4dcc1994acc6f52cd74a69264ecd22c8e662e781ec9cfc93b40b65dce5d56ffa

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_ce2f7957fc56fa27d7a44e5fe38f8dd4_ryuk.exe
Size

1.7MB
MD5

ce2f7957fc56fa27d7a44e5fe38f8dd4
SHA1

4268c2ceaa99040b00f658e511abd31ecad7986f
SHA256

4dcc1994acc6f52cd74a69264ecd22c8e662e781ec9cfc93b40b65dce5d56ffa
SHA512

fd5c1e7554e83fea12fc6d2f9751340b6be12fbb9c15ae942b7c203815b663137e3d16e70d4af56c58b9bfff6131254398f442beef1f95cca0e39310a66fe83e
SSDEEP

24576:m6V6VC/AyqGizWCaFbyZMdIuwe3zfIe7xmvH/:m6cbGizWCaFbuMdFrIe78vH/

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4720	alg.exe
4900	elevation_service.exe
3456	elevation_service.exe
4476	maintenanceservice.exe
2728	OSE.EXE
3068	DiagnosticsHub.StandardCollector.Service.exe
4176	fxssvc.exe
2760	msdtc.exe
3608	PerceptionSimulationService.exe
2080	perfhost.exe
3624	locator.exe
3876	SensorDataService.exe
4980	snmptrap.exe
3164	spectrum.exe
2448	ssh-agent.exe
2296	TieringEngineService.exe
3544	AgentService.exe
776	vds.exe
3612	vssvc.exe
2968	wbengine.exe
1684	WmiApSrv.exe
884	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

elevation_service.exe2024-05-24_ce2f7957fc56fa27d7a44e5fe38f8dd4_ryuk.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_ce2f7957fc56fa27d7a44e5fe38f8dd4_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1dc9657ae703f493.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{4EF9C35E-DC0D-40E1-941D-AB9119298CDF}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000099284097f8adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f1c29a97f8adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f2b32a97f8adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000153a7297f8adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e1d76f97f8adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
4900	elevation_service.exe
4900	elevation_service.exe
4900	elevation_service.exe
4900	elevation_service.exe
4900	elevation_service.exe
4900	elevation_service.exe
4900	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-05-24_ce2f7957fc56fa27d7a44e5fe38f8dd4_ryuk.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	216	2024-05-24_ce2f7957fc56fa27d7a44e5fe38f8dd4_ryuk.exe
Token: SeDebugPrivilege	4720	alg.exe
Token: SeDebugPrivilege	4720	alg.exe
Token: SeDebugPrivilege	4720	alg.exe
Token: SeTakeOwnershipPrivilege	4900	elevation_service.exe
Token: SeAuditPrivilege	4176	fxssvc.exe
Token: SeRestorePrivilege	2296	TieringEngineService.exe
Token: SeManageVolumePrivilege	2296	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3544	AgentService.exe
Token: SeBackupPrivilege	3612	vssvc.exe
Token: SeRestorePrivilege	3612	vssvc.exe
Token: SeAuditPrivilege	3612	vssvc.exe
Token: SeBackupPrivilege	2968	wbengine.exe
Token: SeRestorePrivilege	2968	wbengine.exe
Token: SeSecurityPrivilege	2968	wbengine.exe
Token: 33	884	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	884	SearchIndexer.exe
Token: SeDebugPrivilege	4900	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 884 wrote to memory of 376	884	SearchIndexer.exe	SearchProtocolHost.exe
PID 884 wrote to memory of 376	884	SearchIndexer.exe	SearchProtocolHost.exe
PID 884 wrote to memory of 2108	884	SearchIndexer.exe	SearchFilterHost.exe
PID 884 wrote to memory of 2108	884	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_ce2f7957fc56fa27d7a44e5fe38f8dd4_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_ce2f7957fc56fa27d7a44e5fe38f8dd4_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4720

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3456

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4476

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2728

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3068

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4696

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2760

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3608

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2080

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3624

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3876

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4980

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3164

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4852

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:776

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1684

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:376

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:2108

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
02817388211ad2573e074edb7424f45e

SHA1
3f8fd982e964307d8f39f449c87f9a4a80ad8e0e

SHA256
d4785c550a6c90131cae2db77d7aacd4012df3240c1579d71e49a3c4eb5260ed

SHA512
aedec8af9683fcb9024346b2f02371787d5982b9263563e16673b7afabbf7e5943b887fb06d93b9dccf7c33a83b421f7e51b3f448eba1a178b616ad29845c6c5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
2739b12087d660e298edcb49d3c36bf7

