440468a1f8c4f688c104be726a2c608ab2651784dc57eea325f2df7c58b159da

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-10_5e50d1914e96501ad2e3968328ed8f7d_ryuk.exe
Size

2.2MB
MD5

5e50d1914e96501ad2e3968328ed8f7d
SHA1

162aa982abd21a80f769f6c1e32f8f76034daf01
SHA256

440468a1f8c4f688c104be726a2c608ab2651784dc57eea325f2df7c58b159da
SHA512

d2a2ea3229635bc6193b682eacacc2b598c4ce68d265f3f61cc15dada584ce90c09d140cec887027320c0114fc885b136ed5dab7ebf5d38148cce273bab3a54c
SSDEEP

49152:qNl7soq7sQCc1kyG2xHywRfHIO2Ts4bvDs5UbU62FAQ228QKl:OD2311kaxp9qqqj2FAQL

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
960	alg.exe
4412	elevation_service.exe
3744	elevation_service.exe
4928	maintenanceservice.exe
4500	OSE.EXE
4076	DiagnosticsHub.StandardCollector.Service.exe
536	fxssvc.exe
2224	msdtc.exe
2872	PerceptionSimulationService.exe
376	perfhost.exe
4952	locator.exe
4476	SensorDataService.exe
4684	snmptrap.exe
4884	spectrum.exe
4292	ssh-agent.exe
4428	TieringEngineService.exe
700	AgentService.exe
1856	vds.exe
1608	vssvc.exe
4644	wbengine.exe
3488	WmiApSrv.exe
1652	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-10_5e50d1914e96501ad2e3968328ed8f7d_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ed4ec0ae12d07ad8.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{90C18CAD-5F48-47B1-8376-0F604ACAA84C}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005729f387468bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000186b7287468bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005729f387468bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0689187468bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000890c1387468bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000047368288468bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd96fd86468bda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a5b0287468bda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4412	elevation_service.exe
4412	elevation_service.exe
4412	elevation_service.exe
4412	elevation_service.exe
4412	elevation_service.exe
4412	elevation_service.exe
4412	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4780	2024-04-10_5e50d1914e96501ad2e3968328ed8f7d_ryuk.exe
Token: SeDebugPrivilege	960	alg.exe
Token: SeDebugPrivilege	960	alg.exe
Token: SeDebugPrivilege	960	alg.exe
Token: SeTakeOwnershipPrivilege	4412	elevation_service.exe
Token: SeAuditPrivilege	536	fxssvc.exe
Token: SeRestorePrivilege	4428	TieringEngineService.exe
Token: SeManageVolumePrivilege	4428	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	700	AgentService.exe
Token: SeBackupPrivilege	1608	vssvc.exe
Token: SeRestorePrivilege	1608	vssvc.exe
Token: SeAuditPrivilege	1608	vssvc.exe
Token: SeBackupPrivilege	4644	wbengine.exe
Token: SeRestorePrivilege	4644	wbengine.exe
Token: SeSecurityPrivilege	4644	wbengine.exe
Token: 33	1652	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1652	SearchIndexer.exe
Token: SeDebugPrivilege	4412	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 1796	1652	SearchIndexer.exe	120
PID 1652 wrote to memory of 1796	1652	SearchIndexer.exe	120
PID 1652 wrote to memory of 2308	1652	SearchIndexer.exe	121
PID 1652 wrote to memory of 2308	1652	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-10_5e50d1914e96501ad2e3968328ed8f7d_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-10_5e50d1914e96501ad2e3968328ed8f7d_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3744

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4928

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4500

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1980

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:536

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2224

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2872

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:376

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4952

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4476

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4684

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4884

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1480

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:700

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1856

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3488

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1796
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8f6af66d0ada771fd2df78e6cd543c1b

SHA1
dd9c43117e13ab6e1626799bf995b337937fdf48

SHA256
c297f9956a60cdb118ab73ee9f9cbf0a86fa3d0ba38291add3206a4764bc6d5d

SHA512
4eaa5510c915522e2e7ec88cc762924a59e9c0ca0501c53c3e35c183f3afb3dda24de6323962351895e072f294c23a7b19a4a0167a3bef6aa5f9ca1c9ca2544c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
b33915676eb4f9630567e5838ba18243

