6bd58fd9d13a53d2726977809c99633dbd475a83c029b277a90000760e898726

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_9bbcd0cd2829a5502075102fed2e8305_ryuk.exe
Size

1.6MB
MD5

9bbcd0cd2829a5502075102fed2e8305
SHA1

8f3e0bf50f6a4530919bfebc44978caf984ceba8
SHA256

6bd58fd9d13a53d2726977809c99633dbd475a83c029b277a90000760e898726
SHA512

27c5208c5c7e32d734a44388aa93811bf49aac7eb1638924e9d6c2484a9ce018c3bca7a0d9eaebfefc3b941e4878396d23c70273f2322b34672228ac5bc8c3b6
SSDEEP

24576:L6V64C/AyqGizWCaFbyuMdIuwe3zfIe7xmvH/:L6c6GizWCaFbdMdFrIe78vH/

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2516	alg.exe
3556	elevation_service.exe
444	elevation_service.exe
4236	maintenanceservice.exe
2952	OSE.EXE
5080	DiagnosticsHub.StandardCollector.Service.exe
5100	fxssvc.exe
4644	msdtc.exe
4564	PerceptionSimulationService.exe
2656	perfhost.exe
1576	locator.exe
2756	SensorDataService.exe
1856	snmptrap.exe
2724	spectrum.exe
4680	ssh-agent.exe
3168	TieringEngineService.exe
3680	AgentService.exe
2500	vds.exe
1208	vssvc.exe
1084	wbengine.exe
4936	WmiApSrv.exe
3136	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

elevation_service.exe2024-05-24_9bbcd0cd2829a5502075102fed2e8305_ryuk.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_9bbcd0cd2829a5502075102fed2e8305_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\29acf6c1e703f493.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008248550f1eaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c422d5101eaeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000077ceda0f1eaeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000036c5f111eaeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dcfe8f101eaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b7ecc0f1eaeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d96373101eaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000051be90f1eaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
3556	elevation_service.exe
3556	elevation_service.exe
3556	elevation_service.exe
3556	elevation_service.exe
3556	elevation_service.exe
3556	elevation_service.exe
3556	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-05-24_9bbcd0cd2829a5502075102fed2e8305_ryuk.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1840	2024-05-24_9bbcd0cd2829a5502075102fed2e8305_ryuk.exe
Token: SeDebugPrivilege	2516	alg.exe
Token: SeDebugPrivilege	2516	alg.exe
Token: SeDebugPrivilege	2516	alg.exe
Token: SeTakeOwnershipPrivilege	3556	elevation_service.exe
Token: SeAuditPrivilege	5100	fxssvc.exe
Token: SeRestorePrivilege	3168	TieringEngineService.exe
Token: SeManageVolumePrivilege	3168	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3680	AgentService.exe
Token: SeBackupPrivilege	1208	vssvc.exe
Token: SeRestorePrivilege	1208	vssvc.exe
Token: SeAuditPrivilege	1208	vssvc.exe
Token: SeBackupPrivilege	1084	wbengine.exe
Token: SeRestorePrivilege	1084	wbengine.exe
Token: SeSecurityPrivilege	1084	wbengine.exe
Token: 33	3136	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3136	SearchIndexer.exe
Token: SeDebugPrivilege	3556	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3136 wrote to memory of 4620	3136	SearchIndexer.exe	SearchProtocolHost.exe
PID 3136 wrote to memory of 4620	3136	SearchIndexer.exe	SearchProtocolHost.exe
PID 3136 wrote to memory of 2708	3136	SearchIndexer.exe	SearchFilterHost.exe
PID 3136 wrote to memory of 2708	3136	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9bbcd0cd2829a5502075102fed2e8305_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_9bbcd0cd2829a5502075102fed2e8305_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3556

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:444

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4236

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2952

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1228

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4644

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4564

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2656

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1576

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2756

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1856

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2724

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3304

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2500

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4936

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3136

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4620

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:2708

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
fb40d633e90453a32006692aa2a93708

SHA1
357ac0cfe6cd0b675c3aa9c94363dfd856e6a266

SHA256
f86c93e197ee7c06c37aa85675286d60e547f8457eaa40d6bf495dd9a965de34

SHA512
a1330c2d3f213e902a244d5279d64bb5246cd06bb5a1824cc6d5f7c77e7fc4274d64c7da9a201aa50ead4843f0aaee4f6d531100a476dfb36ffdf5b5c6e691c9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.3MB

