6dbe5075dcc231b42afeea49379235f12f1b9ee8b96c598964ff01ab67333a26

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2024, 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-11_93c3263fc2104463d76831a89128e4d8_ryuk.exe
Size

3.4MB
MD5

93c3263fc2104463d76831a89128e4d8
SHA1

16d87b4e9869f444431c5e7c43ace35c197f3211
SHA256

6dbe5075dcc231b42afeea49379235f12f1b9ee8b96c598964ff01ab67333a26
SHA512

101299b36ee69d368c92004fa1028ccd6b33fb1c01d52bba4252a1a2f7ac1a6c730c82e4743864f4a129da712233ad22f1d321e4cd796eeb6f06b27c3f0b4dec
SSDEEP

49152:3Q+UuuLhdDM3xt+5YqcYsdJE1fyMt4cltQsx2eoqo5rN1ggWrJSdj5ixMdFrIe7y:3Qv5o7FeW5rN1UEj7TjYvH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4336	alg.exe
2396	elevation_service.exe
1680	elevation_service.exe
1664	maintenanceservice.exe
4392	OSE.EXE
3892	DiagnosticsHub.StandardCollector.Service.exe
884	fxssvc.exe
5028	msdtc.exe
3096	PerceptionSimulationService.exe
1696	perfhost.exe
2552	locator.exe
4600	SensorDataService.exe
1004	snmptrap.exe
4500	spectrum.exe
3492	ssh-agent.exe
4928	TieringEngineService.exe
1104	AgentService.exe
5104	vds.exe
4428	vssvc.exe
2472	wbengine.exe
4052	WmiApSrv.exe
3628	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-11_93c3263fc2104463d76831a89128e4d8_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f3691bbd46f975ab.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006d4229bb138cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006e0c58bc138cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003de107bb138cda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d08d75bb138cda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eee812bc138cda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000904dd7bb138cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080daa2bb138cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4543cbb138cda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2396	elevation_service.exe
2396	elevation_service.exe
2396	elevation_service.exe
2396	elevation_service.exe
2396	elevation_service.exe
2396	elevation_service.exe
2396	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2352	2024-04-11_93c3263fc2104463d76831a89128e4d8_ryuk.exe
Token: SeDebugPrivilege	4336	alg.exe
Token: SeDebugPrivilege	4336	alg.exe
Token: SeDebugPrivilege	4336	alg.exe
Token: SeTakeOwnershipPrivilege	2396	elevation_service.exe
Token: SeAuditPrivilege	884	fxssvc.exe
Token: SeRestorePrivilege	4928	TieringEngineService.exe
Token: SeManageVolumePrivilege	4928	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1104	AgentService.exe
Token: SeBackupPrivilege	4428	vssvc.exe
Token: SeRestorePrivilege	4428	vssvc.exe
Token: SeAuditPrivilege	4428	vssvc.exe
Token: SeBackupPrivilege	2472	wbengine.exe
Token: SeRestorePrivilege	2472	wbengine.exe
Token: SeSecurityPrivilege	2472	wbengine.exe
Token: 33	3628	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeDebugPrivilege	2396	elevation_service.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2352	2024-04-11_93c3263fc2104463d76831a89128e4d8_ryuk.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 1664	3628	SearchIndexer.exe	119
PID 3628 wrote to memory of 1664	3628	SearchIndexer.exe	119
PID 3628 wrote to memory of 2448	3628	SearchIndexer.exe	120
PID 3628 wrote to memory of 2448	3628	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-11_93c3263fc2104463d76831a89128e4d8_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-11_93c3263fc2104463d76831a89128e4d8_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2352

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1680

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1664

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4392

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1388

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5028

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3096

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1696

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2552

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4600

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1004

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4500

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4064

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5104

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4052

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1664
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3f6230dcdc82864365db12bf1fbe571b

SHA1
e3551e63c2268f7c7b94dfb83e1e802fafea6301

SHA256
60e1afd76e3fba19bb0c74a364b31eab743a6d032cdb8d7b21cb3bf7105bc308

SHA512
1bef71f0258772d563266efbaa86eff4f7c591eb0e07474a7f8cdc040534e324e9272cb099417697d38665c2ecb44bd1c2a65c1e93823c49618ad837496bc7ea

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
54cc9cafb7fc28079e7ab6083dddd922

