9097f80632c034d6cfc39e7963ec1a79fe4fd01f05f59038f1b43ceda7c81cb6

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-10_434f7ac19b2c9b2417ac2a999f6229b6_ryuk.exe
Size

1.9MB
MD5

434f7ac19b2c9b2417ac2a999f6229b6
SHA1

ab014b173148cd6f5dc5f0d0d597bb4ccbc03d0f
SHA256

9097f80632c034d6cfc39e7963ec1a79fe4fd01f05f59038f1b43ceda7c81cb6
SHA512

2220dca0d48b337cc339ea399a2bbdefbf967289b019f9521b6cf8f66f0b983e86194a8b69e7b22e5efed26456d013602e83f2fb835f2578ac793c77682d6bc0
SSDEEP

24576:fQ6V6zC/AyqGizWCaFby57ozX0j52pMkuLoiSJVlIL29mhNq6:I6cJGizWCaFbB70jIpM3kiSBM29mhNq

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4620	alg.exe
4428	elevation_service.exe
4716	elevation_service.exe
2324	maintenanceservice.exe
3460	OSE.EXE
3144	DiagnosticsHub.StandardCollector.Service.exe
1880	fxssvc.exe
3232	msdtc.exe
2780	PerceptionSimulationService.exe
4920	perfhost.exe
4348	locator.exe
3484	SensorDataService.exe
3924	snmptrap.exe
372	spectrum.exe
2240	ssh-agent.exe
4820	TieringEngineService.exe
4576	AgentService.exe
4468	vds.exe
940	vssvc.exe
4748	wbengine.exe
3996	WmiApSrv.exe
1804	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8bd9e96a8ed1090.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-10_434f7ac19b2c9b2417ac2a999f6229b6_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_76312\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000bfc7c40428bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005c5d7f40428bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000003692d41428bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007bc5ab41428bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b1185d41428bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000068fd0342428bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4428	elevation_service.exe
4428	elevation_service.exe
4428	elevation_service.exe
4428	elevation_service.exe
4428	elevation_service.exe
4428	elevation_service.exe
4428	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1452	2024-04-10_434f7ac19b2c9b2417ac2a999f6229b6_ryuk.exe
Token: SeDebugPrivilege	4620	alg.exe
Token: SeDebugPrivilege	4620	alg.exe
Token: SeDebugPrivilege	4620	alg.exe
Token: SeTakeOwnershipPrivilege	4428	elevation_service.exe
Token: SeAuditPrivilege	1880	fxssvc.exe
Token: SeRestorePrivilege	4820	TieringEngineService.exe
Token: SeManageVolumePrivilege	4820	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4576	AgentService.exe
Token: SeBackupPrivilege	940	vssvc.exe
Token: SeRestorePrivilege	940	vssvc.exe
Token: SeAuditPrivilege	940	vssvc.exe
Token: SeBackupPrivilege	4748	wbengine.exe
Token: SeRestorePrivilege	4748	wbengine.exe
Token: SeSecurityPrivilege	4748	wbengine.exe
Token: 33	1804	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeDebugPrivilege	4428	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2988	1804	SearchIndexer.exe	118
PID 1804 wrote to memory of 2988	1804	SearchIndexer.exe	118
PID 1804 wrote to memory of 3076	1804	SearchIndexer.exe	119
PID 1804 wrote to memory of 3076	1804	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-10_434f7ac19b2c9b2417ac2a999f6229b6_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-10_434f7ac19b2c9b2417ac2a999f6229b6_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4620

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4716

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2324

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3460

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3144

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4172

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3232

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2780

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4920

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4348

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3484

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3924

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:372

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5004

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4468

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4748

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3996

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2988
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
74688857c8b5c8b78404cba83eb5620e

SHA1
e1e06c771ee89b4fbba72083a550cda9977be752

SHA256
b0aa45e1342266a9e6e5a4b48de311743646ab12a6a4957650fbea7018059e23

SHA512
269dfde2bfc6e58ed65ee9fde2661452a5523e45182d88debfdb5de6f2ef24cba44667aedc71ac3b5edcae7894b2af6ddcd60cf01910bfe552460804fb4b5dcc

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
e597f9f5b9d9a1e0b9a4f4f4e53ebab0

