2b5268d42c33ed18c314b54743dbf4109529fedcc94302f6092c677aefd8757b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2024, 19:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-01_c4f5f3be4d7a0cdd0dbbac1aadabfe2c_ryuk.exe
Size

2.2MB
MD5

c4f5f3be4d7a0cdd0dbbac1aadabfe2c
SHA1

7a0fd8c131cf70e276eaf394ab1454ca5846116d
SHA256

2b5268d42c33ed18c314b54743dbf4109529fedcc94302f6092c677aefd8757b
SHA512

b811722aa3853d979bb1c249bb09feb28c3f7b54254915a0c9353b06214ef439afdb6148d5413258137dabbeb6f67e1b877c09956d64803442d2dd67161529d8
SSDEEP

49152:VNl7soq7sQCc1kyG2xHywRfHIO2Ts4bvD+JE3jM2ce:dD2311kaxp9qKE3Xc

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4768	alg.exe
2572	elevation_service.exe
4868	elevation_service.exe
1172	maintenanceservice.exe
2964	OSE.EXE
1620	DiagnosticsHub.StandardCollector.Service.exe
1664	fxssvc.exe
4952	msdtc.exe
4608	PerceptionSimulationService.exe
696	perfhost.exe
4492	locator.exe
4572	SensorDataService.exe
2436	snmptrap.exe
4860	spectrum.exe
4604	ssh-agent.exe
2056	TieringEngineService.exe
4848	AgentService.exe
4976	vds.exe
3680	vssvc.exe
1680	wbengine.exe
5076	WmiApSrv.exe
2460	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-01_c4f5f3be4d7a0cdd0dbbac1aadabfe2c_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b3a49a9c7489627c.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_101187\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{0C98199E-BC2E-4534-8EDF-DBB11EF8974F}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c7998978fe9bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000741b2e79fe9bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000b5f6f78fe9bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b74c5c78fe9bda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dffd6c78fe9bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040d48478fe9bda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b0aabb78fe9bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006d95e678fe9bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2572	elevation_service.exe
2572	elevation_service.exe
2572	elevation_service.exe
2572	elevation_service.exe
2572	elevation_service.exe
2572	elevation_service.exe
2572	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	772	2024-05-01_c4f5f3be4d7a0cdd0dbbac1aadabfe2c_ryuk.exe
Token: SeDebugPrivilege	4768	alg.exe
Token: SeDebugPrivilege	4768	alg.exe
Token: SeDebugPrivilege	4768	alg.exe
Token: SeTakeOwnershipPrivilege	2572	elevation_service.exe
Token: SeAuditPrivilege	1664	fxssvc.exe
Token: SeRestorePrivilege	2056	TieringEngineService.exe
Token: SeManageVolumePrivilege	2056	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4848	AgentService.exe
Token: SeBackupPrivilege	3680	vssvc.exe
Token: SeRestorePrivilege	3680	vssvc.exe
Token: SeAuditPrivilege	3680	vssvc.exe
Token: SeBackupPrivilege	1680	wbengine.exe
Token: SeRestorePrivilege	1680	wbengine.exe
Token: SeSecurityPrivilege	1680	wbengine.exe
Token: 33	2460	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2460	SearchIndexer.exe
Token: SeDebugPrivilege	2572	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 4220	2460	SearchIndexer.exe	133
PID 2460 wrote to memory of 4220	2460	SearchIndexer.exe	133
PID 2460 wrote to memory of 4276	2460	SearchIndexer.exe	134
PID 2460 wrote to memory of 4276	2460	SearchIndexer.exe	134

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-01_c4f5f3be4d7a0cdd0dbbac1aadabfe2c_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-01_c4f5f3be4d7a0cdd0dbbac1aadabfe2c_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:772

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4868

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1172

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2964

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1620

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2292

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4952

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4608

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:696

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4492

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4572

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2436

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4860

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:576

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4976

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5076

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4220
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
750b7b19892f0f9ad587da0bf72d9b89

SHA1
14fb1067e98394452b0a97f8c5fc8121e160a09f

SHA256
bc946f21db1db7db81d8ee26cdf2632466456d2dbc00c9346109eb51034fd03a

SHA512
47b7e844fc8afeb6e025901540eae414e702522a7a9e87ec71b17b08b5d7e7f3a13baa2e5417a98a98340eb097f4d5595652f3aa37ce23c242f6e173e4745895

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
684bbaf42b26db516f4f63f7455e5139