SHA1
d44294911dc66567dbbd3c627da16eade2aed52c

SHA256
194d9bf65a4eb31dc16603f2f99ca0ba1e80de0fb6f7fe13752953b73c3f9ca6

SHA512
b1f64bcaa8062e44cfbd50af0e3e9d5483e8b314f9091911d914c68d7c0dc2a8b0cffbaab1e168a78388de08133aad38a408719b8aadd1bd69898492125ca8f6

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
22dbae9a35ad029d324e5a219ef68ce3

SHA1
d1d2782071b80fd26d1aedc9064cb052b2dfbf12

SHA256
0310e60f0ac393b0ab3a489f32a597d689f1fb54fd30c39f96e712f00cd2ea02

SHA512
ebdbf962a776eb7eabcb004bc869ebdb9cb24cc857ef3e5cc7de0bce69814117bfd6536a5c3dc83b0c0d90026577f56d7e6416449e4c925ff36e5518ddc52d88

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b23a5b75fe0e9965d4a43e0a60fd95d9

SHA1
a86a5b19b92e84c248f9ff7a06b30103091a9e3e

SHA256
e58d492a85d50d1c0870674667eb218f000637090e8396bd5aa771e88e5cdb85

SHA512
b211301b427dbe5f0e3fb65e53330b8c8c603eca106ed91e31ac285a12d7829e59cb2059de3d032e5d843e52a428318402b794ca64abd2f576805f50d987ff8b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
283218dc48c971c60de8bd0e037c9354

SHA1
903f9a24ac513dfae55ee79609443c0bdfd4cdd1

SHA256
a9abd03bc425372b3caa1822eaa907c4d8b6482539d624724a6dc56a54f4ca65

SHA512
a2b017214785c0283ab8833f5846fd9ed15178d25c65cbc2acbcc7f610c4e41e7c2c5b7ec94714d34a8382bd4a652b59ab834555d28a08bb205fb7e508fc68b0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
5f1adf780bcd6dbb701431ff083951e7

SHA1
9c59652cc357a17465bac14475e62455424db1a5

SHA256
3fff78931361d74a1faf1cd39e0881c5449b89563ad6c5da238ef47d24ee0d0b

SHA512
052811549594cb5f4f90cfb72365e1bd0417720927a979dac2ea49c8f7fd8a942c03a315d03ec9b81b5dbc8ab0f08dc2e196fd82db02cfcfd6a266faf5852b97

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
e1c961933922af7a4a97be6ecaf6a769

SHA1
196076c27fda2bf68c3fb0a4195ff3ac8be4b654

SHA256
d362b37419b9471f11cd48556a574368c8e0dbb2129c01304d11e692710b6018

SHA512
f7e6bf6eeca0ff7b747970cbebd9a54e0be3f5bb93eb419696b89497bbcc576868230214415b5aa6a42589b634fdbfc5f3433536a274cc9df5980f4381e19239

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c96861b5a220d366a823b21e67741c31

SHA1
dfe75b4a82357571f5dae1cf495d49b34f203dff

SHA256
47daba823f415e3c2ae7749452ce903d3a43cce6d50bb6b10c64716eae38fff3

SHA512
1091c328b5f8bc3d3860d662e65bd21def6d6f9682677422549d680f40086650faa01ab8e24300d44352b13cdec9e14518e6b68c70a475fcbb5fde51278224c3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
31ec1dc27de66f61194d65c14d9f15d9

SHA1
116a195bf9231e7e184143e8800326abc003d522

SHA256
876926d8f742243c681597b611090cdd53ce5201a28acd18cbaf8bc11f4f239a

SHA512
01fdc3ed900516627ddfd83590116b47c82d219e9e627238473073574908a904fa631f7ccbdd4d9af8ba1db278b568797d807916a2af18d38ba0813c0cf87224

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
dfaab440f3a977993c4efe878cffe8be

SHA1
336936e491ac62f1b13d7f696ac80d46b1768e9a

SHA256
d13233546e5a87c3d6ba5c7a0b014151f1966537b5f92af75651802d79fa5c74

SHA512
e6bdedcd5a3a90bc74e3d94d2a3404ace977748e8c4e7ef5dbb88fa1d8a7ff88714313a7d956aaa11876e4ec4774f337dbe1e1772d6521619b90865fbe74afe8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a1b6c2ad30db4645875c51472e97c104

SHA1
4171657a3996ba28be7a7657323e56e7fdd37700

SHA256
c73a48af145f85ab0badc1b426fcd4a66a7869d10b49f885d187f2ed39f006a7

SHA512
bf9732e9372f3cf0ae23ec370fe110fffd0c061d2380419219c4d6f5b6e39eb1efdcdc316da91dc84f1875405f42ba3fe4272b8723f9e72fa0c64ed6535eecc5