MD5
b9f215728178e5a4df2b9daf8f16afae

SHA1
0393edb46b90e3126cb6e4f9fc794c42ec9c8432

SHA256
8fea094af29fe9a5091707d319385b87202afda44ffaf59dd0a98d4140253045

SHA512
1483851b212ad39cae1f24c04593d040d491f5f0d7281eed66c7e4f4ea442af62e4091a048f85f7f1d4207e7ba9a5aa7ea9bc1557577e596689d4ae229ed576f

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.6MB

MD5
31ee660a9ae88240b52556d90a9c4372

SHA1
16791884df9531e06678f8e6807736763a1d9b5e

SHA256
20223e8fe8cc341bdabae9c1d89e5db1da1e4a41529b6140132b98a358fa3a5b

SHA512
da0b3809054f1dc7d76aebd714af4f05aabb0143d14e8e9971edb0e2f54e663d7d45f88bfa5a38623bf715a7a2c9bf2e42a9379c25f4d0a3aabda1e4be52c2fd

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
e52da1d81cc254faa1607b7b871832c1

SHA1
5587bc66368c003d80190f8e7d4c4b8a0364e2a9

SHA256
1b6ceb3a832b5772d86a539135458733597b3094983c9909835668be04420d60

SHA512
ff4dc86a30f58e8c05e0117abe3d32ca0cccdc75dda1594a62bf30b0bfd5cabd9bd41076346b019cfda6711f73a1abdf9e802dbb5e59313855c36780b6de8931

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
2c242ae6bc1c92a54eec8ba1f5431555

SHA1
94fa121d9f7d2062f1b7a75b29d699d04ffe1175

SHA256
f7b5bd1fd0a6d3f935bcb88725e4bae010adb2bc4e2421a40a956a400b48d691

SHA512
45ad77e74cb38daebbce8df21a61a655d9e6d7acc335c93111e9b228a55d58089a85362330eedf7b19f842b6861c61a42a06d6249294ddc13a52524503fb957b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.1MB

MD5
d7fb9aa7c41ff0923f2c089583c73d1b

SHA1
37716e72d3d1fb03bee104a779fab5c23f0aada7

SHA256
38fb5b50d88f2fa2ed77cc05ee869189a40ffb81d760f219d979052189367079

SHA512
3918cbcfe680dd3f1e2952bff1ec9b6f3258387d01f73d710c4dd2a8e3267857f914f8a6d4c6a6aed26b7430e3dfc87c0f29aae86a1a66c5867a2d0958ffb9be

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
1b44ad47ebce0a41e813f0238b7ac772

SHA1
01e8f0161dac3401c76f792f97daabc4c05c60ca

SHA256
5aec2c05091e98706d3c9196d5ce98000501a00bd912c5db46aa796453d7a043

SHA512
446f11d736c055474f62934128c51950bf15a630b3ab57977d0031c90612dde404e07770af7195a03f542520bcdb0887bee565b9dab34ea5b1dfe686ba14b09e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
55c41acec438c300121e48acc64494fc

SHA1
073af64e7c262c28f330b9b69615f50a38695c4e

SHA256
5617a2c053e2af823964d19230746705106b1b1dfba883612fbfd9271a60514f

SHA512
4897493cab57fe15712f57df7d2de7aa235f11741c6bcc06a7bbfc96c36a307412352b517c6812fa546639a527aa19126c5fc923c1964cf8384f0b6dec057700

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.4MB

MD5
49fbbb291a819551711f4de340d190d4

SHA1
bc1c799d8ba6d1b18901c31a1b594771e1fc5bb9

SHA256
50ac54686ed1734b0d7caa22e798f18fb301759ce0ce331a4789e1d8dc2b664b

SHA512
ae2fa7d0e5646b1a36bf1b2dd71d33c22f1ed6abeb8e36742739eaec4966d3787ace27d41835b7e2ea21bbf26375894f13d44a9c2275f459488c3d58ade31e77

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
ee6b7d243c52fd6a4817396fa7dd32fb

SHA1
b8fca73e812f5c6eb81f4750fdbb7c7eae3fb317

SHA256
fa463c6efe3a7f70014185e3f551ac7f1ac93221caefca0cdaa3e96393d4d45e

SHA512
f7fbdc48e9e4986e483db445febf88d28d68ca48ddd254efb008358bd2b232b728a3b8fddca51c66e7af813bd656f0eac8ca29d54bf77135bbe221f5b3e4a07d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
5715f722d2235259f94ff4e6b2da559b

