9027b0f1ad2da2e3c48942b72bf088f7b6de599009ff393a983088fe3fa91b6b

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23/04/2024, 22:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-23_47f405f17e841e66c683eccb03892d0c_ryuk.exe
Size

2.1MB
MD5

47f405f17e841e66c683eccb03892d0c
SHA1

d9fd8b812aafe5e0d25e3a6a82e09baee9d035f7
SHA256

9027b0f1ad2da2e3c48942b72bf088f7b6de599009ff393a983088fe3fa91b6b
SHA512

c9acee112d9bfe2641cfa1824daaffdda1ed0b4b7ad509ca4e9dfefd1b677bb6c5c753c26a7309cf28f67367f6dc868971b909354a2bfda487b0a333b3a16734
SSDEEP

49152:/a/3xXBSZ4K5MJ1LvTMxbdsYBYSgxu9+fw4T24DCKN:HZ4K5MJabdsYNcN

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1016	alg.exe
3068	elevation_service.exe
4776	elevation_service.exe
4344	maintenanceservice.exe
5000	OSE.EXE
2616	DiagnosticsHub.StandardCollector.Service.exe
428	fxssvc.exe
384	msdtc.exe
2908	PerceptionSimulationService.exe
772	perfhost.exe
1760	locator.exe
5056	SensorDataService.exe
2464	snmptrap.exe
2072	spectrum.exe
3820	ssh-agent.exe
1364	TieringEngineService.exe
3304	AgentService.exe
3992	vds.exe
2436	vssvc.exe
4860	wbengine.exe
884	WmiApSrv.exe
432	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d96279c774f8f84a.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-23_47f405f17e841e66c683eccb03892d0c_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75234\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75234\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{01C6D80E-08BA-4005-BBC7-FA9D9019DC00}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bee5eb8bcd95da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007cf63c8ccd95da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e6a80f8ccd95da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a85a018ccd95da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000097452c8ccd95da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ba941b8ccd95da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000057d1f78bcd95da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b41f068ccd95da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b2f578ccd95da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3068	elevation_service.exe
3068	elevation_service.exe
3068	elevation_service.exe
3068	elevation_service.exe
3068	elevation_service.exe
3068	elevation_service.exe
3068	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3024	2024-04-23_47f405f17e841e66c683eccb03892d0c_ryuk.exe
Token: SeDebugPrivilege	1016	alg.exe
Token: SeDebugPrivilege	1016	alg.exe
Token: SeDebugPrivilege	1016	alg.exe
Token: SeTakeOwnershipPrivilege	3068	elevation_service.exe
Token: SeAuditPrivilege	428	fxssvc.exe
Token: SeRestorePrivilege	1364	TieringEngineService.exe
Token: SeManageVolumePrivilege	1364	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3304	AgentService.exe
Token: SeBackupPrivilege	2436	vssvc.exe
Token: SeRestorePrivilege	2436	vssvc.exe
Token: SeAuditPrivilege	2436	vssvc.exe
Token: SeBackupPrivilege	4860	wbengine.exe
Token: SeRestorePrivilege	4860	wbengine.exe
Token: SeSecurityPrivilege	4860	wbengine.exe
Token: 33	432	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeDebugPrivilege	3068	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 3112	432	SearchIndexer.exe	133
PID 432 wrote to memory of 3112	432	SearchIndexer.exe	133
PID 432 wrote to memory of 1900	432	SearchIndexer.exe	134
PID 432 wrote to memory of 1900	432	SearchIndexer.exe	134

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-23_47f405f17e841e66c683eccb03892d0c_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-23_47f405f17e841e66c683eccb03892d0c_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4776

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4344

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5000

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4264

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:384

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2908

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:772

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1760

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5056

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2464

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2072

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:556

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3304

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3992

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:884

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3112
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 924 928 936 8192 932 908
  2⤵
  - Modifies data under HKEY_USERS
  PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
229456e19237b134a91cf66133688530

SHA1
566fa8da844744899b203fcfc4e2587dbe4aec1e

SHA256
d2d3e25da4fee8bfe506f729c4b0f04a6c293d091d278c9b8b636179e4ead95f

SHA512
08cdce08aaf2e7dae408fbab658efe5c42ab38c127968e7cbd830e452e0c19f42b46a920ee70d6571e291f664c441a4c4179b86c0c3a9af467ee349abe3fcd19

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
254adadf156539abf80898fdaccd6f3b

