172b77123de36721e8b15e6d656a57b114e88b920e3e399e8d8b94a584fc65d2

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_1cf791df36bbf686b8130cd9b73e6621_ryuk.exe
Size

2.2MB
MD5

1cf791df36bbf686b8130cd9b73e6621
SHA1

85cc65c0e5bbd0a608b504d77496026e3d998112
SHA256

172b77123de36721e8b15e6d656a57b114e88b920e3e399e8d8b94a584fc65d2
SHA512

0305d51a7994658d0a35627ad17930bb1aad802798a364ab2f73169f5dbd0969f32366b09c22dcb9c4e03edeb433c49e2224f80f571077cb204eb85509a59722
SSDEEP

49152:pNl7soq7sQCr1kyG2xHywRfHIO2Ts4bvDs9RoUSVqSY9:ZD23S1kaxp9qszS

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2408	alg.exe
3128	elevation_service.exe
4644	elevation_service.exe
2984	maintenanceservice.exe
4528	OSE.EXE
2484	DiagnosticsHub.StandardCollector.Service.exe
2236	fxssvc.exe
2536	msdtc.exe
4480	PerceptionSimulationService.exe
1820	perfhost.exe
3964	locator.exe
4392	SensorDataService.exe
632	snmptrap.exe
3104	spectrum.exe
3740	ssh-agent.exe
3284	TieringEngineService.exe
4324	AgentService.exe
2716	vds.exe
436	vssvc.exe
2112	wbengine.exe
1364	WmiApSrv.exe
3060	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

elevation_service.exe2024-05-21_1cf791df36bbf686b8130cd9b73e6621_ryuk.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-21_1cf791df36bbf686b8130cd9b73e6621_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\484d2fc9d590e271.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exefxssvc.exeSearchIndexer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3618b979cabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e6caf2969cabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000050484e969cabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000044bba1969cabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b6bc82969cabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bc6f55969cabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007da96f969cabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bdcdb4969cabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000053f018979cabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
3128	elevation_service.exe
3128	elevation_service.exe
3128	elevation_service.exe
3128	elevation_service.exe
3128	elevation_service.exe
3128	elevation_service.exe
3128	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-05-21_1cf791df36bbf686b8130cd9b73e6621_ryuk.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2296	2024-05-21_1cf791df36bbf686b8130cd9b73e6621_ryuk.exe
Token: SeDebugPrivilege	2408	alg.exe
Token: SeDebugPrivilege	2408	alg.exe
Token: SeDebugPrivilege	2408	alg.exe
Token: SeTakeOwnershipPrivilege	3128	elevation_service.exe
Token: SeAuditPrivilege	2236	fxssvc.exe
Token: SeRestorePrivilege	3284	TieringEngineService.exe
Token: SeManageVolumePrivilege	3284	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4324	AgentService.exe
Token: SeBackupPrivilege	436	vssvc.exe
Token: SeRestorePrivilege	436	vssvc.exe
Token: SeAuditPrivilege	436	vssvc.exe
Token: SeBackupPrivilege	2112	wbengine.exe
Token: SeRestorePrivilege	2112	wbengine.exe
Token: SeSecurityPrivilege	2112	wbengine.exe
Token: 33	3060	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeDebugPrivilege	3128	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3060 wrote to memory of 1896	3060	SearchIndexer.exe	SearchProtocolHost.exe
PID 3060 wrote to memory of 1896	3060	SearchIndexer.exe	SearchProtocolHost.exe
PID 3060 wrote to memory of 364	3060	SearchIndexer.exe	SearchFilterHost.exe
PID 3060 wrote to memory of 364	3060	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-21_1cf791df36bbf686b8130cd9b73e6621_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_1cf791df36bbf686b8130cd9b73e6621_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3128

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4644

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2984

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4528

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2484

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3976

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2536

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4480

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1820

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3964

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4392

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:632

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3104

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1136

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3284

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2716

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1364

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1896

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
cc195472913ab49d12e8fd85907ead7a

SHA1
3c92b78555e611246e78fa9b67d8ba19c36c0986

SHA256
8813c2c4842337692cfe1a99be021e76349390a4c88fa368a43f33bc4e46047c

SHA512
1f2c9ad7d8e46fc815f89eca35a99a7c8833dbd63e00271ebfe15d15943b51e6237ec3fd19554a936b9a30e11b3df8498bd6b2f5381405a2ce404a16d5e00503