SHA1
d26a52aa48ccaf089b9bda1d3b608b443a83772e

SHA256
a9b2b9f7c8c4a31e1f10879b6824cb9567a9bdda35125d1c496d56b945edce2a

SHA512
b0aaa439e4c2c9b65c155f8a3dee53de8d4e8c3d88debc714686e4120f83d67405c8e10320cfbbb60b6e8fe302e70563708e71f261325a1d05ad016202a476c5

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
81ce02d5a18b3e9a558fa3d683988495

SHA1
9a3fe253310d19f2ec0335e750ca6ff203cac89d

SHA256
931d846f92ea9717fedd0ccc1651d0c418634a91908c1a0d5335b0d1875882db

SHA512
f8578fee84a7988a73fc80fd0d15cea7e0046987a9df88742ea4fb03f49e5babc8ab1b8c8bb93d53057a421ea721168f4dd42a6d9685e5bf8c9d81d84fe4f060

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.3MB

MD5
70f6b12f156d751dca6b78108d8e66af

SHA1
0d4d2a3dc8a391fb1d95c2b86ecce42e46a5eb4a

SHA256
626ed0df2c428edcfbad01df3790b66471bb6ba6ec77ff854783e63c5c2845f7

SHA512
24f8a811ffb1083624daf4719cf15db51c35cbd994b71e992fa73a168611aa651ac3353976a7ba3be688b55f41eef8b509625edd26f97d8392cd9f0534e21a24

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.2MB

MD5
57b0218d4f1d1e7cbf3ee7568b1537fb

SHA1
ffcde13cd0d3355ef7ec52694955073b4324426b

SHA256
f231273d0684e85192e3302799be7151914f54a9b55cccfd8bed5138d3d8b246

SHA512
582774bfa7b67a2bfc80010939fc7d8e18d237ebe22f90d56b3adcbe1165adcc3b7b064991e5769905a4b4ffcaa61c0fabe61a0353910e3ee535feef8bff5778

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
fbd9d01587fcb7a22fac4fd5d81f954b

SHA1
a133076a3332d001cd4444c0fdac09c3dfc601ac

SHA256
42d2c67f44ee754c3ea7ba837c6a40007119218b88cba329cf4e602cbca2e0d2

SHA512
b8ac2a8041d5f1c2e002212a198aacf04267feaf299fcd78b87accb21d7b9ac0b54521249d8c12de85ba5f1776a31e96ddc1aaba3eb9cdeee888237e408f2ec1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
27cdaf7fa7ab6af4dd2584a0471399db

SHA1
caebe6726593262070c1e6b4a9c39523efb18f5b

SHA256
4b2e58bc65c4d54bacfd06a4804fc9f43a63c0209cf952eb1bcdae45b3572c72

SHA512
6dbe80be11c719511d3beeeb826acbe34abc4bff3ada795654ef9e10396f538f5c74ea64594a2f33b13767f45adee7b387527195fba6075a8a45b0265e987aec

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
3334b3d6c8b5fd0087086265d0d67014

SHA1
198edc6a8a67ea74d3832e9a6edbf8e419ee4c07

SHA256
6923ef58301c7117ad31a84218300b8edf12827e6d911de27d149709fe3bbd83

SHA512
a1e0b43480785d6db085b21803d1f87279025983ee9947f6a18d06a39d6f6f84c19a80d5eb4c34bcdc420c25f94f3a96bb4b29c13f228ec1f3cda1db9056ef6b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
080687dda107960b2c8e7146dd106062

SHA1
9f4b7b311157487e7493d0e64ac34e39d9a561df

SHA256
9b861993b058f295cbf66e031d541ce412b0ca27ad83729a5b4fc88fde403e5d

SHA512
e5c796c5d53112172acabcdf56f489f12edce5ece5aead23738a9351dfef9ffc553af8aa569419d06b561a5ad39801b77f8ae028049213021b37b060c70e862b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
1cd0dedc5baeb2729ca2494f4d5b5d05

SHA1
87b4f1a0b33700e3c8e0e5a665eca95f5d623302

SHA256
2bf179584c443709a79e508d9a5f3ccd5b35deabd6e5f80db0aafff82ee3f8da

SHA512
31ea66032aab10c88ab9a5a2e803fe4fa2fc07f8dc8ae1271cea61f8f92b7bb3d82e2f98b7135cd30d537d34ed80bcfed482e391b5647ce286804a6f67bcb2b2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
247dae4222e0b5d6c32220f047e9ca63

SHA1
122e3617846b5809f3995ee86e5293257be84b90

SHA256
0bde4ea4434e3a24cc6e6b5ecb544281d944cefdd2164813f647ba5a7f888824

SHA512
52221c0a6534b4e19ea0bc52f4aae50b89d0a0782eb399810071e2043764028dec77e30a9e6729d06700ebfa753da0e8135a8d7db34939d696e20bb3b91e79a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.1MB