SHA1
c0cc79ce9631cc53d044bc24c96b9aab891718b7

SHA256
30ad4fee9bdce0971dac453c48f58fc9e3568371992d387d81ddc1ce210f35bf

SHA512
f733f9baf057989688f27761f16655256c05514fad3e4b777c26c4a8f4728081c21623d9a6c0158c25e8fcc98736c3417c16bfec0e3593b8610a7b91a61f30e5

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
89f6c82e43d6eb29fbaaf06ea0d9470e

SHA1
4a2593b9d3235b8865d088f402b8d17f0a31ac4f

SHA256
5def08716f3fb231ab81a232726ed5f12e7a0a524f0ade24aa6a801846a59cc2

SHA512
a278224a63baaa4c1db5e0b0fc1123d8b1040cf571017984d8fd3a7ed4836936b4bc3ec32b6334c6e76fa687cd96a62c3919f54674bc39b2ef032a4273fcddac

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c04481e3e9efdeec81c2f32d1012c657

SHA1
699f3181413d088b447156fff7163a6d47ec0429

SHA256
ac2cb8a2a8ffc31e940e8ff48b832467f61608e6e403426a622a9ccea6110890

SHA512
f32a36168b49b0d50a746ed2c9be46f6427c554ce28a1bbe01910db818e17931564e4ef445a3efa7b4e0c211e1603c9a0da601c6dfbda365f8687f7838260601

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
25a178260dc2a5d69a859e22623df16b

SHA1
951cac9130db1c90f027bdeeb2dfe7b9a6abcc01

SHA256
14cb3fd820ae8b594a83539aa2a647e3db6bfed16ed78ee3611d8761d257151f

SHA512
7b70bcd5176c4806d3401995a5fcfe726a5ef93eda0c17ee1de038d283eef08b3b146390f84a59b255702baaa99f179ee083f95d1d1efcb0effad15a91856a9c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
60100808680ed93a67d9173ca7e483a3

SHA1
563eb329bbb7eeec431ace4d723348393345e71a

SHA256
d9d3f93fb8bfcd1741400d5236d79b02a4dfee09682602432774727c82f00199

SHA512
6a7d4d97c324574ed400e0bd5b759646554f67e53fae04568d289a067bca0ed7ef82a86fe40c665adbef87f5838ffb9daaf4530d884f0e22e52241c4aedf1ea7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
da45035d7d53e047816a5b892dede5eb

SHA1
4b34cbcb152082420d111e1dfca174b885b7ce1d

SHA256
994027168890835c1a35a45f61d5db89b7cdf99745b6a5a6693148ab6169dfba

SHA512
3a31a15ac635bce2038c909938bd4c8c3f8340066102bd6db78e1cd2d02dd85003722aeadc358b0b70b12b5fdfa06f5ea66fd7a5edb86b2c124ebf9b66c8fcd6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
884db7bd3f5e8786472801639edc27a3

SHA1
bfc1a24976cd221d4d0b6f63851202e8f2e24e0b

SHA256
f915b57cbb0b8de6563ea9997acb9875e79e2cce2b68c2781d0880cbad49c3ed

SHA512
26112f4ae1891a8184efa6f7674224c5d84a2bb50e2507385276b4aec2fe1dcd60ca8d86c33921cb680bb1e4994c76f7c59cb199fdf0b453272a464ee2ad3e4c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
60ee8ab9bc57bdf0f7a0499278a8af15

SHA1
143a45fd3c79ee09d809379d12fcc38baae3397d

SHA256
6efdac0f646dcb98c23bc70260d398b26860458f2f2f4840dc584aba9d1137a6

SHA512
12cc1156c3599505b92fe1914db1ceb27502e2772c0d1dff28c86f9d55b24059ca6f839cc72ed5a1fc969d7f6bf7199154371fdf803053275ad38e8bb7023da2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1bfc7ff0972dd8e15356e62dcaec7242

SHA1
d48df78c42e955054ab94dd4dfca32a701d91f14

SHA256
066f87b279d7a624a46fccc94a1f871833a2a892b67c4cefab17a990bc5b337d

SHA512
7b0cff7920b57fecec74b7a49ec7d41154d6ddf498db6b244741f261d49960a672a80698d8d11a1f4123bd52e41c29e30fb213c91dc83008f94c431c69b80419

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
2054b00410a03d887df6cd5f201f9761

