405061ed7c8a6ca9212e8b25fe51554f89840d5d2c03f050672cee378e13180e

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 08:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_057a31abb0b7ebf31a6be44773edaa7c_ryuk.exe
Size

2.1MB
MD5

057a31abb0b7ebf31a6be44773edaa7c
SHA1

1e5ba1c88fdfccf2ae458f18b3de36f78acbe5b0
SHA256

405061ed7c8a6ca9212e8b25fe51554f89840d5d2c03f050672cee378e13180e
SHA512

9fdd6ab02ce56e4fd27cc95bdda38d6dc75fb74167e908bd6680eba7356a5677cea7a8410a2906468ed731498273c45ada95bc514ebbc9d4a85f6b1b9601731e
SSDEEP

49152:vjFX33t4INlfTqkUMLu/52bulcI1wXZTBz5tgDUYmvFur31yAipQCtXxc0H:v7fTqmeX1pU7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1440	alg.exe
5004	elevation_service.exe
4944	elevation_service.exe
736	maintenanceservice.exe
2428	OSE.EXE
2460	DiagnosticsHub.StandardCollector.Service.exe
4260	fxssvc.exe
428	msdtc.exe
1052	PerceptionSimulationService.exe
4416	perfhost.exe
60	locator.exe
5032	SensorDataService.exe
3504	snmptrap.exe
2848	spectrum.exe
412	ssh-agent.exe
4536	TieringEngineService.exe
1276	AgentService.exe
1092	vds.exe
4856	vssvc.exe
536	wbengine.exe
1556	WmiApSrv.exe
5044	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-17_057a31abb0b7ebf31a6be44773edaa7c_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\da112c8a102ae222.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79750\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79750\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000864a88a9a390da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000008350da8a390da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000058823aa8a390da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a2efeaa8a390da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000005841ba8a390da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000071f2aca8a390da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f2e33ca8a390da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f2e33ca8a390da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000088a1dca8a390da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ddc25fa9a390da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
5004	elevation_service.exe
5004	elevation_service.exe
5004	elevation_service.exe
5004	elevation_service.exe
5004	elevation_service.exe
5004	elevation_service.exe
5004	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2288	2024-04-17_057a31abb0b7ebf31a6be44773edaa7c_ryuk.exe
Token: SeDebugPrivilege	1440	alg.exe
Token: SeDebugPrivilege	1440	alg.exe
Token: SeDebugPrivilege	1440	alg.exe
Token: SeTakeOwnershipPrivilege	5004	elevation_service.exe
Token: SeAuditPrivilege	4260	fxssvc.exe
Token: SeRestorePrivilege	4536	TieringEngineService.exe
Token: SeManageVolumePrivilege	4536	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1276	AgentService.exe
Token: SeBackupPrivilege	4856	vssvc.exe
Token: SeRestorePrivilege	4856	vssvc.exe
Token: SeAuditPrivilege	4856	vssvc.exe
Token: 33	5044	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeDebugPrivilege	5004	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 1624	5044	SearchIndexer.exe	121
PID 5044 wrote to memory of 1624	5044	SearchIndexer.exe	121
PID 5044 wrote to memory of 4900	5044	SearchIndexer.exe	122
PID 5044 wrote to memory of 4900	5044	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-17_057a31abb0b7ebf31a6be44773edaa7c_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_057a31abb0b7ebf31a6be44773edaa7c_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4944

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:736

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2428

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2460

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3988

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:428

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1052

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4416

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:60

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5032

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3504

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2848

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2484

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4536

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1092

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:536

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1556

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1624
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:4900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2220b69d5abd53e3ebfbd2c6237f53b6

SHA1
3444f3b4d872ceb7308ddbb8f2a1449ebf5e16a6

SHA256
f63d89ad9e39ed5a86478687f1706013a393073f12dd212ae44df73a930cd0a9

SHA512
8157e5651aa9a7acb8e0e1d2d574a01e9fceca8ca8227bdf475d01d11e890bc6f500f2e1dd2a18f7ccf2d7bec641f5f413033ccbb0e10087f6ed2bb1dae54350

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
a640778eff188a71a0e6bf5a06617c43