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
176b9e2a108329a780311cc02f530622

SHA1
d2851c94672eacaf1f8c0ddc052945452cd6bf2b

SHA256
fef1fa2a2ebcdeecc457af69f1a1522218d3743779fb0b3908ac70f4cec16355

SHA512
73186d55beeecbc73386059da29dc4c060d2b6c90dbb95a4fd9433789eb239e3d10f04dd592170c943a370260948fc29aef5cc339a3c88e605709acd8450f53d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
c7df41ef6e5b1b9cf0d48cb220912845

SHA1
47fe8a23b5c5eddc25a7782f39766b9584c14bd9

SHA256
714e77b568951d213da8ec488e99fc3411f4c8a9ccc8bd029a9418df28dd814f

SHA512
c331a94982e512debf20dee4e5986ebe0e98946f3d11b127f6b69a2a8e18250c24373ca22f0f403f42cb81c1b363ed2fe28c455ff7348732c6ce4d5de5cf5e66

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
3c94d62e986ea6d16483d3005301479b

SHA1
019c1e73eb0630f1d44385184dece900a6af67d2

SHA256
fab23ca7315ab3d9c5b370e5cc5287f94a9d4d69657307283b854cc3086a501e

SHA512
83688adaf85f8ab5fb43f66324440a92b199a40f7ff83209b6b81b1efd3e373be2a0345aba24c3d6624027882b3bae2516fc301513f83020be3d9aef44a468f3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
3f3519de82a779cb1dea060d3aa6735d

SHA1
0cae83b46deef611cecd3dce34dc563ebd06801b

SHA256
bff073763333054a853808cbb6df2c7df61715f2396772dcc718bdb9af0d42ca

SHA512
56aa201d39e16b673607e345abaa2b3696c125a4cde14820ea3650df5b85c838673469bb02fb2f4ea98307017f865879509a9bec2e52138261f13d2ad6892656

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
d139da26f8b0bac4db5e17a33c85b863

SHA1
7f479c7369eba6297e196f0bc7b9380fb133c2d9

SHA256
f6f6bc7ddb4ac6e5a29c598b540ca3d975d5b429303511982ea4d88892b868f0

SHA512
b3e9620f1e988fdc556fe79802a6f5a7af57f0f1bfddf8ab7023692bc90ec1bbf64a0644ffb091aac784809759d0ff721b2581f03a7861c85e24f1c2c2142920

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
24514a35902ff67a2c9b84ecedacd13f

SHA1
c4a9559f58eb8991e173621b6565e080d2c16f99

SHA256
5b0e96894d6370ef4c9285d792c6f89b5a5f9274f32d08b7b4bf6e4c9e5d9f4a

SHA512
a3977ef3b38559d56e791ef1527286128b1eb2f8c3949403d16b6bed2074ab0af70a6e6f71150e7f65b57341552245048715ed9bf974082b290408960e792894

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
8fd5601676816c967afcc2acf916f768

SHA1
c9f445c02ffab5e68dada4ae0a56b904eb417917

SHA256
0a4678a2a385aed289e33a5ba6a21c71dd72c36310b8fa4b874f58d4eecf94ae

SHA512
69aa50a315ac182129fa822355963cd4872cb41f4a12b8a26031167cd2357ae02b572796b5c74092c14b361aef049065435ebdbdd0c26dcc0c2f2d535672ac49

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
47ce71a27a0278db6d1e98af76163210

SHA1
ffd87363d20b234152e11096debd5d57d3c04f1e

SHA256
b858c03a6fb5f45992804eae0e25cc60481c8307643399d1100218fe48ac56dd

SHA512
ee5db3bb353267b190b1173542fda3011881a8aace9b95a4ce4e1f5fc4e46e88e1b7a6c23f07508ea939096f5b316cda6681aa169e493f178bf1fea0900efdd3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
da26deb3dd307b911fde220d0f106614

SHA1
c5ce86e09f8ff39a613170502134e38632826686

SHA256
e00178e0f3857abfaa9dbe6900f47cddf92c09470e9f1ec2b4c354c66bf7fc5b

SHA512
e2af31177c1b6bca122902e866d624ed35c06b85a0680c83c03522575c66f8757aa1f080e2d1da75a80793d93cc08be89d60bc8d7004f47b74457138230c6587