SHA1
cb99c280b0952c98c3b3a135dde59b1583aa049c

SHA256
ddb7c4ef383183096d6584fc78215211a1668abe09dae9e942924f0b1227824f

SHA512
79a6079bd98af050e06ad4c76af6a120eb97f8a744344eea19e10a407b1feb2133f940025c6d52bbc1ebb619e28c81c3cf187202c918ef89f9139b4b605e9ec0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
58993cc1959964783391250b4b9913dd

SHA1
4cdf074a55ed996908aca0075c4fcc294b3ae70c

SHA256
ca07dc9bb38bff36e5a6be45f413dea06a1c4659e56a5c5afe6acd4acd6f0f2e

SHA512
211acfbeed66104e8037943552085bc688ef8b1c7e9efe88b9503a40882be3718bb5143e1022db0573f7624837c432bf2d881e61077fef0a21bc610ebe37515b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
5df43a290ff64fe7ef7203fd85b60c15

SHA1
b3537c151f1ff072fa1150a4cf0b333145e28df7

SHA256
3ee02f1a6e4ad8816ef74f8ff9455f923f6f566332e301a2fab98b2c7384d035

SHA512
2110a9cd1878010cfc8abb32342dbfde1ad6739bd67bfabc8f26eeb7c378817098626ddd6d64e3c7a11a65120100b16b36259ea904516adda1c2b20c41af33ab

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6f7873cf53d0ddeee58f0d8f5cd80c35

SHA1
aa85cede17e53d173517650a13de7e4028a8f3aa

SHA256
4c56069c6b101a2fa8a372bbdd8dae7ca75df7f64932cb105cce5c1043f7818b

SHA512
5f64af77ce1a5eec50a863f06890ee8814fac6aa4d8178786c294a2a9f0d5c1afd6963c73b62c469b1165baebc19c6960a14e11a1c357a5c5f864cd2ec3a534d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
b1b0683568030b3126bb3122d890cd8b

SHA1
a67f47ce26745c078ae4dab7954ff9aaec01a807

SHA256
d7ff7858e563adbfa7e0b70830b3f977ba3b8f5ce72e1a2757f350d51e994b3b

SHA512
3b75763999affb6b9c4cb95570d892ec74a78f1a92d553bf7958f5f2eaceefe7473afa108f43c586190eae5fbed7d030f08b22f1954512e6e806f42da8c4ae11

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
fa436f407556409e55ac47d4b7fdc15e

SHA1
a841e37a3ba8f738d4fc5873585405b554506c20

SHA256
e23a8bf52cd73e8414e81b166b49e02cf71916de4bb087857ae5ffa620fa302c

SHA512
6b5e7f837304f9000f0a630a32d535ec0629b4f30b8a8554785ccab379b1fc945e537cd0e189e8e0e0c8b3b426e70f05a53f6b08066ec44c4eb14e2102b471ae

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
616784cd297e2b5c6caf4d7ea715a726

SHA1
bb42f28d1270c3eef699b429ab7c69417eb6e5cc

SHA256
b877483b103694a933dc1ce625b973001f1622a67f368f692ff63718066ba6e3

SHA512
92c255b45f7945ba13b0b1ca8fd3dcd07a16f25d99a098758ac952d6fd8deedc6522dfad4a2b6d1dd9e80112a0f34d41d2fd4350417b87eede0767bf888dbefb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
a8ff77d5c88a3cc74eabc2e0aeef3154

SHA1
ed21fb6c83594ee5c17b19fc10aa49fa287f92b5

SHA256
5ee54c1063618b03764d81fdd4f6d367b06c5a9de0a90233dacfc74b635ce6c8

SHA512
adf902d37ea405809401141f1a7b1aa8c319b4204ad4fdf3a2aadaab955ef0d4c363f14c58e06045410f2c56fee72d651f9bdefb54bc4000c56882042eff3190

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
70b59bab2b52082983feadc1db2d87b8

SHA1
44f18014a34557be6d67d8c203d48eeb4ebeb0c9

SHA256
c686938747c3779f9222ca55ebfadf9307e047009f2a30037cbc45ddb7c38f14

SHA512
c561ec87c8ecf246bf9ebfe90745417e064096f167303727fec210c5083c5cc89097fd58c7c494a59383c3959976054200d2a07559c7d83cd2cfce00e3886445

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
93d3cfb981938776e86490f860dbff2a