SHA1
c2749c327e022446016ff7c54c12a22fa5ac1318

SHA256
26442fb0284165a731956eae1a99d3bee814493d8cbd54c9e1425af81fbe4b0b

SHA512
072e480423882aced7ed253b0c720cd07e79548d882e08442cdc2637a376436bc5aa874d7c33aed2ad58f319b7277ed5e7c0a1408cd6b97d47d6b7caa4a855c0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
80ea364cc25c880bc14d3a3bfa94b81c

SHA1
e60aa3391b5539ebf77b6170eb2075991e349242

SHA256
f4d313697360a59b6f37d553f5cc1cb3f0ed107b6dada2489895998b05047dcc

SHA512
d1c9fc603589fff4ae88544275446bd6ea45ed2cea512fc3236fd4891d11d80e299a4fd340395fd9b1335a8ebd297cfe00a86b72124ded4fb56fccd2e4455aeb

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ec97e7739d051fd35530264447feb3fc

SHA1
cf55eb11f1c49b2f105ce48fae27914ad501c956

SHA256
fe485fd9e5c0cdadeb10b437333a321559bcf20492b9bc8f1c11318e8cdaac31

SHA512
9fa6315985eb51cbc0d5d1c91041155c98d2ea1707944a67cecad09a4a1768e5f47124b72b137d1c6e57290de4140fed22d6778631e9413804850705483ba770

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
1f05bdc76a20d95dfeaac08cd2e7b8ff

SHA1
4353d33976af067087b18b23de11a4b4e0b407bd

SHA256
2feddc42fd80561ecd000e4b209bbb061efae4c4bd239f1b04b0fe211aa5bf75

SHA512
4721359a84255ff62919592af0054bb8418c1e3339fd5edd98bbfda4cc9c1092a8d704e340066acb85b2dc79fc194da6ea254a43d3f977f420e4978ff7a1a810

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
10e38349c3e883c20bac34af0bd0917e

SHA1
e90ccde8d8237855f4c228a17efb9b6b554a2212

SHA256
cb88737d3f42e442a7e3265c6e63df3c6bfc25b938c8a6a98a371238ad4c02a9

SHA512
12cf0af31d43900c67e7f478c7e9a232b55d9eaa7e8daab00459df06aa2787c06e6fbd695e1a6680a0f73008876119a715191f36d8ce6efe1801a763f960897c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
a619bbcf8c162463e01113155b8db8d8

SHA1
5bcf731cd3a3898e5412876f3d3702ee41695d1c

SHA256
6c186a353d2b310c44863bb1c3e3ea7659196abfd7429741b610078ff016f299

SHA512
6d88b920434f3f390a7b33cc49347b0e09f32e7742cc861fd8a7bea622856b0c8cbf0eff9f1937d47b572b36c41a81171c71a7ebb3bbc3e619a0c28a1b6e5468

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
3213eadb65bc058947ff728933b9331e

SHA1
d753e5c7940bed603b5b069da72015931ebaae69

SHA256
bd6ed492869da230afd2d6ceca5da4333f38c95f225b44bdb5dac1132cf55c55

SHA512
4d74bfe50327528b9ba0d36ae57856c88fb2be9ea9258a2653af17ba75e985e18837cc14e87fd46fde4c23948ac7da7954d68967aef6e61d4427fbfdc1abd8ce

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
2ed75e454c646d6ab0c4b2160e8b23e6

SHA1
922ce904bc041a203614bbecf9ee8bd90e55fb57

SHA256
6a840eeedc05b170386148f02a5f74f32459415ad6804c15424060cda0aee48a

SHA512
f67df8ce7cf5690f6fd92a2c12eed074268312e25aeb9b306fb1c6096e5117238114da62b2b290f7311fe1e5298e039eef61ebe3dfdbd7dbb17467f5cfb00a18

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
cab8db40bd963b7d1d4e9a40a1440850

SHA1
a343eb3edd78396454b7cd5f774712e8e39214b8

SHA256
7034a6ffd14e6f564806f2137333b76042705618070606f03db24df0234dbdfb

SHA512
9038de3338c60a22434cbcd2032bd82daba3426ebbb1de4ad8fe54deaf98fb5e0acdd77b7414efc3a9521bab28805bde308379fba0f7d2f5d139e75553956b08

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a345920d0e72db7d70120e5152b793c4

SHA1
0ca73a8668548ed4ee7addb4c59d8f5f11851f20

SHA256
b3da45ae7877ec0bdf51945c48d2a1f7c6b298ee017f35d253b3544c69c69558

SHA512
10117ae169474beed4f0ea9b0cba118e48f7847e8d0b7be72ebe9ad09db25aa0afbd6e714f49d1b15ad88295ae97b8c3376224eca21a5786981e133948d481a0

