16c132e9c8e3d0b0ec059f8cb7aaf7db7ab2e466a593d3281bd5437fb28d094b

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_22db0fdb73d9d457e6e84f031cc0841a_ryuk.exe
Size

1.6MB
MD5

22db0fdb73d9d457e6e84f031cc0841a
SHA1

56df5bb458be2cfd3754f7c31b876197bfb67637
SHA256

16c132e9c8e3d0b0ec059f8cb7aaf7db7ab2e466a593d3281bd5437fb28d094b
SHA512

e0e16eceb1b2eba939f0164c3a4b7437879327de120bf826bfcde65e33cbd608c2a50c9f60ab826f3cb11c5a63d189146b1d7a6e0a3f291dd2c6185ceca57f83
SSDEEP

24576:7mGVpdEYUmEP8ROGkZk9MUoIr5HlMP6OQ:rVp6LPekZiMvIViyOQ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2592	alg.exe
2456	elevation_service.exe
2660	elevation_service.exe
3508	maintenanceservice.exe
4308	OSE.EXE
3892	DiagnosticsHub.StandardCollector.Service.exe
1524	fxssvc.exe
3000	msdtc.exe
4780	PerceptionSimulationService.exe
1908	perfhost.exe
4000	locator.exe
4912	SensorDataService.exe
1688	snmptrap.exe
4984	spectrum.exe
3972	ssh-agent.exe
444	TieringEngineService.exe
5044	AgentService.exe
4992	vds.exe
2344	vssvc.exe
4356	wbengine.exe
1856	WmiApSrv.exe
1292	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

alg.exeelevation_service.exe2024-05-23_22db0fdb73d9d457e6e84f031cc0841a_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3228da574a48edc7.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-23_22db0fdb73d9d457e6e84f031cc0841a_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001609a5f3d9acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000492deaf3d9acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef2b09f4d9acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000065f4cff3d9acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000008c4f3d9acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
2456	elevation_service.exe
2456	elevation_service.exe
2456	elevation_service.exe
2456	elevation_service.exe
2456	elevation_service.exe
2456	elevation_service.exe
2456	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-05-23_22db0fdb73d9d457e6e84f031cc0841a_ryuk.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3552	2024-05-23_22db0fdb73d9d457e6e84f031cc0841a_ryuk.exe
Token: SeDebugPrivilege	2592	alg.exe
Token: SeDebugPrivilege	2592	alg.exe
Token: SeDebugPrivilege	2592	alg.exe
Token: SeTakeOwnershipPrivilege	2456	elevation_service.exe
Token: SeAuditPrivilege	1524	fxssvc.exe
Token: SeRestorePrivilege	444	TieringEngineService.exe
Token: SeManageVolumePrivilege	444	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5044	AgentService.exe
Token: SeBackupPrivilege	2344	vssvc.exe
Token: SeRestorePrivilege	2344	vssvc.exe
Token: SeAuditPrivilege	2344	vssvc.exe
Token: SeBackupPrivilege	4356	wbengine.exe
Token: SeRestorePrivilege	4356	wbengine.exe
Token: SeSecurityPrivilege	4356	wbengine.exe
Token: 33	1292	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeDebugPrivilege	2456	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1292 wrote to memory of 1716	1292	SearchIndexer.exe	SearchProtocolHost.exe
PID 1292 wrote to memory of 1716	1292	SearchIndexer.exe	SearchProtocolHost.exe
PID 1292 wrote to memory of 2308	1292	SearchIndexer.exe	SearchFilterHost.exe
PID 1292 wrote to memory of 2308	1292	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-23_22db0fdb73d9d457e6e84f031cc0841a_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_22db0fdb73d9d457e6e84f031cc0841a_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3552

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2660

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3508

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4308

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1476

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3000

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4780

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1908

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4000

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4912

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1688

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4984

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2976

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:444

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4992

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1856

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1716

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:2308

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
8dc0ebea736c0a5f537af58441d2271a

SHA1
1373c492f4b8ca30c79648e69c576b52067dbcc9

SHA256
0177ead4b39c9d5256d12530b4a746cd709503203907b4d560301e0980c29134

SHA512
77ffc8f04abe4774a01c8d6665082289b1c491a05e3558ac783d0f473a2ae77f1df34b1e30464db6b58ac9e8b3506238b7c7cf59b50b605e50e482e572b32fda

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
fc7f588aff4d53680d9bb8cf97aef438