SHA1
cc0e8cc4e809da0df33a497375e9aa97ffcaff17

SHA256
e49725eec605083d0f1c1438a0e1da01f283d1c4a3c6cfd8e03a9d2a7f387f81

SHA512
2762fde512966f818035e9dd062e53fb6f340d2ac6e684d103af3560e7f7200bbb6b1eb199211541560f69cf769997a1ea34cb4a36ece0b486f3e60a16a9f5b1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
189f6c2594477fde926085e874f912d2

SHA1
fab026e2f5ef876bdbcc558cb38a87e57a2f3429

SHA256
05356edbd1de3776e04b3db64be7aa89e74afb6afcc554202f9b020d3c39a2ad

SHA512
873f8c13c612eb9222bbc79532cfa8c8f1c5e3fac2fecd8b5ff11ab8fe920d23a89ef571fb6228cd3e6185b0c2598c2d92af0e76119d762442c0509f2f146197

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
196767b899a4213852b4192fa7cc355e

SHA1
48dcb545d2b7376f70ea4b824ca9bc223aecdbab

SHA256
63339f1df56f21a4a3f5f8cfd78f4865f334a7a00d4b02be77059e3ddf58ca8f

SHA512
e6e069c7aeb960917bc8e1a38eafe4cdb80c09557b1429a528c6e6627e0b88594749cdcc0adee2f6a61c673531c9633ae35cd4c58cef349ba4cc62969cee0901

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8808f80cc2fba74fe4f4457ea206e419

SHA1
e2e91f31b2805d4b007054428aa11bb91776531a

SHA256
5b72554bfc780c5eb20d6f8de41bfbf8de7f340aad7a76141b2fbb6bb24d25bc

SHA512
b1d406cbfc435619881ff85f4d14f9bd69b655cf24998d590279662c7b4aa490fd1b9f2a858edf85ffe98795b7ddd6205524528eb6c400e0b3a6e8b1271b4f1d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
3742363a91a6271b6ea9acffb21e84ef

SHA1
3127d091a1e4d212532984924b259a3d9c8f53d4

SHA256
ee3c136e8c545fa6a7c8ba4d57713aa26487112099017a1e3ab2da21fd1183bc

SHA512
ea95033033df1ca716f7ff71f9f601d428394655f8e1c76073e4447a0439def110e51e721f546dd98e41a4529c6803e6b8c17750471c717aefc3012cb5c2ec2c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
6057365f56c0783f6a987cb8d98cd3df

SHA1
9d0cb523a0b7841232b05f20951227890940afd9

SHA256
66b964ed6bed2a04d75e4719f0724ad8011cadcd8daa0b7460e4adc97e473ee3

SHA512
71069103454d1eaee618ade52b9fc7f479ad446e5a793509b05741325ca7f27cc695f5d1349a84b9b6dc7c6fe6c1a93e4edd0efcea1f286098bb8890f5b0e893

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
f862587c2b74e6e91a864ac354d82517

SHA1
8126daac3adfc904d5099df9a62eaa678ed7109c

SHA256
df71835bc63e64c75f975a92d87dcdb9619541f8e61ae705102e9e84baad2253

SHA512
93bb6bd7e43372b73e2aaac3628471bf5c210c5050aa2348b24dd1cedc68baf42ae849e4941549d700a48333a736600f71e8aeb941af61d1ba9bf73982a4801a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
b6e5fb9d1e110b6339bf4517e5cc180b

SHA1
bec005591ce7dcaa386da99fdc9a411b7bbeaf3e

SHA256
a8f86aca703973dcf9eeb5fd11b811a53196643522d72f85526c3cdc3e571dc6

SHA512
120818d2552290c2f30044245e1146d848695efd0b84289108729618d94d9a8e959c411b16f91f30dbcfd781097002ae5d08ebfd53e26a0659867f617a8979b3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1a85fb3058a08c69b0c28f84deabdcba

SHA1
86099a3a298d0744f58a5cdc73e367779247a444

SHA256
2dc009047bb2521e2e6925dca8bd83fbb90c3672ace0a19016029a7beeae02e1

SHA512
8ee5052fa202465cc051c8f3d8a6a2d7e8deb1a3d8334d754e5b4482c5aa2b842092cbe8450f3b2816273f804fff6d250bb1297950af5362a4460ecee295c194

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f50f40ececfcbd9c673ffd60fc76bcda

SHA1
8dcd214a7aa5471ad248fc3910e1130518032229

SHA256
d67d8d49df5c55e4d2dd725e6cf31c25dc89529eab2abd41c2fec73fbdfe07be

SHA512
0edeec31a5e09027bff6e8b60a04c47cad81a9959141eb5487e3180f6103828678d6451e1e3fa059a1786a97855a68a2aba2a979c986a54df4e5fba20771f6a6