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
766fa76d8d687a21f807e6a69c0307ae

SHA1
84572c070564197d2d80464099b7b21a56bf0564

SHA256
d3bb444abde640ac81a4b5e7e328c9a7fe882b5fac3dbff94deedefa00bcd419

SHA512
61e245417b6a1bfaf30c271c63498c7ecfef6f4560e26dbf32d6f41cd29b6e437357434418702741c8ee38f3542cf5bd018d788e23f3eaaae8a82889d13b94eb

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
836d138ce608b74be141d0beb620bf11

SHA1
24f074c69fe7cb181a9b34516f703299b0dd826d

SHA256
c279ce88933079cee4a1101d26e161561d14987f4ee34c57447eb0792bc3f084

SHA512
73424486dd40874b0dff340d17dfea2b56357950c939c15c4a2e7c89b185e54b496978709bfcd41b3ce25f7d49ea4f7ebf5dd6cfcf0e3ad34bc49c9e59ed7679

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
4aea39e05eccfec9b8d438b1e643c5f3

SHA1
b008e8489fd4838887fbe82a338a5cbabcf69a2c

SHA256
e1ce872baa66158478c915a953dfc3759631364cdcb077360a8bda7a5400417b

SHA512
f1d5359c45e4a69131327f17ef220a062d77b4e1a300d420eeb3fb478dedf260b3a386510d578d8d2f90a7801d16a8948dd7c8c9ccea55650ce66ef5214d7477

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
343c55719bbda0990d11e0b3ed648eee

SHA1
5073800fe55b0122e3d2c1955b309012e820a20d

SHA256
764f5e0771c798644a4bb1ca10a556f516d4bcb9ba9b5cc1f4f013f56eacd36a

SHA512
f5a743a45ba23ff2474f5805459705eb549e407da3de571c33bb996ae20d24bd784e106bfb87cd4ec55b776f8ef71cf269b65c5b8cd2c65cca368105cf28b906

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e1202cc269d37c5d156fd5ec4e654d5e

SHA1
8fc9c7fc257f23568bc3e104ac126a0b9b9722e8

SHA256
4693e400209d60290068e9103f11a7a5830885b667f518ce70e10b2bc3277d03

SHA512
adb75e5b6051def95c8253ac5d5125f5d97c5482a88618df301f1d98239790b5bf74254b9bf0301c7a07aebac7dc8e3c701b95db6d0e6c71a5080a547c0e90d3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
75553811c214853c6ab04c44dde2b684

SHA1
bbe1bf2e5b3fd853ab78093ab0a254fa8b05b00f

SHA256
92a17c227414525c6f5f7ebc22d446a21e2e2bc13e364ead1af694de56372b0b

SHA512
6af581b801215b38aff39e970d6b7d18df82ff43c8cd7f501da943a2bf5ec813a3e8307500ab8e4ec79dab531ef88bd85f46f9850572b8437475b860e6e40296

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
cc6b417fd0f4bb19f92f026032b8853b

SHA1
af68d626524f9b5c6c4803306271ded9f4c43f2b

SHA256
97c666fb079c4bd3a45c8d9dd881b6eadb88a75e30a35eacc7f8620ee4e215c4

SHA512
d2d3148eb4540252fac6fb562ce9ddbd45c91f50ac3abb02a8ec0b65b5a73f1f6502602b6db503e8612f21201cd77b3cb8df6a9e19ec1eecb1be94213c04a62b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
d9ddc14bceb261b1272a24ddecc45ad8

SHA1
ac3c6b7a69c8e238b9e5032bf3aed2e0de653200

SHA256
55b2dbd53f9200b9fceaac2ae36fa2036eb1b0413ae436aded30855b0e9f1a72

SHA512
4d61ffb158114b26706976acc8002eb891fb9f483326687d596cf3d3cfc9e846d9899f9da33305b1debc922fe6ee57f422f1104b6e0afb22dfd9f96193bd3b36

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
d187ccc88e3f52e1a60cdb6669ab52a0

SHA1
6a343c638b08d911c6d9e069df99057459b69ba8

SHA256
239194bfab82de01ab57d74235dffc068693ccaacc01d998bd8eabe540fdf209

SHA512
9b02189b3d08b67d4d9d07f0cbd1793dcf359c48dec38fb4b9d303b1b8fc5a197fb6cb20fc35c9d9a7948ca636734acd585cfd2b17c03d7e7a4556c4c7d9a322