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
315d462de4217345f1cf90aadc934f32

SHA1
48866dc5def4baee62d0225a521be2c2c927efd0

SHA256
a3fd97b0023d31776b84ac4200f35cf902db483c59c876d763d28f1c74004bc2

SHA512
fc13cbb9387e964c511f14ee2f94bdfb53aa682502601bd78ee1edee39c2dd5dc86447657e7730acb8b05c418f065ba7001b38d2e74233fb44dbbdd50a49bd40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
7d9d86330d5cddc5b0c0aa3efc495f0a

SHA1
e04d93d7a70b1f264b6dc2352f40162c71db8214

SHA256
76ed1de4d86dd08a19995a2cdcb2c302d894fb4ff0744d6b856d27dbb54d1f8d

SHA512
e66f7cd94dfeabdf8d1227949c3241aedee3e25b16b8156d36fa9e4940b943120c74d4fd664ee72b383b301a7511fbc84da94286b86c3d4c2e7bef694b9ea4e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
7edf8d814939164cef590cc7b69221b2

SHA1
99f0fe21035a29074deed4a668d754bac61bde98

SHA256
1a0758853a8f8f5400608323343b3f905210500f832fdf450408630d2cf4c13f

SHA512
ef9d82b9b8607ec9719a8ece76aca2ebdc563a0c4e54426fcc5527b6b7690ceadab823d9b53fa8f5122847d098777a93422783288eca9bf6712631a272a018b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
0feab93b5cc1df285670fa246d713a92

SHA1
d531d75cb2f08aa90a6beb3cf7362e9efdcd1ccb

SHA256
cef97786621c56599e5b0781cfb7a9d7a4cda70043378adb3f867a5f47bf18ea

SHA512
cb2e97a42d7e600279049d81562bb9d52930ddc5102e53b16eabb772f98adbd97f3e7fd314ce0d72bbb884afa5c58a0ce6df4363b0ce2d095426a83f97e22d6f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
56768bbeb110ba855552dce9eadc5cd9

SHA1
7e1b7f593e04fa0c9904f833c6798190cf672f33

SHA256
76f0ecda5111df29b54bc2b697dd7989a12324c20e1885c072c2430f7b4e8111

SHA512
8dafeb8a7ab3f6354c2ff1c2587efac62c93d4ccbf5cf811006ae544cd126ce689daf6557aae29171c5fbed021b2218f784f7e1b7941531825d4e96d566ace83

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
6ebaba2497468016f71fae67d7b33e1a

SHA1
ac7107631bd892b1c2047dc00b0129bab9b165d7

SHA256
41a1dddf3c5c700553b7e6c0de359fceec1766358668f41e9a997e0f4ea17376

SHA512
cf202d0be480ea54702f1bedd8f81f79e4881f844955f426b4d092c2d9a395d7e0c1365d2f321d2552ad1124fb4e5767f6ca23e54db8c9e8adaabf9ce0955f4c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
77a6c5c8698e31df9239d6227da40960

SHA1
86f155796b450e23c8bdf411c9e5f68ad2ed02c7

SHA256
9f501612d6c5c43331b75b6852bd1ce8fca7ed650e926f3a3e4a3cc9a509dfb8

SHA512
2cd546fa9d8d824511b724228b7cd528a0d28e69dc3e3b5edb23125f8624cdfbeaa0d78f7a481d266de471b536489e59089691709cef43857a995248d28fd3ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
810f827fac67b5b47fffc540f9dc0d0c

SHA1
89d043b5eaf3f311984265f174966493fbc77246

SHA256
2823afce0bda5d60e290cd9c198d7f6fc4ab4262c98786ca21126fce86be8943

SHA512
68a05c80b54b8bf5b371ba4eeca94157266db44a3d7ec65f1020b15d70eb42fde33cfecd6bcf556c00d408b2091eeb9b010d79b2205ad566d85d064820a9cb68

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
fbca96839f5b181f886a9d3acca54068

SHA1
7ea0ce0acc0a6160ea760f9354ba09457de16be8

SHA256
cbf8c49a374d593323fe46969319315117b3bfc22571d05c9608bd1a00ea304c

SHA512
a4912a4774634a6b66289806538774a157fc06c147539ac6da38e00ca0164b65aa22f25cee72ce6817c33de8e871d14e0759e929eacfbf54ea2fa3c2b2d48f1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
ff6de1d5c1ad3b905acfc42404381060