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
4c7aecac2817a9754b412ede22074a64

SHA1
8b7ec3416bcf285073c3c7e508ddae90a1ff4620

SHA256
89e2856085501ee54da0833cc0318e0f6b6ed21684f51e9f70368940cd67e5d8

SHA512
68615501c4c2920be698b22c39befa59d6fe4ca0e5637f61884d0167b6539e732542ca4a35b321f1d424dc0136e8b26d303f63ee0bd440fecc06fb8eb9d27352

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
629e1a4387d2afbd6bfc086786cc25e3

SHA1
a2bcf2a9ec2968f1b65881bdcaadf412452e5c97

SHA256
d56c66ba023a8ac77cf19d5cd6b34bd01804867cc3ee096fc5e7d6d4ce44e0ec

SHA512
275103c97c1db8d6e5fd27604ed67c5cc10ce35b665283f187b66db4ba133048de16f4f81b5e89643035cc38f32be8bbfceeeed3c2476dca116de2bdcf10ff15

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a5383b693d6fa645e54d3c3d1243f506

SHA1
705847bed917f917f2c3b5c0303cd6f4ff5378e0

SHA256
5fb5d5ba14c315298485b61bc9adda5517160d0a802ac8eeee3434016d164128

SHA512
58eab7ff8383e40bca6e20d68c5479fcea437b7574768027f88bfb0336a4f0e308f3e247036ce477c838aff53562c2edb088327fa818bb46a9d5c61b458d12c2

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8f0074dec0bbcaf6312878f9687b9908

SHA1
ff00c861d9a74c06186201139d9f30740aa5023e

SHA256
d651eaf3f71186fa278ba3fa9f19a78c272d42ee20744636008cf4bb490a84dd

SHA512
5309aa6dfcdf7185ce380438a093c583af89186876da2c21498adb036da6147fa934285ce6e1e9ec291fa25a7042c77508314c174f203b43ca79c5d60229941d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
8e6cbf677754f80596b278a799173bf1

SHA1
ba2603c116c643a2f9fc0c8a33a2d26d4ebb5393

SHA256
cae5234f7449348fa01b47bf64ac321aeb177c30cc3442d58e9364648f3eb177

SHA512
faa55a29842ef5c95dd0d6f09e376e42cea185b662e6a6d14a62fa32ce0f77a06dc7491bc8c75134ac167faeec013bf657ba062889b45ea214c05dec65eb6c62

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
55b06ebd8ea7398803bf91bfb8236314

SHA1
39b27535bbbcebf9bd7f6f3508f26555d6679ae2

SHA256
c1ec998a6622ec271821a4c299d92314a9a3321803668be315329f6cddaaee49

SHA512
bbca88bde32401b0503052d0fdf050370ddab105e25fab2a7cac39dc445fd3ef914c82241c1c6dfed63b2ae7fa5e1a15efbfa9b159d92310b1b41de91066b0f8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
6e7a23674839137bef090e052d80e546

SHA1
d913fc174feb23df43abbd6dd58ebe2c09fa49ac

SHA256
556e31e2cf755af8218c7634bd970c5963145c47e7742c0576b6618484beb3f3

SHA512
2d247f543c74ba190b0d16591e4156182fc9c25ee38a642583fdb7e772f93854fd551edff633a0c734531ea8fe88ab0b0384ef66c9bb8005ab6e641d712a1a10

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
a918a4243c937928e5996e9b7313245f

SHA1
5f1a3778233c1d2924c6bd86be4c3b387aa44085

SHA256
3e028433d049988c481ade0126471b6e448e51ea473ba85d94833cec3ff50f7f

SHA512
6efc4e7826ead7069e0cf924b6173aad21d29992abb8a2794b5f861d75cf531073d9cbe1edbe37a95955dd4f8cce327760604d861ae9d17da00f26ee25cbb458

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
9424bf1320f575064af0c7bc01d27f92

SHA1
258fe88de0987b675f3d91fb26f0dabc5a334d02

SHA256
c208e5440bbf91a4acc5bb498f32a53622735f690cee904e2b7dd0476bfe5fed

SHA512
5387c222c8bebe42d22607c6066836d398a33ffd4f882ce08f79efe812b6edfa9d8d47cf4ef1039cd47eba163332e298c43dfbc5ddf60f87cdc8d5ecc5f8b080

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
4d194b00ce162545b9590bd62fe54f19