SHA1
e0e0d4d8d50917a65c7e77e00685adc73ec69787

SHA256
413e92fa1da58fc8bfa62794741592e052daaf33b8013ffb8ae1fd2a2333e3e3

SHA512
89b773f3424751aac7ae400a0c22bc08cfd61b156236f4d6b1ad0b8cc0cc34737f479c6dfe9152bd9c01cc94c13b159156de0dba2834bfd725595ccf79229195

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
943127eac832ccde58dfb2ed35964adc

SHA1
ed1d868f21dd5c46303d4040bb8cae8cc0f9e26a

SHA256
93f6cc8590e1896e2c3c84a78106dc4da95678d40e42d758f3579e4975a0956d

SHA512
5ca198ea00827dc3f80a6dc75aa74c058744a4fa7eed2079f1926d6c9b58f172b23ead668f805690968b3ec0ad9eca44c8f8506fd1cb74d0eac07f57a722da8e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
ef826a44d78695a47a019acb3d0d1da7

SHA1
7919a5f288a239cd558045b3711b479250c0fc0a

SHA256
228e061d2214d6e1c817ae6d28afc50718d1c5115720113281655fa3c926d42e

SHA512
458fd52ff2675d7bfb6dfb728e504b14b6a806065f9b271337dbd63cc82e5a567fd717f0f1ed22351f4f5ef6790de99b6eaf60f3b3257813e28d6cc69f7e4405

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
d3fcf3cd707cb446d733bf5670c3b8b3

SHA1
5b783d9e63de4cc9f34f1c477fa71b7601994f0a

SHA256
32867e4f135d8d0620c559b06bdf202353ab588f611741358cf79ec0b7f61c8b

SHA512
b93cecd5f811cf3baffe51d225729d78ad89c15127a42968e2e1b089312de2b81ea884fe9dec195be8478066adf76bd5ca678e31152fca3a500be1455c432e7c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
fe8b5ff0f76c59b62687ee05907d878a

SHA1
478ada26d821832e6b9e03ec94b3da3b65e6709e

SHA256
63cdc567cb5003aa54f65c899d9489f3f410071277987d3e8f6f01b8ead5fae2

SHA512
6561f9db912bf91dcb5bf383247bf668330931d6b7ad65a92ab6d6025341e9f5faec9ca9aedc966d80fafbd6301e6759fb9dc6633e6b953478d01ab06bb51c0d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
46f7bf8f78a4ad213d5717e996eed25f

SHA1
c879ed33b6450d7a6ea11079bd4eff740afa93bc

SHA256
6fe38769cc4420819d7f1082d2f905956cfce16929c4a18112ac4ab595dfe0e6

SHA512
68762568df2cb9bfac8b8079a8181b404423b4ecdc7c7e0496ad527f773e18dee42ea6c72a00506e4f377a31cd7056c9779ea79fc1fd651e3d91de7f07092f76

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
6542221c08fc79a727cee57fe3f7d06e

SHA1
2db4a283ad6fbede6d1acd3a6b0c19b1401d4520

SHA256
728bd9018f2fb0e326b86f13f80060ea6a7b4942126e3fb9215e624902b06758

SHA512
066a704f55e8d26a38ec5f152485b93159dd58cb983ec0819c8346185b137b4a911320599e2e7c97b13380774fd9a9de91bf0331274af51fd6948ad37614b3a9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
5288e9d54030fd303421c38ff47b3d6d

SHA1
2dc50ebc6029637f408354bdab9655a7d83898bc

SHA256
750e68ea0d9b8f2f2b883358bd56cc391262451f5161b7ceb31c21e4aa5c3dfc

SHA512
d3a93209e1d97f3f49ce0d6f516692b29bcde0549d989e431ce6c4a0e2ce49c794c0289321f79aa66b58cdf20940e157d3f957aa6fa973b4e64b923e6d9d98b9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
9b0dd35296ec6b80b702d2d73eb99bf7

SHA1
32a73ebaa734959b8d58d9f4da3767024cf5465d

SHA256
80eef843d99392d8d62b6424778dca48f6321d5b713b46a6e3b0a00a549eb64c

SHA512
fc82c3df33f96969fa2ae9821b09ade5a2ca23a7ca3ec2c00ce902c32113112f6d0b05fce21e85d6c31eec30fb9a9ce5e46abcb6a2e91c894976af446a6ae585

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
658450dd668425b4d405f2120a348507