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
bd967d47a5e7fcc43ca10ccb401b589f

SHA1
378799ee11523a5978404a62fd9ac3cc00d59360

SHA256
9212c3dc0b1363c91164a490b829beabab98d32f5ee0288abb955525534eae84

SHA512
827be89efd57d22bc335f32263c5cf0a8afb6593b7eb1663322f4038fc9e9c465a7deca22effbddf027f93c888c27ef1b225974dca611dc41f356388aa4c2c58

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
2f6825c7ceec3a8a1578508b7bc383dc

SHA1
ff692c8ab0bd951f4ed4bba7b576c00a14182f6f

SHA256
41643d323e8089dd250b928ffc6e4ad7ac8484d0be076b94bb1cbba5c667ea20

SHA512
465a8cc621706a9a8738c9db25f2e4983efa70b12542c85f98cb7f974225177370369a534eec2acd7e11b95b092e54bb88d87d9a7e20c49b1a055ae472529ea7

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
226d1354a6f3ba1a47a50de37ef53865

SHA1
09b938e615dcf6d950ef35a22b7fb568ea52ee43

SHA256
08a982c71edb0387756a8b4a5167457b24627b7e04bbaba59c2143e9a3a489bb

SHA512
d22b33f8c1579b4486de40cde2e33443cb8928fee5e6009e2b0ea4f531146df178deb51dea3c1035ef1dce5dcc7f60e4d97c004340b160136bd61ccd01c29f89

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
5c0d30ec1d967ac49a7a7cd0f9b3e8c5

SHA1
3e143ad0332104e21a0f91e21ca2fb915f72d7ce

SHA256
46578284396d052669f2cdf86a4708377ae18830ae24f6c74a415bcae01a5f20

SHA512
10190806ace1107f2c63352f7b3256e675a9a14ea80014083b845e3666f1ed324d657685220f1f50c774b17148e541ffe0692387eab6ed0b8db5befe39f58e77

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
de842b2171242ef2c9c3aadda9f161a5

SHA1
c2d18f56b424f9411319630ade9fbf56ba571ba3

SHA256
ee47e9e8b470fcb6763e55d7c7ec340ea84936eb17c57b3346c71e0073ded90b

SHA512
5f7d1960a2824e8cd0c0e5494a13436cc69b06c9f55275647c29aeb280544f771e3ce685f794705f07fd77eff9cb8adcc53778736009d25d0fb5522e7c032de2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
1a88fea696ee6583c0d1251dee8b9423

SHA1
3bda0e748a62f843f32e9ddf243b768c29e79b16

SHA256
5962bd87c6a56eeea0f2f424ce8afc7337d51a75e3e1ddc2a90828f1208f1dda

SHA512
9e3598e7e2480d19c7724228b506c6cc69856c00d68a398732c200308d517aac717249438d3ada80d41c99b46d8461fa69e8cce8096c75ce2d20284c322f851b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
0e0bc328cd726088b2c4fa3586e42474

SHA1
ee35bcc15de2b2ea4f6ac08ded6778dc86ac4b94

SHA256
0e03b83d1fdc02cb193c1f656fec3457efd1cbb7fd09037e3c3f02bebc979015

SHA512
904fdb8614ef31eaea2efd0b24ebbba6218856c2649ecd2613c36bb087846ec61991902cc956ef51e4a70a102f3ef9cff766ca703250edd359abec29554d748a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
92f15faa8bc590995e6cf0e0c268b798

SHA1
e2d754baa69c2138834d57e4b058262a86fb475a

SHA256
0c471006abb3dbdc9e7d408c20f24c00f988e509804cc236a93a3d525b18307a

SHA512
1c196e2b9e0ca041ce6787ba7d306ed367bf9070589076c216cc7c60f0330dc3e02fc8ba4af6459a2f5923e0d555b53798df531165c1d09b961f0e7409a985c8

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
9e5db43fa07b24b1e602ce99991a5fc8

SHA1
f45b3b4fe5993a5c079a727cbe2907d34eb2cb2f

SHA256
a72530739ccf5c51bd40f4c9f3b77ea2288b4bb1f60ef8bc6e335faf0bdb027d

SHA512
ee67953258ec0caf605debb93ad86c464a7a95197c624c43af4a104660095cb022d4b29e5f9c7ce961009020abd6741af4db9f48412a060c99ac29c64154100e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
52483d69b68051e47c45dc1f6e5466e6