SHA1
221ac1359ed1342d7a554339a3422f1a790c82b3

SHA256
60e7860176922848d47aa18a06d64b1df12fc582e25dec36e44f9e75ce01e9d9

SHA512
e0a50c9245c5d4005346d91f6ba6ea1d264ac6e3957ca50ada63b54389a6a2cc5036028d095b792d734afe498c3ee869ceb6cc4eb832076fcf4bf8a83a7baaa2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
96140e11157ded90b9051ab9cd092212

SHA1
ea8964555b7c25608ca4e930e5f4bf25cb079e67

SHA256
2b9a4505f430944415b8b01091b9bda5e5b5baeaf3509e6837da39b3aaf94de4

SHA512
cbfa384022f6d00fe4994f7b280ad8988db9bbd546104f1d338bc51b3214ccd9d88581f323514399b8cb5007faaa0bf2ce5b9b379e5b6707e71d08153415c7fd

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
31177abb88a54d02736138b959bcf5ec

SHA1
c7e601acee75779b96a4b0e0b0d01f92794617bb

SHA256
ad9ea5355456e16d00249ac35e7e0d4a46213697ce63103bfb6bbfd7cef61df8

SHA512
17c0e814b2b6dede40a2ba1dbcd6728578361f6e262f9fc943cfc8df5bc6134f1268c9660612d63ff60a8ac65180b0db2565a53a87db7421733b10a4c4555ea7

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
31d75abd359dc52e8af65771a2073642

SHA1
fa0e181289369b4aa103f5d870da029c77431ad2

SHA256
bfa86cc4c0b823bc5d0895aeb689ae4dc425d714108083003436355207b8eb05

SHA512
1bb34be9a633c1f08d3af92a438c95cc9598d893631377ea8e45bf173c413f3856eea97897500558dbe63eca175dbe26675701ed38f8de30e37fd3687477ca72

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
14ada38bca412e66683fce718edf775c

SHA1
a0ece2f8c8684a51d4f34d414cec1ea953f918fe

SHA256
51c98420b499e2675d1035de97b84d0b3363a528fed32d394ef7251ed8f6fa27

SHA512
b7c9fbea66376449d4f7154c16a60cf961176cdc48414069b7932251beeb3400b804aafef81111fc679a5973f68b12f593fca7fd4df4bf066f2ff3e0532bb6a1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
d75ff43ce3acae7d3dc0e4804cb9b889

SHA1
faad7bc55a98f8038b6bb34086686f3bccff81ae

SHA256
d46ed4f1d89651c918742219bf1dbd16181c70a919da7627a750e2b377bb69f6

SHA512
c98498712e0a398a4be19d8973e3e5e7cb3ce5d0f1ca3f8ce19647f539a208ba8b798b2e4880dce7fa56671017229562d3eb67ab101a43ac48adc57419b22195

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b5f9b3667fa9dfffed28bdea147471aa

SHA1
5d86a1d9ad05c8dabf97fa2d20e318ff01974a00

SHA256
2c0c74559b08ffb4dde11782b880929aa465228fa990af35f23cbc6c5a549561

SHA512
b6e83ec4b3ae343d3d92e71ca1f9a5bacc8da22cdfeff5a2c90cd54ceaa54c86b30259f7a2e3c482b2a629b2b64c3e3489faa2eb81c4ebfffffbb7ae1d836555

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
7bcb01cbf9328021d6cf490199166e8e

SHA1
64afc40db43899cb7f502e88d4eda88bc0237799

SHA256
e6d8bcdbb7d1d0bb9129220bf9930861c8eab57cdba9fdb15acaad3f4bb06fba

SHA512
16062e26e48769bbb25cde61e14c8fbb7e2e37b623ca33c4f4168b527f07cd1d0b30f9383fed4cf090fc21908261a68102f893ab411afd5137cb85654c665bd5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
4e0e3c796a4fa47393794754a5def42c

SHA1
c5fddc78cf136c062bf0624ed7d027fbd32202c7

SHA256
450525f8bf5ba2b4a5d368aaf75cdd2968d90c8c4b9e34d0c92ec49696c1f4bc

SHA512
0d9009454602423124710814d4a634ee065aa77565e940fe46ab55dc5d50a051a7b5bdd0d23e57c6caac39901d6628f8d409be8c05b9f32a09f640135b38f97c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
be58b7a9154513584dbb81a40f3a4126

SHA1
bcd9e5540b9937ae9ba890b77e4e917038ee8f2b

SHA256
790f7686a866a94113e0271b62b017fdbb3df259d9dedaed602cfaf6d5e57bcd

SHA512
3e2922b7ca8156e59775e94d24da0c833a15f1d0e20ba7d1073097a9dd5190f88793f7a71b7cbd73a935148ce5b8a8b04411d5ff521b168074d3ffea0118f88b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
5c1b6ffc716cb9557fdf1dba90e2350e