SHA1
740ab15df3c404dc3c689ae517d97aeb7149d329

SHA256
616ed7ceb91ce7431be32d5ec131857fc337fbf8cad78c2d532e3ed8cad8d402

SHA512
50e07015cec65dbe7b49d415492b1a37786da9e95fa438ef67c2810ee243fba36bb12a438bb6186cf91dcc37c7958b50c75aeed07bc33f504c28eca9b0000198

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
19d269e85534562cceedc551bcaf3434

SHA1
589629b520212d61372f8b85f2d85887c579b161

SHA256
7e5cbb40133ccb7e8d7b1bdfbbb38ef5aa87e4f2dcc7eb5bcedcdd379e5c6399

SHA512
eac105ab27c7f341ffac9786ae811fa3946b7a7f56c250f6b29407b72a236fb1a42dcfa9ac0bd192283931f7682af5ab43c43903c8e7fe3b0c21662b3116700e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
4472ce08b2505af97a7031805ecc9c66

SHA1
bfb76a570008c28592ec1c8ee530d1b1536e971f

SHA256
f58309b26729398a1f0e95c4fe139b08e1be75eca1ce0cd30d4687afedd93eb1

SHA512
17728bde8b403355bf1edc49b2824d7df733660ce9e3396ba0a24ece7999c74c1c78199c07b969271a92d24989ab2f0ebb569eb3767e031fdfad72e2dd14627c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
32ef716bd7d4fba2f867b1d82dfddb68

SHA1
72c8f090cf5dbb2079bf7449aaaf4dd8737e507a

SHA256
5ed31ee3eab7b3b598b5904c35425217283bf8e9fff6610e59aef3f030e48048

SHA512
9124f7d4fcfa62b3750fc65291cac42b0feea7c1fc3a95ae52f3ab0e88693f020b72b4cb2d331c7acdc7ddea718bfc58ca5f3728ad6176b1c79c4c71fc21e31d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
1beaecacd5419c52abb496f7a3446648

SHA1
8ba5f17bd64a305b354e01e31d4a77c6ec57598b

SHA256
2eb2f94247be27290e9b3ff37b62592f624828f0572aabc5c25955d48a6d1a00

SHA512
884074b7663a231cd7309e07a1ea7a88659282e9d18eb6d7f5b39c52616e8b6ae9ae51ceef073be60d00687af9e4ccf6b0b79e2cd6ee588ea8d2d7bfe6fd9f25

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
cc220982a20819f8daba52db904f6118

SHA1
e7060bd77ec04b4f5043984790ef90ae42e6cd41

SHA256
9a60668972d726d6968f7bfb5f2785a6cc3c227e4b0778323d29cfef8bcd650a

SHA512
fc91e2cc80bd53e95218056b2910897288c644cfaac10f7cd7e8a53c33a9d392ef73dbac7e6172143236bf00b53d0ffef38f9987905ea40bf6a3ae7f85273ff9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
60367eba53c3bf157213b8f7b3087eb7

SHA1
4c8c979b1d0159f4596092a4a1f90cc3d970f974

SHA256
588c24565df04bf627b55afd14a39f1df3a8002fd172a59080eff567625592cb

SHA512
5d27cd03dec97f160dbafe80282512c63c73d7d2b6e6b79358a6fc65f122804a3e30a193ee098d15e4d1d9151bc4491a32d6f402dad5dbb9abf74a8c45e0eb2d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
1b12598cee904fd7094f44c678202373

SHA1
8af5b40a207594768c2baf92927928563730fc97

SHA256
e4a807a9e00dc15a8b7e4c36eb4eb4a02a23a3e753263b515369d4eb71edb629

SHA512
7477fb3afa357d6bc5fe0984af01e8701fbf07c626b46fe0286e65068f6f45a4032286767d43b0a5dc598a51675405d22bdf2b614c04a5ea0d5fd4c73d849be2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
6a0964ebbe3810e60b0569a8ffecf679

SHA1
d816ebbfa622d5f012e29155434d0108544995c8

SHA256
6d82a2140ced420f72afdd2fe25353a558b48951468cb4cbcc2c5a6e16f1ecb6

SHA512
02a2906f58bfa0a5debc99f9775b6fe5ec7c883ea839d0852ab81abb5ad02844f1021de283925b06d039bad882977b93bd2d7f1a131efb3186e127d1016196ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
40243df6fab435f5cd1048921723ed09