SHA1
3b2279fefe89e55103a8ecc98667312e905f3018

SHA256
7ee7a0908b191b609bcea74ba6d96973017c3df1b91a0a1f8d320f42183811b6

SHA512
f2738666eedbd5a20100cf1e24760cfad03981a0af7c53d2b92d7f095a646c8ae38c720429ed1e995d33d735a4c213b6817224fe873e5c16357ce36f0af6532d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b0f9fdcd15de8b2069b8d98e590e0202

SHA1
a2e7d18177451ad96698ff18dd70e2cec3d9c7e9

SHA256
05d12ab20bf744cd616a619b3ffe1bed82c483e08b3270cc92abd0d9ec5d3801

SHA512
03029266ddf8b2f3c4ff4a8e4436873de8be21bfdbc735a33df5bbfeb4faa06024ab9c2ad15375ddedacb95734d05a43425db417f6f975a8f7f1f1220873595e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
0998364fe19e6a4d3042cc67708ef703

SHA1
0a045f0b026197c4d7f00d5070ef3af51f776625

SHA256
ec799ec7baac040bb36277ff23606ed6dbf8efd2feecf29b69b1695a779d5159

SHA512
a9dbf1486af222fa75d289fd88f0449137f2b3664e71a6d0e6425c4737064ad5a14fcb01929054a7ad5957c350538c0f4baa0fa707405ec83a6f79ed9d31a1b3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
e666bed91f5430fc10034534b5ecac52

SHA1
edce7500baa1fdf8c0074fdad1ade44997af20c3

SHA256
95c3fc4a44a55fb3fc4a6a9d3b628186d6d77db98fd790a7e87c904063d3a95a

SHA512
d9074345bb61860452af0c036bf16e69dff3c9320b6da5cee9aad58c72aa145e184427c8d2b366a442b610413aea3acfb999f41becc223b377d4f4197d7c4116

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
7d4d91b811db6c51c1827d40f516a818

SHA1
85f4aa0d5ebbc4dd17480dbda521958bf26cf8cb

SHA256
ed2aa6ebedf3289f16064d258b2f6ee2d402ef868686e004ae9b350485622327

SHA512
5071a41c8e9fdbe58461e4180a1b376651e0cf6047a5813328bb109a3fbb895f3a2712e097b688438f5fccc55ddeb8d090c26efaaf51c7a25930da7f937ec50b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
b3042f75b02496b3ab907f86e120a194

SHA1
111434cc912ea9a01db1f27fbb8f7189125ca3b9

SHA256
d2835f8e16f6ea61020afd431db425a8f053fdf9fe8594d4bf037ad35a949abd

SHA512
2a940eeea5a0ab0e8cb3edb526166d9972d08a317027f0f39d4f03dd58687a50f6c973b5f34151b9f9b2870bf6acf4a29c78eed37f95faae4b32dbe3ea968f30

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
d8a704b2e88d9c4059e57b9754e05693

SHA1
fa08982d4867cc691e8b01e6f702fdb41e608e11

SHA256
4221da8dc8104c172a66ef16f901fbd198f67380f3d47f7f3c06c23475900f98

SHA512
fbd33561ba6f2a7e23b820669ed368a559d77fe0bfffce0114e6e44af1dc3bf09cfd73a94ffe3ce96566354f45e81f2efa4266a642fde6c95bc0ed3b4b506786

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
8efcd38885cb7b8b4709ed167825e439

SHA1
1770781f39d16e3091ecc33ac29dfe60442e4dad

SHA256
30ff5bc3e8f0c796b2982a2ddb452c6db58eac1e0688e92b87179532624a8edc

SHA512
6883037c62d33f2cf105aa45a74164e3bce3c85e1be6737957508b32861b77e2b7439e45cca414153bffe6be614bd903ca2e2f9467a439df30a1362b76fed18f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
46ae02c0e67874edd4b1fe64070626d5

SHA1
bdcd20208479e501c44c608d5d2a86f8f4430a13

SHA256
a4fe3d68d1d3164555b2adcec4e0b87e4347cdc49cd7e6f25c53f028504444b0

SHA512
c1c4918c955bb8165ebdeca99b3bdf3f802967204350791bbdb3ebd32811b2b2c1899ffd90872292f2a17b583b019112287eca4ad382f182b839f2a6f641d52e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
c4b578cbe69a74e0f19d4e658760a764