SHA1
65b8e4f5fd12d670d0f86ab4ef56421d38359221

SHA256
5a6fd5c72218645552fcc3284d9e2e94e6a7133586f357e4e1e77157fa4bd3eb

SHA512
a0ada1279d046e1d6e44c468059642a73049a54bbde84fef4676d099643f228e0a56836942697bc602e82c843398023feecb799dca4111e8525a133fb6d75fd0

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
8729db729fa00ae5b3d8d791e5b9b35f

SHA1
4abec25418ef0d53eaa884c6253f181db9dc903e

SHA256
80c0baaf3dac0844187418fa8989ed82b8e2f732a07ca952b4bd4086f57ad5a6

SHA512
92db680e615ef7af64df0b08c66dd098504734fcad52a52789ae0557bf851294c4ea70febd6e5b914c97eda019f504a453d5497f5dcf8d94448565c1e0498ca8

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
50c4e5cb0f996fc8e3e04966456709b4

SHA1
6e4b17593e774aa03ae67d36ca984e8e265a2f1b

SHA256
c372c91c76c46b5c126aeb6d39cb996403d04e90f91b5a379189e0f4e7dea7ff

SHA512
52fc3687752532fec403a32dec9994292816053e8e20010b3abfebf29824bd5f99bf2f77db2027b29d75689c657c21570b0af2cce0481988b71e28f9f39a566d

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
d3a1328aab1e6fa83f68401402b73333

SHA1
d9b62447039a3f27a61e2e52939f66fdf79bf7ab

SHA256
930a92b2f6edb60df42b4d4804f52b2a60dcc02da1be46699e4f42f013e60003

SHA512
d5d99ef2a747dd9ba1286bfd97a928b2fda4af0b6813fc440b71abcb63eb2e88e9b8e5b8f34837b5e43d4713cb0ca04764aa4cdd997ed198a5a8bd9f765967fa

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
63b71722320c719b2eecf864ce8f7740

SHA1
b46f4eda585ce864faa05251cd22b6e2bf73e3a5

SHA256
e58c3d92baf60a305523e1300d0c0e2221ab6ad3ee8e6649d154e3ee3ee54def

SHA512
113be14da0ca0b6067f9a8ffbd85811e2503d430237102cd98d76b337396180e9df566b4760d716543c2e2137ce555f6302c37463007dddd002a6494968486c4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
6f80527020ebd589b93b4edfc8f6893a

SHA1
c7e26af4030023bf74af66029d1ccabdc4229ca4

SHA256
e0f5ca73b469f385ebc44395423475defc5d75df23dfc93c4f6c5323518b8379

SHA512
0c33c3b8598ebaaf23adeda420d48db83f83967ba49fb7878866f1e8540ff1d595d7229dfe2b76db36bff3cfa9dc50731997cc706f80ee824005f475708f4b5c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
8928f3300ee2d4b767a24fe5c432c828

SHA1
9a30ba6dbbc179ee671b1ad1a22470f278ca213f

SHA256
e80b62c7df5b6e51c27c772daf7cb2380239694294355cca798a3f06d82ece0f

SHA512
d51d9029eda65297cde1c2c2deb3b1f91bdc22c3eba9c6d7e3c0b1562c9145b6a628c8635c3aa0aebbb3a070342dfd910d360677aa13d2c1f755fbd991ab0da4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
a25ef7af36fe7869d5a630823786a397

SHA1
09167a0d69ef14358089003108e8734a8f9357fa

SHA256
bbc3fbc3d63835c362f4077f2f1a37cace195ef5562941224bacb6a9126e347a

SHA512
1f6d42ab7f4fbf14dba4ea514fd9ec5319bc80ad655ec4ab3367dcc7ba89e44d7b02e71af2ec55b64f1d0ec71a3a565492a110b2bc112e3d61a74042da526458

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
34ece4cba216da54d4076b6051632259

SHA1
e34ba1612cfc9c5344429e5edc5087d11adb1d7b

SHA256
40ea35c00a089e750b17b7095549377a91613636f17f15b8c4daa7c142b04319

SHA512
7da76b49a98b7c9a561d82c67e6e0a1ce29b1e5bf97b7b6be5db2f18fe0a4cf2bf1a2b8648267fd4c5f11bf50badb0be16000315d456bc22591127089ffe238e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
68ca6450d903b80c6648656fa19b14e5