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
25ab296c3fe6aceff035a79ca53a4514

SHA1
3363a7184da39f8dcd3074c15ba20efbdfceba84

SHA256
aaec02beec3312a3e3b0ae554a48ad845d95d0a7a90aafef440e43b3b21392ee

SHA512
0424b38263340e7585cfb2fcf88aa6283263c505a98ea890e6c3c18852ba5ff54941d99a35b1a1550626cd2f2c7185a20e52a37f322025f410a81812d7424669

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
c22b1638fdd7950b697fdc878335c76c

SHA1
88763b81b2663444f740b5804b72a2e85268dd70

SHA256
8082314405ed8092c64cea1adfb0d2423ef29cff90fe8ac31b424ca6e2a41cdc

SHA512
78a67626bdb6dfb758ad7c66f0eec5a4ad31e8b5e7026d7b9ea107739e1cb615f5ab7cb2cc0484e99723e7a1b38f5caee884beebd19f30d8703684f75a1c76c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
8a4b346c658b794180fe844883c4ba9a

SHA1
17effcc7775f9681767521949a3c3c99827ec6c4

SHA256
01aa2916540f3b7107df17828bc5865cdb38c98376c93f89857091ec026c8232

SHA512
02e9da77eadb9cb0a9aa9cb4274be5ba5b54d155c666cd9bff2ac3d82c918e5cfd98d0c15318ad21324751785466e98438f4781077303a165cc697e260349f12

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
b7ee6c513e195a03dbda59258e494e5a

SHA1
e6d47089482d5979ed387f0a3586c96bc0d0e165

SHA256
09dea5349163e1f3ffae27a09283b054a3ddae48c68f2a659eb65bc7b6f7957a

SHA512
b789fa070746eb8a137b3d8a630d149cddd1e424a293fd65dc2db2a154747065495fe82c9017fa73f3345e169f44b4637bddb06adee8d2ab96457673449b6b05

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
7c97567ed8497c585a87d5b38247c5f3

SHA1
e3dfafa94d3d8572048e1383828e972caffa21c3

SHA256
1e13d5a25432e40758c6964331e6bc5be8685e26fffe432195773218679effb5

SHA512
39f0798d9a8735cd677c48fd9425ab9e1bdcc0d9601143edeaf607c21c424b8ee1e01d1074add211d10fd18777a79232780a6b41daf08639ddd1eee4ee5db095

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
f8c98a9b89aad272d929c95f41729e01

SHA1
a19a21654377a642d9d1e9020d2810cd673f8a72

SHA256
b14f3861ed49a76425710034d8fdade27fd12c07f47abf31a78b6a2fad90c087

SHA512
ac4a8f983689dd7637e35bacbdbea03a090de5e1a5bf94fc4a67a1d2dad57ed09febcba563fb507b8d5d69c2286d40bff5c7f981d452134060462b54b852ac7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
272d7cb832e5cae82ed885bef28325c9

SHA1
a5bf4d5a46a8f5dffe41c061439773b92be6745d

SHA256
2e7db2e4d01bf0240a2eb2cbc179567620245f501b335e403e2019dd58d0fff1

SHA512
86f3386d25d02dbc4bebd51a97e395742828ea01281369176565848e000ccbadc33e4499fca5d880dd05034e6f07c7e6ed26dade2bd28110f2287e758ac43c3d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
589ba2ff9076c3c4916358ef2bad3832

SHA1
509f6d6083fd8a41ab160735a577cb549a3903d0

SHA256
a912c8475b0739209d6478e7869bed8b68a1a854f688d20d52de7165022aac98

SHA512
1e853fd2bec33550551078a9f2372903d5102a086a42eb8ce5a2ecd53a6368c31e70ae33de0803819015144473543bb73785ccda5c0363907411b9d176973976

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
ea4c0f7764960434dd82b291567e5242

SHA1
e86bcd1f01dc65b84f630fb6ed612010772ffff2

SHA256
4f1fe3e6da66970adb82fcf5089752de52994cb96d20118b3491d6eb308095d2

SHA512
6b8428b26baf6b256a79bce6264ee1afcb064f7da4a32f4dc8747f1c54b26c6019942cd27298005e6843881cbd4f85626b54a9b1b2f1264bef8b575393071b32

