea97d87c6897dec931992f39

SHA256
27e8b66cd0997968eadbd06a2d61ba514105959e0264fbf6775a925008b90aae

SHA512
823b34db1380617c950c186b5cbd52a450e6f96f395f0d773f7ff98d6f82f08bde756bfa61108b2be3a820ea7e7c99e7d267ec4cfde9bf7eaa8d85f340dc305e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
7092503bee18ea174e67257d30abaa72

SHA1
eeb702aa4a1a2995dcc6531cfe2b11c7b4fd0eeb

SHA256
d1d12105265d16a9fcd91580ea42315c90c2cdcbf938394020133bbabed7ebb9

SHA512
8a3244dbe145fc06545582cb0cbf352eb5653ef5de9b489758a076396a8e8780f7b7b2d81b0ae54d1508aa0bcd7aeeed322cc7d4b8256674f1625cf64d942216

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
d578aa83f151a71d5242cc540e0ac768

SHA1
6a4cf864089f3c6ebb6884eaab3d8310713fb683

SHA256
8b1976f0a3287a0a24179a6e7736cd79361920873a3f5428281645a2abca6193

SHA512
9bc92bd6222717c6d21d8b15d67e21005dcbde84e09b35ec5b28508b3f403754976c88fb115e8ab05eff2e28bcf6ee77befcc7ca3c651bcc843a78a01d1ccf82

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
90d6d49976edf32cbfd9b76ea0432af4

SHA1
80b53d35f7044855a0e46a6f82859e567fea2202

SHA256
cb10d96f45deff112706f0ffc2afe81fb6ba891894e541c999a33d2d9f25bdcf

SHA512
69692401ac33cef6114f3a095bfc1d053996e334d12b8714f707c070b742bd303019286b30b8df0c68e37dc9e116b34700e07011782bcfd811ac9cc0d391a1b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
61e766998f6d2fdca79fd90e8d4ebc18

SHA1
b2d9044846f23a4dec4ddfb2af6735a5542f0b78

SHA256
b108894133c83a4631e3a630cd39693e4e26ecd2ac8a01b9c34e4e37729dba66

SHA512
4deadb3e86c90836ecee9e7579c56bcb6bbb9cb7ae0d03a35cdea663ce3c53a5041eac04e9a2ca2cd6b588e5b02094c966037a6077734c5de0232b4b74b5b86a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
fc09d1f2d90ff6454f153446c1a80ec4

SHA1
25648dc74d5ab25afe079f73c9756becea5016ab

SHA256
7a4ba2d2f69fb711ca13c0c5d987e4cd2ef1165ab081d3663d3052c15ddf2621

SHA512
3e181cc0b41c2c7f9dd7f08318832ad2885e267ed2aef8ef6ac98c7e9365a9056fab112f9e82ef76c09c18c2a05b077225e42e521a342addbe4bea24e7bae856

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
53a6b8c8a0838698318d51804124f0ae

SHA1
0942697f1bb3f68f831fc91946293956d407e784

SHA256
2445ba2b85d96be0bd3f972902175d3802136282f0be390068d7666dded01743

SHA512
671423bf29341c6065d20fe7aa4807822a5ef003fad8080f4e318f94ff80ff2e84a46fb3b6e9bbaf3841fa30cb1adfa365701c1f304a020f7c0ecf0ec302237a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
7e0a36f69f6d5e2d457299f8f6b3363f

SHA1
f4a8527c249fae0b674962e8488828ac5c07fc18

SHA256
1c349cec76aae98cfc171c82d3b9830d13b36d0d3a7a48320316be9ed71b22b0

SHA512
43273aea85e43071ae85026b857a9cc5ee9314428b7147506b9e6be3603a52631852183732a0acddf15ae22f2c0f96ae07b9edfa6de73aa108718316ca85028d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
736f824f7e8760036b973c584b7579b6

SHA1
02c5ef2c4374b66fdd24f7947fa606f05e098779

SHA256
9e5799ef7ef41d1b8a6c1419f3a861beae86c8c824bdcc5db6befb71ab3bf1a1

SHA512
944e23bb58066d9de380f7f05344afe9f5163592cf3998db55c2098b05dc81d14d2faa17453fa84ebe9d09e5a442936b48f243b94e90314dc1b124e6584ed69b

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
68a4239271a711ebbcc0354c3f09a884

SHA1
3acc4afe4230d0b8012d3d5d1ba0e202356e2eaf

SHA256
fe6b81d14e8a7754447f81ba201a7a1d5b5dea35332f1f6df4f7ec1c1096137f

SHA512
c84e0abcb2ff37d8eda6952d6a9fe99f41dc4d9d476db8902e6111652d0e4291b39f5e3b6a34c46c0f8efe5aec19506b21be5f40591500c5de9e842695e3b66c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
54dfd512a0f4a3b3dfc1f2c37e19d95a

SHA1
fe1856c25583f2acef58afb6c37de460a7566f8d

SHA256
cef02ce93e6b70fe43a2e86bc5c1068aa20908069a5d3f871a8108bc7d4e6443

SHA512
b6975e301c370344139eb735837a9449152119601acbd3694a771918eb6c23fb6462acc5a7a1ab2a9cb773a120a3bea9f2a71f67d9cabc40253bd236a0163601