SHA1
8194fcc7567015a0df70be76701c67114c26854b

SHA256
405854851bccd1282e42cdda07f896298cd16f317304a37cbda153bddb0b93c8

SHA512
0beefa6e11f01b8cef4188afb26f43ab1785c1ca80a998696b4070fc4d7aa2681eb93d7c4b6094cc5ee5a237c05c3fb038799030727e359cc94edaddfcf5c42a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
5c96115746e12b2e1c71c6ae54466365

SHA1
427cb59e4f0457fdf8d4ebf8c106557f38f6bd94

SHA256
88e30c2d6df6ccd7124963c7e7a2399ac15e4a09df9e22054182605e9c0b9ea9

SHA512
de65a9ad302bc1653a15c38ad3883e98965206e15c89cede37b0852ca49c70f12aedec61a05f8f4998b72221e3c425ae70cfccdb5ec2331e97d86839b12a4e6b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
4fb016abfa58c44714b7b98012a07763

SHA1
260118145bda7361d76e8d81cd310dab5601828b

SHA256
8eb9d266469d99be8b254a38d30d1d34b934665623353c3bb2e899c24acf1e1c

SHA512
cd0f16602dd3bee68be913997888817614a96e29e4a4f8cc30176527ec3d673dfac4bc5a56caa32b58ce5e82c7d5f5e91285c94c178d22b45d4b6d90b7f1e468

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
86dad88cd6e84455289c5aabd91c70b2

SHA1
3c7d4f390853cd531aba82d03c20c831cfe26a5e

SHA256
aabd7f2839a432b04d89cd9f60772d22278cc5a13a04acef3c9e23b7cb6cb814

SHA512
a5d119f574844cec808f43e6281c3a014f28edc03e482b0c590d5e05fcb82d2e08fe4bfe6f08770dbde6344d7b159866b8f3c068483c84ed225d73e3b28850b3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
f3cce7fc5d1c767e25db3f021db3ed73

SHA1
128ebb6bee422c0ab0bde503cd2ab536fb41279d

SHA256
1d18d1ccf0d931d5f5d583c953c88e7fe282cd7c754af8e5accfd80872b116bd

SHA512
dab65cc74b1181ab244a7950496d0735a7a5179e2e00b0c70b8d4c8e83bf4c7947f4da5713f6b79cc3c2017a82323f8e8e54082ef82a58a58145c6d92f0ab6a1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
53bc8af9aef2de20434ce4589dca7523

SHA1
fbeee8904c980fce969b92bd1809c3b51903e71c

SHA256
a2760c4cebf4584f06fe5a0ad5797d57cad5cca523d3a4a0366f44c782503f01

SHA512
b7c1d6c083304e7d70830a143f357b17542cc569ddb5dc2c949c1bbf2851e449126f35428b5bec88384c7f3a0f4487ee66cdbc5a1acdc1e8657ce88e0573ce9c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
77908dcf16f0a6f6509cbeffa2a87a61

SHA1
321877ec088d631f5a4fd99fe81670b4d8c1f4b8

SHA256
4688e674551de2c667550b7e50f266f2f97984a92e44cd23d78698ceae4389b9

SHA512
4f229612b5142367cca04bf4152ef37989703c604e734327d071f90003bed6bcc043f5a777f8690cbd5f665af07b5260331f1e94d7b34ea2802a5b0690aa2a80

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
df64f61d038a141d2e2fa3c4c256628e

SHA1
a11fa5480b1caf20ea94eb6ce43ff81db33369c2

SHA256
fde293c4ffe7888c3bbe637cab866bb02bae98f351f5accb2e1c76db338a0721

SHA512
998694101ed0b3041767b4027dcdbce05392d3e1f4a27cbd4eda67248b3c6edc8d7a3ee9eb9048f5eb74a80a8a0a7f9caa184b6b702ded1dae5d2a151336c192

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
c2757e1f443e4cb242f497039e156d9f

SHA1
f860b2bc0d471d0065c5447c8b45b5ce6344a115

SHA256
d3835c5aea7b95e3f736d2db39245c95f51ff6d38d1d51fce9be683725e154b3

SHA512
8bc8d8f06f800f0229c40c8b9b63445b4c1be7f16fd512c32fbc548bed4f737a023e92ed658c43ab20dabdeb0fa57d30bbdc2bcd917670b5aa3f05f6a7551f3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
0718d4735a53aff7bbae28aa4184e1a1