SHA1
64f6ad561c40a07d048a20b522c5d25d07d67058

SHA256
9c91c0e9d4b5ce3d8bd21251e20393e1acdc3d65b11587dc5696889ac1c27132

SHA512
33bdad5dfb9100d9cd33cae67bc23b26c2ac2669c8e8addc697e78743971916755c9a705e49afa69830d32fea39eb8a9594f03c62ca093cadd2c4c173b90b939

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
38480cc7b011eb83527014e16a630947

SHA1
f946b802f4f3f74b748c255e8214a8b8b6432c67

SHA256
78b04cb21febc9e546927a91e595004d32d62e3be95903469a75e91c75176624

SHA512
a5efb84bacbfe564ecc31db57dcf50bcc3bbf8fd5bc78f45e1d2c8e1a482e7c31fd5442a985395a2dc24e943e4a886a39a93532c7dcf2cdbb70e562ab75fa7ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
e055bdc617fbdd971cc9d63f5da60232

SHA1
aecd26d18a20dabbb18b447a7e8990db03b535e1

SHA256
baefb7d540d16200aeae211ed853148d05f0eabbfe44d689a3ffa119d23f99ce

SHA512
b1b3f24f58401a49bdf4f298e614b7742aa97d520c3f556536a92a295e42fdc77ce82ddbdff49ff7eeba6491b79ff3085258d3f1cd8d9bcc1d04a02495d4c8f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
fbcd8ee8102318a64e3eeb6d38d399d1

SHA1
8843dfb39ad9940435db463336d440421af13a5a

SHA256
e9403304e4bd0ab1d1f3600c8e5512e965a46eed51d233bda0f23fe7143787d6

SHA512
6c1976c5a1fe344f712f5bdcb473d3f8a17dc7116efe146dd4b6891818af36b960ecad0258695b9a9106301897c6c3060858bdef1350838fca4c29802f77f618

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
b32e00cb7562eef88fdbb2beb45e47a7

SHA1
e4145dc05a2d56f72ff692ac6d854be5065304ce

SHA256
c88291b75832aac22972471aad3405a367dcd66050df7a2e57613ce877eba073

SHA512
dee56cf2a94d8d6ac2aab5cc489f829b7c03bb31bc04781121c4e783cf62f64d97e5597ce468fff74b3528e1f924d32b4af665294796700f7a72e9d059902354

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
d37e3cb7b0c2b74f486258acf0dc349b

SHA1
9a78bb96b3532e91377b8363f04224f3a362ef07

SHA256
ead26002a19ae11157414213131d4f5dca6bca8c886d84454ab45721ab3e90dc

SHA512
123e148ed402f931bec1dd8c921f9ac505cb645af8d3e20c9f233158b94778da0b346cbc3b12ff28a2e9071187d03cd917a74ef63397c806b2cc497ad22b1211

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
b13c27396ac5802df85641c9d4ee5f96

SHA1
efdf6e0b7140c59458a082a0d534cea58d0847a4

SHA256
1ac14cd8d00243f031ace37e7e5fca1d1f3f568b434a3f9822f69a57dea5e370

SHA512
e9a2a01a999ada9030b6dece03d68016e56d4283bb30782776761231a9652d650eb2ac1a4a8008bb9a66095034de489847a6e3258eb4d78b0070a003a6298996

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
f8e3a2028e31579f755b0050d69f42be

SHA1
07934540559af63ac0c829b03aaa918d569b6094

SHA256
bd504f04d8c24287304816045380ce8c7b0ec75cc1715e2ec69fbde1d288d9cb

SHA512
c6ffe72da87e6c66788a460b05e967e1287e86c37224e20c8b661b5d48047f9b38adc15419ed4cec08701aeae4692d4c811d8c80b8eecd068acdb97371a51748

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
9461c1405904709fcfaf7f0649044ad7

SHA1
0d60c8efc8640d9f0126cd3e409ea6b88c8f6a12

SHA256
af10cb1881ef478fefe034a9b34f45a9d05e1af3d4d6047a40832fd60b26adb7

SHA512
50adf50673988851f68f6a25247299771bdf8209bb8f9840b7c8a74c7f749e9233059cdbf77cf85caf429b17cd2795783ed759f05cc0807acffb1c83a2f2d05d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
fe5961e76ae6d415ad4c51f6a1a0d6da