SHA1
11e99afff11b7751f079c0ae880a2fdcdb382f95

SHA256
08eacef33bd8ecb98ca02f5996296cd6804a26c36f73e712b15be613aa97c17c

SHA512
8efad7fd4335f24bbe6c0179208656b0301d55bd8488d10a3b71a840ad270c594ca23c00131d107563dc2e2f4f82c41473d853939a6429ff27a2b596d33800e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
19c3cc5288ebf9d3a9abc0dc00638d7d

SHA1
885c861bfc27ad5fbb4f0487a33c209073705afc

SHA256
c5704db99d7b7cf7199e6b94779f0fd55ff35161ea57d2c9ce43fda4025d7741

SHA512
63a95503189501eb51c312a157b5c1fd1a7ec54b9c71b0325352305069fb4b425a48df4e5e9b1535d3e60509ef7e3236f67a570106daa2c8bd79ae4b9af3e551

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
0261fbe383a3aa6e25b8e94631eaeba0

SHA1
9a2bdee26e23bf993c381abd343855ec1e5eca05

SHA256
256caa58cdafd19773927a4bae279ac8b52b93d8c81845b24f4ca1c726576a9e

SHA512
82d7cad096dc10e7449c6f1d684aa681dc4dd2d75dd86073179cc88a155e1b3bcdd4a2ea36c209f64638e05b3dedc1c80c996f05dbccfe724fb97f078b70b896

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
8954962471fe6f8973afb69c35d93b0c

SHA1
0f3686f649dd92cdfbdd3290cdb47865c62d90f4

SHA256
b3f81ae84506893e1b798d428ce42baff398b7abb7c1dfd09356c55add3f986b

SHA512
2dfcf22dbfd9f37a2c8fde87a1cdfc4d920b88874b03d563e7818f98c554890eb95b726815772a4160be411a5331d60f4945321185fd48fe91645b22cec5f2d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
c98804988b300aeec93df332b1367b9c

SHA1
ec9287d1d1ad9ee37ab0528f990e9f5e6fb8c061

SHA256
0547ceb22b70236ebdfe22048ccd6cb31c9f565f22a8a8d943a8586594b757e5

SHA512
c7121d9640a132458fb402a6af01dd0cb8c1e5f03d093eb90b4315e15933052df2509ccd46da973b856267c132a3096b32719798318cff2120be732ae9779be2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
fca4dc086505af6ae6e0d36df212c72e

SHA1
fef5e5f7f47574861d43a553e0f4951115c8a97e

SHA256
ab5e1b1a20058ff390c9101844d522cdc942bad246c31be29c60f10f4d36ee76

SHA512
46b4e0b90b9d01289f73695ff6d1f580126ab397deedc98ba2c0cfb0c1746e871e75bc85ed3b09ab3816d0058714651ca6cece7025bd4aad46a2b08dae5f9dd8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
d53702db99a9fe51b35119af5ec9333b

SHA1
c35ce84377c6f16e46001fee862f577183c2e0e6

SHA256
bd39ec4b779f5d44576194438e2dbcc872dcac7c9b2472e167131db8cf86c18e

SHA512
437739f46ec25838bf5d2e625941e3db6bf44848f5bff8578c388af077f5b475b7ad486b39a3431dc622098ada22568fddac2d15321eb9a69d72b14f84438eb3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
12c8da3622be66a1de1de5a5fd14eb6f

SHA1
73cb1bce3b5395ecfe2c667b6b4e5b6c043136c9

SHA256
649b954bb42d187626f6456762d1981d254799871f4f3ed282456b2d52e5415f

SHA512
dcc0f963bfd72dda56aa956e8f78532fb6567f8fa61245cc95bcb1339d12861a8a5de2848120bf7c3f2b4740673dae7396a080b19c65b61a40ba3af6daceb6a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
cc3a61ae64665b4ca4397145db4030d8

SHA1
78196c7c23275956beca002e5bd3e70cefc7b183

SHA256
65ae18d95e0daf6518cc133e5d4f8d1f9e4faa0e90faa2078da9a5a9ddf233ce

SHA512
bde1974c7ee13ddb4a3a37249b723cac1e68602b4873cf794930ac611a7ece9818884c108990727423ee164aa66b9286c1706b4a725b68332de3d4c85dbbdfe7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
307cb3d26b3cc9d0a75d83f2788433fa