SHA1
932252ecd1e30eb180c7f242f0cf63bd3d42f2c5

SHA256
12d85bde2e3e1c6c4c2c554b68022bfaa18df10de4bf90b3aa3b0101887d7e53

SHA512
7a88a94662d974facd615b4330f97da02ded71726113db86576bcf69f52af76807eeb4c63b9a84bf88fe464f0c2edae6b84777459269cf90f1539bc119ddc915

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
67892f4b681088cee2ca2804ca04f206

SHA1
fe0edd8cc5052a0d2b72e179ce59ba788660efdc

SHA256
2b579b3f0e795fb349f39c2cb23d30d8cb086297dfb72268f554f3343c8a1df7

SHA512
5ed43d892c6653053ee62847098f181f712b5e5fb109c7dc1872a8e8c96049bf4dc5d9e06578a6dfeb03953680a8a10a380c5f64c3be3041c5398abb69485036

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
dc19d3a454bfc53d679eb5ec407ac5d9

SHA1
47757a0d00dc804f0a038d484f60a90219bc4922

SHA256
254a759a5d35acab30e822d151e8b1a29e453de8d1c09c91681e0b1439bac2b5

SHA512
8547c5b51ac24296305aaa86aef073ae8e1657b22bcd1a4ba855015e04f2b1ae8661eb5847ef424ad561124d7b9faf19d47c06ed471a1194a6c0f95b3eb3d778

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
5d1eef54a21e0f4c53367f0d4587241a

SHA1
2d18e6235ed68a73b433ed1a0014898eed28cb48

SHA256
5e6c79bb6d44401fd0f44c758db06950d22908a18646c966430b9969ecc51f50

SHA512
d3a9a996f009f7db1caa06e1677f85ed5a8abc9e36ba790c88add3862a0ea5b1ac9f6eb34413848f136feb71dd1fa5722099eed142d294e52344aee6b15ec0c5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
04dc9583ebe3e832dd1168ba94e7400f

SHA1
3be3eb73e55fa4b7b16f78ae08761f2638c8265d

SHA256
4abcbf51a315a1741a0f8c1e631819c077e6278273839443b0b9004fb8ea9e40

SHA512
247b9e138dc2fdc15c65ab302b6347b88b7259bb90582c5795a5cfe9b487b6484f2a6feb9db199c0e3d17f1efc3da9e3316041f635fdf99a37c6450ce757fc30

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
aa922a81a8953b7f33a32bf5edd0a542

SHA1
1f62f35a1eb8bd87a4294d0babeb458d0cb7b5f5

SHA256
279dd202e90374462fc774e55d41b9a56ada993b7bef6dc5aa5a24448413e3e6

SHA512
a40c08901305a2975fe2cb536c4f56cc0c380f272b16afd3d8171750e74ad650b9439384532a51b9862b6225320ac9cac4d073e2e8ee30bed21d22f295c30ee2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
fb46d4ada880feef380e8996b7b4b6c5

SHA1
0f09e56cae15286e4011c13cad363dfa93094fc1

SHA256
2536b3e716359f8b1f7edd524ef60ffc257a21432a8185a01754af454024a3be

SHA512
7e351ca301031e9f4816612cedc0280b4011ca75dbbc74d82d26330e429d1260149540521e1631e6c6c6a9217ed6e4ca1db96e1fb8b43aef78182e167f69afb6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
a3494874c4e9adf2161906dde06133f9

SHA1
3a52d2dbfc7c8c1e114a19e3fcef5bd021b91b70

SHA256
57a791bfb4bff6b69f1efbbe1ca4fbaaaa77d4c7ee879174eb4b87498332ddfe

SHA512
0aeac7c72674d5cfaa23a81bf5323f616f837d29e93dca5d31b3720209e6c37b99eff2234b593972de8523dd5df1c9411fd4e98abb59125e8ceaa83dc30c4a9b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
b1b803cdd31f24ef578fbbb6386b28df

SHA1
433aafb15c93ffd34d7892f7c0ae5b052962fea5

SHA256
ae73f2f094f362dda01639e520fdc4d1e6e5c6e353c2f0656f84958d62d115d0

SHA512
d78ea5e1c50bc8dd1148f5754c267b397722146d66d46bef668fd1f61f1bdfbe038348ca90b3886894dd3a81bfd255bd321fe72eb23e4d57b25e4f3586807d99

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
742a907a09df7eec5be7220a958c27b7

SHA1
eca7155f309bbe79a77607241a79261057150a81

SHA256
b1e30f6453da6588bbf94c74d677f8ff99f635e528f2b243140b2577da12f979

SHA512
bfa6292799e58a651283e001eaf6c49e013618c51705a22ff3a8007af890e6f36ff9bce220d01051790d0092e0c4e974e7ad6fb83f734e503db4c5fe8d598158