SHA1
8383f09148b3653a327f1e2a985c96cdfffb5c53

SHA256
31a42684485a361c83caa5cf30313e7444088664c1f3801dde673ee7cef68daa

SHA512
746224bc4176332623e1c7b960d4f03e49c1c1593117961ec35e45b978d74381e8552cb6ec10ea2b0f97870f8ee2be204d6467bf87c25c6146f2e37500d0dd9e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
09f0e963b4c1d4885b36c048daa6855f

SHA1
dcb4b210318155e845acab54d91ac21c9bccaf1f

SHA256
1f591c93838cf691d9610ed154efebea3f105393ee963d0cacd7dea2299ced08

SHA512
5b7044e8b77576309c9bcb4896ddbb58e131042f543963d76bbdbb24dc8e96bb5e4425bc81203eef248aac779ef9da7cc02f3d2c7681a5887ea8818175da7789

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
271415e765ba3c36a844f5b0bf8c9324

SHA1
6e3b12904aead78091a23fab4d6517de57f00ef8

SHA256
886da8d267d19a7ab4148d5f0abcc184c20a039254f5cfa66f13cc192e001ac4

SHA512
9ab9b01f9f745358972619eaf99ec1b8e7db2e56be308d243e3564eedea32b314019cdf54ebd981204b405e4401b122fdba2502898e782ef4e1c458e4423da7a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
48dfed2d609140d874d1cdbe097da70a

SHA1
93f772e6e4822f8b0a9df6d6075a236356a50f0d

SHA256
c9bed0da081580acdca11d36a4d34ee9c1ee65121e4784830bf7af6446ddf10c

SHA512
e3fb163dcab048ea47ebda66f55f59fa0a8194ad32cc0bbbdba7412df6d7b96cfc6077cb2eed59b0f2b34d56a8dae38d0ef3db37dd3024b5b1a44f7e944e3536

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
f859f9072ffa5d575508a87a30c5e385

SHA1
5942d4294ec2994966c056329f6d7ff44096ee1f

SHA256
2629384d0d1ea6c99a8780c33a4e7c7bbcbd9860a3ea1d82024e12e23ef625a0

SHA512
ca7e7177d976d25b5dca62da6c6ce0e6704b8331dfd3438fd825c2034cabf0ad69b050b53b7c4299fee68f97f575d89da6664f9501f01fcbdf6aa963d77b5071

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
83ffc2823dd26a4e1c9a92b81dafd986

SHA1
94e9b1a28254038fc6f38748a1dec4bfc479ec35

SHA256
a33d4e5adafa195e0f79dbfa168131940eaa8a17f56ee48937d155b6e5d57899

SHA512
b0bab23dfb440c0a47f7a1a110a9fb9e75970f9f121959b066109fac469e8d561c257b6fe1bfa9f102c32e6f5dfc9f15735dfdd7dba939f1ebb66a44905d427a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
e22a5de4c3dd6ff9b702424e829017bf

SHA1
ec48aad03f350d0e302dfd38a37260c2c3640ce9

SHA256
09ac07b5e56cc14d5b7e55e11895fc36ef4e89cdb8613dca37dcdc1d94523e0f

SHA512
6fbba3505c521c1f4226e7e2ee2e638ad9c8c4481e67d262a66f230bd3d12653824bbd4c534d793868416369673c85a9b4f69017a2d61cb25a81695d336fdefb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
7ae2d34e3b30de7d537bde991ff78a74

SHA1
4dad4041aec0254639605d14fe146aef64a50af1

SHA256
9a0c76d993e4ab9f0e0cd1a825ed9e4cb1caa98cce59a4a18db99c66eb3c3156

SHA512
2f138e1ab1461e8f0257b630d430dc0729cff97d4cb9b8182c9c96b8b293b27ecab1bc10dfe59b581ad14b2a210a0b417d66f9e5e442d7133b5d13b19d874672

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
7c0613fb4eb35e4a8e64d0656ac5c426

SHA1
1da1671035670f7f7d52b2cf5b2d894f45ef7a03

SHA256
bb8b0d01994c4429793061daf669c25ac02960a98f954c876eb92bb05aa960f0

SHA512
1023c21308af0beead5e1d06b687803fc0e5305ae024eac7a6f272257a8a7da18be5c08cbec6f53032957e7a4b5cf591ae26a95bbcea96b87423e5bdc88c298c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
1a6d932fc6cadf7e7872f2c606952175