SHA1
7725e958eb7848eb6837f68110e0d91372118d69

SHA256
535ef52807ce2523259e68151aaa06eeba7d9ffb87790c26752fc7354172516a

SHA512
a56bc465335c18860d7dc68942b34e84c8de424e06bad4351d67e95ac4f278c2df57deee28d40a55f79c672e82b0be1d7469b2e2097a537c2c4c3659aab4ee5d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
900665e00995a7fd82d9c7b4ab6a9c99

SHA1
6dd1058216ae26ad09e39f4408d8b052418696b4

SHA256
9be07fdc402eef050804324aa99d5950109d33148025a43ed0ba621f40c18f67

SHA512
93a1eca6a5efcd056a5e0769c5f7325cede0dd04c8858fdfd28635cb39845f5ba06132f105d7d3589cac97af98496ee43a98d882d21f6fe2fb457ad0c2669945

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
4a3348df5be17687c8e408479d8e1a9d

SHA1
1c61375c21926061e94ca4563da9d5a39b62b7c4

SHA256
3586c7830f23b1c7f405edc2302c6a97cfce439c5cf5fe966d9e416440ef929e

SHA512
ce06caf1ff929a6ef26231e0cc5b58c8fff11c04aa3ef80120c630e4ac3511abc29465398047700fb0f48ab64ea1b19b7de17ac83d762f8f37b771494ee11a55

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
52358712df2542ae95ed8c5c176679a8

SHA1
d3b8f5cfc9ac0710cd4fce7255c6c4fc63b11385

SHA256
911dec9cd08a8d9ea86e7d0e9b737cbce2072fb8319238d3b7747e36cb5a8852

SHA512
869273185815e3e25ef451b0b57b9b146ea7a2196795a8460c2ac5c29ffdd5e6e8952e9ee78316d6a86a73730e8d34024826cadd8a349c0c5239e444e91b7cdd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
9fd24689ed250f50ad582ce916bb3203

SHA1
e78b040227f5e5da9a8d932c1aaa677c64c88e02

SHA256
7390ab2c43007b2b36c4075c767f589e4709183331b145f4aaed08e116de4cbb

SHA512
057730998c7b25c16df7a394ebd10fa791c67c531c9b37cd294d75cb1330b9fe002b452b90cf06c152d74b69cdd077e903abc225069d38c15768f0cf492c2a2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
2febd2ca4337b01e66adf1a7c665915d

SHA1
dc5da764423bc30492aa0ce5f839397b7d21455f

SHA256
523eb4d2fdfb0ab6a64c4e6768884057749aadf433f5827c50e32ab37f91562d

SHA512
4288040255f35d312853a5560e657db6f4273f27f48475cbb2ab13dc6d5dcba141cbcddd79687a6a2c2dc42dc9bbd5c4eb342f7aedd71883fb9114595a374d81

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
e12ce39aac04bbfc7142f66902917852

SHA1
c146e53f4176d296952fbb9c2a6950c4cc69b9b5

SHA256
b0e0e9fa1eee41c59ac76542cc0fb7d979d106f580b09fbfea90f5733f785537

SHA512
20fa00f796b02338be5e16571e4325ede22b5ef743d1b81c59de2b654f759b294055ae4b6519c4c09995970c841cd31771288c6043245f8eaeddc6b4fbbde051

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
883ca105e690d5b635b1d134935ef33d

SHA1
0c9b0e52016e85d9783ed2f26063fc4807ecdaf3

SHA256
580cf49b6015a3b003c365758b2f50e1888006e46191521a115f695c65a46824

SHA512
d182ea8fd6b111081cfc5c78e9546cda5bdb25b9ae4833e949d9eab61056954df57d0bc0156b67a92dd7979fb66beacd4925488b4179814fc8ae8bde6e302af1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
1b8ef4c69c961cee436aca58ba0f1970

SHA1
cb49b1494e7cce65bc91443290122cd512f9aa0d

SHA256
342e820fdf46fa2e1f600ab73decc913ab746f2843b246d31e26d6e8025772ef

SHA512
4e6efe09a0d6bf8ba5349abaf1ec79ec77c7f973af3da409cdaacf2ecf7654600d7e17b24e15030f9e9a3333cb1da19a9238e062210878ae5a4b8b53c08ea741

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
1f3d1188ca910cd962388f199384b101