MD5
7561eabd3973d29d443e72f5616f5f58

SHA1
219a37d2df44201294e5707d247af289c1b8000d

SHA256
9557336e61a9b5a60d293cebfe3f3705501bca2a379e8fa156eb899d5b037d59

SHA512
2c9db8dec36a7e55c4a55718dfdb4bd68d5343dee02b0f94b94a30f71c9e0655b3de7aeb80cdc524fd98fdd061c9cd289fcbc3c2668f614b314e03f0cd7166f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.1MB

MD5
72b3d10c0f0c822b29312db29f0d2326

SHA1
2b375b0c57a3d651e2acedefd95d57604f359e3e

SHA256
830274620c4bcb82843fea834e977d8c3f7e55877c08c0fd828230765af40095

SHA512
865572e74f4c027a7e739547432c60f5573aa638deef8924c6454ce49cdfbf9e23d30f7b4de06aef00fc7ba436831e9582975e7b356189fa3751cfc27268ab88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.1MB

MD5
6fa8bc6306403d5a6a9944a2d0454ea6

SHA1
c9fd6abe80547fd23f17af3ac7c8c6be6572078c

SHA256
a061201db43099df80ce1b5e8cde74318af3ee568119b9f717d1cb3d86aad528

SHA512
e021591dab46f8f16a3c6d58e52800cd6329751d2497c1d5e2f38506b4c41ab84317e1099fcf35b23eae36398f93d4bc41ae819787bd519c4552cd0548ee05ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.1MB

MD5
8bb0d34a3de77724d270600fe98ad191

SHA1
273b29e0b87b7e8c047f49653a2d489110dce1ca

SHA256
4c2365eb83d2de5b310c31d54518abb6ee6d1ffacad81ce1a15bc71478b6d9b1

SHA512
a334718aa243bd44744fac028821480eec317be2a6c5fa42a978b8a4a428b874a1584f436d3d11b4fd03b14e74708d6de99712012b5ea7047877492171f71c24

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.1MB

MD5
19d8190399196a8a0bbdaf7aa7c3a4e4

SHA1
caba9c62ee8e2e95a76fc25185cbe1952b375a3a

SHA256
c85310d0ad5b7fca93f515091845436e5ea8ebaf80e70679c2451a9dc833d11f

SHA512
230704878ca80a7b59ec3999da4ddebdaca056a68e58f1b9bda941af6feb0ae5eb25d96610cce32324a5d8b3ace0265c7da68fec268dc887901646b16b689e05

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.1MB

MD5
aa428d0c8791720c2c8e0ec08485e3e5

SHA1
68b886965cc7a472a79b35d4841a63f1b0dd249d

SHA256
c53cef0a45d4d0b8b8dae9ce8ee2c68dd5292e5dcb9c002ef89c7c24ba9310a5

SHA512
5b0da42f12f4d8022a73733dd2b238eea4d39ba010fbc163eef591fdec7c7e288ca239a2fcd9072f101644f84cc0ce9ba3a232343dec99cf1e9f68af39bfebd2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.1MB

MD5
815ca4d65fe46551157efee87061556e

SHA1
f2124b8281aeb56c8e4771d03db6f512d9111499

SHA256
c70386479ec198374e730d7fccc09e8bba83d04333fcc1faed12025a96ac1149

SHA512
e8b5137c8729ee41ac7a15dae99eefba5bb1b877313ab3f8ce6197813014b7eabe13c2e99605886d0f608d39b14a8574b11dd9eb237243e680abb3bb94ebd185

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.4MB

MD5
bb4aad64f0974bb9b64c4df1011a35ba

SHA1
89fedffaf7f734d72f4722372cb6506a445330cd

SHA256
18da2693c49d26b7b6b5c32d30d5cc4f6637eb2a6f2753e283bf301701b4177d

SHA512
1260851e555ecc42e9547e6eb4131491a9f9c8d9338cea6df2a6df19457ab75a71730b69e9c87297f2a2491e6906f9afa884e1e0083b386bde2e9c29f3e163d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.1MB

MD5
71cfdd70eb5e2b22d6174e1f8c4944fb

SHA1
659e050f54bb419a398a51a7dec73f3684c25358

SHA256
7f617a517ed7efb182afdc6189e507ff0ede929e8a61e8035455017de8254c15

SHA512
ba29f5502d9893f6707c949ed3060ab1c3880bef6b1a78189853af1adb0947f9d34fa2a819c42ccd633e6163ad0c4bc739f103277404700fe6431cceb7a9b0b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.1MB