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
bb6bee451dba4469dde3b95e6fc27f8a

SHA1
eb5b24f3630cac0c162b512bd0af8059ed3a692e

SHA256
5965eaad219f877c6493548139b57eaa386862901050daafdf02426cd3679379

SHA512
18691673a40a027b5fb3107871b6313a22bcd56a7c80e083ed956e3716557f30ddad5319be173d8bd3d1c6565a108310e4fa390304512fc4713ae3480eb09540

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
d6a461019b639ea96db01bdc31a6eeeb

SHA1
4d5cd3ab086a84d724c8f938256257f29398d26c

SHA256
631f8172b352982ecb9d845bc96559425a84250214aaae2fd55bf6b8c90ffe5b

SHA512
f6054b092f15de946a24922953d7b7b4c322c3def68a801462d2d3514fe3e2ba44a57f4e0539cc19483634da0d65a7f9a85b84855c187d71a761e95eb761dfc5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
55d506c17ef3367ca000995e9ad70aaf

SHA1
8b6f9b8d70c11c053a17451935c9c26494bd446e

SHA256
5518137139de15057b8e22c2a1331864b805823bf578101dbc0d619313e44916

SHA512
ddc6c963c8cf7835c4bb126dfcd1056fcfe5565c40838c02a5eff8ac9707027c1441ddd47bc550122bef4601ff0a5325edd6d4caa2161dbf63ac402032b9e1f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
a2363fe3f64822b3d517559ea0f7e1d3

SHA1
216f6fbdb49e014ae0595a1395cde3f436a2e6c2

SHA256
45f8905400b30a9822704a9dc41895c9092aa4666eb1f34527f6c7a9cf5f3175

SHA512
5134364bcf7fa9ee458da64949a842bf674b268cd246412baee3c3fe57ad567ed84d1920f9827f79407429cdee3b02f37c700c4686c323bf836098886583fd6b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
bff37e887186e43403622f25f834e992

SHA1
b20b53f772398142ce25396631960afe27c83bc5

SHA256
3878504c2543919a2cd2f6b9cc8680bff42928f60eda1e8fa92894f8b1114164

SHA512
4ceff6add9bb42ac357edfda95d273ff9bd934e9ccbb5c577aea2b42312871ae631270ee381e1495603f9bf4f503e491820108ad5ec83c9d7604f97c85f13914

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
93d983d00d43c9e5866e5852aca50831

SHA1
6105340dad3a8c726727d9eb86e9519f4c70fe2f

SHA256
a5ad9916a1a9d693d9851ad9bc1276af2a96ad2412d30e7cd3176efcb803c7e9

SHA512
0e81c64f10065b01c6d6a2b31d3051d2b03e719088cb0b0ca61614fde575f56257119827e755233e8ae3f6e9b7fa0550353def71998f5a9f94567fb7068d0eb1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
50d9d898f0eb7db8a5f752e37046b6b6

SHA1
3b13b919ca9a7347065f502890e0bd266f1923d1

SHA256
28154776620251cb5a1caf3952ed92abc124d5f4decfd4a965b93a8b53d7b3ac

SHA512
23fd3630c575b0d9378235b8ecccad9f7367091ff69169cd56a5df67efe27f232b1330b8e83bc7acc36e13093324f755052e654a9ccfe9dc96bfff0d88de2587

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
ca65e64c85dda66ba9326d8a6ac349c4

SHA1
a4d542da8436ddbc8687813eceeca5569f8aefdb

SHA256
7583b91dae94f515e5e5b0ecb38c598755c42b1698f97b97d932c560c94c014b

SHA512
c9e26f80520824243ebc1470d57370543954016f3f84ad3c63addbe4454441e8d98219e2386c8653f23bc8e5f43df05ecd66b740798cf54cd760f1ab143f524f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
044f6c6c9ca6f9b142c3e897684584ac

SHA1
5f3ea35b5c997fecad90f0ff9c9c9e8b0902726e

SHA256
6633f2d551295455b7dd7db300a984419ce4db04c05f853b3d951c7e4bce5cea

SHA512
47678bfb56d56f1cd50c61d25fd10900925e0401507a9ea3454c327fb906c9fa704a2aa9a94acdb1dc34c55facf4d4d085ced8a0b57fed7bf50511be1dde7140