SHA1
05d9d9713075c9aefd74f0cea5ecd4890d3e40f3

SHA256
7bd2956f13423f2f5f50ad52b4d0e284eb3a3f2777aae0a16d45c40cd0b9d172

SHA512
56d745a172d1b20acd28059b2d8c378b53215034304bb67b07ca008c48fe87a413261699e1e923cc4cb379d94934bd330ca1f2ed8bb14e88c26c360942b44b87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
55d9a6c9add991742e76f2e6398b3b0b

SHA1
d44751c011829f0c86a66d41086adb8e8f377fb7

SHA256
0cb73d006583a7cfc972c35d259bebb8c6f9609cc457a484c3b6a5d4894e8c49

SHA512
d1aa4e98d2ff42b0df4ec3b845fb1716f9fa82e6b8d33b4025e35c866678ce9331115293e8a606651e4a0f7b55572c68a597d0fc5fb5d901f58f6270a5ca84f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
23a9ebef62a1af076a002e1e2ccecfd6

SHA1
8ad66b8d500babf23a06099756424adce5753166

SHA256
8fb262120f4b35e21bf0505eae8d23ba10a555ebba991805d6ce2954e0d4fc75

SHA512
515b54c75933de6eb16e090ce490c0ad8ac9e3dc7c143370d84802d991d6555f0c766d5f56ea6375426f13d3923a83c1df2493529663e84332bca744d3e75c0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
9d5b2a8c8058037dcda71f4d4fc66a24

SHA1
56dc5fb12c7b17a3c48eec741290c735e9802f03

SHA256
22635069869296b28d86a5459c81da0e82349431c5782237ec38f056522203a8

SHA512
5b1ff7dacdb935451d35fa0f057b1eda5e6e64120ade63f8f51cc308a24a44fddbb20ecb9158a31c97b75b6e3f8f2458e9da13c8cbd7420bda69f52e5cb007b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
0159abc29d6bf0c5742fca099da084e6

SHA1
db9d9a00fadcb3e6e271a5fed262bdc0744a4dd7

SHA256
9565e2ec05dc0c5d2d96f07fba1c5e6cb699b892a82842f4e43dadd86930e28d

SHA512
ee3f0afa286e434c5238c27711f1bb4cb622562f0226e3e3940f5aa0be8e2689a7191f1d9fd80de405a48ac235a729455c181525962a1e8eb5261b44f7777f4b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
d9ba8d2f8d2fd6e2a8c7f695aba9f38c

SHA1
b738249caf9ae96c6ee99852e1f7de617cd059d0

SHA256
f0087344568e05fc7668d24e38a9671442cd8c1b13ca0793d1c02ec6957957a9

SHA512
7910df8a2e866c915f6a034ca26613c98b4ad5dc1fc7ff56f4a6297c68485627bafee8c1549da827058ae0533269cbd5bf49aaedbd9c3f9658616dd94c3fa9b0

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
486fa52e45b0330d5097de897384c1b4

SHA1
6dbd8ae2468fd043db433977f4a5ddf2c00ad71b

SHA256
21e28c664e2bafe9d140e6eadc74e11ac07d542df996ac047eea607a2ff7e303

SHA512
5ad95c5c8f009b0bde91f3006e2eca77a011f4d1f5e12063f5f637e90ce52833092f6f6d61f33865911915afc9c81e38757c01b34c24704e395d0d0338c10c0b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
9f0ed9d84f9260a269e5494ebe74e459

SHA1
5e0c174db768e04a9b616338f63579379ee3937b

SHA256
c99e52d8588e296e1b4bc14ada0553f0726e96c7b0ef4fc92766dcb634348afa

SHA512
e48881120dfb156e56943b67e2c36f7425a52b93081676cb8ddf817ba239b1d30a30ad0710077161a084764b12995830298094b1b9a50166f3823f70dfab72ad

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6281e7df2d9d24cbc266bb2a68d9c6af

SHA1
4f30253be598490a5e678caee367d21c5b9b09af

SHA256
74421bb1fc468eb5e485bffff590f6a14b5fa92f925b80f9495f41a8cb339069

SHA512
ede8de12ba7ddb04837d16e3eb966768d503ea839cc6c00c10e8044f50a2e19734e4af1df8375e4b7d8b2648573cd45ab196903a399bc4656086c6a4596c5c80

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
0ec47873b58793976e2577ea8b9ea052