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
178cc6bd5dfc48d2b8d3b7ddecac9892

SHA1
6fafa718846b6fbfc15497dd31916e5671963f83

SHA256
4351633f9e2ff0c255a3cabae60e9a764082f72a696e6c506a800b081189b918

SHA512
a2588c8a780ad25f81a9f9b251ad4930db7b4149ea9910c74a91fd8059d2d157eded2df18e28c8166211c3ad5a48c68eb92a8d00d31dd5f89b08496947f41ea4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
f45f452adc8a8d552e416aabeb686327

SHA1
a98a0b07680979c17f5d9bf52accc294e9ebd2a2

SHA256
77e0ec3bc0bbf3aa735512b9d21f5ffb078535748b672f764b4dd804762d3c6b

SHA512
fc94c23b0934a5d936b28569392e6b0914611f6fb5d9c5d6a10bb315ac915dcf8cef7ed9bec4d8839f0e9443093b9fcab8c614ed43576a11b5e4d1947955bac2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
b136bb3698097ea72116626c00df032c

SHA1
c119cefb67bb556a7892f1cf32a93c19c1163e4d

SHA256
b8824ef4eff8caa027dc1dc286585f93229b1840612376af1dd83b9546434e8d

SHA512
2a3327efdcb8d750b935ce6427a56ba3cc9c5cd59d3c0136fae19427a7968cd76efefb43e8f54c94664bf7571997d574809d19ecf33234c5b155638d54b81665

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
6054529e36f862a0dc4285df0da51544

SHA1
c9f00902840b4d8d4035412b11e4a4190c15fe2a

SHA256
01f7b7b2758b7ff5bd36f1af9fb472a0e83b3f5ceaa8cdeb67300a3d4fed5f54

SHA512
b25e11ae30e911bafedfed43f4e715ab709741e4f90f7063dd124dc8696342377c1d9167bcc0cecadf44503af165937d206a47c4dcf14cff333e794dc09e389a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
83cd90970338d68d7dc856e399c8a0c6

SHA1
b1dc626cd08042ff95bfeb12b496451427ede068

SHA256
5cb4cd7f6983001328a4383bda29c7265a048ce72f633ea5e18645382344bc24

SHA512
15a61e22ebaf8cdc95a0fcf34edc79b1a6df58591047b99e543458a526af5c4f9db76c883bab6bbb4e8a964e3bf16ded3acf33dfce22fa21f05c674a7c8e9c1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
0650213b79c3b1daf9b60b238164dd03

SHA1
15fbd329526ff97c16d152e7827ba56cae0db98e

SHA256
921833369bea1af235f605652d6f3036498ac8e2794fba4efd84461fd3fa293e

SHA512
a2984e4f91e4a90b302a787c4c80f4ea9d0ca87bf1baf1fda6fba994ca6299b6d5717e7315bab7ce3e21b71b02721c00507537fee03c37afe8ffe412305d6a0b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
b76122c21dca570f20f8532803475197

SHA1
99ad4f55a802455e37246d295b2c5643d2085fa4

SHA256
0acea2cf17144118ce6305fe1666da6cfee3b1972fdf822c84cb0f797e87d837

SHA512
0d560e5366dc31dee2745001ed06e9f01750d23fda49d0c7c4a9b917423e225b1309dd27a2007e139d5de8feb8d22e713c652f19de4d3eb80554c187b3abb29e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.4MB

MD5
00e6e6ba9fa8e169571d79fae105d6be

SHA1
cc9e2bcfd28137f8703477ae90d8e340afb523f7

SHA256
7f4e610168abb4febb46b3d28650966dee8af8d034dca8ad8d0b6210ad82940f

SHA512
a3cdeb336c84125d261fe2c8d628cb1882b00a8afa98f961f0f556a1ea683533771572178d76a03fbad65b0d18c539757c986720f468bf6cb3ec1687e1ea8ec7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
37bc25d2869ef8a5dc2458d65da07fdd

SHA1
40a8b50decde385eecd2c6ed0dd6443f283eda05

SHA256
c6ef33e25ca44888e561bbf05e2a2aea8b22d2e6a25f2f18245dffa141a8ed56

SHA512
f929fa9ae7944ba0d853cf53a064f6d0ab63693eca717a63061e310bbb104ea3fefc531b488c984c790cebabf20a057cdcc2e28f07fac72aa295236561ccf91b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
1b277d28ff1b828d07250af81777bb4e