SHA1
ccaf3658fe773de99c77da68589012e9199abc37

SHA256
b17265acc41a84dc396a0633a3bf3706d9dc14e2685075f9c7351a379e13cf10

SHA512
4149e7bd599ec8596df43037c0e9610542b82e6688c8831bc10f34e2e3563a7c3756210552da0ed289fe719672b2dba59456c77daee3003dcdc9ac99590dc694

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
123eec1baf6869e9987310e8cf27810f

SHA1
553fbf7e8fc3c34c4921cf73e8667ac9d428c814

SHA256
bdf1d9b66f0648a428ac67fcff07908140344c8b0445d0a372b05a3022185874

SHA512
93f82f8f796ead482c1a4dd67acd4ab7102f262b56b93d6b80eb6474b70ee7536867e9ea99ffd8d9cabff10b72a8027017d4cb4f6d206853be284e6e3f0e7309

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
139de08920cc5007bbc693b15d632fbb

SHA1
f400a27e95833a17ce4b334c861db8752e0bdc6a

SHA256
b139e00631fcfcf142ac8903c0163c37a6e372d5d3e2d7556a81acfc7ef75c35

SHA512
c2f1376b665f93dfc4c6c84314504e70494ade509ccca46fc3d6da5a4d0e1644210ff49b17dda424140448c3d17c2f536e1139b8bfe28430453404bababbc5e2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
62ffd350f667357aad9b9e2c9708ffec

SHA1
ecb9fbf44893ca57a79224aa0b7ea89b4bdf88e9

SHA256
3075058f6a02d9f6853e6a644b2a37aee73cfd542fb47ca7f51af0f592af21d1

SHA512
918d0bcf18f1315daa9dc9be9409dad085e5dd4f48e44d766fff684203cc5ba2d71aa46b4f410882188ccd229860983de94abad752458b25b6837d5c511f1824

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
a8988792e36fa3499243e1dd05f755f4

SHA1
69864cc0ab38f36698bb17ac126c61590827da2d

SHA256
1b0cb74b31d6d6207fcd1a847db9989a7c1ac49a150a74487e104ea9f493c678

SHA512
673b83be071258e7be6303ebeb0a3cc5f992a23d598866cdf1a50a22ebde3c2fc001966c43e2348ed52a4295fac65646fc358d437a1c412ca5a811aa036d122e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
976cf30e9b98d23816c63069c6010fe8

SHA1
14c66f0fef74704e31f8ca48f1105d8be2719e94

SHA256
a8a4851dc3be1a240b24f003e847e3290303c8d0504cb2bf352215adf74d49b9

SHA512
457f13e9cacde3ad958f61dfed8ecbdb68c8bfd29ad6482248a9207660a5cd5d74a31b043a46cdff841f40fef27d39b3ad6365fe047f63a81bf8b57b70cf2dc6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
b5e0d503c3da6cb5de30d156c360d22c

SHA1
dde9bb0cde305a5407e9960a5f6c8ccf6e7b4390

SHA256
a4102da293c4a4efb8d2078bcb2883980c4e0c8e7c8080c75c5b6e8b8d8bff6e

SHA512
49a101d4396db318a9abbefa55aa6549df371b79ebccc8ad71e6416e7b83468e94e612218a02de5df0ddf81dd159202c196bb37a5c25ff4525c2f7495c2cf49e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
19668948237130ebab8e48c1d32ac8b8

SHA1
2a3d12232afe31aaad9fea3c84fae3d2f6cbc8df

SHA256
c5baa03f331f00eb7d4a10fc77320df3f113e9dd34d676fe4e6cb678c6659e45

SHA512
9001413fecba0342d3e23b1d109a37807c519a4be5d7ba819725b4d5da5a3227202471127b5c0d4ea0df513181724f50e6e07ecd2a85fc0edcd703aa2acc79d7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
a33e2e808deeaf828c24486c9c225f03

SHA1
27cd88fc487cdf844096fd29be4a3e2885e23f30

SHA256
95df649c649e3a76445615d22be728ffb09f8d76343c33c8b9452b8bc052850d

SHA512
ba381c95c4f1879d3a15cd6336db4076f0b23978614d7da7b8ef31287068ecd64a495098f8dd202449fabdd7891f6564f2a85ada1ec80ad17c2e1ebd347a6e43

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
54644b88ed820172ea8ab2bb65ddc444