SHA1
a2ff9570ec74c7c66f5126d1cd6a01d180c5fe9e

SHA256
b3cbb5f4377c3d735b96ba4c9184d36f6dda8f415e76a05ae64840e92c584f33

SHA512
bc16b3c8b4820341e1ba4f51cadc073635925282b06443d18d1e7c3a02a1023cf5b7e4540a069838a7bdbbc1c8646b645766672f6dd65c61fce6d40ea6407140

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
8a42500c6f9c1b7da08c7fb63de02e31

SHA1
820339b20280c811e9a918452e2a266a9d7265d0

SHA256
113a968ec3d298b5a88f824d869cebc5583c2c527cdee2f538743a9863095fa9

SHA512
dce65ce77a4d6d3ff3b9eec735df082cbaefc10a3fc8b726261b207f4eec52ea8d78084114e96dc1e2c6788f9f21b1831328a4202fdc3435f025e570bf7c85ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
f78ee8c96d1bfb8b9a5ecbd50b7d3627

SHA1
7ed6886ac223f029237dbd0443f6cf4ed0aa77df

SHA256
7cda71de913b18c69148bdf260fef0f19d6e44b6f4221a0fad0c788042e5128d

SHA512
4c88e2d25f84096ea172d6ba6a7b1118c6b07d096f079b11b42469d58f83e915ebad47352854f8858e5b5b9d33ad524af159dd3690666d600f9b0367b998d6b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
20eb6ef9b313467e5cdc8f2187d0a539

SHA1
9b010c76403f2452a957ba7bb776b51b043146cf

SHA256
968310530b433f5d1815b39a22fb51bb9135f9add404acba55c5483e37cc69a0

SHA512
e0b665cd315be90331343e0699cf32e4f8219ef2338e36e8dc240a101758e891ba34fcc8756db380cd5d42f38844a3e7a280ca06da7efa840162ed1259e576e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
62e78aaf14799474ea8b525f98620f9b

SHA1
e97fffb2b19f6aea9a8daefcce06e640f6380e6c

SHA256
c5c3f40e9a64658d71b0c4d510900fbed71f878f8b33e7f8fc14ec1c1a18dfce

SHA512
93c042eba019486d0c312d11a99fec9db1edf38eec334a32d411cdd4ba2d6d07fd831d9f851221993d045de89cf714151ae067d6c4f9189ba18b866a57934135

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
73e780340c42a5dac5694b8161374606

SHA1
d9a3a6d227e348e5fc6ad6eb96b37c934544b95a

SHA256
b77099162f91bb8ebb2b49c0e6be2f710658bab3977a664cbab7828586243ac9

SHA512
5bb8280011165321b1cd4c02a4f0be16dced07ac77929cb05c0a895eebaaca7a64f3a7d7b3ddd0544fbffb68b22fff7874ce200891ae472be5376950a1cfb0a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
08dd44811c6540e80aec11090d6990ac

SHA1
08e3516653ffc0193a34c0751e121327cdab5ecb

SHA256
72480fea37141e4bf08c87751d0a1e28e347349ea16c2531572b21f2fb583cef

SHA512
74c44a95daa04a3f3791b9f7eab103d1a227ee7034891753ea8f83ff8e0d7b5876da56638b29b0680c1946859097b1d36fda5d674fbdd8614f55656ce6e8c6eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
ac56f7a3af06c54d6c51b559fa368a0c

SHA1
0971b8ae399dd1bfc2123aea665aa86d8a8dffb7

SHA256
85170764a195d237bedd939ff8ebf335f943ee68d0005ba13bbe76f611217523

SHA512
6f8ebacf293ae5b999516af5a81ae12725d5ea5b5c3b60df8d29012b936318ba0ce586e9324ee3d0d2c2d75623b15007349a3a73e7cee4853aa304d757df5387

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
ab1de31eaec8c51aa60c81402b2ea79c

SHA1
351929d1381998a96297227f0461c4374482e5c9

SHA256
c0f74fab35a3d657537b77d60a25bb2dab4ec72278baa5341e8510e7cbc1a72a

SHA512
fc8c1424d1b515aa14f15aee1b7f999af5ce265e009b0188eeb17ab39477bab952064030bc865db98d3b0b4f53fddd7677a1c4debfdac01e1de6a8d31c4a4ad5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
87fb674d66b72f9539eaa7c7bb400173