SHA1
2e8926c7da9ca9a36649ff740b5668645e7080ca

SHA256
38a69218eeb53388089ea200662f3887cca13fc6fc858fd858c60d70e9e9bc28

SHA512
7785beb32adb48b641c1858f2a21e160e51df6388ae0b7f74ee786066f8b185f053177825bbb1cb2848b7b4566543688b5cade3b2090d6387cfa1d19099a52d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
dd21a469ed7bb44fe3d4e9da63ec5332

SHA1
e94051a7575990483bf52faf1502d1a14e65b716

SHA256
dde2a27bbc0f24e98d2e5e27422ec9331b3bc97f4a9d667589b9c30c1aae7a77

SHA512
c7112a23765875e187d911d52c662a709665ceb9961c5ed7df0e92a75038019178b4d33adac30312c133b8accbae58d3b165984fb9a50ee769df14b3a42a737c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
65e285f1a0cdca1ae65b909e7c62cced

SHA1
336f8f99bfee94aa8b8be8376127dd1aa16aa2dd

SHA256
8d9b5bbbb386a06e470ea2466a45c041bff555215f7d37937cd132b472542340

SHA512
69c4fed615a70c0c41f9a93800dbdf0c7f7e1f52cc974ad5d0b743009011b9acc8f585859e9a5dccbd9c5ca6584be87f81a33f2d766057662fb7a06a5ad0a5ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
3cadad57132387566496db5c629e41b1

SHA1
b32bf5c5102920ec49dbc1b145cb79f76dc065cd

SHA256
116e24cfa037c0c3c9b296d39b2bfb0d25e95cf919b53c06c8fafc3e18997fa7

SHA512
a973813f95a3466be1f29b14b74322bccbe9a413e682c83e11608b18a9de4aba7b7c883e1b2fc44c2f42271aedbca76d278753391e0ce4421d93f4f9efb2ba3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
6631b6881ca89c42dc4e2c79ac21ea29

SHA1
7eae3582a634c7b196522368091f938a34dd90fb

SHA256
296d52ed2acba669e44c2123289e4e5771515712cea80a900c6590025040e4c0

SHA512
ae809aac08df9376b684c5e5bcf8f9ca46ba729ddb9248728e4967e79b783da5ca7181fa2ab38838cb562d1d33cce9f9f0d302b4d65d0a8a7b478650c3f324d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
5e0cd36aa9623514c88f2506734c5f85

SHA1
3c79a09791f8821f1c8e45562c21d5f891b005d6

SHA256
7aacc1517b37d88ccd96d3de143fc02b711bb21ece16286323e5852732c981a4

SHA512
13ec7fb3252a41a6df605360cbbee1c6f5bedb4452faf1903782bb01cdcfd55b09d882180ab18cf191a46d504b3bdaea4ec0d010f5d348dfeb9669ecf801fe8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
1912342e9afc21487850fe3f1d3c5dad

SHA1
7fba5eb6733671330c7ce9aa39b7b9c288ba31d8

SHA256
f0f3aea018df095d458f57fd500098a8053287e1bce1cef14ee5937b68414879

SHA512
32bf32b3a5f00a900fe728274017ca484ade838d6bf800a8381501848b1731ac323092c1aec3c94bb89009114aab1458ed142e5c49a605d7b80ff79683ffbec0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
8e1df46e1c9d92ae81f11da6dbfeba30

SHA1
f1287cde504b6f11f4e30522a09a597c70de6a42

SHA256
1d8d4b5839d913211c37477140b37d81a87e0a11a4ab50ced2c0cacae3b13eef

SHA512
46191350fd409dda589821166cf94f2bfe19cf6df11e5d999c1b39f5d556af502e0cdd83c4b1383c4b48c69ff9932cff662f460ac8cccb4d4a895b195ed8f24a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
8576e514279fb5b10aed454ba13e8a3c

SHA1
617591fdac3bc5c4d70397ea1106dc50f60d669e

SHA256
492b1cd196dd5be89677adc79950f85fc5fef11fff662600c913321487ef21f2

SHA512
0140bdbf4f46b1f9177484d6a6acc86dc227b00871708586ecd060dfdea44b3493585cdcd442e7646356d5f8e1234e42a38abd637b490cbbce06b6ea822346bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
a66af08221ab4f671a4a1503b8321b1b