SHA1
dfbc632bfdec2dd96eb35a59c1952ed017b5d784

SHA256
792ae4e6f7783737d28714c8d8c55bd6504d57ef6419dbc59f30e6daec7d5b4d

SHA512
f652ee47eec714bb81275ddf4a75827249b132bde2aeabd13cee45ac9a721b34d71d526edb87886b9dcf08fa790e0eca820818af26be93cd5e0b56cdcd3cc334

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
2f5918cc5abd3ff1d5d5bec89f5f2dfb

SHA1
dd0b51a06d12b9f4e72352f626a607b7c6be06f7

SHA256
c800d1d9884ed8777a9a1902ea51486f1259f627ddac52a5a06f28708eae4552

SHA512
c97996957dc12b78973f5b5dbf9f4ef75f62c947453ebf91f6cf1bac156aac6df2c9df7b585852f3b14c4f1daa28fe389f1f02b2955c6c0620d7dda1390ab2ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
8845e9d7a9c91618bf8901c0d7ad87f0

SHA1
c410c1278c193fbc316d15d55ab00cc3951f9737

SHA256
65fcdd53c065e3413dbd4c6deff9b34d22325f52c0b7c5e9f834640e7c03d12e

SHA512
55fcc01fb903f4fd77d4568f8dee9eabaca40556c86f4e97f2a37ee5f110a3304d28e10e73275d9099e152a3acff3014f57087b139e8cf55240333a731e60600

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
405956e2131073767f89ed8f9cfe807c

SHA1
e02d8e98d55c6d41c3d2c401509476a1e1affed4

SHA256
44d07d994c4eec9ac3e8f17a7d4bb28ddeaaf21b7f1d04e4331e870085b0779c

SHA512
165f3f1d6aa770ab877d7161f7cbe93f5e896d6b2c78f432e15ec3ba28ba19cfef81eec1855caa768dffad139121fe346f5611e0fafdc760251e76cf996bd015

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
9a6e4d3049914da7a7a8b2eeee2d74e3

SHA1
63504a9ac10956bed4d2ef09a4e26ff3ebb71f82

SHA256
a0dcc12d56a468a80d4765cc41c3297649f50e66f5ca4ff4ac778c28e896f1df

SHA512
851a6ec23183759a7d56bf2697753e75eecb188e8eead21c806b2f85a3c18d5c08d507bca65aa1083c569014172c3f2f17773281d9de1410350dca1d2d590dc1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.4MB

MD5
c154d00a146b1f6fb45f78c6c8eec1d8

SHA1
8cda7d71bd92dd68f6d5c5ac60b71c4f4b47b2fc

SHA256
c562593d218f5e8a569ec955831132c28d0a3ab9c50fdf6dfdbc9408297178d6

SHA512
2f9d18dec12da50c7d9b0871fa58c52539f17238198ed1815303668ac50d91a1b39ff615fe460f799de831b9c06fceff2637469047aad032439c46aaae634e56

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.6MB

MD5
e5e0717035b97a303b6dd978c487194b

SHA1
dabad4c467a006f536594087934954be6d1adaba

SHA256
b9d85b5f439785545496394df1357b7c64cc9fbda13f6a0378375e60e87b52f4

SHA512
c804746985f0ad0c5ed0574ea004737872948675a48e51e5c250ec786d17ce8ad9a7265cc8ce61865f043213c6a09d1f996eb458c882934ffc6961655ad1e951

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.2MB

MD5
8a33675a9050a8029294f5cbe4149826

SHA1
7922d19aa9f923f975c5ad680b12fd7444a7f1d6

SHA256
0addd21e54342475a8ed1391943bee208a694fe14e06d6055660e62171c43a89

SHA512
89cc42489a5fa26a922df2782060f76e832e80c757fa30c712835f02d1a766bcfa5cd358c58b0c90f939de42e1c7757d3882cc4cae871c5790a55d907933b13c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
1.2MB

MD5
59d1e9ac17522ec1976b61d4c5f84aed

SHA1
1e5803eea4b958c9fb0ffb5a75515910fdf065f6

SHA256
8169390e0811fda02829b8daaeaa648844c9631ecdca1cef09b6fbdf071a7d21

SHA512
eb95dc7fdeeb0f347060fb90672d0d272c7098b6f98e0c9eac90d8054acf7c4a06923f23034ee90febbbcf9fc247ca1439d26901f4773443fecbbe2ca86cb528