SHA1
74b1acaa5f09f8480e04531c4377cba91f793720

SHA256
c28d731c3050eebf3d39bdce54a7ffb89f25099ca7dca037fee219bba847ac47

SHA512
28905b5bf033eb73157507373220c8c7a6d5fcccaa9815106d92e219f0fbeca047a44f2125d8ccd14d2f81c8672ec73f4cffc4d66ec10929a82fb5d90abc0ab2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
d037b49dfd6eb9f4b34996ea4172ec92

SHA1
e252164659aaa7320606cede536d5538404dfa5d

SHA256
d87897ba75b4eb6468539d407771734664c4c6d035bb258bfb18b1ebffcf3fb7

SHA512
c1dfda1bd8ac5d1b6cc5d5927b7a1d86c4906ee15363006b87c095a38fb2554b4e83ad91f8b2a5ca1c44f9827db82c9271095cf21b58391781ca483f5d1aab26

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
95f420e5f61b530bfc9bdb07fb1baf04

SHA1
71c9fe8e5de734450cabe48c09ae91961e7c3b6c

SHA256
77481fc260bbd379d61a6968276e138edb8666b1712849f252898671216ddf5f

SHA512
b8eb4f185fe1509f670a3b6144294437fa3724353b22fc9225fc0c2c08016ba1e6b1ccd973f71a30f50d789577d985d027d7d3fe1f9647725e8f1c61472b4916

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
f905d0e7603b3f788ab4efae1eb0bc4e

SHA1
7add03d80c93ee84081b36dfabc8e170a7c2c114

SHA256
fb6c545bbf5612688be4b935cba74f53375d96a8d78cb5067730d110ba3287d3

SHA512
ba7fc21ff2e0cb6e9d6aa895b2bf94347963dd0ba93ecf8b704cd6ad6dc8e8ae98108b6314d039eddeda1a6e6f9e0bbbf72c5847819b3eeb3bcc1d023bbb7fb8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
eb84deb301461bc930a9b7f0e65d5e0a

SHA1
ce86d944521e7fdbe53e2db83cf3e59819637b07

SHA256
8609303e6b72d7fd8c186c0fe1373e27579cbe8e12c2cdccd1b820bef4afe0a6

SHA512
fcb598bf9c3ede3840d87bb4d1ac960c3e311c0da526ebdb30a49ea33447c3e4eec504f4e3a49024af0298c449ce5611e23ccc1e98c0a1f9f9f6dc3e705726e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
5792aa6b2ffe7cd517d9b9c1b9cb375b

SHA1
12faa357b426e66d3bf24c2b84fc74ffa9924c75

SHA256
62b3a02687e68d8abfc974759917c50c67d38d2d3ec307f31757f3d7061a3b0e

SHA512
ff03aa74597d402924e79852efc6926f8d0f3fc1832fcfcc606bdeee2f30be4955769b0588469fa0d0cac3a5cf1b3d7f8425ed7afc28b50f161d6cdd938328ca

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
bd5f48133f0b7add29b72db8ec88b152

SHA1
80cf0f8b8146853e0f8f3a7af607e7e1435f6b7f

SHA256
f55622cee64aaaabac774926b7ce04f3aa00cd93e5dff3a3fceec14ac238dea9

SHA512
a9aa7faf25048fc1ae438ba09459fb8d5a6681349d344487a711590584e2c2c32a5abd22a65a5b9fe1917476fefa4c5f7559f30a18dfc8c33e7979756ebb3d21

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
9b586b1f9d437fce700bb1b9a590a573

SHA1
897ce3a454bf9753f55f0177cd452675ebe564c5

SHA256
ab21a7f9fe173f14510202cc8d42077be0b6fbb770da3d2c7a766a8272274f9b

SHA512
4d588533f84040e67ed2e10e35754e0e3744063c918af24204d4dbfbe3ad0416cae794c3ef1fbeca864ff780a9ed3c3ace63c1e05e32b46b2e5f42521bdbb2cb

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
45782eaf7e71ea25e0b5150d8aea40d2

SHA1
fb11f5ff201ba5b9e496a60e4a4b59c58cc79b3f

SHA256
b6208a97c716aec4c45eed606a505fb8c50d79dcd79e9596c292be9b4f40bc1b

SHA512
b01dbb0800f4c8c77154a94b51aa5c04c2f4b31cb56b06cbee00069fd1cb6c367526537760bbf8ca4ba06b476523a4c9654f626830d2f500e94a89cc08721b72

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
c0f75105815dcb12583ead4d0e5ea192