SHA1
c4b937afd1b35d363b0b7a80302f8b9cee6dea16

SHA256
40f6ed1689e02dc9572f813d38108970de9ccde29c9859c6cef24a12106eaa8d

SHA512
c4b31086170a7ff9f440d8a0975e7b69a3126d45892add4d81d26ed221cf1a31ed7a4c55e30c3df8251badc119edc848dfa7bfb796a1a60dc9dfaf8f832edb52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
2cee4c20c16ee617154874cff5fead87

SHA1
c52aac67a7628780c32e15b4f2e9b4520d8a6139

SHA256
ffe8e0c6061510f5023bff3f72fb3d97698195e808eaed49d4099479e628034e

SHA512
bee38f11c3eab006f7abe4d291c01ee987dda94b63680bf85afa5e36adefd30c25dbc93fef346d099d41dd1c8933789cec2a8e2363c80cf7cd25861e2ebe7a0e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
e0319e3d7a82967748556edee03f9c22

SHA1
6a6aac4f958a24138b0a926c2ce0a85740bdb9ab

SHA256
b260f54b2c5834a0288849d2883d4944ce2d5b3a92e191ac1a63db0c3bcbca2a

SHA512
cfdef14d417246e6458ef7726db14e57e57b2972a3d59763a622f46b89d1262d914a2e6fe2a08efb8b8535d8736c8fd0369e00978b5aeb55f66e122037f21f31

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
f360c97b48f9bfa5751249da6ce6863e

SHA1
37affd7c6f4c1622ef19ac31d88547591d562a8a

SHA256
9607e30c1e734b578aea4a54bd0d4d466973fbea2daeb97371861c95c156a6ea

SHA512
eef82cbef2b6fbf3821e378f250e083b0390f0e9f57c7464ee5cfddcb8f97319483dcb638f99dd832d0c4e30bb1aaedfdebe98a837b79edab48913ba262326d7

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
1d2454f20c723b863859912e0c6fd067

SHA1
eac2f82d634c9d14d0045e6e3f4a85c88a323532

SHA256
4dcc3e93e631630442aaff5c0534533200d4f4cc347bd92d663b50fd220da176

SHA512
21501735d6b375eeafa281986c12d2fa244d541704902efa42d375c44774b7698944fd68489ebcd00b2ec7d0eb1ff0700aa7162863344d8b130ab55226b7ab23

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
568f16ccfb8dda5a0f447c13ddc73399

SHA1
8bc089a6372a6dfff4be6051477ea58befd3a114

SHA256
252957e2e667ead39dcc6a92df637fff550b1d1527751b6808c89d268c806d80

SHA512
92d8b3f3d66b21b4e81eb83009f86f83d00e2eecbfd71bc8ae33f000ff7cdf37e83aa2c4c07223a2b6bc28c0ca1e68f15a98de80165032deb3988ed1b96693ef

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
564052a039c5254f4af0a56f38a631d7

SHA1
812caa5e07ab31b0a0fe7c67c877a52b8b0262b0

SHA256
5b87d2843856de026247dd36cf64c42961caa6ba5007d0e51aa23f73f5f8cd7d

SHA512
67b1910e99d788c3ea27d23b304062f508c384c971f1c9735b6f0dfa9939015714f221f41ca759175ad63b2eec55d5eee351d6cddb2ae34e5b54ba529d7b525e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
03c75acbfa7a73bb395fbc47dad2e677

SHA1
5503f6039c3adf7a5801462344a2efe22ad5056e

SHA256
34b6de3492085090cf38b9bfd30d42063f5e22ef460b2b675564e01af77c9c3c

SHA512
c95cbab66daf668afb401f387aed6a1bdd258c4c838d82b013d7b09907e28581042a1ad48a6317b1fa1ffad71482596016e0cb5685c36827e9563d639e977900

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c7a38a40b5901d7a4fb3f7347b49540e

SHA1
cf2b39c99a5e6420ef48c4b11723089e5032da6f

SHA256
f13c63dd4374cabd17c661ef41aa9010ce56d89e86451cff0211969857a71196

SHA512
bd6bf304b558c4fcc66cb26b8ac62e54ba5e7d93ef07abdb218f3d96c8975ec1fee3177c4397eecc49e15ce349a6cabc0db32a21bd9c7b013c6af8a26c652595

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
59f3dfd803669f9c98705829ac0be11b

SHA1
36739aa38b4574fcc9c921b58ad946a60b809ad9

SHA256
cb28cf1ac5bd973c0fa55f7306c21700d3bb79e7eb0ae4d4f6a373bd8473e6c7

SHA512
3eafd2a01b5089480502b48bf4e9421dc115f3e893e48e6aafcf7aca7df9e3846781562c25b2a874285cc0fdd8802b7c4362e3632eb3f3f7da6e552016aa7085