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
1.2MB

MD5
3d2543bc579ac3b1c7debd6b4885e0ae

SHA1
91b74115ad21fc877b217970184ca413524bb090

SHA256
094ff16fd4d900db4e34154ce350ae42d552b0d0a0a563e2c2a8aa4e5b319e29

SHA512
a7edef59888815ba60f868057c08af26b51f4ce3bd463fc3f1cc4eea03430cfa32cf1bea00f759aee737f499a277fec3f08613178cbeaee8dd7811afd093323c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
1.2MB

MD5
451bbea441a12f7abec63ef71cbff3c6

SHA1
5532917feaf2e6b977c505a8c34f9acda7ecea32

SHA256
716d6b0ac62a5df9f9b6bde2464a86b8cd8333ffe9a20477efbda4d102dab09d

SHA512
ac296dc4c0d1569baec93a70cf7cbb36591d5aacc2fc6e9de0da3f6efea289cdb86f2ea8081c795c9fc061ca846da3b900a01730824d55dd4e3a152ef39322a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
1.2MB

MD5
34f174b88e108ba16bf7ec04897935e4

SHA1
5ababb98d2b5c3e7e33de6e942d241eb4c22fcc0

SHA256
b8f5a1313684308430a444009c573c77a165086cbf23f24f12e0913c840c4da3

SHA512
413ef2cc00308273a06f341403b912ce638c1f759436b34b9d465871a4430eb10cc64c238019848689a18e9dd27ec1ed6942f3f515182e0e0fb6662eeb90d535

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
1.2MB

MD5
1716d87e87e752d5953d922bcccfac9a

SHA1
09b961b79141914efdfbb0476c12d7e2868e0010

SHA256
adc60dd1a7efb1a5652f01319a549a8066f61ea0967f63ed54044cbef501558c

SHA512
d3ad9bff6dc7863cec16f364c4fd634590a440c871dadfdd2fa88026290b01e4ec064ea8e359dc92972a2ebf1461d5fa56799c8c0495dbfebf5a1abdca12fccb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe
Filesize
1.2MB

MD5
f82dee698c0487b209356cf48f4e2167

SHA1
0a881d8ff946e41f6cb18dd54d39ad9e6fc45b1f

SHA256
b5d0a433087226b36147e01cf21e3ea45c1f308b922756c7d82aaabc20ea1537

SHA512
451ab16a222b4b81da228ffbd60d7029dd566abfcb3ef2b232810d385c070b4a71719b19c3e33b0dd889a80b03f5af7eb81a437cd46fbb3a6fe05cd4b495f16a

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
4e49adc036ea0b7bc0c129cbd2bfef1b

SHA1
045b11584fde6dc59194d46f3ba6199183c132a2

SHA256
842d33ae54fcf099edf0647bdd20881c3f6e44b22b8148f54ee779c854eba589

SHA512
53aff4de2a845386b113312f199e38c4866cc9a2884b3508f0fe8d2b1fe4b8302717e8b821c7cffd351cb55bb6335c0bdc74c8921fd0b0517e9c438e4db17911

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
0daa69b1feb00c5aa937f515df05c008

SHA1
28234b76718ac3d0c78dad28182ba32da034ea80

SHA256
1d6f7d17a13fc61da4b09c8e57cbdd9a6ba0b571d89d0daded787b2a206ef917

SHA512
7106e7766b2eb285a2a1a13ac4e915167b1343b3611cb056d1d567d18f1c5bd0d1538e11461d3911c31d3b2509ffec4ebca504af9ebb97883c75068b8ded7358

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
92214f2deea57d3e4b2a7b25313e7697

SHA1
c2970fe9a2d4e4fd2f8097cad1f7d43b91af5378

SHA256
263dfdd2f376b573bbec5ae020efa09ce6bf226de669c3b3f7fd10f1fbc1b6dc

SHA512
0939a5215207270538d286c5b8e40efa88fa9267ff0b6773c12aba6e71c318c4c8b3d5ec37918585410b1f53fa30f8f384d7020c3dd66e336dda51a05453f1f6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
f4674e42e7f06cd72758e2706e62443c

SHA1
2736efd041ba89059dad86eb22a52f4f9078c942

SHA256
4edf64ff6d68f87e2d54be3aae7ac0d1c0034c594e291fa56c8a24fb1ccd4957

SHA512
d3d149b0fe2a722e54720fcfda59a39368fdadfd9687cb20f942b62255981d7106bbfb0ed3dbad2b7fe821db2597c7eedb7a7a8631d8fbd239a1aa947fc9d66f