SHA1
cc5bba0bcfe864ee63c0fec8fd62dea9000812e7

SHA256
d1a9c680372185010dd173f0c6080407438110fef9fd572b20349a66454a301b

SHA512
8e62e785840c3a5c112348a29ac90df503cd5e8befa2573b71385d1740fd42a67ddc95f75973729a7fac3defc731afaeed68599e606db4bed6bd5556448df284

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
9c531d2fb0e78dae236f08e9bffd62a5

SHA1
7d218f0026743b0c0896fdfcd537fb2bcc84b7b9

SHA256
2fd226b55cd8b8569e9f2419552223f5f43e93c8c30a8a39edd6336f96e6ec94

SHA512
918f00e037a95bcff49dbf2fed8b74f0680a614fe10c82c896a78e4cc75f29a9def328c5146ec4c06a5221718d8bf979c4ef994c10d9dfa9347a7d769af8c301

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
3e0c6b4adebc239469e0425cb3d121b9

SHA1
32b0c55a96fc1c00b178b1f1be4bec52e0fffb90

SHA256
7c97c76c7ac0180810edf3b3092873200a5d2b053acf738b01ac9b8e7b7bd58a

SHA512
8a138dc6945cd62f300e5c149930acdbc871a828802d467a2579c8459ce064792a1f8ad04c51b2cfa302a14ce92183063b1d2fc22a016bd4247cb44ca327d8a2

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
4691d9c1ae81ca8f078f7bc7c28fa5a4

SHA1
9acb6ba02bd77e3f0b71285504d3c12e241c7c36

SHA256
0ac055f1924b6e3ae2cf8673ab5de33c3cde47f720a0d7feb2cb9e2f5ecb7486

SHA512
65c1ccc82a05ae06f69d03a4c30f835dc44ed3f137e99def2123aa1d6479d67306857b40a8ae24fb9f3f6d1e5908347242769d596fd5af668547ca96bcdeb45d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
5515f49a1e9f09937317d5b164a0557b

SHA1
1cbadae9ed0ec6becaa6444d17181b87c44dd619

SHA256
d20808aeb2e6260d1a112b04c02e18bf896876c1167e1c44437d601c62da5605

SHA512
a0813d8bf14f352603e1653f058092110494dcedc755a1c07fb6a0fc88fed755283fd1cb361c1d5620136b04789245100ae423904787f0b67eb25c532e09b713

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
9b791195c908509304c576d5c79615de

SHA1
b142d8a674313c5462a5f2b5bc4e3b81b2d0b0e1

SHA256
60b5b8ee0a17d4e379e809e4616d8fa81eb492e4d0811574d8ddd2b6b4e827c9

SHA512
9d847bac9cf48234bef60fad23e2c4c2df83ff2fbf3e6704ca9871b5f4343449ed06444efe9f7a0dbff54a77b871afe844c34b0481c9772b1b788aba22ea05b9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
091a63baed29ccd87a0a45eb5358b1ec

SHA1
29230e2dcd5c81ba50f28296d73da72cdd198634

SHA256
59ef662b3299d20d0b703818df1c75530a371221ff0686999f80ddc7508c97a6

SHA512
d46cd0fc850740c841635089c551a96bc8a5c050c68a519181d9fef159adace884dafe21447256d09aacc23105e9496a4e8ef3f27109f9fb0a0d3f1980130f91

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
715b9192b2e267078063de52754f9c1d

SHA1
25b06947d512ab53da42a6582f0377c48590328b

SHA256
34b422e3d73e4ce22282e92bf72dcdbf06cfb0bfc3b39265aa797c4825154c3f

SHA512
a180ffbce6cadc9a5e0a58d8f58a87c491ce3c33f1307203615a462872f8e8ec019127b1fa186a1ba3ff6a91536700a7a5c8705ef26e0d598129a6e104e11fe2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
e52cbb56b08602a6582021ba2e7a81d1

SHA1
6e105217058834fbdcd8fd567be08725fc6eed30

SHA256
4155c15a876c1e11868e3b1b37d5586ce32d7cf409b3223bd23b3a3a1411c26f

SHA512
28796c09d7107532dc861649fcec6cd9b21e5367d8ad55b66d762516bd5ab40819f775d276a904e88b703f56617e387b601d2d4a3acbe83977dffc6dc7671082

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
6a5bc0a42cf990cd5ddd22f3d25b6e92