SHA1
9b8303a8a965f15036e240f0fb56ab275600a6cc

SHA256
b64e924235ac73979e51cb1d8bd97880f0dd5b51c3468bcb33ef6450109b5996

SHA512
f679e2ba2f367d69ae5ae1e3ab8a2dd649e2087bf01e8f36ffabacd5a7d777f2482b50e69ceb4643af41d1e83a8df5336169a6556e5b950e748dbc8f92307323

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
d48feea69e0bdbcf15e5d5abd829d64d

SHA1
a2ef1f534eb92cf2ad7b974de9b4d5eb3f7acfe9

SHA256
630a4fd323bd66c05e4d6987da62bb7ca4f44d0ce71971bb77daed289d605694

SHA512
79284a2eadfb09436ea7fc91747b80d5d85baad4b6a944cfe20b96b1d902509de81b3c8c8a75a7072156ddcdc9d630abceb9936f02e3cad5bf249bd923bb67e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
077f02a3f26ebf32e5e3a53a0c20f136

SHA1
4a4d0c95a0749c8682b8aed11a4599520cd9a912

SHA256
8d2ddb6aa92ebdcc3e025f8487118447c071e189dd5321bfebcd30cf2d468931

SHA512
26eab32acde13c07c1025ed08cf19ce1be4dde6a7074f3310dd6aaaefe87845bbc236c1b384ce8efa731cb820c78ab174aa7a79c9dd484bf1824e197159c0192

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
116176ec73d86fae877e3fe89bdfd1f1

SHA1
80fccb26e0968c3365309810fe59d4114cd3c558

SHA256
7e456b17dad8308b6b331dd4a7d1fda5b540aecd1aa8bc49dcf0be7f5d4768ba

SHA512
3edf83fdc9d8738786b782a16955e8cc02eb9a6c899849b98b30e369c8dce6c026d0709f4217b18d20e4652f1f0760b6a3f78aa2976251b03c7c705bf96df28b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
e27aa998b2336dd38d14feceabbb18e1

SHA1
7812a26735e0227abacbd4ddb1858b295437407a

SHA256
b885bc10c43b4b4b5f4e358c3ef3071008493b2c61f64f252bcc9de8ec40b39e

SHA512
d290e3bce894767713c7f1cf96e84c62089c5501ec9bccf243a1757da4bf3efd3a7318bee4683b598d73fc3d2423de9ed0547795c6dee061449f1353f25e807f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
62c24b1c4feb229d75367f0c35b3dd21

SHA1
a2ca62380fe1586bdb23ec812e46ddf7f898fa4b

SHA256
0d341587a6ab98ea82b59282726754118c40d2567808d47f3710cc5e3908eb8f

SHA512
b84455ad8c695229e49ffea635b6c536bb017edaa22fb1773a91224c1a3b0e2395c3900cc9dfef51e4cf597c49bcef0e67bfd6c1af57b1a9b83ea7d72d7f2815

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
d5552746b147497e4f60b01b1bc77cd6

SHA1
f3013daddccab6c1f4012e99cb4cfa4a1d924d5c

SHA256
4550170a6e1fcea1792a32947988b52f5c523ec1acc1fd047a074aeea6fcd821

SHA512
de20e6feea97a18cdc9705bf5830fdcfa9ccc485c33d045b30868e308fcb5d250eb181487e3e4f6589446649e915ad42f5be9dc5713f387619be95fc306761e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
fb06293a0f1d941f9964386f5a2b683f

SHA1
26b0b00e0855d80e0f62597828a4cb14e915396f

SHA256
4d1f181832b4bdb986363bb3906716326c85a0ac57fee6085be2951c32884da3

SHA512
4aac0407c003d1abfc9a95b8c865c19350bea1391a27e730723d32204a2aeb3a506b82a37ce75f829676dfab9fe7f52bf50f8a8a80b8ec04262be56e9c412e0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
c1d06c62adb09b24c617a913bd224014

SHA1
6e0d9fffc128c28385b5f2457fd6e5847fdaabfb

SHA256
2af01ca6d3a58dac3a4b5287a2e338fac9f1269389f25880af7e8fd4ad7621c4

SHA512
1b5b9c0794114c87ad5d04242e6f870013e115f5e354395b6e48091389fcc64f47c4f20958df09669712b85de0809e9dc026d6352306cfba3d3f217b83ab0177

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
71741118eeaf9849e5148a0b28d7bc69