SHA1
fdff9d0c847682fa922d979e43c7e8773a6a3acf

SHA256
1718b82bd3d56061805873165a7836fab2b1016688cc10a9d9db99bf03364813

SHA512
6a47021c89694f611b1bfa7271e5e0bb2e48bf4b2433c03f683b57d1334bdc15f931443ed4cf01ba589c00afa55bdb859239cec876f7d1d3e15aca082668c840

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c4c0933cb78b67db06893d1b89ce127c

SHA1
7e1aeaffb7f00ad23489b80312658d1a3512b89d

SHA256
6a292a809ce0bf13fc00f42c0322283e8072160ede2ad939bab69930e356f687

SHA512
28a7cdb6500b6d9ac560acfe48af47675a7533363bfbf78be3401c790b9053fca9fb17c2f2f9e5cb7603287b588499f570c7c38342b675c8fb16d3b6cbf6c605

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
27e71096a53def52a26a06570991a52d

SHA1
671274b20f722896862efe46164ec97b4cd5a189

SHA256
2d53d819564359d7752b61ee5e348c3cc57c7e79efcce036b835a5693c0016ed

SHA512
807f4f1a31e130ea77b6e105569980e5bf0c1b07963dc3e5ac8d4a0945d4a11576cdda624c0040a66b90eda268b2175c5a18fb7eb656a651d35da5c31f67a878

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
9b24a6f695329df7a34d7fd0c71ae548

SHA1
5ba222cdf512a73303c81c5ecff93cb877280165

SHA256
fbf965768d721e019efcbe4276504b12956b7edf430ca6784ec5c072179e2880

SHA512
ef1c3d044befe99bdb2ac00268dac71a01141c7aa03d7ec44840d1c35ad4f37c30165cf1193f7918c04d6cbd0b4b6fc28f77512dfebaa9edf2f7423da3b2d2fd

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
9fda245adcf6d46646fbc2012c89c9c8

SHA1
13d8dbba36cf847abda28b38ce352618a6d9bde1

SHA256
1dfbf6974bdbb8fda484c16e58d2057015cf0571bd2760d3bbe97039005eaf6e

SHA512
ccb3b393bc47a57ecee0640e052bb7d23b1cd6e29735f71e28d2fa75f773f994546aeb532a5a8d210568095f027efb02774abf2c75d41d4936975bb55311e9d7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e25fc438fefba48ba3e1181174e47170

SHA1
e851da908821f6b41d39a2a8290c26168ae50efd

SHA256
be59563f5db40a30fef09ca1c6f61245ce5bdea2dd1954feb5608bab505e9a45

SHA512
873be8bacb4ff3ddaecccd6372909d4531137c99484825fa0faab767577505da3c3b9b08263a6a0676418c0fa382abcdacf16773dae5702b74f194f0e57e2b39

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f9c9c5991a06ec40ee6f7268fc1eeabb

SHA1
0181136eeb902d84367ee03c8d1db03b313d03b5

SHA256
215d7669a718d37a85c8ee299ce02b8c0df15e8ac60d4f5690c3db63fcd21622

SHA512
db478b383d592929fbdb67733ac195883cb4d48d323b047c56b2730f2be501f132ae495b2869fdba38ff719e2bd65d9d4729a722f810f2f471dbdd7c35ef4f8b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
543e91921bd14c0a9231536622c9f98d

SHA1
5329edc0e9e1c9853e701ce254138e7ebd1d27d6

SHA256
ec5410f4b1a77a49e5bfc3ad0348a6dab7607b70caf01e7f9a73870bb7dda754

SHA512
7b403cf30f23b23b85a509976505ce138f4f68b3e96ac91c70e541e557a9bac55d6ca686b425abf38fce26eee100689454cc8d65fecd0252e9c36640431cc43d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
4dc09994888026090043be489a1e6564

SHA1
138e28c1b9e801c94d6e712a075216380853e9d7

SHA256
d9181a1c875dda4223d4793d055e65f9109b62853008c2d7edbda89c74d250c1

SHA512
706d36a903ec553f2810e8b3ec1c95f4b2eb0b0a4f018a174b1ede16754140ecb47a3fb6f8c74f11db8e923e8c5dd269be2d066202619ed5416e39be61199559

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f14397fe7edac8570d92bdc4cf1edea0