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
05dcd59f026617f7f57d1c26aac633ce

SHA1
b270e0c9a95e698628095ba2a10abc2c0a754d7a

SHA256
7c0728c1aaee90ce2e91d51eb61633bc0804dc25a083e426a3a501d41ee334c0

SHA512
5ca40e5e77d817b7a3bc60438e7246f4fd296ef2b7468af66582459a7e58bf73aec824b1717d91011f126853eab6aef21c0c37bb110ebc8c12369bf55b9e4514

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
08260e17bdd392f5b2c6966d1bfbef1f

SHA1
942c454cde10b57ce08d7f11c2d8b8f78b039bcf

SHA256
b94acbc4324b4510b3190774b08ba2133d54092d58b4e374938d829e103c875a

SHA512
4614cfb974a8d4e536efc9745cfb7bc22004cad27c1fc6d37d2e9a17cbef4de16040577f90ad155547e32f3e2e77e404a9a36a2d88242415096bff622ad293e9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
57c82e0e8ecdab4315ca440fdcfc051a

SHA1
974d7be0789ffdc7658b8edb7be8075d07df9dd8

SHA256
464123cb478f762d50b8534d8e485c4d87a6b7d41e9bbf694751e88c95a2902a

SHA512
d5270310daaf2212eb5d516931e449000d6f9b87881cea2970f789316cc4410cdd4ec6696631ea4f9c6a3107736f373d9e679bab70c2ad0281a449969becca3a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
65bf58d624a8fa342125e2b93cc7e9f9

SHA1
c673fe68fa6a774450a5f2b96fbef6b5a4a3bb46

SHA256
84c45d3af669ab263edcaf25c6d91416d79d684feb541afd4b185cdf5720ac86

SHA512
50a78fdff6763c4223c96a2ca19bb6f2809f0c3ed7c1ae86fdf630cb52cbf15f4d7e1a51835b1a2a2e00ca4385392ce1825bba3b8da6d4eca4201c573d65f3fc

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
03c569cb37a1c07d7a008cf8221af3f1

SHA1
9ba679b71fdf2f71f6da6b506696373453cd0bc1

SHA256
ae47f0e4e156f2ca17be116e7a79bd9e96fe7070a91dea3b7f072bf8375dd9cd

SHA512
a34b28135b8d378edb5cbd3759b7bd7b1019474fc220af2bf49478479d628ce93012c696a8cf5b69344ace6d01a9cf566f56e03ac8fc5daa87e94cc8abcf6a8e

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
73fc34faaa76e3eb4bce4d34fc501e67

SHA1
0f1c33997691728d2cce8f1e5cb6cec2bceba5b9

SHA256
cc84200b05b803d2ce05c757510714ec6dde2e4c627ef1b2b5f6ab5708672125

SHA512
79e2d80c80660bcf6554ae4ed96fa3a946cc76d231d03e6ff2afc3aac24d2f36ece085c5368a3f29d0bb133a9243e52cecd1f75422f1f308108720c2e6baf390

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
bf7f774974d91e23784f2b3ded3c5402

SHA1
125a94c72731f8b91ffec9a91f3b200255eaddcf

SHA256
478c3fa251ee3350a91ce2aa5369dbd2fe8514a3cf088979bf1ef16562399191

SHA512
832ae69d2a1380471c4f181d1b5ca4880fb3d38d0c4d8b367093225b67f477c3f4431c25bbbff7ddf8bf1ca3fbbdb0baca4d47252009d00be18df7ba6bbe2372

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
9d38415e9d7c46af01c0d82237ab73e2

SHA1
d48a4c153063a3f9b1faeacc933e04469dd569eb

SHA256
4e681a22aa95874cd4d463eef788ab1f52e6a8a8eb7f42ef926ef188a650fe52

SHA512
89f6d5476e3c3ba53604741b5a7c480b83ebbba5939dace8fa453f2c5c4c57c4ee651ea7cf64cbe39cf0e9e4d465a455576e4b12a43c9aa3bb6364a634521f61

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
671ec6449b07b68633063f228b5bfac5

SHA1
48810f71d2f0bf76baee791bc3cf01bfc21715ec

SHA256
1f3d966528d2dc719d3d6d0872d4b7215ae2335c851f573014fafa59b6f8bac0

SHA512
c155b3410c7ee7e383f2be44056028d4411b506b2495f9b2cbd508b6e6eff638f6d8844d8d3bcb946b0da645a2ab5dd23e21298eca44097ebc6a90678b577537

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
380fe2c566ddf4776724fe5589896ad2