SHA1
9134c5cc87fba5eb64d01d61ead39b0cd012d301

SHA256
bddb9f64cd74421b56399f3698088c4af7a44c33e6005bb53c76bf8330a92d65

SHA512
0dd477108259a29983505ebf17f195bc3eb33c5824f82e00aeab66df10c6684a7d1163cef3ecd4e60ea6d964ef6abb66fb7bf26d3b8be8e2d8b332f15ef6e67b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
7f834a14887d79feec08c7b5e747bf70

SHA1
35661a820f74dd0d3cc31ca3aecc3293c6b6c3fe

SHA256
16dc2bfb87e117381596b00700dfc84da36c902c31425e6eb8a9d892eaf21ad0

SHA512
aef060049a7735cd14f97c7ab6eecfe6733e6fc24a34bed4dcbd1aeb81d8b4e672c07da09efcf062354201245022d78ebc4c8a0ca7283e18f5127b73e85f1c24

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
2ea6b316af37a891dbc30607eddab3fc

SHA1
16e8c8f76a24b00aff0a0d17dcfe18c85c7a8791

SHA256
f41b169b3def5478d6cbc122c0c2572fda9639e3e7485ba139fee2d5d7fce9e5

SHA512
1c97601db5f19916d12375ec227e81f166606e02f5044ff6d64463a4c0a1cc83a02582b856339f986477a7320f5e999db1f985e0d02732c6a67b2337687d1e94

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
df89504579b26bce088cd9a3d21bb1e5

SHA1
4dc35e402e533229a8138f3cb2bd22d90539e4a7

SHA256
5270632851a8fb12acd8331e1ed612eee8badffc4d5daef09a8f1a5b6dccafbd

SHA512
2c81491bab34e47d87eb868723911a5c1f031a21168e7264344e017f02ffea4be6189460b5268075d5500d23bb45b0fccde78c3cac9f23c7585ea7b8e41235e3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
69cc49e7deb3be2cf8127dcbb8897841

SHA1
07e3dccae61be0e4d9c7386a4e05b317a59b534a

SHA256
8989d50d40fa315ef1b78dbeffe06842a0758ed028f59bb43b3486be1a0dc767

SHA512
1085e7009a2f259a9a8df14fa1bc0484cc69bbadfb727a13c1479b66f118084e9c1268c8b6668ce514fd9a1130fdbe080f20d91f8e1f0f59db8e78a4924c6b41

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
603d1c0687fc557335c2f455332c9838

SHA1
d0ea9c7b446e722879c4e43b7a5fbcb211e812fb

SHA256
e9c301311da756cc4090a237044dd9f48f6334213a8555d7e5b24f7bccdb208a

SHA512
48718fa23586b2708fe3de89cc60ba61fbd66771ca7033c71e08d7cb85c78e7784c6d340f27c9613219b8ab8565c0d74f9647a9477a3ec1ad53ba4d868d0c7d1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
dbdd189e42752a733933c55b8779feb7

SHA1
8c1f8470ba28c4302981accab44d036fa7f96665

SHA256
e72f3750a94fa065fa84ca056bbd55b4096b91db76fe8f15888aab172dda7931

SHA512
9df4486aadc43f58be122931fb7c1605f27b81f67885e3c4bfe7d8566b4f84c1d808310e43eaaf285c0b95fa5944c9df10747be895becb714b5d29840004a675

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
7f852857883d05249cd67a9b3b2cf118

SHA1
13b355f289de3d4c5f9922f670cb6aaeca7b8bc7

SHA256
be1554cf68797a1552f30e5738a1436f6f6b30eb22efc4bf503c3ab3b9cb04b5

SHA512
bddeaa83eda4264895aa9b9843c293a17316694ca8267d221a75f48c614f5a2b87a455fc1990e65af09a4c5ae13f5ac13e0642c5e4d92bcfe9d7d49a96d98665

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
2feb76fe231938bf62bef30506d9c627

SHA1
5aa5a8d031095e365ad566f1652057a7185f2a70

SHA256
d019368989e2b7f628437a58a73850f4ad3411774090d16b80432e52a2b347e2

SHA512
65d41b8f6378f27aeaf9769a94fccb11bae7924ad27fd6bf19a85e4e5f09ab70b2476c2a8957713921972cacc76be4e68e1f643c0316b38e2477279222c4546c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
e122650baa9a755d5565d3609d080e16