SHA1
aa9888d81ffbb7209f7ab61041a01d149b8551d9

SHA256
a8b34a55e23dbb82568944eeb1540c85d6c66727b4aff5c39dd112571cd8a9be

SHA512
865fde2038fa7961f69560ac50307c879803203be051d9106dcbb88038a79759fe89df78b411f54893654842428fe26bc2853c6aeb00931c128e44603d79aa82

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
3ebc09bcef7cb247521886fecccac0ba

SHA1
91f3f775af76641afb3fa806c1c4678870c0acaf

SHA256
4ae0e8c7e797c581f8302f0529a3d347bd689b5d29a59366fb60ec3afa382d01

SHA512
99b23020818144c304fa75ac654ecb41bd6155800e80c6226c7d85d9a1686decabda615834d02ec276c4d8f940ba9ac528a1b64cf96b01725a48617af39fdc5b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
c2a7664245fadcfb12c231c9c00fd4d6

SHA1
a4b90b179ec0e47c23378dae144abed89834117c

SHA256
fcb81c82a1ab10154309748496efeadb23ea0975f27125b88fc50baf13fb560c

SHA512
fa5bec1c0b98848bd8e198c3a6433897863883ccf03a92a1cc22b490aa3542f26d187e3e2bf5cee9745aa57277b16ce703144f7da411674ecc63ca401732bd4f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
0679590caf55d09287894fec22047fb0

SHA1
fe972b0dcb373886da37f188d25c6ef276d21ce6

SHA256
33fee0cef8d0299878cacab7251bb389073a639d0c39c5cc444806b030d33827

SHA512
207ab00c0b34af0b3b87c7ac56b8cf5fc7c9f1becb19b71c6cd13d0462151c7594c255fc59b76a22e0adebae02c73906c3e5c7890454bbb0da3a026b132c2fc9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a4800932237a8a6d031147c0c3427142

SHA1
ef53c20bc9a8ab080b367a4f65c6bfaf48bfc1ec

SHA256
f9b73e5d112ec69714004f0ce9ce47adfb53765e2a0249c6bfe03a35e22f3723

SHA512
5e2b275f6c1195652daa2545c44e4e929748c0a08b2c3bb4732a578b7a1948b89f45242fe05a5614de5471cad60a0abdf6f2fa0bc6902d372d20e1083e1b0b64

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
9736d40d0285afe787549ac39f28faef

SHA1
d5ae9d51ed3ce84e43fe9bc8d7f676876e6b5cd9

SHA256
faf270bf7b1eb5811124303ae8808d71bf740e37d0a508e314616d464653eb35

SHA512
c6396480d4c15debfdcda590cd0ed01efe2c6cafa6dd1e5683a92ee5e95583dbd5c9255abef39ac2cca51cb369b696b00d6294e3cd13b152ec7d0b3122460f18

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
cd15f73f92f1b2b49f054b03a9b2ae08

SHA1
74edde54d07f4f82b96ae64a4a868d6a1f60995d

SHA256
6c82de91ee053a5317cf8a36eb721fec17ac72760bd8cdd66dc3cb2fd35bb769

SHA512
aa1d578441093214c3d5e7390b965d8dcf390a3379e9dcc237a7579543c39d74161573855250235154e78669bcd269cc53836c8dc337b0b15a286cc78692ffed

Download Submit
memory/436-594-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/436-396-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/632-331-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/632-552-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1364-596-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1364-420-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1820-407-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1820-297-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2112-408-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2112-595-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2236-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2236-257-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2236-270-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2296-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2296-8-0x0000000140000000-0x0000000140247000-memory.dmp

Filesize
2.3MB

Download
memory/2296-14-0x0000000140000000-0x0000000140247000-memory.dmp

Filesize
2.3MB

Download
memory/2296-12-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2296-9-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2408-24-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2408-25-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2408-16-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2408-235-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2484-245-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2484-357-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2484-252-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2484-251-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2536-271-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2536-383-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2716-384-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2716-593-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2984-63-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2984-61-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2984-65-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2984-53-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2984-59-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3060-433-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3060-598-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3104-585-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3104-334-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3128-37-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3128-38-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3128-236-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3284-359-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3284-590-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3740-346-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3740-589-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3964-419-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3964-300-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4324-381-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4324-369-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4392-588-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4392-432-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4392-311-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4480-395-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4480-286-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4528-240-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4528-68-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4528-75-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4528-74-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4644-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4644-49-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4644-237-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4644-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download