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
a089305a3be6500ee57fea5505e700ad

SHA1
7e23f40d29d9f56a7a1958ca98775ea31c7d5d8a

SHA256
250390a42296e17e35923416c624c0c93017ba6d27f336623c0b43d09f84e0f6

SHA512
f3c34bbfe73205dd55955167311ce28c2a39aa51acbf454f970db56c95e4f733fea6ee133cae4d55cd125163f7a014d637e376d8e4fb2a1f38ba42efe5201cc2

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
719a35e3e80f4349cc7b376c7ba6ef61

SHA1
d659da1ffa6d202ebdca7a6f27837b8558e30419

SHA256
d07e47dbfd678e785d04c498c43c7f2fa619d34a97d8668219931783fc94eb1f

SHA512
1b6f12ec76994809ac854fd9c98a143b86144c4b1538a3637f7867bf982a05e045bb3baf861e3a96f167a5bb1e70729aab0b4210e10253ba0b458a02cb0507ac

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
20def1221e42b626f5eb35e200345c65

SHA1
d6b311e6c29ebadb4406a3cc31b9032b0fe093be

SHA256
ced1108b4df1cde74a0d0e572c1597f39bf831d5cd5abbc8f1e87d19b0c6d385

SHA512
be604f4f5a21e8f301796ad9eaa1d70a48180e4814fb1719d25537842a2a8fa03ced662508036e6bcf8508062db6e0475934480da7c3cf66cebd02e9d4ca32b5

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
12e3aa7813f883de676b015e2761261d

SHA1
1924ff8e00bbc6a4eec40bcfe5f286571bbbb5dc

SHA256
95fac16cf673cf53fdd5f28cee841183080ef151c24b5b05675e9eefce2323f8

SHA512
7e54e27791ad016a60abe0cdcece18b23c74a03f8f9378abe22d4c1e9ac4d9e426e8dffdb4fe045515df8da165d8437588569e7be666f9e7e3bb133b3faeb1a4

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
3700353622a7bfd620b3648d7fcd153d

SHA1
c8aa11a76ca3a81af2e59feb0324387e59f3ead3

SHA256
95a140cd1b437ef42ff9fa7a319ebaa83cb765f06ede395af9c4e69cdde29d9e

SHA512
9562e6456940a460a0b68f927cacf0e7a173bf84290caa4ff1bc201a9eb4ba07a22e08ebf73f66631792c89cf901cf7742f70c4e358e772fe8c4443c95ee730c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
96d9b3aae284cb2888f179bec97103bf

SHA1
3cbe998e08eb323e0264f290d7974f08daff4d0c

SHA256
428e8a165e62738b0e867a642c479a6e1e49158a9513dbdf841e1a2ba9e59500

SHA512
2e5a0a69d670af7356905134a43c14ad773ec068ddf2ab39840586d2ff25d8082c4dd36ca876abef755728503da01fdf4092945a30cf2b21a463cc3ed222dabb

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9bc40ac942d13d390e8ddfc76d46201a

SHA1
678cf8263fb076c3d2eddcc4e1352cb3492a2a61

SHA256
5b77d438047486473d01a7b560ad84aa5beeae28deceb8b4c31e3c2b08fd6964

SHA512
163e483ead63e7718b13b23bd04734d0e531728587dae3ebc9243b05c87ad23dfed94583cc63f18e7bc6206e52abcb7ae6f351c18cc2bff5293b683142478cf5

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
40bbbd60fa80b2793042a057096e542b

SHA1
deca6dcdeeecb85543316a54644bb42336067bc8

SHA256
d405e6a04920e079834b3ba8a5f9ed19d5a1cbb8e4c11dbe6081700d3c670faa

SHA512
e20f1e109f23dce2984d23cba6d6cec1681cfbb78874d975f369079a55f46f56dcc4b4b8643ea7a05e0b9de48e38e031d649f8886fca10ff04d5f63e8dfd20ee

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
905d109459c9437a533a42210382350c

SHA1
04de1f31d79238e79a3f405ddf1be1e4f0351fce

SHA256
ef5d9df58a9213c3a1a179813e07d400e235dd67a63a2bb57916ee0e96cc422d

SHA512
f9bf9da3e94c709a17cfdf567e5e53ded69c929289df2f5d01983f7a44bdd38e5a5547778ff470d752c77868293540cf8d388a299aea7bdaedcbca703982988f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
433281da047a22c07e3fd27c7cc6a483