SHA1
4c6d8cf8d199ac6086a6011e2ada218488afa16d

SHA256
464141b0f8f69dddb146ca7ae7cce1a1d609d40f850533e1e2584f23fc89366e

SHA512
bb4909d3581ef651163e6e8792131d4920f18178c57b0a87e0d13ce6c83fe321cd75ac8260d0ba355b4355a9e3bfc5b5674ef6fe308d30c7335a5981cfd37bdf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
0fe6c2806e8396e9fd1aa0e96017cc08

SHA1
f564bfa7f8f62686032b7a1b09609842c1bf233b

SHA256
6ff62d2d4afe63f58e602ea2ce90c0532c7a8fb39457cc668b25335341fa9329

SHA512
48758e611ee33f1a8c8557a8484a40183d2d681c73072dd3321eaf9df83df305e61c8fb77b5c13a8ee5a07f65ecfcdfc08ae3cd1d6633e04b9f7a50660ab0f9d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
fc34bbd5f3fc0251fbc581cdbfdeef8f

SHA1
8dccf51fb035bc8c2917891a02cb2cb3e2a9dc62

SHA256
9549966797fee189f786cbac7f5cfad76a304064b7eef173942493f570b424b4

SHA512
e59d5f63ff3732f8547244c19bda29e7e80d6d2338aab72f9130eeff894d9042205dad38b225470fa16af35d3651c103cc9a8f8443404726e6b0af3aefdc28a3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
c72711366f443e27faedd0a028572204

SHA1
7783756c97d20510d3d0e62d62ee7a4799b68bb8

SHA256
bd07054e220724f965682ae00732e4e3fb4087c5210475afddf8c63e33dc2e16

SHA512
65c0cd386ba4adebeb63e62aa4683659e42f2a3c3b9a2732004c97e6f41517f5d444b17645119afa42e659e2a61c8d78d3ec589bd13ed0adbce321f15b7a48f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
56a756750e48c9cfd88d142d2ba80005

SHA1
b741bc844e495bc1613b51ed5e183fa283954feb

SHA256
9e73fcfdf4be950f05b23c30350ad96ccad30576c47a3b914140246e5d580f5f

SHA512
b49ccd5808906884586a053406e377857506a84f4420e891c89714b6aa4612a6531765e8f346695e9017bab6eba992914282e9484c3b627a20447672abee3c8b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
5a3751f0a39429009762710db9429b54

SHA1
0d9184721ce56668645bdf75b4f10b89e7f4f495

SHA256
e280434685149fdb8fb8c459fe1918c3225032bdbd370d603a5d1974b7eb9c61

SHA512
4992b6a517a52e8b758cbad6402de5ba9cf894cbd1b812b5b07e2681762be852e40cd9e2f1e95f681024ccd81b94628df21a2ee8ac8d3fe96c7dcf3e5ec2a18a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
87722a8fb850dd7546df5f5c4d6a6674

SHA1
d7f8dda209fce5b0ff306483d14c9992a413e10b

SHA256
215744746ccf35b816fc0d5de3c37a19b73fa9c25c093d6d573e22c626b1322e

SHA512
5c6159eff3083b16a493c76d32fa8bd04551006e62d9caf437f4512d03a3f857dc265b4ed6d1e593b64508ac575e08409f0bdf249cc0e52b71e7cec6460e207c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
cdc63d64319684015ba3e56d608e7dfe

SHA1
e46c4b0f9c5a00a68d17ab49a506f4a310cbdaf2

SHA256
314ba3992688f73d42d0ae34f19c96bcf9c45ff81c495180ce53e6948f56609c

SHA512
dadbac13350ee4ff82a002fd5b9045b8b5c43fa0d09a4ab5a33947c89b31d566cc914e421c8472413206b8e8418163acec6819815e4098601dc5d65637fb3aa4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
97ac678b079e9383b3bcc74de3758265

SHA1
d694f0290ea82874b777b3b2754cf53d4b79a1dc

SHA256
4fd107084adb1557088c5e69481799d19f9d2d470340ccb6c04345480b0964ba

SHA512
d51066a1235f585bdb4fedb7f7d883517638331fce1c78bfa7bcaf41ec698c14d9f4acafff5e8852fa80d7f9b2d378dd1d41d4d2b622a0ab554fd3fe4c820e5d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
db2418b1ff88e11a6a521878415d551f