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
de3a8d8dbc7ded0e941cac605371fe49

SHA1
126039c0d2c1bcde8afbf51a99d0d5975a0d6006

SHA256
4e180421f682ce6837c0fca2e31089fe84280f96641656623495d59a2e9db137

SHA512
0f550bb48ebdc34e8d66c616729b1274cfd8b7adcf2df025311db48a77cbb386ee76d6d3ed90cd5656e28ec7b80bc266612713a907d58a3096e168ad8dc768aa

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
34965974af366e2a1625a80111bf4e79

SHA1
ab8f7841885445c1eecc1e9a8fac9374872ce580

SHA256
59fbd07f2d84be873f73267492b85f74c07f33bd63af37dc33d82037b81abe59

SHA512
15295fd08850fb69d5b8e79ad31c375b7dace9f959e5701ff818d72ab11a3084e8d53adbba3093ba27bc96844186104f57adc489c4d303f8522c9e8d5a1f3b04

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
fef31a72e9eab187d2285e1ed3995772

SHA1
0259fe0eeae796407136b052625c773ed15cc1c8

SHA256
0c02c189a0d4f5e2cc9552197e34b05afb7b1b0f285af2ac6616b89fa875364c

SHA512
007801a4cb98c57b3eb330d91d96845f71c7e84a1b1ea574f881bd6807aac39cf0fe9a6b748225181589af78fef0636f5c20707bd0ba3ca2152706838a820994

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
79409e3f1aca540226fcda3b479d50c1

SHA1
6b3309111239b97819d22d10434b2dadae46ea85

SHA256
fdd71dbb62082f19ad50acc020663436135dc1d3b719399ed951f58886437971

SHA512
f4003387b24b8257c8bd554629a2b1c8b39323ebca1f24d931f74800b2b4b936406a72a7668d50b88fe6b88cbe58cb1378950244e9255bbda9ea49d7fed05fe9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
f3179280b218d54bfa7931e9c82c5493

SHA1
d3afeb67f273e689f18232bc4654d7e51a019daa

SHA256
925879019cb8d0c42442692c152c9236702657886fb443544587b10b7b918906

SHA512
227333a9fdb4c8292c482f690d3509c1bacc11a14e02d61966e02a1db69a9cb9e017ea5765b329f8ae728d0b615c7a6fe75fc95041d1d7f86bf175164f116909

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
45544202030161abd07f8b92e4773723

SHA1
fb1919f57db7374b05a568dde1d51c798ac90ffc

SHA256
9cc7268bcaa24af5057db81b22ae46097e11a072fb47bba44ffd7bd44594975a

SHA512
2a717984ba0ff14d97b063d334b75dbbee394c2fde80e0769114afd141dcf85e74be4a675528251f177a5c7e1a7a8431c65e0602dde1a42739d02eafb1806949

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f6f8249b2403a1d235a90761cbde81fc

SHA1
b4739a18b6e4dfd7e3ab85e537c68bab286ac363

SHA256
47dde963cab662564af3e040c01c6be44cf1d8f21db6e1f09745a781217dac9a

SHA512
dc04daef7e76e02d9e90e568386542631391e66cda5043151e01deee535dc2204544f3f8840b1ca1d702050e8dd864eacc9d4549b93ac087ecf4aa80045a1ac2

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
6df8d193e5d068b0d339e76dbbba5095

SHA1
f8900d1f7c00d19d410c5fe258bfc7131c361ac0

SHA256
4b99e62fdd273c2d5f86df8c6a52c4c5fc5ff9607a5ec155a9bf940be91464e2

SHA512
0fdc5a2e526b6c70d6972a9927ae2817ed8f27dc90d531763926c71449817cc3880acce1592f631bdfee945741efa03b82221726a5a1bdd4e5f5f4bfb8be5d3b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b2cbaab13da19c50b73b4a719c30ea28

SHA1
1d4c1c2c025dd6ac55b1d224d2da879d07fb1a24

SHA256
efc448d131dfac8fa24a58c1ca4836a53d86b50e2db592dc83528b6fc8f21348

SHA512
010051cd924575c73a31d8f5b595ac49c137485c041a3166a051bee7a8c3e5b52f10f8a7323aaeeef1004876e87a3f8a1038623fcfe06460359c12cc75f894b0

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
078b113fa9a85984fc7094ad5564c929

SHA1
b44f1e0473ebc3971a58b19364d3b60d6f7c8632

SHA256
7321137d1d8d148f1742d3a4815f7d95b5d5d742fb7884b9e76341b27c2ee53a

SHA512
2daa77d10623b0c2fd73bade92adeea50fe90d094afa5e582b151663bcda32e2ade5ac5d29ab4c33b89de85be265e55828f0661ccc0ab9f0399d1aae4d1f6801

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
07da2eeb572777c64b6a753008ed138c