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
86349ba12029999ccab0900d9a9370d4

SHA1
5818a30cb5730aae05cee7188c9c8edd82e51214

SHA256
4ba8cbab1615338db71616c0ae1ef22a6d084badd79bbcff259ca58cd51ccdfe

SHA512
1270718cd754c1dbdc486f1ce070e3531c911072340a9ce2c76c866d7e1ec8d22962a91e9919943f4aa40f33ff2d7bea8f3fd98c5c7783e5a31d43aeba27b73f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
10ab760601d9d2843b589924e4da1e67

SHA1
8297d143172df7d0bde2641febd7f1f18fba9c72

SHA256
cab1a1f0d8ac4110828d5c639e1632752a45e63ef6fec0ae32b5127f02dba634

SHA512
94676017f7fe12f1ed3b84e03bc8ed6d51a4d8d01a0141c1018ea756e892f26e49f0027753c9bb0dca6eb486f8bbd30644eea3056bc3cf2a1fa52c86545dcbf7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.4MB

MD5
c429e3be1ec1ed5b3b83910c0f531451

SHA1
a421a832fd096c90df8a0c4de32bc41686e99770

SHA256
997f0da564ca9a361dff392587d820977714460f08db797d13fa048a4aeb1783

SHA512
f3813ea65bd4e5c3ad80f9d208db30dc32a30c31a310e462f3bdaf68167d47f6ac1a34b11d92be9d257fac248a420afb34574930b4c43acc601bb70fc58b8760

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.4MB

MD5
18d85c3033b49e2485a7530df75ccaa5

SHA1
8310224eb47acbd85710fb6cb2fde89ea0ebaeb0

SHA256
64b3edbb13b1043e520b71942fde854b191455138118b39abf90e545013955c6

SHA512
6ae43f444793f9f807d2b6ee7dbabd3fd862d107ce663aa6fc1bf036283f7e4eec915aa43ab78dc27a198db43609ee32ad286e8b0354860a347a5b2843704ec2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.4MB

MD5
6e641cd7d0c82cb5ce0862b98d765672

SHA1
4e2a25842f80ddc963b939f51e95e2f804735228

SHA256
31bc0b0a1a35381257ee92050f0c174945276fe18d90004c1cd84a8fb5cb555c

SHA512
8c1233d76b288b2c84bf8a55665586903e2119ed9f67b27fef448833da474f232829706b596dc14cc47f5a3d6d0cf0e25246f1a0502f3718463a3d87ccc0cd16

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
56cbe3e9679f2d719069e52fcbfe38aa

SHA1
2278f81ba3608a5150c60a598e5039e3cbcb7bf3

SHA256
69e3f4068f4500aa87e4b5cddb2486bc72c725e89576d1a890df3f96a704ec2c

SHA512
a28b30badbfab8a85431467b5240cae07c5f6577b0e32e5460c9b26c61b50524cc6d77887a80196665dcbb6d5781846cd15ebabe4de82fb112178d2a8de7884a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
ef8f82af17f35ef7c9aac513db674b5c

SHA1
bb009e76a0180149f145532130e2ab5566fd997b

SHA256
5c4eb59a14f6266aad412fb663f1f9a4de5e98f53b12a4cdb16946bf48ec448a

SHA512
2ca71ac0c8b9beff769e79beda4c745d49f507934a5d96d0add67b7e0201f50787e21e0bda04a73e9076b6e3b461fc721252868b9a01457428ecd4fff31c05ef

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ecb10be841e60fe80a5d4044edff60d9

SHA1
a7ab7927d4fcb334cde3afb4ee5b9fd067046b6a

SHA256
e3e0832c2dc472cf132beb4e09fd47e522d13b2e0fe895ec912a0abe0f8abaca

SHA512
47f328bad995b781031456d5858157783c7933034813590c9dab8fc7376afd908483776d6dd53cc13b4af26d669a42c5ea0c741c5eb2e68222be26c9efe5073e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
47b040e19627108481309739fdf9a2f2

SHA1
7484ad56173de699d31d5067b528e8af2b018bdf

SHA256
0b4cbe32b9f0c533b8825fee21e1f53c717eca33c27a0df68da0aac7388670b4

SHA512
bad32c595a5416f476b4f93b9cff91fcb860e776912383245c6e3eaa257b5ec2d68ec28355ac192f1b83f479566b191eb65308c39193ca3a7b7bd589c6ee731e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9f69686331509e014fd0efd96eb1a761