SHA1
6a8ce85422f153d3fe560863381568ef0f8c2054

SHA256
6d69794f6a8b522c048190cce7a997d45c952004204a3de548fb69368aeff00b

SHA512
e2f41f72b53c20a688aab258ee14cde17d2ce75dab5b9d956e6d2e7240ad2e701aeb55d16aee6411012d5ef7806096c5d92c618ab14fcd0f346faaa7a6bb9cb1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
446c5ab79cf3aa18747f75656c00fcf3

SHA1
77db7b0eba066a672aeda7ffae09eb97c333f494

SHA256
3ea8817c4dc464458df457f11ad7bf8f24761d290035a1336caba1778e214567

SHA512
cd0732cbe332fd4f76bf3d631c401f1d4259fc230e13ebc992f66f656cb00f6588e0f53886c3412f9f9ac67e5560473a84e2eadd21da47170cceed9dcc90e4c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
fe10f841f9d76cde827812d85b74a48c

SHA1
7cb7c47b5f52abe38d7bbefcaea58ee847631f31

SHA256
41c8dad5335ef5a7cce48fe2a57d342dddef0b76bbe1bc0e118e00ba70417913

SHA512
33479833817b42b04db2377928707538b4bdf99bc2a716bf76da00f0ca85e10d78b94b46430aea8a949fc8d8e85f7c0a4d493affb42cdbf25f60a73b8dcb12f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
f85894e7d1f961a360d3be89db348cd2

SHA1
a6ab5c9d78bd84b6a416d011eee2fdba2fa5966f

SHA256
c1c3afebb27dae3765b0781e5371156ac5d6a24bac77ee3ba679f170de237c3c

SHA512
358cc7870c385a964bf771e643e4d80d20a8818e98165555a145702566c755a170a036ced843c3f0d2e519da9b6a15d82a92358bb77c790c1118463a122aeb88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
0e9013da0b87c59f34a8715fc9653382

SHA1
b3b4c70a3ea657bb53cf0c294ad54903877238b4

SHA256
483a0e58504ad8a463b2c60f42c1f9c110ec4a5a8bc95396bcb3640f4be7f863

SHA512
d5206abb335fab4c63fdca28da502e25ef51670aae132b1f4d153e7fb5f5f33ac9235b4209d23c0252c430d8e6d524181d8977f00d128139d368db1182317851

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
eaef554e5cfffd95738194e724039e64

SHA1
678771691e41a38be15acd8e4d33fb6aac1a41d5

SHA256
736424e6afed84cf44c316a3e3a0ff632a1805b2a122a4c0a22c4ec7a6e9da85

SHA512
5dfe3c575de259bc9fc8b0f9ccee222838e2c698e4e8e4a9821c862104a6a6b1c9a55aaa5e38cd79fd1a4ad1a41b408812dae4d28cfab43afc392fd38d8f5cf1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
28024ba80002818bdce33e51d6e589f0

SHA1
56f39a212e7a84167a0eabbe1e3c9c24cd4b4767

SHA256
9dc36912e5a2cbb00e24c19908ff06e576a4309ed3edf2df4513ce86505a8190

SHA512
701c6d199ef2c9a6da87fd0a938e6de05ade4374d27cd916ab2990fc2e9d125b22c8901443d0c5c7d6450fe771271c742a8de0442eb6b000e78d5bb1f3c92c84

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
114fcc01d5b08d51e09b38dc076ee43c

SHA1
f416ef4076d681a0f31b5fc36f25887399c64163

SHA256
d4d7c7f0c8929ef425f00cdcca9dd17da2be1609ec96c5fd69baa5cd13d55ddb

SHA512
6cb3d146af41dc5e9aee1555e9a25db4d99d15af479423e91cd28cff0104d2136ac4208288bcb6f45f81d51affeed4a3ea4481b0be7b0e20ec1067d1cb123e26

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
1c679c60e399f7398f7ad91e3d09a4c7

SHA1
94e44629f90047a33a52231f723f8457a4024db4

SHA256
333f649bf675c8403806e8337b0d3e8869e9aa0922c70ebc46e45ece44809b71

SHA512
2bbc014e4f9dbfd0f3bf8d7ae3ec31d508ce686351dce9926622c965690768f54cf0bdd55afafcaaaeb4f65876feb58c1ba69145678e0f801cba5f0785241b0b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
8843f25e05e79305f97d38781aed60fb