SHA1
1ec59b16066da3ddc53aa4cf6092662e4c647275

SHA256
c7193d10cc99d05e72fbbdfdce64c904cf9579275df038d09b596b31b770e042

SHA512
50c472459c30d5a9e2621944956285012a36f6fe9159bf2a8d5af461cd8c8531bc7aa3f56eefc5b4c32d73744725f60723b9767d7515f7e2cbf6cfccefd0f5cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
0e9aa21ff8bc793f7a021e869c110e98

SHA1
e389aa7d38a6759eb578d291f06f646dbbdc990d

SHA256
7e57ef6774804bd734e30998b8836d5e00b1fdc61eb690306d6dbc8300acc44f

SHA512
aed5c8085211182bec3401c17665aac66eeb601a5fc9c59c1edae585e0acb27c87b4c06bd9c7d3022fff6af204529e5a3340f13ba65032791e6ecbd0433d1a4e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
29e4df63a5b82d97ac4da8787ddd0bba

SHA1
b328d9e2dba8cdb33985db776dff997a6c0f609a

SHA256
0ee3fb8372ce7ffdd11432d7b06e8bd415c9d3af36092bed04b625bed5b21e4a

SHA512
09f440843034dfae04d8d6ab9b1253e913454fab5c5ad2ff2a6bab73eaf0fb061b3da416a560bc88679d12b566c54203600b17e2ee110962513488803cd96f3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
ac0b4b4f9a441a4e373d13b47b62580d

SHA1
5006283568e791f23a500b99c554e9933de5004d

SHA256
1010cf916c4685a43dc26d68911f70689c9794fa18e53eaf2b42619e603a932c

SHA512
808cf2b67dc879918ea20b9c62fa391f56152e6a6e134f5a31032f54c284cf6022cd744d616f01ecd74138f5b21c57235e160820c685de0fc5c03fa6933eab49

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
9089469f52c18f5cac6dcb0b7062edfa

SHA1
e0561db0724a79abae7bf8750650e0dfe65613c0

SHA256
e58affa0a8f4665aeb2d620968363361679422393e0aec1321d8ad8164a93c21

SHA512
fb7a1189470370644322aaf7e1afac6f50f37492c4fbb814ddb61c66a9751e28bafdd020d6e732e93bfdcef2237dbb5a170bb40ffa249331dd7b5f3a38fb712e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
795d439c4097a1e92df80e008f5ddd26

SHA1
fe75298632e58600bcc025afd76705badba63e90

SHA256
9e3cee451631dbb81b4eee5e5353e04882e4d2349790bf565caefc7b01f93d52

SHA512
003e98909ed1eab44dd42e97ac8dad5a9e0abda26c728ebdb2acc67ddf4e4ce9d9f8ba603955a4dc02cc7dea7c3f714333146fc92c4b09ccae54f9bb10ced0e7

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e75ca663e5d4d1e7bcc49f5253e1906b

SHA1
f647b06e578030a7fd1b083dff1954ea5a0d8f44

SHA256
93f56e2e42a3f007bdc2611e3b932d2b97e93fa7ac8a7b1ce66b2bb92e3896e8

SHA512
19a053a47526fb2b22cea16c3cf72a9b8354f3ea8fefa90ac4a8e4a8af0f88a01c73bc236192f518caea4de29bbd848c87ba372b306ec711e5405604c000394b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
d6e28cac856495824dd7f77347c44376

SHA1
e6ac15eb7d98ca39aaeb8611b06f14f8a552348b

SHA256
315f0ddd4a6334afbecbd9a77d630ad210f6955785922ffd9ef5465c73bc0c10

SHA512
39b3f0344c06e60ec73aa04926c574d453ae6fefe7a0ad1bb8c5fcd034f88e30bd2db9b4d3eabef9acf968e644420829a291ac4685b5d286a603cae93c3d6fa6

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ecfaafe850dd174e78466ed888c5cee3

SHA1
a9fbc6f9259577c3fbf570aa580f808cae177c84

SHA256
67ed820aa3662c2cf06bb3eccc9425b6a3d558d1df50878f508065a4d1ee8bdc

SHA512
2b41d9e3912ff8e86b1c87d678598f74be07a0026f7cb777681d74107bb6dc11322b3700fa79ea85c4ca9c8c28050480778096642fb1410bb0067e885c19f7e8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
896ca84ca01059af54350d67dce12e32