SHA1
91dff4a1baef88db06f1d9cfa9eec19ab5d7e0f7

SHA256
4918658be13eae3d6ec2b195d4208b75bac87d62876e67a3bbdfe4647996e1be

SHA512
86d79a8d0dfb92bac717b735a2791dcc679276f0506a0e7401d43fd262c1002e838988a22252deb28b400c48b17b6d96df2d95843b31dba33438f39fa8a2e9d4

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e9fc33c5b1b37529f1586d412406034c

SHA1
f67cb51d70ff255581eecfb2c33ad6090ecfd217

SHA256
a16aac2325e61e305b36b98da6edfeca453bea764dd703209c1180e15b31ca1a

SHA512
a9162090c1e09cb47bf19436b81c259188a74ee7f374cbc0c6a2a36c5776539a6af386aa71ea96e912309b03002a06850f35c11a1897699adcc477afc455bd72

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
a0e82ef82f932b571bdd21c250211db2

SHA1
312def127856b250025b377df244ecae0a072da0

SHA256
d79500e8e314b6cdc8c8cd214b23c2d101c89612d94af7fa4bac3f946530d2e9

SHA512
b6826d79f4fca8b144bc6e27a87a3a6f918aa062326215508a4a85cbd76c59e7582069568b1286222a51ad05b2b5727e1448e14d27dcc74cbbb5864020837b35

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
43a972cd902e5a4259e31ebdf6fbb719

SHA1
cddd1eee1dea86571de813b5aaddfb6391465e4f

SHA256
a97ad7562017e4afde9afe11ab9e0498f5f81f497055ce60654e1295cb45522a

SHA512
866d9983cf6e2c45ed7ac5ead0aa5903739c3962703b2f59024c81c269d3c0878ce50ae77987644fd8d1ddea31acd56140c3bc058198ea8c8d49996ac8a90731

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
b8ef2df587907a9c00fc184dd1dcae73

SHA1
3b59ebd6332c3213c2b2b8fb822380ee308f1265

SHA256
f71c7054003f8eb820bd45750ed0db00baaf6ea84430c1f54f397a1aa993187f

SHA512
33769cc7c89943a69742dc21cee652cbd1e1743a9a9d48c757c6231cf10bc8d8802c5eb34b06acb6f8233f8070a1f610fb88eeed746935b98f1b574da3b5402d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
cf369fe56545c3ea375557d89fca39a0

SHA1
f0d8b373a47aa32e9722c99266fbee530acba1d5

SHA256
c1063c81560d969d16152a6e938e3c1707679cf1f40ff9713bab9194319eced0

SHA512
c3011688bae408672a741064aa7bb1b79bfbdd98ceb350086bcb5a1b43b266847ea70228aaa75d427bab85bb13f7c5eb4f84d45f2022e09c6e869742adac20c9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
962e84291d8df36b532a77d2fa58c1ff

SHA1
80e85f7432ea93d1fa89cc4eb597494b5df58be1

SHA256
2b83b81bbb6e62d1940639c83bebf776ffa2b5fb2a4991b6b055a9a75bb24bcd

SHA512
b2ed0137ca450aad0cdb708c57a05300a1b5243c2c70139de354dfad66aecc903f44e12a66239146dce5c2076c0417c1f9db3bfde9a877a4566cf2594da55539

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a8d552ccfe6c40eeda4f837fd92e79a9

SHA1
259f7d863070b83acb32a11982bb5b42a13c09db

SHA256
445d39844b76640a67af342e716a1f1944b45a6682e16614360f2102dea5ac4c

SHA512
ab95676326def66fcbb0f0e07d6832ff13ccb86fee5d4408a50ba5e42ac33028d370281b0caba538f078eced5767a2f60acd5dff14b7c5be1fe3810b0497d636

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
edcd94bcf018596c7c19c755d0cba45b

SHA1
ea47b19a17d4cd84af5347d6d85cd55afcd06a9b

SHA256
92f16b966ec7bb426320b90c8f5a712b46fb7c59710cf4d2904eaf1c68fb01b2

SHA512
1d52d215facae456f6c7a1747843b064af9b9ef67e39fb051514ea5ad07b703b802090560dd3b09676079f7c6ad6dfbc46869b67e816fbf7753dfb6bba2d12cd

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
90cb0fe3552768f231d7ffafa4ce13bf