SHA1
2f62aeec0e323922d57d58e725c2ac266af2c219

SHA256
3c641aa261208ebaffe4be6a8c705b860d132db1b57c1b8d981e236d5cab11e2

SHA512
21b9ffea2f4b3248451178f38c36e6c4ac83ce18d475136cc5f86b0ae145d1059f2d8706122cb3ae9624661af0695bdb5154b02f05abea07be74118f967df2f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
04ce8e04b6cbc9b97d3711a96eabd127

SHA1
1a80bc4b7d1201f5c8063df5d430ae18f7967574

SHA256
a3cea428ea17691f23fe8b6e983e87e50c0b249f3a351e14dc0e221a95450a57

SHA512
a1a5310b0b627f573a529d0424184472d7c21074b683a2d69ff27ad8711691321ffb2cc0321e124b69d77969f674628e958b94526dce68bf31367c1bb7a65b90

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
e7257d8d06aec3800b7af545e5429a1d

SHA1
e74fbd76ba92d702ea4ed144f4967f9e85b8812c

SHA256
b9cd97045022df8d0c6efc6f66870810d26e1dd06b63dfc00fe3cc13bacc71c2

SHA512
e7b08659986e3a0ee0cbe8495597b4f6dc3101bd7250ed809bfc7838c09af3bb5ae2057ad4c7426eaca3a56d5ba281a022810dc8df20f5521a2c34bae2aa963c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
94501373a800009f5d94482719cc3466

SHA1
0ad3846f48d711d32c597072b056a45720a0d121

SHA256
4748f663cc598008198624b830cbaa00ba6964574fa2a7b5ced1342203c32ed6

SHA512
b6e57a45e3a1b221c482088c95f9063784f3f120fec2f15bbd8bab081bb046026e7570d39ca07a3ff969d4758670201deb6d2b60482c311e5a002fabb55f3c14

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
03ee955184076ce30c3fcb86b5ecfc95

SHA1
dafd40852b8aa68ff4af8a2e1ca2b727216f8666

SHA256
c1cfe9ec59c18f81fff4d2edbc5ece598a2ff2dde2441a76cc88bb4dc7fcc248

SHA512
f2a2f77acc14122f82d91296072234eea4f65b8349aeb85b285e3b04305a39bbd444bdddbf6777a806894db8d8958c60437ad5c47042d46f3cdd5e4883dbcc9f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
42cb2283cc316f24e0f40046b83dba47

SHA1
4aaaa4035ce81742614a1b72781f8c9eb9b707a2

SHA256
e2a9295664fb79b42c5f1ffb79b2f194a136f848eba29e846b13c1fc72286a37

SHA512
ea6b3754aee1d5d5eabcaf42132cb4fd33391bad592380188c6e560126b3dd4dc830967e062a48cd1aaecb9280330012a021ed5b1b3e2b76c1de32e79138cd8c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
d61597316707deb724b02bb7def9292d

SHA1
a67112ef71930dab3a3e5a4f27af7cf777d0162e

SHA256
de165eeb99510c667afde808c74087d6ebc078d53f96099235db7df2116feaa5

SHA512
14a6a8c54ccdd216f9f5e2dade0ea6e8a7d5f7c21b9fa9bd25026374890ff4491852105dadcb6c992cd62fd471f6fd2438fd5701f25bb839e9295349b7cd9946

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
0f94aaead3bdef2ceea8920e300d0f7c

SHA1
2e9490a66f26d533fa16ae7af40c0675109ae616

SHA256
e1c73f316ea1de190975df74af54b26cc40f708fa4192dc492663e357200926f

SHA512
4ddc7a3e92a82876a90439f2b9b61fc29efca14af2252951bd8a39d0856d54f10da4b5f3b9c3eb6c5ed6fc9854fb1dddd6d9cc160b42dc5818f3b06d684db39a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
c097a5446a537446d60f277025dd6bad

SHA1
a71ab5e8fd06ba275403a159174bfd85e569ce48

SHA256
0bf1f2bc6b49693d62b36ae477552e136d05a19d6307b0ad3c77c987aa35ed82

SHA512
14fef07fa1df6b9f7800d1aa062d0083f27fc1120de5cd195e70d9dec6d7dfb8eff511f021a05e3bb1db1c3724a175379ff9edfa865d3e503f8ce34d3848a48e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
64d30cd0eb2d5226494d793ee4fc5bae