SHA1
bccf863361c3c971c551abbc3fece3e431af099a

SHA256
ff2cf3c54a77ebbbaa09c161c61de4317487fe925799df22bb83e9d1f3ae0353

SHA512
12f5f192f7be0f1e08562afabdeff8814499f62c97e5e858a71aaa889dbc79bf1ca587397ae366e24e72e79c482ce0b607592fc63550baef768bb0d49ff24bf0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
3738e0d463b39cbe3d1fcb1fab4352cc

SHA1
d6713ef35aef94ca86a5db4e6e78e6fff5ade60b

SHA256
8df8e83c1d91e477fa7f04bc65fd27efc839b5748126a4049db893e166f8b169

SHA512
0650ba976185061bd53c38569948a900433b2a9aa76b519b2402cc07641a6f72f23b69a28aab7437016bca1da1c1b3b2f72f2abf041b804832ac779e02446001

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
e4301d7758dc0b086898abb3a1fd609c

SHA1
5651243dbc55086d94ef4ecfd83e7bf7be372d73

SHA256
bae6390b4b7dd8ef120ddf6465bda0b428afa47d21f24676961cd559e7e47429

SHA512
a45a46059b55f6b84827029df39e5dd6e108427870ca9d2bae8b059fc5a003a9fa5bb63acc5efa4731e8b5a66d8b0969ac443b35ee675542c1fa225489b73fa2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
3bf7af24c2eeb6919bb017f85ebbaa0a

SHA1
dcf88cdb2e107e5bdf57b70f56beabbb784c0174

SHA256
56eb242f5ee6a81405b075c003be03ca0241f2c5450967626550edf6b8019ac5

SHA512
6a30b72b981742afea4d03ad21522e374356e7598cf80da4f6c7a39a366b1257a33212de1ebf2347ccf2b97517c877358b0b2382c215efdc99149a8d8ee799ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
802d76c03f3ffd290695d01e46b468c9

SHA1
652f1c785c07c8050763c999c7117ffb8949d5e1

SHA256
ce852a7ac1fe3312caaf9170130730475e6e93873bc242afcb1c5fd7122c6f32

SHA512
a0e03bed6db910e13d4bb027173d0059f0b349a1175b666687c3a1b0f9f867ec858932e40a5ebbe6ea984126c8544cf884e294118ddc209eb1c3867db2cd90ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
0ea8169f1ce128d0052138b63702ab94

SHA1
eb95a237f4f7542a9d5fce5f384e7140eb1c144e

SHA256
62e771f66adb14856bf370505c9e819e2f07788fc93d19c583ddd518c8c4f63c

SHA512
5059f8affedd06206584cd8276cfabece3113a3828e5334932bff09167bda7f36ad0941138f90a19b9bd67a7355f017c54f256871333f7cd61c99eaaad9ded8b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
c915f4936da5160d1304496d193d37cf

SHA1
72fda77c3a297348920afa6f83d28f05742bf443

SHA256
a3c08748554db2fc1f127cfded7ae0d0d1693be474c713db2ee39c42cf67a0ff

SHA512
355775c498d660da4f0238200304045205c09238eac361c8337d06a3465a567f639dbd3a17c798b106cf3b9c984fa87b411bb0c0cdd0d68eff91ee5cd9cf8972

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
c888a9f8f3548f67237973d47227e29d

SHA1
101a2e5f4211ff40b4ec99715ebb1dfd6a6e51e8

SHA256
eff71bbd9a1021cdf0fb2579f47ba2f7dbf6ad1a2355a3f9b205c5b31ab029fb

SHA512
f192fe9d891ec2c24b15b228d8a273e9b65174472cc5ddd248d0e611c6e310c2da0c6cae049ffdb21cb6c9cd9044c7317d43168040c8954412ede36feb321a21

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.4MB

MD5
1735c039a493d325d191ef274fb47e07

SHA1
8cc70432aa1a7acd5c824f942021a7aa5bf2e1c7

SHA256
83616025fde93347825cee7ce60ee7b99ecdb1ce962f45aaff58f969a738cb6a

SHA512
f83d25e64a655e93153f894f5c301338442ba379c10fd3146a6033fb1c541c18b22d3dce8140179c03f8c7d6f47126d4499231860bf59baac0791f0378949ad1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
ef30ca01c1415210e3b8a09959c8e177