SHA1
cd3b21f547a8b512a3385a42d4b6a9ec1fecc790

SHA256
0b37acc93cb82ab7e3a3b39e035a6136aae51c1cf456e5e7ec00ae8ebc208a14

SHA512
39bc91c5196897e05f7b1e558101e83e0a016fadd1a3c1cfefd6ba658ffeb3edeb7a476596122103fdf9fc2ecf4c231df36170d53beeec52875151bfc7e46e3c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
c99193c1fafcb6ef5e0588bd595f5b86

SHA1
39b7c2167bd09c0e6f65006b73e4ef88b4c2e28c

SHA256
7262192e417415fbfebdc75ffae689ff9c559403332986ec10e0390513e51735

SHA512
c761facf486c1f51160307cd43e5173c03353ba4a5bce895e1f5ee812163a1885f80007d350f9e5d3b62c96d6b7b5f1649cdbb09a1777052411d5022dd2fcf22

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
0c5ab7b007cddc32d827fbe8947a4bb6

SHA1
f8d8530f80be788e3c365a39c253aa67bf221c64

SHA256
a36863f576745c15339cb07ce04f2fa699841cfc02b091ee289d47600505364a

SHA512
6134e26653a4bc2256ffa233cdffc997919116c30b33b0dc5a9613b27ce6221087d3c39c83e546694a4053ad1e06897970b12cce9220d9afa7ce4d8df79859d8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
4746f82bc118ddc1580913625b04ba92

SHA1
b8a556b446e43560b358ab3d5c7e91647ebd4d95

SHA256
6e47501c8c8bd83ff6c282fd29fb1042931502913ee9667e18a4c023c357c0e3

SHA512
385c8c9a3c87f4f98f34ffa047c48832f7a0c31e9d2dd12e2d77d9db2868234ac6eb920111a7fcc9cfde46d9306ec3e3fc7127e24c6f956aa516137ea009a4a7

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
66a947b65f6b8bed9ec8e899499ea449

SHA1
bfca72cc0bed88206fa8c7ba7a9ccbed01ca1aa8

SHA256
22b5e8b443e54d32ed0df4a13d4d5acb3d274face87c1899c47dbbc257386e59

SHA512
87d7a1ae70d42cad09382fb09cdda7e08c0198cf5c93de0aca060b205bbd4f755dec9dcec22355a8848d6f7f91987a0664ccca08098a3dc8ce90509b4e4e4920

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
13193818e8f4e4bac5f416019f366063

SHA1
b253c1942d0be9b9470f8804798245ad57f949e9

SHA256
5fecf2b3fb6dc62c850be8ebbc4749426c2eef0bfd0daaec93f3ad65e31af398

SHA512
3219dec166a21bb911febf96b5af58d66c4000038da8692f4a0081630375e637212f5f9ed81052c1447e1f388970ad4cf66969f0fd0edb2e136adcb15f8c61e4

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
0a7cad52078ea64b373cb9461e616d25

SHA1
f51b505348a1165ff66ef0d3d4c8b69bc7319142

SHA256
5855ae18fc2a3c58c18a195e9915608639133ee940deb1bd3872c866f5d7915f

SHA512
580af3cd2267f278592ffb837bd12c59bdfa34a090ac6f0df1d82a67d4b43ea1a960157eb6fa1cfb49fa4bf8af2cc68f28a9783ebe529c7099bb1cf9d89cdb2c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2d2ec1f819219ba57258cace9f4037fc

SHA1
8b956270010205325b3c369d0f64a020d3f12828

SHA256
2aa009eac6738d7b243c0f05bed2f215ccb85249d1056d0d79d2d2e75786fa41

SHA512
a4b78ac55d6d77de9e32f7c0d36c3a475037d69b38629fef88090b185e4aa7694663f9d9c0cba6327b211aa9b32e85521c0a7cf8a41c1e5d9cd63bc78489f893

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
4debdca8c5231d40b6ee0585f4d48fda

SHA1
269c0e52c43104579e78329dd80b69a8e9a340f2

SHA256
c6396ade0d63706bf64415f70960b99978ed3c18aba24644f8b5199e226859f3

SHA512
37477b7831cbef6eba0877b6bc7ba1da56b8458fa1b75aa19f2abd15bff21cb256be3dc29279b99f950881bd8b12d8b222ff77bd757df58bdab7d538cc5ace1f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
9f1d0096f29ef497709ca4b51abbd655