SHA1
3043c5158f60fe66df1d2df5a251be9e16281198

SHA256
26e65387e4eef410082f89b0d5f8696ea7fcda7f8cd747bf0bb3ac44a03d8feb

SHA512
28ed44ebd007cb6f37731a5f6c6b5b9111ae5a4e249884e275fec570f492d37f9d450acb594f858680a2c033242c641c0290e645d54a355086872ad96afbd232

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
40ee4795e9736e28fccf5d888b50cf2e

SHA1
fe5da226810b68a7ee07f6c76bb38445ed95cf35

SHA256
0add9ece903454ffa3196183e51a7df1c2e9ff1a61e64550c0c5efa6752cee54

SHA512
1b9adbb122999204b0eeb98282c094f9e496177bf6afb3d1bf4d2ff966f073ccb40d54d0c6f7c1167d81818749d8c5ffb3a8805b42ef310e73f8419b73b6d541

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
08a9f31b4f646f9224d9f11d91aa784d

SHA1
073c3d850e232a5d27a83263b3319ef498512b0f

SHA256
471293ffccc5863534109aef5f0a6a47e7e3eb37e9a0a026ff0072db80e85864

SHA512
bf498acf5291475715f6c2a510cc0f7f1d187719bd5fe724c40b0fba14c1c1a9f3531f26cf35b7185e2b5fd482cb3d09dd309156d167451fe5aa070e26c9ed70

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
26adace6b3864dbe1cd1356ce65f4c5e

SHA1
9051026f123e314e8a9f36ea7f22941cc688825a

SHA256
a00aa89df1a6ebcf2a65ffecc29693d21aed1fd62d53dfaab00c7f00eb3c2b87

SHA512
f9f3dc59377ee59471dcd36795df8e9c75383f3056654c1c75f07cc73a7a16d0755b538ae35826383f6e05f935b50ad00d9e11db8fb7e321cec51bf6b26a6325

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
edeaaf23af1e31f2bdb2ae14ee112db5

SHA1
6ed40b23fbb3ec51a1fc47fc92eb64443d797025

SHA256
632ba3aef4a57b44bd8f6e8c3ef348f3ebefe9f370b14c0f30604ebeb4f17fd0

SHA512
4485bb1ff45638ce9892d42f0f6c9f53a5789d42b7c7d6f491d37b16df04616e7c36017b745086de6297f9e9abb35d2d79e2541debac9db143ebfe3359ec930d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
45776d0183028b765b707c27a7071096

SHA1
8b5b307adc87efa6d527873b2295c8126fa81285

SHA256
e5c4a1e395ffdfc8b87260db82918a7d1f14d2fa74585e3d08291a9c9a36024a

SHA512
f251af3bb041a1f37466abf14ff2cc6e738a3f2fdf7b9dc0a71250267556032e4b08e3c42bdff0ca22287e21171967cc5ab78c3584d0d0dca88d479038ed1369

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7c3cca8021b910336afa7ee0ab54e0e9

SHA1
a811fa998030cff885d0071b29f0b6c6afa04731

SHA256
64ceef1df9cf94e4b77821b0194cf721f6a0ea70624d48e4a4c70678d9593d77

SHA512
4f4653dbd584a37a0fce9f03ccf9e28724b71500cbd1754ea1528929f8aae28aef01d1fb7220ee40dda81b717390616156762c004d08d41dafa88ddfe95d09f3

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
34a7baa9e9ca45bdba15571826a36b1a

SHA1
953f22dc1e1bce0d31986866b67daaea201971c1

SHA256
50e309bbfeb76c66ccb97413bf130ff42ead4396e8085e896a11999d4cca57e9

SHA512
e55c411d25ad88cfc950a4ccf9ad04a0f81fc3d5051e99aeed54cb9d65bcd368c2ad6c82b2d836e767081660c04ea5bfa3ebcfd18d9f05afcf39c006326f6cc0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
fcd0f64c973f767bf83e9a9fa7453edf

SHA1
81d2d73d74c5b826ce52f552deb1b5ab0ff8afb2

SHA256
de9e37fde6d685e4184bf87fa8a13568bdec79dbafb550196f4560544553a016

SHA512
8fb3cb9ffaa22181cbf38502fa5f52ed4e4881c69ee4b35d71eb9ed590981bf91d7f15c4fdce20b47981cfe99b9a74a5b006048f3f6ec12bd6d577508296daef