MD5
b08664aff6b2be032d5afd54ae1fccc5

SHA1
14ce3502420d0bd03e2f0094ef03b32b61cbbda4

SHA256
4965420c28ec8e1cccd53b5628b27022a96fd98957fbbe8c1aa12567c32e797f

SHA512
9f56d7dfcc7770afd78ec9378c8ea3e0958ba85f58c72a15fa3da889f7679ef7ba1f903119ada61eb775f297f7fa873eedcb15a3ea6ce0f8bc3abacadf14215f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
fefc51daeae5fdc25a17788f0e0e0b36

SHA1
18a3db4c6c504fd11c64484b513256a8393515e1

SHA256
a7f108fa02386e89ecf977da46cee20a350b956cdef97d67629bbeaf232db335

SHA512
e3dcb6607ebf529bc00d03c147656f7a1002946be34cc0590832b6a780cf16503f53645393c1b22b78585f41a560ea2534b2c9cfa47c334ca5f2a5faf4619d63

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.1MB

MD5
89fbb9b88ff6006b7d1d10e8f17d7cf1

SHA1
1c66dcabc8223c583385b20836d22f7e04d5133e

SHA256
3ecf75614bda9b6d024ab8c413c77d845176f4208637d974894868156ae46470

SHA512
914b77f0633d8827611586f1539e9bc7eb698cec17192389dcb11968f95f067c300cb87025f78b9581e25399c233817c5e476f8253910d7a32d700d05b7042f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.1MB

MD5
2354c6c4c287c40985773b6a7d7e4a7e

SHA1
0c7445eb826e5554750755583b7bbe45ba449fcc

SHA256
443bb56b26dedca6323047ccc657983d72527ee557c3e9657cb52663c0f151af

SHA512
aac613c299185b0bdfd73e1774428917d42bc0fd964483d45920d7b8fd6f6c966a2c1b57f453e855d97f9348202faf5eec65092f979e0b1a8c5fc7acfe863dd2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
bb3a35adb871aac7e5058d0ae8a310d8

SHA1
974b95ca10899ba19a5303c2f0b46ca79dd84549

SHA256
02916567d75aca4f18637ee9d47153ecc7a800cc2b077be8796049e203cb7fa5

SHA512
6e32a2588c76e49b6ea74f3fca35a235c11a0d3844bb665a4a598ae0dcdf7d758be5e81e967932dc7b8e282819fa14cc5c356d90c97786f7608e6338d74d431f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.4MB

MD5
f20c4821298afc2226bacab0c1049fe5

SHA1
3d66d446affc9960a0147d7e68027bbe838d8c28

SHA256
bcc23bb600944d2286ece87d7b7001d4c038709c19e7db3a8ca7872dc3810dc0

SHA512
fba952797b1322315454b9fb7cad29650f60286b19843a4e1313d29b704ed4450e920da4ceb7ec1728b0f3aca39417412776eaa72d72817e7939353218a5b2bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.6MB

MD5
b4feef28511b77d9f4ab91ab045d8c7e

SHA1
38ca4ddd147d869460554d68ce62efbc81d5e6f0

SHA256
1ddaabda2bc5c8f6d44c6b09c0bff1bf84bb804aaf1f8aa1f4488d694632a093

SHA512
69737b9c51c80f19b718445684c7bce62ad907a5b74b86bd7d9fab34f1aabdcf6d3758af4068ff23f1a29a10e03579badf24a73264426e05621494c15fdf2fb8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.1MB

MD5
b9e1f27cb7a220370febab5f3205bfe7

SHA1
699cfd22cd09ecc0a5978bb3237b9c6b21e5218c

SHA256
024de273df36781fba9f5d6a738b48e3b6b8b11a5f4c1de5bdb5e6e1d63be11f

SHA512
4d7c58c866e1675cd692d92b4457a4dac64543ae487f1089b2632dff932cca80d2545bb795c64e7fbf6fd0ef1bf0d29f44a2f4ce6eaf76677aae0214f0a9675c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
1.1MB

MD5
cecd718dcc13efcaca266280167fa1b9

SHA1
cb30a46da5cb5a986c9bdc059823167bb7ecb93d

SHA256
49303b7b50a3de7b6fc7379aeb2ab0655e587d2c85c123102c518e058e1504fb

SHA512
de75dc36f4a6e9c0f587119a856871f8afd758b9a2e68d3c60471a9f5d3b099e3945bb7463f426361b7150a4bb7a33a1bec4e8269544f15c5ecaad3a2df9a551