SHA1
eadc5ad091efee6442f4df5e3f9d28d2ecf6cc86

SHA256
45a8c0828d46f0e9b5dc5efd5f9de39e4cfb2d7748548b5311e4caf1e168612a

SHA512
6bae47c811e82812efb8d0c4a9f5ed8d308ca35d522c28bdc567f3f7dcce18f8635d2f673821300b65f70b4ec880d33153b92772df9cb8011de56259d8e175f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
3bf7111042f2b6a95af0f02966794292

SHA1
c821478dfde4fa126e7dfbace3f52a57a1e82c3b

SHA256
55e409685b461c5c22ba76064323fcad8ec56ba217f04db441401ed6c3c0753c

SHA512
da25ecced415be298fda790f9d7579e96ba9c37bc916c5b2c6e4a44e706d27de804f84bd85c5a556144054700fbf5e6ba0b4915d756697235fb76432ad2fc3b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
a19f76ad145f59774f38910c7bae9dfd

SHA1
8f981f0af9015aa6d7e8ec789969e355b8313bdd

SHA256
a16ebb3f5d4aaf20f22f8efe1dac06bbf8d2a92a99670c117588717d4b85074d

SHA512
220b4d9e061ba23aa72d6a451ec48ca2771fb8570399de55a7c2f2fc46496a5c4193cade6006957a2df577b5fe236efc460816a9fc1ca9f3bed870f6c3088ce9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
90f6b47fa2391ba326c9d77f71108949

SHA1
6c61c6f068d3f84cc83c00737fa1ecfc55b54226

SHA256
5bccbd5ed18efffb8e3d007197f3a7051de1eac759f0b8e36d8e0f6f5a71a555

SHA512
04d117e27258fdbf1ffd01aa77926df07efc27fdce7019a16b67faff255abb627c8a9288ba0e479f2f7939e72663986b78f3de4227fbe904da04c3fa6f5cc495

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
d46796a62cae8cab6b82d66d2ad04866

SHA1
d395327548f319e6736d4cc5b337e1cdee4ba356

SHA256
befa5cd6d39828f53a45cff3214ed284b4bb9f08a3d7f6d84cc403c2efa78793

SHA512
03f5e35b69a028839d644edf7e72eaafc73ac06156906ad3c720dfb78d43d1104b66e396203fe5481fb7dce46260a43d4b9ac1ed80d44a9c7b45ad690b759902

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
a0cf3fa70f6ba8854166287f077114e7

SHA1
4a3799845aa975a6adf47261958ccbf8fd36b812

SHA256
c5fcd2b0416024fc39ccb446ed98351c1fb2298d1ccff4a09f4b41306a2bc843

SHA512
bc32f8609b9352459df4f3bf64f955a331f2b9ce88ac8137eb0cadf8566b3752105f2b4f394041f56dc8b431a25c55c1087b879621b6b4262a32a66a3dbd223c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.4MB

MD5
4c0d9a33a4c4f491818b1361fddd8925

SHA1
87a8e451fe18c2d72111197a62581124d2303d64

SHA256
bd12d94016a67152247a2c6c6ab50159cf2a2891d28c902344f34205294893b3

SHA512
815c4bcf6a8de5c6f88a8651af87111de3dd9176abd43cfac9f6ee98647765dab0d43485af8769d5867f5caf40cbcb69aa277d37fd5ffb5e9fbeee344e333b2d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.6MB

MD5
123e15fbbd0af30adcbd6b838bb7c153

SHA1
bfac9ce4b0d1fb58f7c82f53dbd0098820a2c742

SHA256
b2e69ae45281444cf95e0d77ceea6c9ac4bf8ef0ba99b80fcff3469fa079a4d6

SHA512
08a1cc1d9340e51701e167f7c7a3c9d6b3a24d32cb7fce4b818eaca1ba203449c6824c823a9c12b190e6bcb0ba19b0b790354a3ec886d922638ee1d51d3c9db0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.2MB

MD5
aeac94263619f375d1771e7e7ae71acd

SHA1
ac2c56e17a2fd30d6c553f9e9a5bb4406e763018

SHA256
bc0fc1ae3762c930008b85400a6e307f690f7935186923523856bf0d554eebfc

SHA512
8d2c96cc62ce312682867c8bfc3cf4a23807c4d3c0339908b093797d3edf0ab19670666186e9c62e9fad9b198d81fb1e03a099ef0302abe3aa06dedafa142144