SHA1
e388c032986804a2ae9175a5da23ac54b32d580b

SHA256
9c7a6b1f4cfb21b4dd97325147b604504bfdd02cf0e7c070f0d8381a45501e72

SHA512
ca8fd33e090b935e7d8198324a0e76ef0c1ae28b307a44f27ce026167f14e8ce2014712bed42c790cdc2ce31d135d4fa0aca9274269fe719fac5e0c4591719b8

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
3d1f6435eac5f36fb9b9232234e67097

SHA1
ba1a187c628a15ae72f79888cf3d124cd3562fbd

SHA256
fe81341ecda79524a23f1941b2329dc58dedf0f57cef120d4c52740481547d64

SHA512
49d7cded366ab5fce1f7b4cc1f3a52b42ea537601cd3b7f56be265ae545bfa32a91a6fed8f004a5730aaf1c79ec418fde1734b8f605f6847552a50729a47cbfd

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
8258a82e0817dab3f85f1a1e427915b3

SHA1
c2995b7c3322f633506e151f81d1b98bd825001d

SHA256
58d81474952f3a86829f210df63a78e421be025253681f117fcc7ba8e8c38cf9

SHA512
ba1f1965506bdf5060b11d4a56fc2a30128e3beda8252f18d1843d559f8f3491b8d4a026075745ab2889115ac763965a95c7e598e15e16a59f544a14b39ab260

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
a8b9e6042771a6d21de5cdc13b0f8b7f

SHA1
449cb22e17c5f20d5a05d783635cf354daf97349

SHA256
2b12e32d3422430a53810991fbef4dbb83f4e1b8851d85eaa45aa894837c1103

SHA512
80724f7ffd1bb13fa8359cd61adaeb92f23c42d3b6639222f2e8188d866c2dbca4c3ef08b8b5f3b72c2bbaa21dc297056971c93c7a9c6f0c1c7e7e54182b08c0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
058faf4572ff445b2cd7c69b3cc36d2d

SHA1
ec353afbf2ddaa8dd057d4abd078c6f0fbc31dc5

SHA256
1fe42fecd4b6ffcb5697e85fa90093e89dc8e4661d075789acac28035fd70782

SHA512
560fe8296c8cdea24fea293d16d91db127e8807d8cfe15d22f2be62313823de978adb2ed9fb1dab6cfb2742c4e017876777308d7e991c764f82140f56c26aefd

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
8874d651908030156fca07c328287911

SHA1
21efe6bd6859697eae2fb1dbef73e34f6e88e29b

SHA256
55c3298482e4238031dd66ce1bef3f65fd2515050b2cddaa9b1f3c3ccf61e6ba

SHA512
f323a4a1240cba024a86e703e3d9e44bf2a3e569486442d06d6c61ef52aeba7e2502a0267915fb73758195d5fd3e9b69d996e981a80a9fe8e2a3f3fe316e7416

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f0568dece2d3d6cdd7296287aa5da58f

SHA1
6ee1177e42bce29be851aae35e30094a1d55d141

SHA256
54c51bf625990e305a0c0ed56531350906ec227c9c58ec1734f3d36a9bdf7a22

SHA512
c5020a43c9ce104a88ce74ea8c6ffd7a5792046ce19f70b8878503445561c193f2191aa9a175fea2f70e27493bdbf24134f128df0ff17d911d9cbc67231aaee8

Download Submit
memory/696-405-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/696-296-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/772-12-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/772-9-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/772-8-0x0000000140000000-0x0000000140247000-memory.dmp

Filesize
2.3MB

Download
memory/772-15-0x0000000140000000-0x0000000140247000-memory.dmp

Filesize
2.3MB

Download
memory/772-0-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/1172-53-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1172-59-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1172-61-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1172-63-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1172-65-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1620-252-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1620-250-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1620-244-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1664-256-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/1664-270-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1664-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1680-406-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1680-639-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2056-364-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2056-634-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2436-322-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2436-548-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2460-431-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2460-641-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2572-36-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/2572-29-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2572-30-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/2572-37-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/2572-235-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2964-239-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2964-68-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2964-74-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2964-76-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3680-638-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3680-394-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4492-417-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4492-299-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4572-316-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4572-632-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4572-430-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4604-345-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4604-633-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4608-393-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4608-292-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4768-234-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4768-16-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4768-25-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4768-24-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4848-367-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4848-379-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4860-629-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4860-333-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4868-49-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4868-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4868-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4868-41-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4952-381-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4952-267-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4976-382-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4976-637-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5076-418-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5076-640-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download