SHA1
75289963f4c9df456016f1c0cd3229fcb0906607

SHA256
ca9eab036bba416ecd4d91e330cf7f1916d6d4e075e66710cb9ddef8349188d0

SHA512
37c12965269c84e5fbd14cce4099ccddb01bb662039f321de74551fcae7b3f52542480ed04686238a5ca59f9746be35729467a8c2cf0f7c55a4fb56e018a57b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
b3f1b3450bd7fa9830fdc16c8ef86f99

SHA1
06b0bb6170d29cb72c1ceb920b696ef45550b6f8

SHA256
85153e4210adcc9d0a9ce63380b8a3dc1b0642677816784c9c813c51ca1bd400

SHA512
b45f1c71796b9f6c49e524b14e3b01bad378820653b0870dc8d429b55e3aac009c8e39f118af0b7ce3a6ad00b31f46576618f94029f2fe7d96a30915d347d73e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
827330eb770e55ef8b607f1a0bdc3b73

SHA1
61b88aadf2a60728114ab595b95fb7c3bdf74122

SHA256
03f3483345f29800671a50f6434988cf748103bced6eea0c9de81fbbe8cd00c9

SHA512
8dbba1c5ccd9b45d3cfa7ca734e25c2f7377409535ceb10b4d32b125072609e42c3f9a7c374f98d253efa6a3e1ac7253d9d8e8d7a43f1d2f7acd8802ceff291d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
5c7b06124b4f036ebf5ace50288be2bd

SHA1
3b063624ea3f383e5e52e553743c54c4b26fc9e2

SHA256
3c50e2f93dde14bf01a31b434f06f33b3b30c8e86b92528c7c762565f4800337

SHA512
5880bb63df37d7fd0492ad924593a586ac38e78572fd0496189e9a33cae34507e176d9b6d94c21f45ad250e50522c9f2e771520635c05788f68839029a45a23b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
755c00a333f5615976c0610ac9fb192c

SHA1
272ee095df0ce94d14e1bc1da9a72e41d4038ccd

SHA256
e173c0f8e44cf2d728d86626ace4f7617e7e422ae44a0f5ef9065362baacd697

SHA512
d1e44b54e05d0da760689dd5b11a2b246ae585913c40c7d593c1931b3317db2932f952189389227ae59e66cd2cd0c3a7bf6a9ea60c841f5990373ed0debb5ab0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
a80a3689eab6b23e44af76f1c6fc6abe

SHA1
8bfd235f206595ce4521b690a9fc1fe05a7460e3

SHA256
25a6d47098631fe7ac79b48d4f0b5c7adcd2aeec0c8c803ebd9721ef552c65bf

SHA512
cd86fd442eeda5caff3e360ff09efa39f370c62a53976c225990272add292606e4c07bac3190c318a5e5c01d54da151ea988fc937e75736c6e6f98dd04036f0c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
8019b211eed30aea1536adb8acdeaf3f

SHA1
fce73a231425895b76d07976aa2fab616871a2a4

SHA256
1e6f2c132eedb94bd5339de0dbb160dbc76aa6d410f40eb41027a23343dbf90e

SHA512
a7a51017837908905d4c0d8ed4c1ff0545a3cbf7300e5df59c607ed8effdc5eaccb11c5f329521cecb84b9cf828f572f9635a9ff9aae38b37c9a3ce4cd05346a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
fb40a6bc27c0bda511d65d3593775312

SHA1
c4bde9bc19a5f9b7fb9eda76b13eac18250c08ec

SHA256
5f1ea773bd2d182f22350d39cf62a5a8ac509ef495ee7f844ec6bba3dd6482ae

SHA512
f573fdbe8ab11db45843cc14861e73ee5c9c86aca6fb06361cfba810e2c10eecb14efff05f35839d2a0bf6641fda7b6c44c7b95c2efb49fb988e46cb22eb2963

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a75c2373c09d82fc24ddd889fbff5ae0

SHA1
9adb8bac5e097fd1c5fe3cb3c438b50d643a69ac

SHA256
5a261e9a4420d8224d7066e57902c67a0a9f3b450e10508d5a037e10cb42bd92

SHA512
e4dfa2c87fe86fe074537c4c4d370a2fbd3a7919e4b968239bc1124e8685989a62d51d44fbc23f2df585ddf77e618825c96856cf314592823ded6b2e558ffdd3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
e82804f9bf07d8d5213d881a53545921