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
1.1MB

MD5
3109975f33c5c787c872010f86514c84

SHA1
634968424722766ca1d2b851250c83a5083fbb3b

SHA256
e240162571173e37b02dcc31db5a5b88bbd43d7814309aee01a995df2a7f3034

SHA512
a368c0add5c5323577294ed0ec9063c496a8f535effc0716c0882900eaaf6de6e8df4fb1416deb7d053e8c2e5ee5c76cfdacb8e2704736f14b75c451d947da0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
1.1MB

MD5
d40c7b890018390e3815ae4b1568e8f9

SHA1
de1ee91f6ad22a4610c65e60a7246f1fc52e389b

SHA256
eebcf2ab1a2effc8012109e44eda33abd38a099ef92ce3e729266bf3f879450c

SHA512
5c9555597a85123626cea4c2f5e69197fea6d80174a656cefd3f1449d7bd1d2904e43c0ff4f83e6f2c99883ed81670e9a0cf4d46bb599604158ab56600bb167e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
1.1MB

MD5
7b09177c958c2f8e828837e5d05da2f0

SHA1
356f8158a04c6420eb96de49f3dc5c829eb16cdd

SHA256
8813d4cb731307a3690100b0983cbc0a0ee0de51696c1a761d1cc5f519d52c62

SHA512
1fd0edabd7e294e38ce43b560e999ccc8f4fcde558ddaa1633a629b29142b0205b1650a377c4fa9776c48c11d62581e3a8527cc807f406a6124325ba4f4bf6cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
1.1MB

MD5
255be3c7fd3f0ad9330a32055be50c16

SHA1
8928cbaac85cc6939a4088de55661a57a0012d8c

SHA256
5a798132217bb5e8833f3d899c788473c6cefebc9d211e35778ffb5c9681ffe4

SHA512
1c8baa351e005c16b1ce3368a81a228afe9667da20281089a77144d55f64bbd75653faccb0f910ddc546d8c5b13bd6e7972fd20f7637e56b66e5229e211d8d5a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe
Filesize
1.1MB

MD5
ace625b57dc3ffbe149a7fd9c85b32b5

SHA1
f940d1a584f8571972b423fd1e6899c20933dcdf

SHA256
ef8474b23ee01494a4d3c624edcb4f28f276e3188bded8080656409305e83ffd

SHA512
0f9c9483f95a7047ee49b80a4aa4f4bcbaeb2820190ad00abcb4d200ddcddb67234e6bcd22bf8294593cfb6ea7e1bba463802a1e8f3ec838c1bce54aff85711b

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.2MB

MD5
a49b0d613e32f474f5fd592ac356be6b

SHA1
db7e417d707f86844789f4ea4f31cce8cb5e11cc

SHA256
94992edf11c8ce1131d0c247afce57a6aec638837e15392a795c67bcc42b5439

SHA512
096de3d03725da17dc9ce09a552990e41ac5b3a73db34bada97885327beb0ba0e4f6784dd8cc77f6b310a7eef55c3081b9645095b75558c11add3f54d2683579

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.1MB

MD5
fdcc7f5d7497c6239a4da0f72a378ef6

SHA1
c7becc11f580c49f942407aaf1b522c5b4b0b569

SHA256
aedfad073a5a5b5040677d0751d74d89c6292417208c94d55c4125e48a618f4e

SHA512
f6ca6cc30aa871d7327dad80d5447913dc15cffec4f93bf63dfb32f4cc3b98dc3242a2d82ceec3cbad4fb775cdfdacaecfb33103548e51a668883374723ab6bf

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
58e6d03c053786bc34e376ffe502796d

SHA1
ab91c4ddde93bfece55abe7370d7f49bb834550d

SHA256
3ad7d4d6cefa051685e7bb495fb4a81830567a8dcb9c62b4fba02f9d8b720511

SHA512
d256f1ac10e0725003fdef331aa2bf28217b0bc8e449bb9dc1f93bed2e8efa13a3ee0cd199c9879a7dc687b6b7971d12976cf585f5f8a71da10ac1cbd3a59320

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.2MB

MD5
472eb7e5e59414230c636aa791e24aed

SHA1
647558ed3222ec7dcb9a379b92a97e377c7f1b3d

SHA256
6e6f107120a0ce9ad6dd41d9ac9ba38dbf60d519bfa161a7f56e3cfad38eaa87

SHA512
5e31c996c9582e232016ad321d466c5dc4e05bb4643e3d091854b44584595110643414739918849d4a64a37681ddae159e33dc54eb46b8204f961da37d20baaf