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
1.2MB

MD5
ce9b867779725f0ce531771eeb305c34

SHA1
e5eac3c028dc43cd97bfb99c1e18ebd69f20167e

SHA256
e3c48fe064e7a6e9506d44e6f2c4f584965e5393629b4dae098d850ec7d2d106

SHA512
0096a66d8aa0bfb9315216732f2076465d4b24a8753f888f858b53ee8fcb121cd4d20020b934b99f8c5d0c3fe7b1f6b160fc853d5418ed8081d00654e71bac57

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
1.2MB

MD5
69f1f36f7a0be83eb5cb1ab16f08d4b3

SHA1
8c7f8027292db0ab0ed4da5339c1f1d2dc396939

SHA256
63c42b0f24a880195fcf197dbab20c2c07fbe6608f0add8cd2894f5500c85b63

SHA512
63021fe6418abf9807cd5c41dcd0e55fb0bdff5142eabe158f283da4b46f7a7e578b56417047babcc352ead9487f0fc190532eeec759a5925fd15600596f0276

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
1.2MB

MD5
8e22f2b3f0bb63233709f5f6f98bdacb

SHA1
25f419050687041654791faec5adc260b094af06

SHA256
0ec6524105f135114d09fa20d07dd5ae1d04469e7cc31be99d6d895368fe8dbe

SHA512
73c4beefabcb6b6f7e0bef746a594a38ce0d6f39dfc7262aa98dbab43076dfc9174868b3dd4d923d2b7991f5bd87111893806f4342812c76ca2b75ac195adce9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
1.2MB

MD5
0cc0af7e4061637a0c4330e1007f2629

SHA1
9ddc1f9955c118254eb821c4bae1ca9874dff745

SHA256
f6db4fa03839350f7639682fe8eac47ab2d727f2f6af7417ea6925162a17e2b6

SHA512
0fe10fe3f4d793a5bf826d72e83e0c7e6d67e9f26813c907458d37fef435d730855575037362d82a8913dfcb9ff51419054f6d3485b21c50a17eeb60e0f8bb61

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
1.2MB

MD5
d2c5944f18677e942a8e3657bf176d85

SHA1
e9a8a8f57a3aecaa4731bb523eec32dab8ff1e96

SHA256
55b86f0115a7d8f011d134048301d19cec02d73e4a4196d9b767d0216c97c2ed

SHA512
ab201905680e0193867af07d7bbc3cb77b6ef54976aafcfad98e34251993dbd0ee27b353b786ab08ef1021ebcb9d030d42a4241ed65d84206503345d2e3277a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe
Filesize
1.2MB

MD5
67b07f34d368c10a4768e71f621c392f

SHA1
0a7132adca7ac1641292aa615ca233a21f9d643e

SHA256
f8b75ee9937e938ebf531fd28a94cc1ac66f49fa125a787077bdc7a2d3dd2491

SHA512
a550634c6c1dfb04b175c0e675bda867611972fbefecbe5665629aa2483f7b2ebcad91f02445982b8c6cd7b330a13aa5efd62ce96c586efbc589bd03feea3ee7

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
635df01959aeeb2cf0dbcf9c892156f8

SHA1
fd6e649ee8ea725efd11291bb11873c65887a4a2

SHA256
f5fb883e264821cfc71d00e7e040e5e06f98b90f759417fcdb9ca21b152ce562

SHA512
fb1d02d25cc0e32fcc8bd0c19868a1e28c08b387ccc9ce8a8c3db7d81019cfcacc8095c3bf23777db48c9fa81225027b54b1253d855143811efb38157003c79e

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
f5854856cfaeee6052195126692b9ec7

SHA1
465bac4b4bd60f6073d9ae81c543d9f219c9cd82

SHA256
a8f620bbdc31f003b4b019634d8b1bb8c944f879811de788162cd9836cd9b812

SHA512
c24352657837cd5f5097f74f593e83157091485b3fcefc59b45d512526af563e0a8ab03700c8c0b4358fbf30f95ab37e26fdb7fc21b34cb9b187f59052eea133

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
b3100bdcda853571fca7cdef26050924

SHA1
d38f7454066d342417fa219ed12548800a24432e

SHA256
9fccbd42a45a5f42ca591b7fdaf27f4c494ea5ff04a1708e33038a704c8cf090

SHA512
223c4bc5133c7e026cb64427d064485d5cab36eb5672875a612f46be91562683ea5552b26cc0c0929ad2e87b393c0c163eb5e99e4a10717a13220d43c1b09b98

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
c83fd9a14507d421e0dc24885df141f8