SHA1
df7711f62cd35fc11ffd3598349e380d9e918919

SHA256
93e825f41d1092f715a83e35d88f2b7ce3ba15b8b78f1398de98a2f119dec0d8

SHA512
2235d9b2e24462f20b4ed015065e6d004a8633d015b7fe6009f5ae57d8743c38b6ceeb846630e39bc9adb130f9f1434883022a1f5e384960ddebedddc6da01eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
f7511eea8c19993fa29261d8f56a7ce0

SHA1
ca8fcefe1d3a4fa8f33a3f18496437d286f02c2e

SHA256
6959a5a40a2e60c8db80a05695b78f7eee09343aa6c8f2996d98c26f1af5dc55

SHA512
e9a29e7c036fa28f06f03574338f9fa058441e635938f3f2a75a4c28ff55c9f3882e7f16dc054ae9e43123ef1bb41975a39c926a5bad560093e5cfb2fc90b6cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.4MB

MD5
7d77482189479f14555cb9fc85e71e2b

SHA1
f5895523997b8a030ddfa6c8236534f54968d345

SHA256
b5494fb8c5f8cb04132979e3a3185fdbdad442be8699ac634854ea87aac87c8c

SHA512
6f31359adeeb287d3bd267754931cf1ab5d4ebc4e05a0895012cb050f8dd0360315599402e9fd11b08e6ddbfd47c0469149e7af7edadf441bbbe61d84d37981b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.4MB

MD5
20594b3b7b85b6344d7fe4c7bfdda8dd

SHA1
8995dce86e6e2963da3ed72c88b37a2950aa10ce

SHA256
66d28a6d274e24262d52abf0787d33677c3959b7bb7cf2f3d5fd50cd48c5d10b

SHA512
c145876f6b37eca023670bbdc8422c36cdde7a7e8fd113633a6fa5ac2816d5cc5cd851dc85cfcd1d5776c6ac0d11c5247d716c62ab88255a53b904b5d623f083

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
6f4100056deb05bc1bd25a0652a441b0

SHA1
909405da2641c37fb452f4c06efad66c651ae49f

SHA256
0699c69cb64506ef0b104de1b20ba837844da7a520cc61e4df45d73b6ea42368

SHA512
376bc125cb27866e27b7a8f5f27ce06ae219d91e20e46299428afebf8b95076d9edff1afc2542fce0a06037fe4fee309fdac502ee7b1ace7c0e427cfb2e002aa

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
9b22a8c916909a75a6611f5cc6ea186a

SHA1
fe8983d2f1a111ab75b977f9673fd5d7a9f5cc9b

SHA256
3358ab3a239eb86f66e227860c9a81b8d305c2bf31f28b8fc71cf21bf7ead2b0

SHA512
a2abb0153796627115f459c212792837726d30bbe588124d52dfeaf315778154692616ef7a88bf398db3258a2d39233822fa2272a79953493022175717a93c3a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
114ce88dcdf19d0520bff12f6d575c0c

SHA1
77809fee3b8d5e3e8bae76d0b3da1525fe5262b0

SHA256
e8c511cec2f6d2b50f04072e07757899b0d845fe20dcc8b58a2ab29a66e537b0

SHA512
9148d8a6a50b40fa536d61d4ccd5201dab3686a437f248f26d9faebb286e25efa685410bca2a00fe8022e4333f96b701920e78bcdf693e212d83e08068914f86

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
a68baf5c6562a6edbc2be5611e633d28

SHA1
a098a242b18bffaab119178dcc73f2fa0d37d0c0

SHA256
d33e021e5eeb3eca346ca6f39bf6b7eafc313a0bf376b313d78471f0fb7be61f

SHA512
857266643f2eec6f141b6a37da3ab38bfe34bbab52bc6d65b18fa4c72994d252c0e608d89692e018d009a1d72e8748b6e0633440f1a71ce8d02dc194a3cd0be7

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
959020ed35261994add3ed922b563b91

SHA1
ca0a21446986b3ee1ef9d59f0fff8e8c6d794ccc

SHA256
34c12bcc1a53c7c85ae487526a88b978c2b7d0e8ca7e2f4cb1ac5d0ab5943d58

SHA512
d0ddef96947e8a24ecf4ce8ecba1452dcd1f55ce1d8917599e6ee5508af363e4f8f60a400328494fbd509b95479f4f8208917bb9c489db5ac0bdc1e5439c391e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
22be5715386bbca03d6063b17854ad5b