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
3f0d7a3785cbf127dcb7e39925c8f77e

SHA1
dde8bf47e249ce71ed80c10928bc6ec9ecbfeca6

SHA256
220eb7d8b86e48e4c143337f4253f29a9cbd09df8268c8c61368c1ab82e600b8

SHA512
c1800cb60b9cc60c6e041e2f40af6d80c353546fcf9fa03a21d620e6a8d30ba1d233ae01542cb7d4bcc53a3e5a8073397a7c4b6010a67131c8ce31728a271fe4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
33232265a9cdc478a74febfad23f0942

SHA1
2306f6468fdcb7255c10a79f606583fe139bedd8

SHA256
ea0b2ad4a68bb8375bba19ab0e2397a663e823b3cc7e135b41f00da1580983e5

SHA512
d4152fe6916c500e2b8fb29f3b4d5f3869cfbe0ace4398dc6d655d90202c6c3906b92dcf62c32469304b16f790b7c9454ae96203f0a729fd9e99ae4ad56967ed

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
91d72653981fb4be5f52a47e3d81ae32

SHA1
508779f5c829a0d33ee940d7c5d009e7ffef9dfa

SHA256
88c3fd47b2a614101cebd957590c572385843edef0bb071dc8371766669b6d27

SHA512
efd4138d6a19959878cac89060c9880e09d62ebc13028597b60e97cb3b1c595be2a9a18e21423806d089823b6a9e50e678da756d07f9e87a3be5a5f64d169776

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
749d2acffc49e200c7dbe32152693a9c

SHA1
93dbc1b9e90d5bc9c60ee8cc53f424fbdfe401a1

SHA256
37e64e3439f1c690a249649064f41c4728fc0bc772172577aa3e1ca399c5833d

SHA512
f65175fad7d6c8fc4791ca81504019527eeb3f10e77b24830d03506c8646d6d0e449c5be0095f40c1d77fd688abee85ab8bea509b00a30c4cae21326daf5676b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
eccd0f3da1e7a4123d5cb6f5d750423b

SHA1
75a13d64fc95345d7cde1e9d66b34342c9f869cf

SHA256
3b77211080ceb2876665af8a1f7601bb664821ad2f0a083e610a0fe730dccc35

SHA512
a9b28f740bd6fc2d20bea2c41a8bf304352ad8191cbfb8a01d14f7866908981232d1f47b16b505446a8b4157f01889c1f823265ad01b4cce780cd3b6d39cf301

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
9d64b4cef16dc2c59da40489a82992c0

SHA1
16888ef51cba5b03b0ca466fcc91a09f71d19d50

SHA256
e124b4516802c03ab7a4ea31d68625bf062bd6d18d6cc683cf6e3dc74f5b1b59

SHA512
d185fa5196fe62673945dd7f7c5ad33122ac188d737fe8060d09cc7e34eac8cb75207eb1d1c3e878f52810b83b0cf249bd6051c971eeed5e9b306ef29a8cb49b

Download Submit
memory/60-321-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/60-314-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/60-379-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/412-367-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/412-376-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/412-435-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/428-273-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/428-339-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/428-281-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/428-347-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/536-436-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/736-58-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/736-53-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/736-51-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/736-62-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/736-59-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/736-65-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1052-352-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1052-298-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/1052-286-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1092-410-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1092-419-0x0000000000B10000-0x0000000000B70000-memory.dmp

Filesize
384KB

Download
memory/1092-444-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1276-407-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1276-406-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1276-401-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1276-395-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1440-14-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1440-21-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1440-22-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1440-230-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1440-15-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2288-12-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2288-1-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2288-10-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2288-7-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2288-0-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2428-68-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2428-239-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2428-67-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2428-74-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2460-251-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/2460-252-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/2460-244-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/2460-312-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2460-245-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2848-355-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2848-422-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2848-362-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/3504-409-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3504-341-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3504-348-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4260-264-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/4260-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4260-257-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/4260-270-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4260-271-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/4416-366-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4416-309-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/4416-301-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4536-439-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4536-382-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4536-389-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/4856-423-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4856-432-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4856-445-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4944-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4944-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4944-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5004-34-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/5004-28-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5004-27-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/5004-35-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/5004-235-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5032-392-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5032-325-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5032-442-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5032-333-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/5032-443-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download