SHA1
13aa65ebb8ed39c8c1ca0e192917358d59de73b1

SHA256
a0e711e5fdff79ec0de4d52cfbcdb7aa93c5eb0899afe9e6fd9e55d86b889e7d

SHA512
7f9db03007f2d263af1527128c0852268ade3d56209b718e1a4ca9e52fc709c61ef43d8443e60d9f4597427e3a2811265d60d7655200f491cd19e827fa3a81b6

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
747871309e280532cb698ad11f692ae4

SHA1
3e439826288da21d30658e145cdbf5e1543bbb10

SHA256
b6ee1f6c93f3d982bc4b109d2ad8200d944ba4679a9b0503d94a620ff7ae37e4

SHA512
bd8539987d0cffa695fa4bd61ff9f6e7ee3d34d1579f1b251bbf6313c70948392e5f975a892472197ebcce59ea033de29e5cc24d00282a01369bf5b17a73a8ab

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
4ba30f7626181025d07d5fe52b3ae70a

SHA1
4143118e44650eead9475bd25a7355bb03ea34a5

SHA256
2b82db73343407b5a08a71f35e8c36f9b77ea396eb9c881eb6685df199202761

SHA512
139c790cd36d04febf91bd7ef7feed8166a8e9d765c5dd3bdaeb9b58deca5157c29268334af47209a03d66231da1c34b4e100363e5dcfb18c12ff983343d6e45

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
d02eae5b5e1d61c92e9617655397ae8b

SHA1
6e2d8815307cee27a91eb03a71113776753a0d07

SHA256
ff2eaf2162523518dd2571fdb13df80cf59542b8e49be397e35b81bd0c9029b5

SHA512
2e5ba53512dae6b42eec2c3e7fad796032aa576d8def9eb9205ffd02c6ba86b02dd8b3cd4fa7d4b01dac2b7fac8222c5671272ad1cc6cfacdf4d6f2fe71a2be3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
c6b6287a83c3b11f6bba2906eb90d560

SHA1
7264df3233a558b011faa413cd54b6c281ac774f

SHA256
a313c2375bc6b1f179e61158e4e8d217e473a55f1823dcb61d51648aee6aa11e

SHA512
b9be576865027250ce5fec84d27b0460d8d78ccb9736ee357acd51c95df01e27cc35d369c03265d2d1ef1db495af609661510f19a4831c92a0b0bd1662cf044e

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
1662f5e9438f1685326aab7a0ba69270

SHA1
235797a3853de90add029d215e9854d82dc20805

SHA256
ebdac469542cb9f333a28b1ba9c5d166d320e88230be503e7f5817131956a246

SHA512
9bc65599b045e2f5b5a8ae524f82a48fb9521216b7a0a1b48f0e75ae7608961bcd296b2b314057a1057abdf83dd01c52500099b8d419c7e91c85edb5cb895e03

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
19db96f8930abcb8c381f92e6ddb57e2

SHA1
d9a858bc65de5e35c40991345c4e2e8ddfc0159a

SHA256
054d673b4c6f31794e227b582440be10ce81fb0b86ef4c6b33f6089d9128f06e

SHA512
fbb1a8856753d54093179f1acaf521e809b7bb2c41caf9be1233c9b0fd9c15df2c60460791e6c631499b36bdd4d697f20e436b43ba850ae503fe004af8d143bb

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
a624367603d99dbcb04bc6dc134a62ff

SHA1
24615e0981485207414e5ff35a1842a190103ad0

SHA256
06dafa3e5f4864bca507ca9016effb6223366b425750ba1787352ad1ac0124bb

SHA512
08fc63bd88cc57d51c7fadd61ffe6d0c1ddd876d57892ea1ec88dc117eadef99a0e161c1e02b98177a42af1db5e625020b2e6bb1ac3182b0f54f57706ad8b30a

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
b89c71475e7e0528e6cca05e1102667f

SHA1
763fc2c738114081c52a96dad740bb178b4a3048

SHA256
8b48b541416350985550ffce92404ded8815fff15df9977a660c443a848e09be

SHA512
88c20eb333d4b65978d124a4e9d182d76f9f13e038335dd260eeec574e240ad3a77ee0a82f9d15234c54b177337282e80efe7f96b64932daf729c0c6d9dead90

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
a76eebe2470c9532eea129dd10136e25