SHA1
212ca0917988053384245770e2bcdb8bb86b76af

SHA256
0c84a9a86ef98afbcb87c0c576cb92fd806a3d9f54d98a7e9188acc57a50da20

SHA512
bf99925d5c613cba0e864bac17e6722338e0a1c96d2e9a27369229605421ceb5cc3328830dab8fd47d60934cb185de9107b3318cc46e743d20a8e248a57cd9b9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
9627425587b46c55c45fca151230a452

SHA1
f7b5d22b1e87f011a93977113e76c7f9de71aad8

SHA256
439597f5878a6726ebe391757a3fe50efeb45247dd9b85933f70e5ad7b6116b2

SHA512
c67d0d2c43aed63937dd8ee2f1ffdf20d2375e5956f840bca308799b89bc04775b551a118253ef01a12c08559a47f7a53c19374bb53653d19cb8932995ffbe94

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
a1cc95089062dcd177d7e57485c77b60

SHA1
5fce41b871c8086b0755617b5374a28ca5b60b5a

SHA256
ef8684cfcaee909156047d062d60d1596022cc8684c80f357f6b2aa34eded5d1

SHA512
79263732f88f690c6f00bf1cb61e4eb22e5a96b39d6c9ffcf4e0eb428ea52c4d4e3a325d1692cdc78d7f75f3dffbb9360b87eaefdab917502dd102a16a7d0642

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
514521c97d2e5d7bea832daec004d656

SHA1
e70ad2a5ed8665eaeae9fd48ccf6ca6e89fc31dd

SHA256
af5eef2facb0876efa09aa2d69c6a89d2cefcda4f04dd16279078d2b31acd49b

SHA512
5808dd6ebf92ead1d3d3a7326612ae215f5f2e6fbec3910bc60c6b0782813201adf545c0bb1e527222efcd3205f95dd734e88a8d8d63c144dbf3d1be59f4b8f0

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
fe3a85368b53f6c6721954f8434fee44

SHA1
ef9f7ff859ad6f394e102eb81106d55671852bd9

SHA256
84a4439aad4468bc9c2aac275131428668a1e56f41430336106a662b3fb54b53

SHA512
f37108fa5eefbce412ead9d8a570f9b3de98537f455b4eb4d5aca9a71de77636d31220360494cf5a2321929dece918bbb81f973858ae29146a47f15e8479eb1c

Download Submit
memory/884-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/884-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/884-262-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/884-255-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/884-269-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1004-329-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1004-398-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1004-338-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1104-383-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1104-396-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1104-395-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1104-391-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1664-57-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/1664-63-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1664-60-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/1664-52-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1664-50-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/1680-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1680-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1680-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1680-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1696-299-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1696-365-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2352-2-0x0000000140000000-0x0000000140378000-memory.dmp

Filesize
3.5MB

Download
memory/2352-18-0x0000000140000000-0x0000000140378000-memory.dmp

Filesize
3.5MB

Download
memory/2352-0-0x0000000002210000-0x0000000002270000-memory.dmp

Filesize
384KB

Download
memory/2352-8-0x0000000002210000-0x0000000002270000-memory.dmp

Filesize
384KB

Download
memory/2352-12-0x0000000002210000-0x0000000002270000-memory.dmp

Filesize
384KB

Download
memory/2396-35-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2396-234-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2396-30-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2396-28-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2448-541-0x00000222C65B0000-0x00000222C65C0000-memory.dmp

Filesize
64KB

Download
memory/2448-545-0x00000222C65B0000-0x00000222C65C0000-memory.dmp

Filesize
64KB

Download
memory/2448-546-0x00000222C65D0000-0x00000222C65E0000-memory.dmp

Filesize
64KB

Download
memory/2472-434-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/2472-425-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2552-312-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2552-369-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2552-303-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3096-288-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3096-350-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3096-297-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/3492-424-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3492-355-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3492-366-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/3628-452-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3628-459-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/3892-243-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3892-244-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3892-250-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3892-311-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4052-446-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4052-439-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4336-230-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4336-15-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4336-16-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4336-23-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4392-238-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4392-65-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/4392-72-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/4392-66-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4428-547-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4428-420-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4428-412-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4500-341-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4500-351-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/4500-411-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4600-323-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/4600-316-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4600-381-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4928-377-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/4928-371-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4928-437-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/5028-271-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/5028-336-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/5028-280-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/5104-399-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5104-408-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/5104-540-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download