SHA1
26fa447791db9413b3c52b820a1f0169a730257e

SHA256
4513d9fdcd726e171eeb8d3380a958139428263d5b124d5380afb6443437ebad

SHA512
588752b91552f97ca026e899a69482efb4836b1c2d5b9ba9e5611967a0e962662d18a50c753ed17fbbe6cec58f2523430937d036fd6347670a9ac86245c0512b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
ac139e80e143567c37f8bb6f2b47eecc

SHA1
94a04ea9a289ffa66da8d560cdf571e31f7039b5

SHA256
0df7534e69b64d9a270ded23847f2abaf46f3f97c0ca85a1a58ea552a5548f8c

SHA512
82ed0a401628f3e8552f8e30bb592ed5aabec21ef589c9626986109dbf9ce00eb2083e7b4d3fcbfccf36fd52c8c99cb0a1135b31d88d4e2e4ae3989c4b2c01cd

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
a7726855c9bc0ee4f18b1b926b68417a

SHA1
acaebdfa4d5bfde5ea1225f0d3df5da0b9ec9b42

SHA256
864c855c95a473f049d5e490b160d66d0d49c33685af773c4a1fc23271da08b5

SHA512
4b652759e37dacd1ca344a2fa72eca607105d25cfc92c276a0cb2b7a1e4171618d1b105cecea007ab9786fc08c4c429481f4079d6f28d7ffb861ff2d99485376

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8ef7177307aaa794e43f2319b3ed9c1a

SHA1
79b0d27facf7b5bb7c1a51af4d9676f3e90520c0

SHA256
44af3e2ed9cccf307f7cfebc269a15f74e59f911e5520196cd4628069510c237

SHA512
246e092ef5b0d8f95230fbde7c1379cff8b00d7be679e165319b18ae18519667a06c724e071e9979de7b040245cc81997710f859dc419b532a06ed2a4a989812

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
8a2425d55f9e8b3d7b5ca79b270c0a81

SHA1
dbcfa229a17fe1b9e3d47637678fd3dcdaaf44c7

SHA256
d5357b03f6e9acb62eb9eb5cec7c9491012979d787270545268c8ca4abd67869

SHA512
282c6a88f414838f74dc8f3c781ec89c1befca443f7e3687920e68eabd7dea13a7058b87ed77040b1987906cee76effff07de7476eebfd1f5fb233d610332d95

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
fe5c4081de94bf1b58f50c12c093d582

SHA1
6dcbaa24ae428f7739872283010df315e8fb282a

SHA256
d3ff0dca6d67e9efb30b6d9f5eefc5d3256b046ba0de59ff13ce383c6c05f08f

SHA512
4e940949e3ac0dda083a8ee964e441d5b7a2007ecf6633322899c7fe029b00507416d8fe80bcfec8cadbcface8af4d241032e3db80365095af3feed7fbb6eef5

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
9884fec9ccdd640a3ebc2ba6b08b8a0e

SHA1
33d1b3f97b40526a1964a89ebba5c919acc630fb

SHA256
3ed45e7df494656a949e12eaf07a9c7d28517f10c8265852466954b5ddf7cfca

SHA512
06474ee6547749b331480266aa09212ce2a84154e0969536dd4c5b32c280a5705e236e18053c3bbc967f5eb9fcf54476f594cef939827447e55b9964e9d96f54

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
aa501c2635c0926cb054ad6c9e42fa9f

SHA1
0cb2a887babdeef36bb583bb24d55ff9b979e7d8

SHA256
cce95c04c38c99a55cdb84a81f305dd486c8499304636450b3506ae7f60173e8

SHA512
970dc2d87780354ef8cc3b9a8883dc1fdc948321eac3ed8492ac4861dc1fd3aee3e04d15e2f5dca0f35fac212be8580d9636076dd703350293eb55cedd9a5996

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
2f72e5baf800622d613457480d3ba254

SHA1
23f397789c0c6e897faf9fd296e2b8e7c4a69235

SHA256
40bbabc62b61f3c226e2d22a7176249ba3ad46d7837b0e8a9a27a097197ac107

SHA512
bb666811a907f870bf8138a79ca2bf41b6d07bf65fe3a8212c2e9e660b5f05d5843276a58950963af71679510f67c4c7d28e9d20d1c35f70235b5ca0ef9828a2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
d51ef54fbc1e7e7300ba472483f915a8