SHA1
ace4b7ad6c3f63c5585cfd2d84e1c9119e730bbe

SHA256
312a26091805e0f5ed185dcad17ef1454081808870fef1d37c436cfdb7d7b265

SHA512
636b1537289582b09e7d2655b58fc68ec7100e27e91accfd11420aa11d1d0596ee68a88a315e67dfe457a4b3edcc21719f50bfde4fc0bbdc12414ce126382a5f

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
59dc097a07fb03fe474a721f09a3bd94

SHA1
d12fd7df6ec3ae0f4a7e40e05d49a9d607a18084

SHA256
b6f2adc91d9926b68799f80c3b7b9bf3428c97c81cb4f807904eb9f34a9da6df

SHA512
aa3c15df2f58cc54746c88df86293a5b05eb4d9e089f7596cc932f702d821ebbe9f595b3cd362a289f7560279e2c4fa096716b4be615f6fda51fbf1eec22a795

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
a5f0d039555b4b87f064eec421afe12d

SHA1
0f7044f59f75bcc27f422a6d1a8e1930aa8ab4a6

SHA256
02c2df185517acca2c0c75cfb478b4862aef429ff77db9268da4304d7580a71c

SHA512
1eff9a1405992336850230e8b0a8cb25c65ace5658d347f884a1afac155163adb284c44b3fd0de40ffcb0cb7314a3853b1558c4502c00bca088ee2544b4ab6f2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
d729193789d0d1fb01d09f587cb445b6

SHA1
d295e9597513344227d71c93977f6ee66f658111

SHA256
31c9d754cdd01d21561a011a99f42d924276ccf0de7097b2ed0672e5fbcb8028

SHA512
69659c7ece9ea652a1613194a80ae77ebbb16615d2e04f80e1cbdd774874d5c85d10c7e72d7c24bf68cbbc5e25cbd7539f9db17aed292777a12e012c9e668fe8

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5e9065f9272d8a6ab4a3df9c10cc4fe0

SHA1
03ae7df5a1722ed6efffa3ba08116352e76e29b4

SHA256
61992f1e923c1735cea7df43194565295885584289443b7efc24021376fe4c78

SHA512
cbe9448698e33845746cea664b808af06fbe5bbb754da5eb580fd581b1202fb2e284abb8861c54713dbe071ebaad78e3ca8a07a98923060be8af65425cc1328d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
033d952d6116533fafb4fac2756ef339

SHA1
b427022fe8224f3f91f6d6f7c1c1dbfd0f9ab8cd

SHA256
5d636ab2ed0b827ccd9bf59b71a2d3474239094268cd0f202d5e0bcfc06f7078

SHA512
ee4f8badf4b05150c45e1b003823683882f8d8508dee0486d909eb6f1838e669376347e5766049e07ff22cf6887d6c2744582c3d8d925dd0edbd82b80a6289de

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
aadc4b2a568c84e76aabc0302460ac39

SHA1
bf251f62fbc264a125926313596cb836e54a784a

SHA256
cdc8074fc415cfc48ed8c74e5397b5d3242ed3a216bc868e6f8f335728c779ed

SHA512
48f3659ae2dc4bc49c24a6081097acd9658a65f076a043218eca11bd484240f86350076479673a544a528be1a5e3acbb3f3717a5ab3f4a4b297b8f7d1af89628

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
806bef911fa1eb4c8ff94e8ca3dd2742

SHA1
9a79dd26b2e18b685424a12b7daef7b3f49578f2

SHA256
ee8521ae78bdc768c83f2f27c48e644d55fbfd274cff3beba695aa72ffaad651

SHA512
22760e7eef912d0c2b257ffc2a7161636d856510eda6fa04d054510d7a461dd84af4980a089dc787af9b1f8cbc79d18fe0307b52ce7b77517283f300c880d52b

Download Submit
memory/460-456-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/460-449-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/900-423-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/900-432-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1056-0-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1056-7-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1056-15-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1056-2-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1056-18-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1056-8-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1260-349-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1260-342-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1260-409-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1512-246-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1512-253-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1512-313-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1512-247-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1760-340-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1760-283-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1760-274-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2616-302-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2616-376-0x00000000007E0000-0x0000000000847000-memory.dmp

Filesize
412KB

Download
memory/2616-308-0x00000000007E0000-0x0000000000847000-memory.dmp

Filesize
412KB

Download
memory/2616-366-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2720-241-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2720-75-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2720-68-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2720-67-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3068-446-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/3068-436-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3148-287-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3148-300-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3148-352-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3208-30-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3208-37-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3208-237-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3208-29-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3208-36-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3284-381-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3284-448-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3284-389-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/3344-470-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3344-462-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3544-361-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/3544-52-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3544-422-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3544-53-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3544-59-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3544-63-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3544-65-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3544-355-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3912-369-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3912-377-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3912-435-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3984-258-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/3984-257-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3984-272-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/3984-271-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3984-265-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/4212-233-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4212-13-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4212-24-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4212-14-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4212-23-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4420-315-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4420-380-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4420-323-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/4624-238-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4624-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4624-41-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4624-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4804-328-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4804-335-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4804-393-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4940-407-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4940-395-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4940-404-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/5072-420-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/5072-410-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5072-552-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download