SHA1
4d3d3ae2a04ec41c3db1665c53b2405d1ea0dba8

SHA256
98cf96ebe5341018c3547bcbd0bcb54e4e7fdda07d2c65581f70c8493d14927e

SHA512
582bb52bdf2918db9c861965cdc59cee603f1b5ff2814414afec76a651605820c4891a30f8ecb85c1290b4c542a64072fc5148dbb3029ceac4f89531cd9651f2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2cdafe8e9946c22f58ec5ada6651b648

SHA1
daf7dfcef2691d7c1f7b725286390263bc598efb

SHA256
8956f8dde4e5eea283706b004a0932f198dd03b84b74f12521309d08a9394b44

SHA512
83e81da5c962da13295a7271736ddf5d883cb3e160b7b372274ee50b284c9c8d0863861f5260e37c36d3639e3832e9a61097a4d01eb1f5b41ea2e1615462788b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
1bd6994a1419ebc28620ee61610a6383

SHA1
9dd61823614ef3eb814bd20915f1ec4e4497c38d

SHA256
cfa70b03c3cd526fe815729915ea1aae9bd95a835888136cc9a3bef45235a59c

SHA512
499b6a1d3f93e0c32756a452478be4fcbe82248bb3ba05622f9b9e93a5b60fd2767574440c15dd574ba02a57114f1e442483f002311bb121a1aeef3bfa2e6dc0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
eb7968b89cb4ef9d84e302ffb7cd1488

SHA1
6bf289c7e8695619bc79dc8c6c27fb82cd4a7b74

SHA256
68af1a7f3f3bbde9a936a2363ccfadf84233bb6716db6d789cb062f44c3a0ecc

SHA512
c4101360ae78d80ff2477aa13184db8aa11819649870e148810d1cbd1ceb27804aefe6cb7837c0bbfcf6ae1023d96940c1410a511733bfae088c2fef74036fae

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
89248f9cb80d2aeaa152d4f2702a1380

SHA1
99de1163dcf2570d0c21e37f10b68d4a78739a55

SHA256
127e6b55818ec7b2ab28fb483377b4cd73db3526015cc572367c9308735e5ce1

SHA512
57ee643be7df0af8fc05d43e8e600d8d8438f997314a6198542e84d9cbd397201ed4df821c9838bf22a752736421ed4c6007bc79ac71c34d34c41f015226e055

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7268145e990d308667f3e5fa516f0b92

SHA1
966fb5529b29b3170afdafc777685f3be855824e

SHA256
c94b14b88dac8693d1619f3b809abc1429de95fcbbd370a157e121e04fa8ee83

SHA512
078b7954e8d4318e063677595844ea66fc63e7e53e8edb9976e09804ab826e187e375fbc54c51c9158d5cb2b90529b73aed80c372d0ddeda51460bca9f372944

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d77917d6c2abd7f01251afc0c91c3a5f

SHA1
8b456a2817ff4f8a31a9dd89ab7e0d46c875838c

SHA256
a6e717710473e341f4dd19aed2f32d5296f2b85254fddd195687e7b4bdbdef98

SHA512
785491d3909988455df86e9ace39c495095c7251aa2125c10a1b21b3f929e4e03c861dcc6efcb1117841438409a4906c19b7594c6116dde0361963bd337381d2

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1f2a3225ffdb7d41bea408ed383d457f

SHA1
9f721590f1729bc9cfd130ad3d6b37c84e2fb5e2

SHA256
ecb313c885e2b23713069f2210f00e2b0597a9f861820abe54211c94de1d59d6

SHA512
bc2ca99c7f862b29eee8e28fa548de7760c9dc08cb4c6e75894b2615630292a9db1562c66bf5ecf74594f99cff0ab1568d4dfe79f5914a24d68a7d10b3091c79

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
15419b08110b36116464495944335eb0

SHA1
8b1936aa26dbe83ac2ec2b51c33e8e6f69043e5e

SHA256
828983c24328e73a272a4f2fedf50f1b5420b76cf187a7f299b0dd21fa305b67

SHA512
c4461bc6fcf7c6348312122fff8d34854ee9e93742dac50e30cd9c77c9309d1958fa146964bcbd9dabbc188aa883f13546df7bb86b92f94be12f90d452fd1fc2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
1378d8350db9f43e40d17c1861a703bc

SHA1
b194ae95ca9d8027a381a494299276fc5a16f83a

SHA256
0ca9a8b5bcc289b0a569a60c1383da949e921edcf1d44967773443189b0fe949

SHA512
19e274bcf15fdc9355dc4edb12acda6041543b1c78b7d94a3e35483e1c47060738f1f4a917bbfefd4d5124ec28c5183756190e9f771df4b651d0ed314b3b5373