SHA1
86658eecccfd59a1426ae2b590367786cc26540e

SHA256
965503da4c20ce4d813af07cb7859573fe8ddde29ad148150c383eca4ef09622

SHA512
21fc98e3a76a4512070a0d7c16e6391236c715c97d1a11d69503675d09c239d8eaf5bf1b75a98c7fd20af6055f47cb157ae19f53f97281d6dda42487b856172c

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
bde2e1a3b62c48e7b83bbcd45c482a0a

SHA1
19ee9b73b70338889f5e572c1efddee420718e65

SHA256
9cf9715b51715d4b21ead4f78cec14971a6fa5c1a93a3fa0f30f95cfc01ed6b8

SHA512
25c3a26e795da4674bb9ce1f45c5a79d2808435eba71be08fdef40758f424413e3c048fbb892e1a91cbf159802fd3d6a934a25f9618b058d509befa3287a9590

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
82f80e43ac396ffc8d4409edfccf2d27

SHA1
ab3b357dccc15dc8cfe4edaeb0e38e397fc55a87

SHA256
5be1343e5285f69b70b1ac815a7018bdd4da9477f980b0d366e73232aed9261a

SHA512
468e3cc17ab4c318adc86c8cd2d6936f27d95c42a5c37d69db25cabf0c539be74ca366926f9c630b388a07d263886710755fc9cc6f70c0cbce151570b19b1bb4

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
9a9267eb93c050392d4137b189121ec3

SHA1
d7bb9734e15b479673bfd01048f44e47c6f65eda

SHA256
b404631d9751a7ab37053a0e59bf6a5b5d9516420096314955ac2510647d6b6f

SHA512
bc7a7fff9206e01950213de614369705cf645d5ba9a32a17f410cad6d6e3558e07d02bed4824a51eca4b5ff4f165fa2dad888a6c26cacc585e837e05d995cd62

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
6a9cc3864718e780adb9c8fc66659f99

SHA1
104025b25c740cadfa402ddb074a4bb521bb170b

SHA256
7fa27b5697e94dff29e8fba32c1bafa28d19b8da7fc28809e780a3c7fb4370a7

SHA512
af72176d339e54c04d35e9966e85546d5af71cb8b361f35ef230fa5b99eb02267f719e425e413dd07a896fcc6eedfce83f1f9e5673eb78349227f0f5bbc7e45a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
4559163b727a967fb6b9bb3cc9990597

SHA1
d3fb26afd4744646282ada7715b14be7f5e279da

SHA256
513fc812f0c0776b2e5429d9150904ceb510dde609b0c38e5f7c719b5c3ce084

SHA512
1b100e593d4fabb7e9c46fd5b3e90cc19be6e269fdfdaa66267341f94c5abc1aa82f4d59f838e61d7ffb0d09489af9e5d389b488e21aa261a517e0ded1357a16

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
6f306b34b87c46119e941ce714f91cd5

SHA1
8589e47a2897d6274469557bbf60118cefc2c43d

SHA256
c3237965a95c50459700b445fd132db88475ea07ab9f87e7c199892adb507292

SHA512
cf580c70007115834c3920037c258deb0d6ba7d93ee9c87b3da40aebb6be737358910fb6024b30233c58c6bfd163dffe1c5f5db4edb49483206306d63a1ffe4f

Download Submit
memory/444-677-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/444-373-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1292-685-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1292-448-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1524-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1524-257-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1524-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1688-557-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1688-336-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1856-683-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1856-433-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1908-297-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1908-414-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2344-681-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2344-403-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2456-36-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2456-236-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2456-37-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/2456-28-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/2592-24-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2592-23-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2592-15-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2592-235-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2660-239-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2660-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2660-46-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2660-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2660-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3000-390-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3000-271-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3508-73-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/3508-75-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3508-62-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/3508-52-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/3508-61-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3552-13-0x0000000140000000-0x0000000140243000-memory.dmp

Filesize
2.3MB

Download
memory/3552-0-0x0000000140000000-0x0000000140243000-memory.dmp

Filesize
2.3MB

Download
memory/3552-12-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/3552-1-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/3552-7-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/3892-367-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3892-252-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/3892-245-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/3892-248-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3972-353-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3972-676-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4000-307-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4000-426-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4308-84-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4308-71-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4308-65-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4308-240-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4356-415-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4356-682-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4780-293-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4780-402-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4912-675-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4912-326-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4912-447-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4984-672-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4984-341-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4992-680-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4992-391-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5044-382-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5044-388-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download