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
ce183298d7286c970045071e4cd411e5

SHA1
9af8dd5a7027db33bfa4f05e71e7b92f365bb99c

SHA256
6bcccfa2cd0344d400aa802965d682f4385e2d52f33c5ab4769a4d5bc5c26b62

SHA512
56bc3933fb43811b23f0d093222763d4207d753a57a05094867a8c5c9e084e6725ea570eca6830904480b7c60d8d0d0c0d9ef7c15065320641b0c13dc159ea49

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.1MB

MD5
f6527564832c4febf0857fcedba9b1e3

SHA1
b567d048d744934a04f80683bb1e1243a8c5f1ec

SHA256
e2efccdc77b3525bbec6858c952c43e41f16c9675152ce4a4ac803626be36aae

SHA512
ec800a964f6f84119d6f72eaf6579a1569c1c925052db6fe1a33a06808f0cf87a5ada8152112c9c6882f789c501097233e4f6bde69912a2e2cd152b620b2fffd

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
1a3ea1c014f9ddac602eb786b5c8bd19

SHA1
364f7f2121e044f0576cea7d1ef9d5a9bfc72421

SHA256
0f703fde73eb8f0354acada64a452602915de481d363e2726e33c324b4e5275f

SHA512
fe530d6fc6c2844431b9aace86b1f2995a918f2036152e86800d50470dc7edf27b7e8e6c29abe52390901cd7746e6efd681a037cf6cc0b9ec8275992ffbd970e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.2MB

MD5
c46edbd103304e27ff3f86e43d74685f

SHA1
417f2944f0eef67e1b5e7b1b6ee5ccf6f54b3df2

SHA256
9485cfd324e8167158aeee96adf90eff31d1d74391ab730dbfcbba06a1b59335

SHA512
a4832c5e770c2915122773d32882219cbb23e668abfcbdc24d20ecdecf8cb007f4586d698a80b64b49615f12c3478d1a79c050178a8bfdd70c970ed8faf14c25

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
f1fd7ebfbce8c65c9c7855af1e4bb179

SHA1
b56eb11216712da5cc6c28035ad88a5f47372d07

SHA256
4db231baefc6cd56d8876e8701f9b1259319c03712b03b95542b73713b8cb723

SHA512
e64ed8234d60e4418e3f6c47c70fb1a1fc735dd5e9e8632a4b626c84b3229bd4cd1db0e2f31fd71b1da4b9ec2d8663caad88914d631f4d67c70c3a74c30c7e84

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
8e3ef5025bae9060192c060c669b98c7

SHA1
1ffe8660e7f5b4754b6d837f7d4ec7c2ac1af331

SHA256
21b6f34f1c09ce6923127083955ae3827f21124cdadc204de5b5e64bd888ac03

SHA512
72b38203881775127ddfe7700d24e3d24a361006c2f80d8c408c989dd74a555f02fcce5ef8c2f54a681eb93c84b2c588c19e323f3e94a3633d6538d9747a4994

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
c31535b8d1d19c98e115f65f61e7f2c7

SHA1
4bf9a0b5a838457294ead3b8a91e5a86e8b49e16

SHA256
fa10a649e11c898a1ee4862245b8599c938cc1274a9e0cb45f67660b01472ace

SHA512
3246801ac92b2643c4bdb434d3adc56adfac7d2408bb4b665e07e3b5f62ef8e1c3e41873da7d8fb053b5a20d90f4b2fea301340f0afa0896449a0ff7d0049c67

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.4MB

MD5
85527536228c5b64fb377c303aa3768a

SHA1
fa147094681b50e002681344e184b90c74c2c1ed

SHA256
a0047baf8afab5855cf459bdb959901719b61a218b331140d9021c5f291d7dda

SHA512
f3ec44c3c1249d05c00461533f164a4e5387e7999f6c332cecf1cef56dbcd2c598c584b650da1f7056e9371edb985334948e245efc1ce5b6515d3d5d5ecfbb3f

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
653a632f7d685aa5955ea6a8aaa15849

SHA1
ead2c75b232dab4342e798044586ec63074060ba

SHA256
bb6f5bde7fceae5458ceef3f79ffea3b41747ea76aeb961dca6074afa8ac251b

SHA512
1a2105a4370b4266dbe79b4b1cad4f5c7b85ccb8981f8ac438ed244b91e0f5a34919c61d5aacc30249eaa73f232ef4a0f49d0baf66a22fea92e99505c9ccb666