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
71f00cfa303a3d84364a83b8d21cc4cc

SHA1
13e724c3e36272576bbce1d8b4ef9254e8714869

SHA256
489ac63b116bde065471436f432508e5803bfe7ed98e2899076a8c5a51e1ff43

SHA512
199d83ed8656506a731c6070947774049d8a3f96d1edb5ea3e5682a7aedbb88c234efdb99f9280ad8f41f3d7b194128b6b8e7db35f565e8987c44d46326215c9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
c7bbe6471cf42aa4bea84572695dc936

SHA1
d69fb0f156e43d7e6cec5b32e1e628eda3ffc089

SHA256
8ee998a3b9f894d582fcdaca892dffd97a999def66bbfb2f4fa5ac0547af66d5

SHA512
62708ba37d67c7920cfec9658b5c4a90e4542342dd662b040431d91fc91aa96c1c0006926cc088f899fab26bcfd8057dd47468853cadea703708adac0b7287fc

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
350cf415900f9a5c8de98bc2e587fa6f

SHA1
d36b089ec0a88408bf0bd35c543d1dd94bb2a0d8

SHA256
65b0338a9e4b194f27336f2174c8a5cd5109417b10037ba68f2223d1abbfb421

SHA512
fe7d4476136e8347ddaa68ffb7743c13333edd776c644a4b071df5bd661df059b412b9f120e457bf5f0d1528fb7a8ea661e16059b37deb4d5b3b9dba277ead22

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4be267475cd6a6dc7303f2af0b465925

SHA1
dd9a089994e2820bc944c3e6d8fd45ed532a565f

SHA256
766a0a2e6fccc798afeb2465191d4a5b3ff85daf101aae01967b1b3eb37b9e80

SHA512
212e107af7b1e84b084f378363c800dc4c8b16fc5c661744b2c79f84a66d111423372652a7c1d03ca86fbd00b1a77c1b3715eb3bafc979818c2371aa7edf6643

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
efd929d81a7deefbbd6e456328c0e793

SHA1
ad54ba160e41d55ccef88925b0d8f1a9e2dbbef6

SHA256
04c42f2368aa8cef6b9bae9ea0cd3b246057ebcbf1e2df33f3a56123deb0167d

SHA512
14be3091ee4d20c6d8677d5486daa50abcc88f0db62f01537d3c92b486269ec8cdf263966c44267569f39a4958c5ff23278c53b2d844def714a6d5b05e82a05d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e28314ae536af7fd76fc5c80cb83f0a7

SHA1
82cb81f8ca7292beca29ae0952c9b6558b143aba

SHA256
a640d7978316e54b1ea13441f99747a9cf7e493b88e7eb6ed12532b60dd15903

SHA512
9728f8b3f6cbf626a69911f76b137c696121bb567fa1ad8ab350bce381e3d82a2a501ae5df53f1ebd68cc080137d5466af39f771c1b03ae2ae35ab3df47cbec9

Download Submit
memory/384-340-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/384-274-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/384-282-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/428-265-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/428-257-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/428-272-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/428-271-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/432-464-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/772-367-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/772-374-0x0000000000880000-0x00000000008E7000-memory.dmp

Filesize
412KB

Download
memory/772-308-0x0000000000880000-0x00000000008E7000-memory.dmp

Filesize
412KB

Download
memory/772-302-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/884-452-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/884-458-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1016-22-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1016-229-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1016-16-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1016-15-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1364-389-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1364-382-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1364-449-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1760-380-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1760-323-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1760-316-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2072-423-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2072-361-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2072-355-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2436-424-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2436-432-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2464-410-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2464-341-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2464-349-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2616-248-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2616-245-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2616-253-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2616-252-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2616-314-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2908-352-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2908-287-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2908-299-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3024-13-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3024-11-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/3024-7-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/3024-2-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3024-0-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/3068-27-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3068-34-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3068-35-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3068-236-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3068-28-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3304-403-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/3304-407-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3304-408-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/3304-396-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3820-376-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3820-368-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3820-436-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3992-419-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/3992-412-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4344-52-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4344-63-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4344-51-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4344-67-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4344-59-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4776-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4776-237-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4776-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4776-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4776-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4860-446-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4860-438-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5000-75-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/5000-66-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/5000-240-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/5000-68-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/5056-326-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5056-334-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/5056-393-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download