SHA1
bd28ab4f85fc6b81a4b755c81bab8652c969cb7b

SHA256
19f0a9e8016e76ed5e7cd6a80bb342aec0e1296424877f4e97b23762e6dec120

SHA512
14f92fe8b6cba56bf7ba098d8aa2a6c686043be2d5449839372e0b860a0b85f4b7ad9c5f516e3e51d87866ad4a8ca4703eff07c8514339008f6f264ebe1795d0

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
55f9b4eb625420d4ca3e39a9dc7e8861

SHA1
2293547d07ceb3442e442873b5f70035606ba114

SHA256
fe208980bce4fb6607d660df3b234e8d25035399fde856e8fdd9922ce5135f55

SHA512
24b31fe05868c5320c884b52a1b5b2ecb07420a831f09d5e90a61c8f6f92f5326291315f6932a79808d604dad59bd889c49f0229f09289c64797f24a143f2df3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
d50b8b687f0a028bb71940f128e0e5c5

SHA1
1793bfd0d3cfccaf0faeba5a8ae6c95f5962624a

SHA256
d8362d57effb00f0b11501f8447fea3371eb619b9597426937712a0fa8547a73

SHA512
88d136f9fc1b298497a2ea0ffe83cd99e6fb03209746407b9c0a4c86359bd145958aa14d7022cec3228273e79c873859cad08d82cbed79b0d40826d21c1c4be9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
58222941dba984546545f5b13a24579d

SHA1
a2f365445816e806b3e5a9027ef987ab4a572b9b

SHA256
9f7d65951fee45e33bd4843cac7e7fe30bb86fb0778ffba16f83fddf7fad4d0a

SHA512
bc3eaf774abe365346303056b8148ac9144647aa63828d89a8b53c3092c5a18610b330553b7920b8fba8a74b2dadae647157486782afc21c7b5e8fea88e02a4d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6407a982249a66e014f5041c7d3a900a

SHA1
ba8a1a408a272c035b9e4d452eb6e0f5e0f01c96

SHA256
be33d701dd4fc3a830cf8dc32b4403ce16aee1860fa011038e2571a34c33f3b2

SHA512
b1082fa4f57507393459100f36752412c01b8380fc6cb42035093e4d89509b28c9a6088c6284a2de214a3f3f668234313fde25551e38651699c4840d102b8834

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
4eb5972abc56fa4cbc2cd9b67166babb

SHA1
7fd436a5677fc3404afb1a1c841abba9a508b51f

SHA256
e4d9f78b715091ebb73abeaa797fa4b6e8f1a99a16aef8ffe2c0b2f3d6f9b6b3

SHA512
43585432ef274a262706e1c06d57e1c6239ee1543dda9a99dfa7ffa8b764fdd77c6f3b8ef0f64d648db283e67c072dcdef4ced4c30011ca0a3907be7e55898c8

Download Submit
memory/376-367-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/376-301-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/536-273-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/536-257-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/536-272-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/536-264-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/536-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/700-403-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/700-387-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/700-400-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/700-394-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/960-14-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/960-221-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/960-16-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/960-22-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1608-415-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1608-423-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1652-463-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1652-455-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1856-404-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1856-411-0x0000000000AF0000-0x0000000000B50000-memory.dmp

Filesize
384KB

Download
memory/2224-282-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/2224-271-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/2224-338-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/2872-296-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/2872-351-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2872-289-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2872-356-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/3488-450-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3488-442-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3744-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3744-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3744-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3744-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4076-312-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/4076-245-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/4076-251-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4076-252-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4076-244-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4292-359-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/4292-427-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/4292-368-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/4412-29-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4412-27-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/4412-235-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4412-34-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/4428-374-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/4428-381-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4428-440-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/4476-384-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4476-542-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4476-317-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4476-326-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4500-64-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4500-239-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4500-72-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4500-73-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4500-66-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4644-428-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4644-437-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/4684-340-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4684-402-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4684-330-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4780-1-0x0000000140000000-0x0000000140247000-memory.dmp

Filesize
2.3MB

Download
memory/4780-0-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/4780-7-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/4780-10-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/4780-15-0x0000000140000000-0x0000000140247000-memory.dmp

Filesize
2.3MB

Download
memory/4884-343-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4884-414-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4884-353-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4928-65-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/4928-62-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4928-50-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/4928-49-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4928-57-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4952-314-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4952-304-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4952-371-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download