SHA1
a8d8d66e34076bed407d7dbf1f5c7953cf9a8b48

SHA256
20f2a527792220a5401784bd7b4cb815e59500ef463a025ab1fbac0dfae3c9ba

SHA512
b2f58318374f55655c72d8a1f4e25b2f817f9c77d89cd2b8674671d153a550fb0c6d8b6ef69311726cca65b0192ef28d94ba39e54fb8f3179b2f57695364df43

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
f5c7ca8bc41beb46d69a5300ea83db40

SHA1
c9a3091b5515e43aea79cb09e1deb6ef9838815c

SHA256
2164989eb170d292221e7f99b0c1596910d07e417e949658e9328fe00d2475ac

SHA512
b014310817a37e7322205b0e987f6b7b4a539ed293cac9442b9893a254d5b096ec32dc4bd156ee2f1ec82fd0860f3069b47e69fac235a265b96f0c9f96b9ac5e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
685fc294b9dc78e3692c8dc5aa61a3fb

SHA1
7e0545f0ba9e7a1d799c5a81899db05c87551d1c

SHA256
70fcb6d43b1fbb579637b75c5eed7394d50f8908771f8d60ce5067a4d9543e1c

SHA512
93f48eb6a387c7f43f102f39245dcdb68afa48d992a36fb414bc8e2d3d364c14eb7fcfde421bfda2ea7bb073201d0939a1c024b341f27213effe3c1dcd747691

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
f2b1e18fec5f8dc46efbfbcb9c05adce

SHA1
eac189a5fa8057412248b389cf8d2a87a42ec42f

SHA256
0c26685634976b530859b3960ac9680919370093503d77c63392ed749d1c10cb

SHA512
23fdfb1daa462081e572c9eaadcb0639c4efc5f2ea61858c5367f0ab2b256ebce3f981b7f87baf6bcde3eddd3da39b93e6657ebe06d42c117ada50594c7eb686

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a9e2f0c7e245901a7c025f293b6e1365

SHA1
2fb52d6f3bd4a520d9bc631b65336308da499e0e

SHA256
f7b39cc84d9edcc3978f12d7fbdcbcfe45b87a1ce86888c85b3f8257702c377c

SHA512
20a38f19062ee8e04311d7cc7d482da377bc5f54b275bcf29b8b571b2a3187129f6952d05c980632970ee2afae3b6746a3e78a959edea3db1eb7de991d37e388

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
8dc50228a1fcb894f755d42ed44896c6

SHA1
013de95689414dfaef90c4b41164cbe8618ab699

SHA256
7e4ca5e0191240f6735953abada5742931e0b5975b375defb566d3bd4efd73d6

SHA512
ddb2fcdf8e7c0fe5c12a55d61c3e18f63f079254aa151e95fe9e313e53a095c8828b4117a8448d2622755213c06ea965f2fcc0db3d62a5004f3da8ed47354f19

Download Submit
memory/372-343-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/372-413-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/372-353-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/940-422-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/940-414-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1452-7-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/1452-11-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/1452-13-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1452-1-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/1452-0-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1804-453-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1804-462-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1880-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1880-275-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1880-277-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/1880-265-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/1880-257-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/2240-357-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/2240-368-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2240-428-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/2324-63-0x0000000001790000-0x00000000017F0000-memory.dmp

Filesize
384KB

Download
memory/2324-67-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/2324-59-0x0000000001790000-0x00000000017F0000-memory.dmp

Filesize
384KB

Download
memory/2324-52-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/2324-51-0x0000000001790000-0x00000000017F0000-memory.dmp

Filesize
384KB

Download
memory/2780-352-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2780-298-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/2780-289-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3076-548-0x000001D428D60000-0x000001D428D70000-memory.dmp

Filesize
64KB

Download
memory/3076-549-0x000001D428D70000-0x000001D428D80000-memory.dmp

Filesize
64KB

Download
memory/3144-245-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/3144-246-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3144-252-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3144-312-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/3232-338-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/3232-269-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/3232-282-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/3460-66-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3460-69-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3460-74-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3460-240-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3484-383-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3484-325-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/3484-318-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3924-340-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3924-400-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3924-330-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3996-449-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3996-442-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/4348-371-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/4348-313-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4348-305-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/4428-28-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4428-35-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/4428-27-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/4428-236-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4468-411-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/4468-402-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4468-541-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4576-393-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4576-384-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4576-398-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4576-397-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4620-16-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4620-15-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4620-231-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4620-22-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4716-237-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4716-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4716-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4716-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4716-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4748-436-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/4748-430-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4820-373-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/4820-379-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4820-440-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/4920-366-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/4920-301-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download