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.2MB

MD5
b5b46009d48efa0fff0b10c587342f0d

SHA1
8d67df878c0aab24379f40ca93ef0e1e371470d8

SHA256
c69b6f45c243c486c7862b858c5f0b74a9999369f78b730985ab98fe56607872

SHA512
4024e7208d3f91091b1559d3013024d1ee98f411778f03cca761ebb9cc63fa93a633595b63b2ffe7bf6104fb39358e5690e450b265cf7c35725d44fdafe53d9e

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
35241de15ca4d7b334b7537b8d5ab808

SHA1
c88ea61ce4719d4fe372bb9e5e5a420c0c1ae5c0

SHA256
4edbc76044c8a427fee9d27756b4d56b4418ff45b496cdd4c3e01d8a67b135eb

SHA512
b00357dc9e212f0365240dda643f33b1d8b3c10718c74cb5f96de384d09c82e73b9e3df7a2920fe24042b2a3aeb0e97cd8f60abfeae39a553160b97f9907a2f7

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.1MB

MD5
07526a659cbadeb290295ba8983af9c9

SHA1
661bab2fd6b2e53c90d5acc77a2dda3d04e12353

SHA256
742c8de41e1d2b6a1dbcb160d658419e7c567b4eeaf2051a22b2d05243434537

SHA512
40b5a0271893766603c7eef8891cbbded3eb7bced7b31f294b928443ddf705de0c2b13294160089b7a9cd5fce89102834c4deb9ed7280d5b547523b3c62991b2

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
f5c522de3458ac81d27da64596f7f7f0

SHA1
8feac692e64f32e643dbf1bd57b3925048830110

SHA256
aa792f20af1958075c61ae9b9103a76f032627c53491cb336bef93f70119ad77

SHA512
a5e6a14044e5500254d057e6398936bdb18018498670e6105e88620cb85617a09ced4a0760c3f6f4fd22a2bbfc4dfa438c09b91bacfcf8fb28f58c2f87ab72fd

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.3MB

MD5
5790ce8fe1fc22efa37335524c1dc944

SHA1
dd9fc876fda59ba407ddee6bf56014cbca942960

SHA256
ecdb813573d3326aab111b1dfeff549e55b27bce628a5512c806cdd7d42e6283

SHA512
d0ed5ec10084cb58107ab5535bba3873b1f8c41b6b705cbdc7b59191f4856f597f02926101932a0c73bb46cabe7988283907f822358b481ac4996f67b0b34ab9

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
b235b5437f0fd914ef8fdc968159beaf

SHA1
52f3c049a8f361a6536276af25d9bd557ede13fe

SHA256
8a0aff954f2e10dacf68a11f4e19f3500ea0a973186f8b4f42bc6aa88fe1ac46

SHA512
a5b134d8b35eed54244068fe8082ed48471f0d8f3ca0e808707fe502444e2abdba39b4e1c29dfa537a313a22acdbce8a75767f0ff6e492734fa5ccd8f1868b78

Download Submit
memory/444-237-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/444-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/444-48-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/444-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1084-617-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1084-414-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1208-402-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1208-616-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1576-425-0x0000000140000000-0x0000000140124000-memory.dmp

Filesize
1.1MB

Download
memory/1576-307-0x0000000140000000-0x0000000140124000-memory.dmp

Filesize
1.1MB

Download
memory/1840-14-0x0000000140000000-0x000000014019D000-memory.dmp

Filesize
1.6MB

Download
memory/1840-0-0x0000000140000000-0x000000014019D000-memory.dmp

Filesize
1.6MB

Download
memory/1840-1-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/1840-12-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/1840-9-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/1856-338-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/1856-524-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2500-396-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2500-615-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2516-235-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/2516-26-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/2516-22-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2516-16-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2656-297-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2656-413-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2724-341-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2724-544-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2756-318-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2756-527-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2756-446-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2952-240-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/2952-68-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2952-76-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/2952-74-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3136-620-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3136-447-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3168-364-0x0000000140000000-0x0000000140171000-memory.dmp

Filesize
1.4MB

Download
memory/3168-612-0x0000000140000000-0x0000000140171000-memory.dmp

Filesize
1.4MB

Download
memory/3556-236-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3556-29-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3556-28-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3556-37-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3680-375-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3680-387-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4236-52-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4236-59-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4236-55-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/4236-66-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4236-65-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/4564-283-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/4564-401-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/4644-389-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/4644-268-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/4680-609-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/4680-353-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/4936-426-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4936-618-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/5080-253-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/5080-251-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5080-245-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5100-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5100-257-0x0000000000B00000-0x0000000000B60000-memory.dmp

Filesize
384KB

Download
memory/5100-271-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download