SHA1
3701457ad8ec922a54f2813e3bdbe54294c3a6c4

SHA256
66b7e512a97479b2f5a5e4deef7402099e08f8ec1720462f4038f0179bfed21a

SHA512
31af9da31559a1b152cac8e9cb96b7bae7ddcf0bfb17358914dea4ffbd733b1af36ccfe9a13b1be5870d4dc13056a0c97fd5b033e1c6a9bf4a726892b6bec27f

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
96827d0e87c1fc6de646c0360700dc70

SHA1
d341863b576748df8d72a60be5464a498af63a2e

SHA256
bfa94891c1bb818d393ad917e20b51d6b3b1733a87229c3af8f1c64f9fae692e

SHA512
d614276e47743be303771680d714aa5cc2350ffab0e530748eaa4fca7c51cb1730520516d0c47c35fef64afce83d53a06b89b1700499d0a4792d9f90cdee20be

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
ecfae86d1d2054f34e5ba8e60df983e8

SHA1
0bf9c15a2cea96d031946fe04c07db6ce72468d0

SHA256
256ece84b30cc3a24c781ca24efaa28b44d3ad9ee7771ad5951710d0bba03f32

SHA512
bd380c73dcd320197d0b8d804497b3bff02d25d2a1d7690901ae65adc7111b4ae8fd0b1377751c1ad5639e22d2951a58355478ee9b2d16f45fbd163c8a4e2b95

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
4705c46a9f097fd606c5502cec9b6da1

SHA1
6e5f0f12b4fda6183995355cd9521e9cc4fc88d6

SHA256
4fce8382f07397f8d7bbfa41ca14540c7e878ab7dd9a8825f4a671065adc70af

SHA512
ced92ead0b76f81c40109cddf3bc97a2c0ab7e59997e9400846966d8cb7d62158340e1ae45af31e3ea55cf7e50d681b7c1f44d14f75ad08d2e7a7b26f3f5b705

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
a380df1cd652303e16e6339aed72e23a

SHA1
62aca841b93efe56fb9753a8e92047ce5e83d093

SHA256
9a8f62c6b4287d45d677e54fcaaac332d09e5a283cdf75d87d9a7bdc124e11bf

SHA512
70ec1b44092e745f6835479fe5e524982d25a6ed1af366dd4ae08163bddf0f610e3a94a46ba3222813247babd02632773f972a332c4a00e8166b41c99ee3aaba

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
62f73282aa4d29c1d643bdef85fb0eca

SHA1
abf04b3f33f930c74bd4f83f747e73821a727b5d

SHA256
f5043de233eaad1bb2f57d9d97ff7ea6b554eb10ec4e3188a7cc221af6eab6b8

SHA512
1c3ad7f6d17d7a8f9d13f779688011fa2b34c9a5636b5b4b9883b8eaab1f3e1b0c4146d95587801e75176f19ee9d1a5da247eca0e1f924a70b127311eb10dd15

Download Submit
memory/216-1-0x00000000021A0000-0x0000000002200000-memory.dmp

Filesize
384KB

Download
memory/216-7-0x00000000021A0000-0x0000000002200000-memory.dmp

Filesize
384KB

Download
memory/216-8-0x00000000021A0000-0x0000000002200000-memory.dmp

Filesize
384KB

Download
memory/216-24-0x0000000140000000-0x000000014024D000-memory.dmp

Filesize
2.3MB

Download
memory/216-13-0x00000000021A0000-0x0000000002200000-memory.dmp

Filesize
384KB

Download
memory/216-0-0x0000000140000000-0x000000014024D000-memory.dmp

Filesize
2.3MB

Download
memory/776-672-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/776-383-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/884-676-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/884-440-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1684-419-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1684-675-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2080-406-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2080-296-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2296-365-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2296-669-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2448-353-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2448-668-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2728-239-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2728-72-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2728-69-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2728-63-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2760-270-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2760-382-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2968-674-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2968-415-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3068-250-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3068-360-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3068-252-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3068-244-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3164-333-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3164-665-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3456-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3456-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3456-49-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3456-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3544-380-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3544-368-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3608-282-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3608-394-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3612-673-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3612-395-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3624-299-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3624-418-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3876-314-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3876-664-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3876-431-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4176-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4176-256-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4176-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4476-84-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4476-60-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4476-58-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4476-53-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4476-74-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4720-15-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4720-234-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4720-25-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4720-21-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4900-36-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4900-37-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/4900-28-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/4900-235-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4980-613-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4980-328-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download